IPsec AH in transport mode, AH in tunnel mode

sarahr202
Level 5

Hi everybody.

I am reading about IPsec, which contains two major protocols among others: AH and ESP.

For now, I am focused on AH only. I read the theory on AH and the two modes AH can operate in: transport mode and tunnel mode.

(201.201.201.1)h1--------R1(199.199.199.1) s0--------------------------------------------------------s0(199.199.199.2)R2-------H2( 200.200.200.2)

I want to implement the following:

Every time R1 receives an IP packet from H1 destined for H2, R1 should use AH in transport mode before it sends the packet out to R2. Similarly, R2 should use AH in transport for packets sent by H2 to H1, before sending them to R1.

I just need an example as to how we can configure R1 and R2 to accomplish the above task.

Thanks for your help and have a great day.


1) The "crypto-isakmp" commands don't specify whether to use tunnel mode or not. That's done in the "crypto ipsec transform-set". The ISAKMP commands specify the parameters for the setup of the ISAKMP tunnel. You can look at this tunnel as a management connection between the two IPsec peers. I skipped that because the router (starting with 12.4(20)T) has usable defaults. You can see the defaults with "show crypto isakmp policy". The key is still needed to authenticate the connection setup against Man-in-the-Middle attacks. That's independent of using transport or tunnel mode.

2) The crypto-map is incomplete until you configure a "match address" and "set peer" statement. It just has to be there to work.


Sent from Cisco Technical Support iPad App

Thanks Karsten.
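
The pieces named in the reply above, put together for the R1/R2 topology in the question. This is an added example, not configuration posted by anyone in the thread; the names AH-TS and AH-MAP, ACL number 101, the interface name Serial0 (taken from "s0" in the diagram) and the key placeholder are assumptions.

```cisco
! ----- R1 (199.199.199.1) -----
! The pre-shared key authenticates the ISAKMP setup with the peer.
! No "crypto isakmp policy" is given: the built-in defaults are used.
crypto isakmp key <PRE-SHARED-KEY> address 199.199.199.2
!
! AH only (integrity and origin authentication, no encryption).
! Transport or tunnel mode is selected here, not in the ISAKMP commands.
crypto ipsec transform-set AH-TS ah-sha-hmac
 mode transport
!
! Traffic to protect: H1 -> H2
access-list 101 permit ip host 201.201.201.1 host 200.200.200.2
!
! The map is incomplete without "set peer" and "match address".
crypto map AH-MAP 10 ipsec-isakmp
 set peer 199.199.199.2
 set transform-set AH-TS
 match address 101
!
interface Serial0
 crypto map AH-MAP
!
! ----- R2 (199.199.199.2) -----
! Same key, peer address and ACL mirrored.
crypto isakmp key <PRE-SHARED-KEY> address 199.199.199.1
!
crypto ipsec transform-set AH-TS ah-sha-hmac
 mode transport
!
! Traffic to protect: H2 -> H1
access-list 101 permit ip host 200.200.200.2 host 201.201.201.1
!
crypto map AH-MAP 10 ipsec-isakmp
 set peer 199.199.199.1
 set transform-set AH-TS
 match address 101
!
interface Serial0
 crypto map AH-MAP
```

IOS applies "mode transport" only when the protected traffic runs between the two peer addresses themselves; for traffic passing through the routers, such as H1 to H2 here, the SA is negotiated in tunnel mode regardless. The mode actually in use is shown under "in use settings" in the output of "show crypto ipsec sa".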
