10-28-2012 05:23 PM - edited 03-07-2019 09:43 AM
Hi everybody.
Please consider the following commands:
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
The above command will cause R1 to use MD5-HMAC for authentication and 3DES for encryption.
1) When performing MD5-HMAC, does R1 use the key "firewallcx" as configured in the above command?
=========================================================================
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode ?
transport transport (payload encapsulation) mode
tunnel tunnel (datagram encapsulation) mode
2) Above, if we do not specify "mode", what is the default mode? Is it tunnel or transport?
3)
lan--R1--------------------------------------R2---lan
We want to create an IPsec site-to-site VPN. We want R1 and R2 to use AH for authentication and ESP for encryption.
Can we configure R1 as : ( assuming R2 is identically configured)
R1(config)#crypto ipsec transform-set TS ah-md5-hmac esp-3des
4) Can we also configure R1 as: ( assuming R2 is configured identically)
R1(config)#crypto ipsec transform-set TS ah-md5-hmac
R1(cfg-crypto-trans)#crypto ipsec transform-set TS esp-3des
(Above we configure the AH and ESP portions separately.)
5) R1(config)#crypto ipsec transform-set TS ah-md5-hmac esp-sha-hmac esp-3des
Above, R1 is configured to use AH for authentication, but it is also configured to use ESP for authentication.
Assuming R2 is identically configured, which authentication method will take precedence?
thanks and have a great day.
10-29-2012 01:07 AM
Hi,
1)
When performing md5-hmac , Does R1 use the key " firewallcx" as configured in the above command?
No, this is the key you use for ISAKMP phase 1 with PSK authentication, configured in the crypto isakmp policy.
2)Above if we do not specify " mode " what is the default mode? Is it tunnel or transport?
The default is tunnel mode
3 and 4)
No, you can only use the first syntax; otherwise it will consider the second command a global config command and it will override the first one.
5) I don't remember, so I'll have to lab it and will tell you. EDIT: it will do both.
Regards.
Alain
Don't forget to rate helpful posts.
10-29-2012 05:00 AM
Thanks Alain
When performing MD5-HMAC, does R1 use the key "firewallcx" as configured in the above command?
No, this is the key you use for ISAKMP phase 1 with PSK authentication, configured in the crypto isakmp policy.
If a router is configured to perform authentication, for example AH authentication such as ah-md5-hmac, does the router use any key to compute the hash over some fields of the original IP header and its payload?
thanks
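The two points about keys in this thread (Alain's answer to question 1, and the follow-up question about what ah-md5-hmac hashes) can be made concrete with code. The Python below is an added example, not code from the thread or from Cisco; it builds an AH-protected IPv4 packet per RFC 4302 and computes the HMAC-MD5-96 integrity check value the way ah-md5-hmac does. The SA key, SPI, addresses and payload are constructed values; the key stands in for the KEYMAT that IKE phase 2 (quick mode) derives for the AH SA, which is why verifying with the ISAKMP pre-shared key "firewallcx" as the HMAC key fails. It also shows which header fields the ICV excludes: a TTL rewrite by a transit router leaves the packet valid, while a change to the payload or the source address does not.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed SA parameters for illustration only. On a Cisco router the AH
# HMAC key comes from the IKE phase 2 (quick mode) KEYMAT negotiated for the
# SA, not from the pre-shared key given with "crypto isakmp key".
AH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit HMAC-MD5 key
AH_SPI = 0x0000ABCD
AH_PROTO = 51        # IP protocol number for AH
ICV_LEN = 12         # ah-md5-hmac is HMAC-MD5-96: 16-byte tag truncated to 96 bits
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ip_checksum(data):
    """Standard one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_header, seq, icv):
    """RFC 4302 AH header. Payload Len counts 32-bit words minus 2:
    12 fixed bytes + 12-byte ICV = 6 words, so the field is 4."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, AH_SPI, seq) + icv


def ah_icv(ip_hdr, ah, payload, key=AH_KEY):
    """HMAC-MD5-96 over IP header + AH header + payload, with the mutable IPv4
    fields (TOS, flags/fragment offset, TTL, checksum) and the ICV field
    itself zeroed, as RFC 4302 section 3.3.3.1 requires."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    a = bytearray(ah)
    a[AH_FIXED_LEN:] = b"\x00" * (len(a) - AH_FIXED_LEN)  # ICV field zeroed
    mac = hmac.new(key, bytes(h) + bytes(a) + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]


def build_ah_packet(src, dst, payload, seq=1, inner_proto=17, key=AH_KEY):
    """Transport-mode AH packet: IP | AH | payload. (In IOS's default tunnel
    mode the payload would be the whole original IP datagram and this outer
    header would be freshly built; the ICV rules are the same.)"""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    icv = ah_icv(ip_hdr, ah_header(inner_proto, seq, b"\x00" * ICV_LEN), payload, key)
    return ip_hdr + ah_header(inner_proto, seq, icv) + payload


def verify_ah_packet(pkt, key=AH_KEY):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ah_end = 20 + AH_FIXED_LEN + ICV_LEN
    ip_hdr, ah, payload = pkt[:20], pkt[20:ah_end], pkt[ah_end:]
    return hmac.compare_digest(ah[AH_FIXED_LEN:], ah_icv(ip_hdr, ah, payload, key))


def rewrite_ttl(pkt, ttl):
    """What a transit router does to the outer header: change TTL and fix the
    checksum. Neither field is covered by the ICV, so the packet still verifies."""
    h = bytearray(pkt[:20])
    h[8] = ttl
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


# Constructed sample: opaque bytes stand in for a UDP datagram between the peers.
SAMPLE_PAYLOAD = b"constructed sample payload"
SAMPLE_PKT = build_ah_packet("1.1.1.1", "1.1.1.2", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("valid packet:", verify_ah_packet(SAMPLE_PKT))
    print("after TTL rewrite:", verify_ah_packet(rewrite_ttl(SAMPLE_PKT, 63)))
    print("payload tampered:", verify_ah_packet(SAMPLE_PKT[:-1] + b"?"))
    print("with the ISAKMP PSK as key:", verify_ah_packet(SAMPLE_PKT, key=b"firewallcx"))
```

The example uses transport mode to keep the packet small; with the tunnel mode that IOS defaults to (question 2), the same computation runs over a freshly built outer header with the entire original datagram as the payload. With a combined transform set such as ah-md5-hmac esp-3des, AH sits outside ESP, so the ICV also covers the ESP header and ciphertext.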