I have the following VPN setup on a 1711 router and am trying to understand it better. This is what I know so far. Phase 1 for the IPsec tunnels is esp-3des. Phase 2 is esp-sha-hmac. DH group is 2. The tunnels use pre-shared keys. The rules for the tunnels correspond to the access list associated with each tunnel.
What I am not sure of is how the crypto isakmp policies tie into the picture, whether the key shown below is the actual key or an encrypted version, how I get the real key on a 12.3 IOS, and whether the route-maps matter. I do not see the route-maps applied anywhere.
I am not concerned with the client/easy vpn config part. Thank you.
During the phase 1 exchange, the initiator and responder will agree on the parameters to be used to secure the communications between the two peers. These parameters are defined in the ISAKMP policy. Both the initiator and responder will need to agree on a matching ISAKMP policy if the negotiations are going to proceed. The ISAKMP keys in your configuration are the actual keys vs. encrypted keys. As for the route-maps, they should be unrelated to the overall VPN configuration; however, I would need to see the entire config to understand what other services may be referencing them. These could include NAT and policy routing, to name a few.
During the phase 1 exchange, the initiator will send its configured ISAKMP policies to its peer. The peer will then compare the proposed policies to those that are locally configured and select the first match. During phase 2, a similar exchange is performed for the transform set attributes. You can use the "sh cry isa sa det" and "sh cry ipsec sa peer [ip address]" commands to review what attributes are being used for a given tunnel.
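As an added illustration of the first-match selection described in the answer above (example code, not from the original post or from Cisco), the snippet below models a responder walking its own ISAKMP policies in priority order and accepting the first proposal whose encryption, hash, authentication and DH group match; the shorter-lifetime rule follows Cisco's documented IKE behaviour, and the two routers' policy sets are constructed sample data.

```python
"""Model of IKE phase 1 (ISAKMP) policy matching between two IOS peers."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int           # "crypto isakmp policy <n>": lower number is preferred
    encryption: str         # e.g. "3des", "aes"
    hash_alg: str           # e.g. "sha", "md5"
    authentication: str     # e.g. "pre-share"
    group: int              # Diffie-Hellman group
    lifetime: int = 86400   # seconds; the IOS default


# Attributes that must be identical for two policies to match.
MATCH_ATTRS = ("encryption", "hash_alg", "authentication", "group")


def negotiate_phase1(local: List[IsakmpPolicy],
                     proposals: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Return the policy the responder selects, or None if nothing matches.

    The responder checks its policies from the lowest priority number up
    and stops at the first one that any of the initiator's proposals
    matches.  Lifetimes need not be equal: the shorter value is used.
    """
    for policy in sorted(local, key=lambda p: p.priority):
        for proposal in proposals:
            if all(getattr(policy, a) == getattr(proposal, a) for a in MATCH_ATTRS):
                return replace(policy, lifetime=min(policy.lifetime, proposal.lifetime))
    return None


# Constructed sample policies (hypothetical, not from the poster's config).
ROUTER_A_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 5),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2),
]
ROUTER_B_POLICIES = [
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2, lifetime=3600),
]
# A peer whose only policy shares nothing with router A: phase 1 fails.
ROUTER_C_POLICIES = [IsakmpPolicy(10, "aes", "sha", "pre-share", 14)]

if __name__ == "__main__":
    print("B accepts:", negotiate_phase1(ROUTER_B_POLICIES, ROUTER_A_POLICIES))
    print("C accepts:", negotiate_phase1(ROUTER_C_POLICIES, ROUTER_A_POLICIES))
```

Router B's policy 10 is skipped because no proposal from A uses md5; policy 20 matches A's policy 20 and the SA comes up with a 3600 second lifetime, while router C never finds a match.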