10-10-2008 01:44 AM - edited 03-03-2019 11:52 PM
Dear All Expert,
I would like you to advise me. I would like to configure point to point but use a command to encrypt data; I don't know which command we can use.
Note: not using VPN commands, and my diagram uses a leased line connection, not a VPN connection ....
Please advise me!!!
Best Regards,
Rechard_hk
10-10-2008 10:07 AM
Hi,
I would like to know: if you are using a point-to-point leased line, then why are you trying to use data encryption? One option is there for data encryption:
Use PPP encapsulation with CHAP or PAP authentication.
10-11-2008 01:42 AM
If you are trying to encrypt data that would flow across the point-to-point link, then you can use IPsec. The router IOS should support this feature.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml
HTH
Narayan
10-11-2008 02:10 AM
Dear royalblues,
Thanks you for your advice....
I saw your link, but I would like to ask you: the link you gave me is a VPN configuration, right? I saw it is a VPN configuration..
Could you advise..
Best Regards,
Rechard_hk
10-11-2008 02:30 AM
It is not a VPN but a configuration example of IPsec between 2 devices (say routers).
When you configure this, the data would be encrypted using strong encryption like 3DES / AES.
For eg., say you have a topology like this:
10.10.10.0/24 --R1(1.1.1.1) --point-to-point -- (1.1.1.2)R2 20.20.20.0/24 and you want to encrypt all communication between them.
on router R1:
! Phase 1 (IKE) policy: proposal for the ISAKMP SA
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
! Pre-shared key for the R2 peer
crypto isakmp key Password address 1.1.1.2
! Phase 2 (IPsec) proposal: ESP with 3DES encryption and MD5 HMAC
crypto ipsec transform-set toR2 esp-3des esp-md5-hmac
!
! Crypto map: peer, transform set, and the ACL selecting the traffic to protect
crypto map SER0 1 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set toR2
 match address 100
! Crypto ACL: traffic from 10.10.10.0/24 to 20.20.20.0/24 is encrypted
access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
! Apply the crypto map to the point-to-point serial interface
interface serial 0/1
 ip address 1.1.1.1 255.255.255.252
 crypto map SER0
at R2:
! Phase 1 (IKE) policy: must match R1's proposal
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
! Pre-shared key for the R1 peer (same key on both sides)
crypto isakmp key Password address 1.1.1.1
! Phase 2 (IPsec) proposal: must match R1's transform set
crypto ipsec transform-set toR1 esp-3des esp-md5-hmac
!
! Crypto map pointing back at R1
crypto map SER0 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set toR1
 match address 100
! Crypto ACL: mirror image of R1's (source and destination swapped)
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
! Apply the crypto map to the serial interface facing R1
interface serial 0/1
 ip address 1.1.1.2 255.255.255.252
 crypto map SER0
This configuration encrypts all data for the communication between 10.10.10.0/24 and 20.20.20.0/24... You can add further subnets by modifying your access-list.
HTH
Narayan
10-12-2008 06:07 PM
Dear Narayan,
Thank you for your configuration,
So I would like to ask you one more thing: could you give me a VPN configuration? I would like to compare the VPN configuration and the IPsec (not VPN) configuration.
What is the difference?
Best Regards,
Rechard_hk
10-11-2008 02:04 AM
Hi thiru,
I want to make sure my data has encryption and more security, so this is the reason that I want to use encryption!!
Not like a VPN connection.
Best Regards,
Rechard_hk
10-11-2008 09:09 AM
Hi,
You can use the isakmp crypto encryption; this is not a VPN, this is one type of security encryption. Could you please let us know which model of router you are using, because for this type of encryption you need to upgrade the IOS.
What Narayan said is correct.
10-14-2008 01:34 AM
Dear Thiru,
Thanks for your advice!! :)
So I am still not clear about the encryption commands without VPN and encryption with VPN. I was comparing the VPN commands and the commands without VPN; are they the same?
Could you advise me!!!!!!
Best Regards,
Rechard_hk
10-14-2008 06:56 AM
Shall I send you the sample configuration?
10-15-2008 09:17 AM
Hi,
You can create an IPsec tunnel between two peers with encryption, so that data will be secure. For example:
!--- Configuration for IKE policies.
crypto isakmp policy 1
 !--- Enables the IKE policy configuration (config-isakmp) command mode,
 !--- where you can specify the parameters to be used during
 !--- an IKE negotiation.
 encryption aes 256
 !--- Specifies the encryption algorithm as AES with a 256
 !--- bit key within an IKE policy.
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 20.20.20.1
!--- Specifies the preshared key "cisco123" which
!--- should be identical at both peers.
!
!--- Configuration for IPsec policies.
crypto ipsec security-association lifetime seconds 28800
!--- Specifies the lifetime of the IPsec security association (SA).
!
crypto ipsec transform-set vpn esp-aes 256 esp-md5-hmac
!--- Enables the crypto transform configuration mode, where you can
!--- specify the transform sets to be used during an IPsec negotiation.
!
crypto map vpn 10 ipsec-isakmp
 !--- Indicates that IKE is used to establish the IPsec SA for protecting
 !--- the traffic specified by this crypto map entry.
 set peer 20.20.20.1
 !--- Sets the IP address of the remote end (VPN Concentrator).
 set transform-set vpn
 !--- Configures IPsec to use the transform-set "vpn" defined earlier.
 !
 !--- Specifies the traffic to be encrypted.
 match address 110
!
interface Ethernet1/0
 ip address 30.30.30.1 255.255.255.0
 ip nat outside
 half-duplex
 crypto map vpn
 !--- Configures the interface to use the crypto map "vpn" for IPsec.
!
interface FastEthernet2/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat pool mypool 30.30.30.3 30.30.30.3 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 30.30.30.2
!
access-list 110 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.0.255.255
!--- This crypto ACL permit identifies the matching traffic
!--- flows to be protected via encryption.
!--- Specifies the traffic not to be encrypted.
access-list 120 deny ip 192.168.20.0 0.0.0.255 172.16.0.0 0.0.255.255
!--- This crypto ACL deny identifies the matching traffic flows not to be encrypted.
!
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
!--- The access control list (ACL) used in the NAT configuration exempts
!--- the LAN-to-LAN traffic from the NAT process,
!--- but allows all traffic going to the Internet to be translated.
!
route-map nonat permit 10
 !--- The traffic flows not encrypted from the
 !--- peer network are allowed.
 match ip address 120
!
line con 0
line aux 0
line vty 0 4
 login
!
end
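As an added example (not code from the thread or from any poster), here is a small Python audit script for the kind of IOS crypto configuration shown in both Narayan's R1/R2 post and the sample above: it flags IKE/IPsec algorithm choices that are no longer adequate (DES/3DES, MD5, DH group 1 and 2, all of which appear in these configs) and checks that the two peers' crypto ACLs are exact mirror images, a common cause of proxy-identity mismatch when they are not. The R1 and R2 samples are constructed from the lines in the thread; the parser assumes access-list entries in the wildcard-mask form used there.

```python
# Constructed sample: the IKE/IPsec lines of the R1 and R2 configurations in the thread.
R1 = """crypto isakmp policy 1
 encr 3des
 hash md5
crypto ipsec transform-set toR2 esp-3des esp-md5-hmac
crypto map SER0 1 ipsec-isakmp
 match address 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255"""
R2 = """crypto isakmp policy 1
 encr 3des
 hash md5
crypto ipsec transform-set toR1 esp-3des esp-md5-hmac
crypto map SER0 1 ipsec-isakmp
 match address 100
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"""

# IKE/IPsec choices that are no longer adequate: DES/3DES, MD5, DH groups 1 and 2.
WEAK = {"des", "3des", "md5", "group1", "group2", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse(cfg):
    """Return (ike_params, transform_algs, crypto_acl_entries) from IOS config text."""
    ike, ts, acls, matched = [], [], {}, set()
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) > 1 and tok[0] in ("encr", "encryption", "hash", "group"):  # isakmp policy
            ike.append(("group" if tok[0] == "group" else "") + tok[1])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:   # tok[3] is the set name
            ts.extend(tok[4:])
        elif len(tok) == 3 and tok[:2] == ["match", "address"]:  # crypto ACL used by the map
            matched.add(tok[2])
        elif tok[0] == "access-list" and len(tok) >= 8 and tok[2] == "permit":
            acls.setdefault(tok[1], []).append(tuple(tok[4:8]))  # (src, src_wc, dst, dst_wc)
    return ike, ts, [e for n in matched for e in acls.get(n, [])]

def weak_algorithms(cfg):
    """Sorted list of weak IKE/IPsec algorithm choices present in one router's config."""
    ike, ts, _ = parse(cfg)
    return sorted({a for a in ike + ts if a in WEAK})

def acls_mirror(cfg_a, cfg_b):
    """True when both peers' crypto ACLs are exact mirror images (src/dst swapped)."""
    a = set(parse(cfg_a)[2])
    b = {(d, dw, s, sw) for (s, sw, d, dw) in parse(cfg_b)[2]}
    return a == b

if __name__ == "__main__":
    print("weak:", weak_algorithms(R1), "| ACLs mirror:", acls_mirror(R1, R2))
```

Run it against the two real peers' `show running-config` output to catch a one-sided ACL edit before the tunnel stops negotiating.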