New Member

Encrypting a dedicated serial link

Hello...

I need to encrypt a dedicated serial link between two Cisco routers (1760 & 2811) both capable of doing VPN, tunneling, etc.

I'm not sure where to start because I'd like to configure a fast encryption method that doesn't eat the BW and keeps the latencies low.

What would you suggest?... tunneling? VPN with fast algorithms?... any ideas (and links to case studies or configuration guides) are welcome.

Regards,

Alberto F.

6 REPLIES

Re: Encrypting a dedicated serial link

Hi,

What are the reasons behind this, security? If it is, tunneling like IP GRE is not recommended since the serial link is already private; use IPSec VPN with AES-256/SHA-HMAC encryption. AES is faster than DES (3DES).

Regards,

Dandy

Re: Encrypting a dedicated serial link

There may be specific customer requirements to encrypt even a dedicated link, especially with banking customers.

As Dandy had pointed out, you can use IPsec to encrypt traffic between the routers.

Have a look here

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

HTH

Narayan

Super Bronze

Re: Encrypting a dedicated serial link

"fast encryption method that doesn't eat the BW and keep the latencies low."

You're usually going to give up some, since it's the nature of the beast. However, one item to watch for: often the encryption imposes a smaller effective MTU. Packet fragmentation can often adversely impact performance. For TCP, if supported, the IOS command ip tcp adjust-mss helps avoid the issue.

New Member

Re: Encrypting a dedicated serial link

Thanks for the quick responses guys...

As Narayan said, I've been requested to encrypt the private leased line for security reasons... we just want the data to be secured and encrypted, even to the eyes of the telco.

I'll look into some documents and I'll take your recommendations, particularly the IP TCP adjust-mss issue and the AES-256/SHA-HMAC encryption.

These are the docs I'm looking at:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf8887/0#selected_message

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

Any other suggestions are more than welcome.

Regards,

Alberto

New Member

Re: Encrypting a dedicated serial link

Well, I managed to get the VPN up & running pretty fast... I just followed step by step the document (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml) and then I decided to add a little extra security to the router config by encrypting the VPN pre-shared keys (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml).

Now I have a new problem... I've confirmed that all the traffic I want is going thru the VPN tunnel... nothing is going unencrypted anymore and that's exactly what I needed. However, we have Netflow running in the remote router and the Netflow packets are in fact getting encrypted on the remote side, but then the peer router rejects the packet by saying this over and over:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /10.50.10.10, src_addr= 10.60.10.1, prot= 17

Any light on this one?... I've looked it up in the web but have found pretty much nothing.

Thanks in advance,

Regards,

Alberto

Hall of Fame Super Gold

Re: Encrypting a dedicated serial link

Alberto

This is an indication that the access list that you are using does not match the access list used on the other end of the connection. That access list has a statement that permits the Netflow traffic and your access list does not have a statement that permits it.

Look at both access lists. They should be mirror images of each other. I believe that you will find that there is at least one statement on the other end that is not matched on your end. Fix the access lists so that they are mirror images of each other and I believe that the problem will be solved.

HTH

Rick
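A quick way to apply Rick's check, as an added example that is not part of the thread: a Python script that parses two simple IOS crypto ACLs and reports the entries on one side whose mirror image is missing on the other, then prints the mirrored line to add. The ACL contents are constructed for illustration (the addresses follow the log line above; the NetFlow export port 9996 is an assumption), and the parser only handles the common `permit|deny <proto> <src> [eq port] <dst> [eq port]` form.

```python
"""Check that two IOS crypto ACLs are mirror images of each other."""
import re

# Constructed sample ACLs. The remote router (10.60.10.x) exports NetFlow over
# UDP to 10.50.10.10, but the local peer lacks the matching entry, so the
# encrypted NetFlow packet fails the crypto map check on the local side.
REMOTE_ACL = """
permit ip 10.60.10.0 0.0.0.255 10.50.10.0 0.0.0.255
permit udp host 10.60.10.1 host 10.50.10.10 eq 9996
"""
LOCAL_ACL = """
permit ip 10.50.10.0 0.0.0.255 10.60.10.0 0.0.0.255
"""

ACE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.*)$")

def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one ACE into (action, proto, src, sport, dst, dport) or None."""
    m = ACE.match(line.strip())
    if not m:
        return None
    action, proto, rest = m.groups()
    src, tokens = _addr(rest.split())
    sport, tokens = _port(tokens)
    dst, tokens = _addr(tokens)
    dport, _ = _port(tokens)
    return (action, proto, src, sport, dst, dport)

def mirror(ace):
    """Swap source and destination (address and port) of a parsed ACE."""
    action, proto, src, sport, dst, dport = ace
    return (action, proto, dst, dport, src, sport)

def format_ace(ace):
    """Render a parsed ACE back into IOS syntax."""
    def addr(s):
        if s == "any":
            return "any"
        ip, wc = s.split()
        return f"host {ip}" if wc == "0.0.0.0" else s
    action, proto, src, sport, dst, dport = ace
    parts = [action, proto, addr(src)] + (["eq", sport] if sport else [])
    parts += [addr(dst)] + (["eq", dport] if dport else [])
    return " ".join(parts)

def parse_acl(text):
    return [a for a in (parse_ace(l) for l in text.splitlines()) if a]

def missing_mirrors(acl_a, acl_b):
    """Return entries of acl_a whose mirror image is absent from acl_b."""
    present = set(parse_acl(acl_b))
    return [ace for ace in parse_acl(acl_a) if mirror(ace) not in present]

if __name__ == "__main__":
    for ace in missing_mirrors(REMOTE_ACL, LOCAL_ACL):
        print("local side is missing:", format_ace(mirror(ace)))
```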
