01-03-2006 04:13 AM - edited 02-21-2020 02:10 PM
Hello,
Does anybody have an idea how to interconnect through ipsec two routers, one 1605R with ios c1600-sy56i-mz.120-14.bin (4MB Flash/16 MB RAM) and one 3745 with ios c3745-adventerprisek9-mz.123-16.bin (32 MB Flash/256 RAM)? As far as I know, there is an incompatibility between the old versions of ipsec and the new ones. Is there any ios that can replace my old 12.0-14 on the 1605R (with my hardware configuration) and is also compatible with the 12.3-16 on the 3745?
Thank you in advance.
Gabriel
01-03-2006 04:50 AM
Hi
I did try to find out the ios for your 1605 which can support ipsec single des encryption strength.
But it does require 16MB DRAM and 6MB Flash.
It's a GD version and the filename is c1600-sy56i-mz.121-27b.bin.
Again, the 1605 router has reached end-of-sale or end-of-life status, so I would suggest looking out for an upgrade to either a 1700 or 1800 series model.
regds
01-03-2006 10:50 AM
Hi,
Thank you very much, but there is no possibility to replace the 1605Rs with other routers, as they are part of a project implemented by another company for us. It seems that the newest ios that can fit into my flash is c1600-sy56i-mz.12.0-7.T2 (12/4). Maybe there is a way to establish an ipsec tunnel between this one and the 12.3-16. If anybody knows how to do it, I would really appreciate your input.
Gabriel
01-03-2006 02:03 PM
just wondering what you are referring to when you mentioned the two ios are not compatible.
01-04-2006 12:44 AM
Hi
As jackko mentioned, do post the constraints you have in getting the tunnel established between the routers, and also the configs of both routers.
regds
01-04-2006 07:29 AM
Hi,
I have tested the following config:
Router1605R:
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cucu address 192.168.200.1
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.1
 set transform-set mimi
 match address titi
interface Loopback100
 ip address 192.168.201.2 255.255.255.255
 no ip directed-broadcast
interface Tunnel100
 ip address 192.168.200.2 255.255.255.0
 no ip directed-broadcast
 tunnel source 10.4.208.4
 tunnel destination 192.168.1.2
 crypto map hq
ip route 192.168.201.1 255.255.255.255 192.168.200.1
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
Router3745:
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cucu address 192.168.200.2
!
!
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
!
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.2
 set transform-set mimi
 match address titi
interface Loopback100
 ip address 192.168.201.1 255.255.255.255
!
interface Tunnel100
 ip address 192.168.200.1 255.255.255.0
 tunnel source 192.168.1.2
 tunnel destination 10.4.208.4
 crypto map hq
ip route 192.168.201.2 255.255.255.255 192.168.200.2
ip access-list extended titi
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
Test without crypto map applied on the tunnel 100 interface, of the 3745:
3745#ping
Protocol [ip]:
Target IP address: 192.168.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.201.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/104 ms
Test with the crypto map applied:
3745#ping
Protocol [ip]:
Target IP address: 192.168.201.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.201.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.1
.....
Success rate is 0 percent (0/5)
P.S. I tried to apply the crypto map on the physical interface of the 1605r also (as I read about the difference between the older versions of ios and the new ones), but no success...
Thank you!
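A side-by-side check of the two configurations posted above, as an added example that is not part of the original thread: it parses the crypto-relevant lines from both routers and reports whether the pre-shared key, transform set, crypto ACL and peer addresses agree between the two ends. The function and variable names (`parse`, `compare`, `R1605`, `R3745`) are this example's own; the config lines are copied from the post.

```python
import re
# Crypto-relevant lines copied from the two configurations posted above.
R1605 = """\
crypto isakmp key cucu address 192.168.200.1
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.1
interface Tunnel100
 ip address 192.168.200.2 255.255.255.0
 tunnel destination 192.168.1.2
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
"""
R3745 = """\
crypto isakmp key cucu address 192.168.200.2
crypto ipsec transform-set mimi ah-sha-hmac esp-des esp-sha-hmac
crypto map hq 100 ipsec-isakmp
 set peer 192.168.200.2
interface Tunnel100
 ip address 192.168.200.1 255.255.255.0
 tunnel destination 10.4.208.4
 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
"""

def parse(cfg):
    """Extract IKE/IPsec and tunnel parameters from an IOS config excerpt."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else None
    return {
        "key": grab(r"^crypto isakmp key (\S+) address (\S+)"),
        "transforms": grab(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": grab(r"^\s*set peer (\S+)"),
        "tunnel_ip": grab(r"^interface Tunnel\d+\n\s*ip address (\S+)"),
        "tunnel_dst": grab(r"^\s*tunnel destination (\S+)"),
        "acl": grab(r"^\s*permit ip (\S+ \S+) (\S+ \S+)"),
    }

def compare(a, b):
    """Symmetry checks between the two ends, one boolean per check."""
    return {
        "same_key": a["key"][0] == b["key"][0],
        "key_bound_to_peer": a["key"][1:] == a["peer"] and b["key"][1:] == b["peer"],
        "same_transforms": a["transforms"] == b["transforms"],
        "acl_mirrored": a["acl"] == b["acl"][::-1],
        "peer_is_remote_tunnel_ip": a["peer"] == b["tunnel_ip"] and b["peer"] == a["tunnel_ip"],
        "peer_is_tunnel_destination": a["peer"] == a["tunnel_dst"] and b["peer"] == b["tunnel_dst"],
    }

if __name__ == "__main__":
    print(compare(parse(R1605), parse(R3745)))
```

On the posted configs, the key, transform set and ACL checks all agree between the two sides, and each `set peer` address is the remote Tunnel100 address rather than the tunnel destination.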