Cisco Support Community
New Member

Questions on IPSec.

I have two nodes (routers) connected to the internet and would need a secure connection between them. I was told I should use IPSec. If so I need to clarify a few things:

1) Can I use IPSec if one of the routers is assigned a dynamic IP address by the ISP?

2) Does IPSec contribute to delay in response time? If so by how much?

3) Can I run MPLS over IPSec?

4) If I were to secure these routers and the network behind them from hackers/viruses/unauthorised access, what should I be looking at besides IPSec?

5) Also when do I use Cisco IOS firewall and when do I use a PIX?



Re: Questions on IPSec.

You should read over this link; I think it will answer most of your questions.

New Member

Re: Questions on IPSec.

I will not be able to answer all of your questions but hopefully some of this will be useful.

1: Yes, you configure a "dynamic crypto map" on the router that "talks" to the DHCP-enabled router, not on the DHCP router.

Example (only the IPSec portion of the config):

Router A - has a static address

! Phase 1 (ISAKMP) policy
crypto isakmp policy 1
 hash md5
 authentication pre-share
! Pre-shared key, keyed by peer address
crypto isakmp key password-key address
( is not always the best but it fits this example)
! Phase 2 (IPsec) transform set
crypto ipsec transform-set testing-set esp-des esp-md5-hmac
! Dynamic map: peer address is learned when the remote side connects
crypto dynamic-map mymap 10
 set transform-set testing-set
 match address 110
! Static crypto map that references the dynamic map
crypto map test-crypto 10 ipsec-isakmp dynamic mymap
! Outgoing interface
interface Serial0/0.1
 ip address x.x.x.x x.x.x.x
 crypto map test-crypto
! Traffic to be protected
access-list 110 permit/deny statements.....

Router B - receives a DHCP address

! Phase 1 (ISAKMP) policy
crypto isakmp policy 1
 hash md5
 authentication pre-share
! Pre-shared key, keyed by peer address
crypto isakmp key pass-key address
! Phase 2 (IPsec) transform set
crypto ipsec transform-set testing-setB esp-des esp-md5-hmac
! Static crypto map pointing at Router A's fixed address
crypto map RouterBMap 10 ipsec-isakmp
 set peer
 set transform-set testing-setB
 match address 116
! Outgoing interface
interface Dialer1
 ip address negotiated
 crypto map RouterBMap
! Traffic to be protected
access-list 116 permit/deny statements....


2. I have not seen any great increase in latency. Just make sure your router has the minimum amount of memory to run IPSec comfortably and watch the processing.

sh mem / show proc cpu

Some routers have a built in VPN Accelerator Card to help with the IPSec encryption processes instead of it all being executed in the IOS.


3. Sorry I don't know (I need to learn more about MPLS before answering that.)


4. The following Cisco site has great information on security policy and management. It may be able to point you at what other events/transactions you could be watching.


5. That would depend on whether you would like to use a hardware-based firewall or a software-based firewall, whether you need a DMZ or multiple DMZs, and how comfortable you are in configuring either. The best way to judge may be to evaluate your needs and allowances.
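As an added example (not code from the original thread), the script below audits the IKE phase 1 policy, the pre-shared key binding and the IPsec transform set in a configuration of the shape the reply above posts, and flags settings that are weak by today's standards. The two sample configurations are constructed: the weak one follows the Router A config with the blanked-out key address assumed to be the wildcard 0.0.0.0 0.0.0.0, and the hardened one swaps in AES-256, SHA-256, DH group 14 and certificate authentication (which assumes a PKI trustpoint not shown here). The defaults applied when a policy omits an attribute (DES, SHA-1, DH group 1) are the IOS defaults, which is why a policy that only sets hash and authentication still gets several findings.

```python
"""Audit the ISAKMP (IKE phase 1) policy, pre-shared key and IPsec transform set
in a Cisco IOS configuration for weak settings.

Added example, not code from the original thread. Both sample configs are
constructed; the weak one assumes the posted key address was 0.0.0.0 0.0.0.0.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# IOS defaults applied when a 'crypto isakmp policy' block omits an attribute.
DEFAULT_ENCR, DEFAULT_HASH, DEFAULT_GROUP = "des", "sha", "1"

WEAK_ENCR = {"des": "single DES is brute-forceable", "3des": "3DES is deprecated (64-bit block)"}
WEAK_HASH = {"md5": "MD5 is collision-broken"}
WEAK_GROUP = {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"}
WEAK_ESP = {"esp-des": "single DES", "esp-3des": "3DES",
            "esp-md5-hmac": "HMAC-MD5", "esp-null": "no encryption"}


@dataclass
class Finding:
    location: str   # config line or block the finding refers to
    message: str


def parse_isakmp_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy number: {attribute: value}} for each 'crypto isakmp policy'
    block. Attribute lines are the indented lines following the block header."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2:
                current[parts[0]] = " ".join(parts[1:])
        else:
            current = None  # any other top-level line ends the block
    return policies


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for num, attrs in parse_isakmp_policies(config).items():
        loc = f"crypto isakmp policy {num}"
        # 'encryption' is shown as 'encr' in a running config; accept both.
        encr = (attrs.get("encr") or attrs.get("encryption") or DEFAULT_ENCR).split()[0]
        if encr in WEAK_ENCR:
            findings.append(Finding(loc, f"encryption {encr}: {WEAK_ENCR[encr]}"))
        hsh = attrs.get("hash", DEFAULT_HASH)
        if hsh in WEAK_HASH:
            findings.append(Finding(loc, f"hash {hsh}: {WEAK_HASH[hsh]}"))
        group = attrs.get("group", DEFAULT_GROUP)
        if group in WEAK_GROUP:
            findings.append(Finding(loc, f"group {group}: {WEAK_GROUP[group]}"))
    # A pre-shared key bound to 0.0.0.0 is accepted from any peer address.
    for m in re.finditer(r"^crypto isakmp key (?:\d )?\S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?\s*$",
                         config, re.M):
        findings.append(Finding(m.group(0).strip(),
                                "wildcard pre-shared key: any host that knows the key can authenticate"))
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)((?: \S+)+)\s*$", config, re.M):
        loc, algs = f"transform-set {m.group(1)}", m.group(2).split()
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append(Finding(loc, f"{alg}: {WEAK_ESP[alg]}"))
        if not any(alg.endswith("-hmac") for alg in algs):
            findings.append(Finding(loc, "no ESP integrity algorithm"))
    return findings


# Constructed: the posted Router A shape, key address assumed to be the wildcard.
SAMPLE_WEAK = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key password-key address 0.0.0.0 0.0.0.0
crypto ipsec transform-set testing-set esp-des esp-md5-hmac
crypto dynamic-map mymap 10
 set transform-set testing-set
 match address 110
crypto map test-crypto 10 ipsec-isakmp dynamic mymap
"""

# Constructed hardened variant: certificates replace the wildcard pre-shared key.
SAMPLE_HARDENED = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set hardened-set esp-aes 256 esp-sha256-hmac
crypto dynamic-map mymap 10
 set transform-set hardened-set
 match address 110
crypto map test-crypto 10 ipsec-isakmp dynamic mymap
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  {f.location}: {f.message}")
```

The point to take from the weak sample is that three of its six findings come from attributes the posted policy never sets: with no encryption, group or lifetime line, IOS falls back to DES and DH group 1, so a policy that "looks short" is not a policy that is safe by omission. The wildcard pre-shared key is the real cost of the dynamic-peer setup; certificates (or at least a key bound to a hostname identity) are how that is normally closed.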

