Solved: ipsec site to site vpn

sarahr202 · ‎10-28-2012

Hi everybody.

Please consider the following commands:

R1(config)# crypto isakmp key firewallcx address 1.1.1.2

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

The above command will cause R1 to use md5-hmac for authentication and 3 des for encryption.

1)When performing md5-hmac , Does R1 use the key " firewallcx" as configured in the above command?

=========================================================================

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#mode ?

transport transport (payload encapsulation) mode

tunnel tunnel (datagram encapsulation) mode

2)Above if we do not specify " mode " what is the default mode? Is it tunnel or transport?

3)

lan--R1--------------------------------------R2---lan

We want to create ipsec vpn site-to site. We want R1 and R2 to use AH for authentication and ESP for encryption.

Can we configure R1 as : ( assuming R2 is identically configured)

R1(config)#crypto ipsec transform-set TS ah-md5-hmac esp-3des

4) Can we also configure R1 as: ( assuming R2 is configured identically)

R1(config)#crypto ipsec transform-set TS ah-md5-hmac

R1(cfg-crypto-trans)#crypto ipsec transform-set TS esp-3des

(Above we configure Ah and esp portions separately.)

5) R1(config)#crypto ipsec transform-set TS ah-md5-hmac esp-sha-hmac esp-3des

Above, R1 is configured to use AH for authentication, but it is also configured to use esp for authentication.

Assuming R2 is identically configured, which authentication method will take precedence?

thanks and have a great day.

cadet alain · ‎10-29-2012

Hi,

1)

When performing md5-hmac , Does R1 use the key " firewallcx" as configured in the above command?

No this is the key you use for ISAKMP phase 1 with PSK authentication configured in crypto isakmp policy

2)Above if we do not specify " mode " what is the default mode? Is it tunnel or transport?

The default is tunnel mode

3 and 4)

No you can only use first syntax otherwise it will consider the second command is a global config command and it will override first one.

5) i don't remember so I'll have to lab and will tell you. EDIT: it will do both

Regards.

Alain

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎10-29-2012

Hi,

1)

When performing md5-hmac , Does R1 use the key " firewallcx" as configured in the above command?

No this is the key you use for ISAKMP phase 1 with PSK authentication configured in crypto isakmp policy

2)Above if we do not specify " mode " what is the default mode? Is it tunnel or transport?

The default is tunnel mode

3 and 4)

No you can only use first syntax otherwise it will consider the second command is a global config command and it will override first one.

5) i don't remember so I'll have to lab and will tell you. EDIT: it will do both

Regards.

Alain

Don't forget to rate helpful posts.

sarahr202 · ‎10-29-2012

Thanks Alain

When performing md5-hmac , Does R1 use the key " firewallcx" as configured in the above command?

No this is the key you use for ISAKMP phase 1 with PSK authentication configured in crypto isakmp policy

If a router is onfigured to perform authetication for example AH authentication such as ah-md5-hmac. Does router use any key to compute hash over some fields of original ip header and its payload?

thanks