Contributor

ipsec site to site vpn

Hi everybody.

Please consider the following commands:

R1(config)# crypto isakmp key firewallcx address 1.1.1.2

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

The above command will cause R1 to use md5-hmac for authentication and 3DES for encryption.

1) When performing md5-hmac, does R1 use the key "firewallcx" as configured in the above command?

=========================================================================

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#mode ?

  transport  transport (payload encapsulation) mode

  tunnel     tunnel (datagram encapsulation) mode

2) Above, if we do not specify "mode", what is the default mode? Is it tunnel or transport?

3)

  lan--R1--------------------------------------R2---lan

We want to create an IPsec site-to-site VPN. We want R1 and R2 to use AH for authentication and ESP for encryption.

Can we configure R1 as follows (assuming R2 is identically configured)?

R1(config)#crypto ipsec transform-set TS  ah-md5-hmac esp-3des

4) Can we also configure R1 as follows (assuming R2 is configured identically)?

R1(config)#crypto ipsec transform-set TS ah-md5-hmac

R1(cfg-crypto-trans)#crypto ipsec transform-set TS esp-3des

(Above we configure the AH and ESP portions separately.)

5) R1(config)#crypto ipsec transform-set TS ah-md5-hmac esp-sha-hmac   esp-3des

Above, R1 is configured to use AH for authentication, but it is also configured to use ESP for authentication.

Assuming R2 is identically configured, which authentication method will take precedence?

Thanks and have a great day.

1 ACCEPTED SOLUTION
Advisor

Re: ipsec site to site vpn

Hi,

1)

When performing md5-hmac, does R1 use the key "firewallcx" as configured in the above command?

No, this is the key you use for ISAKMP phase 1 with PSK authentication, configured in the crypto isakmp policy.

2) Above, if we do not specify "mode", what is the default mode? Is it tunnel or transport?

The default is tunnel mode.

3 and 4)

No, you can only use the first syntax; otherwise it will consider the second command a global config command and it will override the first one.

5) I don't remember, so I'll have to lab it and will tell you. EDIT: it will do both.

Regards.

Alain

Don't forget to rate helpful posts.


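Added example, not from the thread or from Cisco: a small Python model of the transform-set behaviour Alain's answer describes, replayed over the exact commands from the question. It assumes the IOS rules that one set combines at most one AH transform, one ESP cipher and one ESP authentication transform, that the mode defaults to tunnel, and that re-entering the command with the same name replaces the set rather than adding to it.

```python
# Added example, not from the thread: a model of how IOS reads a
# "crypto ipsec transform-set" line, illustrating answers 2, 3, 4 and 5.
# Assumed IOS rules are stated in the lead-in above.
from dataclasses import dataclass

AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHER = {"esp-des", "esp-3des", "esp-aes", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
CLASSES = (("ah", AH_AUTH), ("esp_cipher", ESP_CIPHER), ("esp_auth", ESP_AUTH))

@dataclass
class TransformSet:
    name: str
    transforms: tuple
    mode: str = "tunnel"  # Q2: IOS default when "mode" is never configured

    def integrity_layers(self):
        """Protocols that will authenticate each packet (Q5: AH and ESP both do)."""
        return [cls for cls, group in CLASSES
                if cls != "esp_cipher" and any(t in group for t in self.transforms)]

def parse_transform_set(line):
    """Parse one global-config line into a TransformSet, rejecting bad combinations."""
    words = line.split()
    if words[:3] != ["crypto", "ipsec", "transform-set"] or len(words) < 5:
        raise ValueError("expected: crypto ipsec transform-set NAME transform ...")
    name, transforms = words[3], words[4:]
    seen = {}
    for t in transforms:
        cls = next((c for c, group in CLASSES if t in group), None)
        if cls is None:
            raise ValueError(f"unknown transform {t}")
        if cls in seen:  # e.g. two ESP authentication transforms in one set
            raise ValueError(f"only one {cls} transform allowed: {seen[cls]} and {t}")
        seen[cls] = t
    return TransformSet(name, tuple(transforms))

def apply_config(lines):
    """Replay config lines in order; "mode ..." applies to the set just entered.
    A second "crypto ipsec transform-set TS ..." replaces TS (Q3/Q4), so AH lost."""
    sets, current = {}, None
    for line in lines:
        if line.startswith("mode ") and current is not None:
            current.mode = line.split()[1]
        else:
            current = parse_transform_set(line)
            sets[current.name] = current
    return sets
```

Replaying the two separate lines from question 4 leaves TS with only esp-3des and no integrity layer at all, which is the override Alain describes.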

2 REPLIES 2

Contributor

ipsec site to site vpn

Thanks Alain

When performing md5-hmac, does R1 use the key "firewallcx" as configured in the above command?

No, this is the key you use for ISAKMP phase 1 with PSK authentication, configured in the crypto isakmp policy.

If a router is configured to perform authentication, for example AH authentication such as ah-md5-hmac, does the router use any key to compute the hash over some fields of the original IP header and its payload?

Thanks
