12.0-14 to 12.3-16 IPsec compatibility issue?

gabipopescu25
Level 1

Hello,

Does anybody have an idea how to interconnect two routers through IPsec, one 1605R with IOS c1600-sy56i-mz.120-14.bin (4MB Flash/16 MB RAM) and one 3745 with IOS c3745-adventerprisek9-mz.123-16.bin (32 MB Flash/256 RAM)? As far as I know, there is an incompatibility between the old versions of IPsec and the new ones. Is there any IOS that can replace my old 12.0-14 on the 1605R (with my hardware configuration) and that is also compatible with the 12.3-16 on the 3745?

Thank you in advance.

Gabriel

5 Replies

spremkumar
Level 9

Hi

I did try to find out the IOS for your 1605 which can support IPsec single DES encryption strength.

But it does require 16MB DRAM and 6MB Flash.

It's a GD version and the filename is c1600-sy56i-mz.121-27b.bin.

Again, the 1605 router has reached end-of-sale or end-of-life status, so I would suggest looking out for an upgrade to either a 1700 or 1800 series model.

regds

Hi,

Thank you very much, but there is no possibility to replace the 1605Rs with other routers, as they are part of a project implemented by another company for us. It seems that the newest IOS that can fit into my flash is c1600-sy56i-mz.12.0-7.T2 (12/4). Maybe there is a way to establish an IPsec tunnel between this one and the 12.3-16. If anybody knows how to do it, I would really appreciate your input.

Gabriel

Just wondering what you are referring to when you mentioned the two IOS are not compatible.

Hi

As jackko mentioned, do post the constraints you have in getting the tunnel established between the routers, and also the configs of both the routers.

regds

Hi,

I have tested the following config:

Router1605R:

crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cucu address 192.168.200.1
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.1
 set transform-set mimi
 match address titi
interface Loopback100
 ip address 192.168.201.2 255.255.255.255
 no ip directed-broadcast
interface Tunnel100
 ip address 192.168.200.2 255.255.255.0
 no ip directed-broadcast
 tunnel source 10.4.208.4
 tunnel destination 192.168.1.2
 crypto map hq
ip route 192.168.201.1 255.255.255.255 192.168.200.1
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255

Router3745:

crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cucu address 192.168.200.2
!
!
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
!
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.2
 set transform-set mimi
 match address titi
interface Loopback100
 ip address 192.168.201.1 255.255.255.255
!
interface Tunnel100
 ip address 192.168.200.1 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.4.208.4
 crypto map hq
ip route 192.168.201.2 255.255.255.255 192.168.200.2
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255

Test without crypto map applied on the tunnel 100 interface, of the 3745:

3745#ping
Protocol [ip]:
Target IP address: 192.168.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.201.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/104 ms

Test with the crypto map applied:

3745#ping
Protocol [ip]:
Target IP address: 192.168.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.201.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.1
.....
Success rate is 0 percent (0/5)

P.S. I tried to apply the crypto map on the physical interface of the 1605R also (as I read about the difference between the older versions of IOS and the new ones), but no success...

Thank you!
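Added example, not part of the original post or of any Cisco tooling: a two-sided consistency check over the crypto-relevant lines of the configs posted above, comparing the settings both IPsec peers must agree on. The names `TEMPLATE`, `parse` and `check` are introduced here for illustration, and the last finding is an observation about the posted addressing, not a cause confirmed anywhere in the thread.

```python
import re
# Constructed input: crypto-relevant lines trimmed from the two posted configs.
TEMPLATE = """\
crypto isakmp key {key} address {peer}
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
crypto map hq 100 ipsec-isakmp
 set peer {peer}
interface Tunnel100
 ip address {tun_ip} 255.255.255.0
 tunnel source {src}
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
"""
R1605 = TEMPLATE.format(key="cucu", peer="192.168.200.1",
                        tun_ip="192.168.200.2", src="10.4.208.4")
R3745 = TEMPLATE.format(key="cucu", peer="192.168.200.2",
                        tun_ip="192.168.200.1", src="192.168.1.2")

def parse(cfg):
    """Extract the settings the two IPsec peers have to agree on."""
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {
        "key": one(r"^crypto isakmp key (\S+) address"),
        "key_addr": one(r"^crypto isakmp key \S+ address (\S+)"),
        "transforms": sorted((one(r"^crypto ipsec transform-set \S+ (.+)$") or "").split()),
        "peer": one(r"^ set peer (\S+)"),
        "tun_ip": one(r"^ ip address (\S+)"),
        "tun_src": one(r"^ tunnel source (\S+)"),
        "acl": re.findall(r"^ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
    }

def check(a, b):
    """Return findings for side a measured against side b."""
    out = []
    if a["key"] != b["key"]:
        out.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        out.append("transform-sets differ")
    if a["key_addr"] != a["peer"]:
        out.append("isakmp key address is not the crypto map peer")
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        out.append("crypto ACLs are not mirror images")
    if a["peer"] == b["tun_ip"] and a["peer"] != b["tun_src"]:
        out.append("peer is the remote Tunnel address, not its tunnel source")
    return out

if __name__ == "__main__":
    print(check(parse(R1605), parse(R3745)), check(parse(R3745), parse(R1605)))
```

On the posted values the keys, transform-sets and access lists agree; the only finding, on both sides, is that `set peer` names the far end's Tunnel100 address, so IKE traffic to that peer is routed into the GRE tunnel itself.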
