dynamic IPSec with router IOS

tato386
Level 6

The PIX has the ability to create dynamic IPSec crypto maps which I find REALLY handy. Can a router with the encryption capable IOS image do the same?

Thanks,

Diego

3 Replies

ajagadee
Cisco Employee

Diego,

Yes, it is possible.

Please refer to the below URL for details:

Configuring Router-to-Router Dynamic-to-Static IPSec with NAT

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

Let me know if it helps.

Regards,

Arul

** Please rate all helpful posts **

This looks like exactly what I need except for one thing. Since sam-i-am is accepting dynamic connections, why does it need an ACL to define IPSec traffic? The PIX that I have set up to accept dynamic, incoming IPSec connections does not have an ACL configured since, by definition, you don't know which subnet/router will be connecting. It seems to me that sam-i-am should "figure out" what to encrypt based on the incoming ACL/connection from whoovie like the PIX does. I guess some experimenting/testing is in order. Thank you very much for that link.

In the example, DYNAMIC means that the outside public IP address is negotiated, so it helps you establish IPsec no matter what IP address the peer gets... but with ACLs you are saying what traffic you need to encrypt between the private LANs. Those addresses are always the same (10.2.2.x and 10.1.1.1 in this example)...

So I think you always need an ACL to specify what traffic is encrypted.

You also need to remove this destination network from the NAT process (route map nonat is used in this example).

M.

Hope that helps, rate if it does.
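
The pieces discussed in this thread (dynamic crypto map, the ACL that selects LAN-to-LAN traffic, and the NAT exemption through a route map), put together as an added IOS configuration sketch for the router that accepts the dynamic peer. It is not taken from the linked Cisco document or from any poster. The map and transform-set names, ACL numbers, interface names, the outside address, the key placeholder and the /24 subnets (10.2.2.0 behind this router, 10.1.1.0 behind the dynamic peer) are assumptions; only the route-map name nonat comes from the thread.

```cisco
! Constructed example: router with a static public address accepting a peer
! whose public address is not known in advance.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard peer address: any host holding this key can complete IKE phase 1,
! so use a long random key and rotate it when a remote site is retired.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Dynamic entry: there is no "set peer"; the peer address is learned at negotiation.
crypto dynamic-map DYN 10
 set transform-set TS
 match address 115
!
! The static map references the dynamic entry and is what the interface uses.
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 description Outside (assumed address from the documentation range)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
!
! ACL 115: traffic to encrypt, private LAN to private LAN.
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! ACL 110: traffic to translate. The deny line comes first so that
! LAN-to-LAN packets skip NAT and still match ACL 115 unchanged.
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.2.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
```

After the tunnel is up, `show crypto ipsec sa` lists the negotiated local and remote identities, which should match the two subnets in ACL 115.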