{"id":42,"date":"2005-11-24T18:57:45","date_gmt":"2005-11-24T17:57:45","guid":{"rendered":"http:\/\/security-planet.de\/?p=29"},"modified":"2005-11-24T18:57:45","modified_gmt":"2005-11-24T17:57:45","slug":"ipsec-tunnel-interfaces","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2005\/11\/24\/ipsec-tunnel-interfaces\/","title":{"rendered":"IPSec Tunnel Interfaces"},"content":{"rendered":"<p>A sample-configuration of IPSec Tunnel-Interfaces, a new 12.3(14)T-Feature (Updated 2006-03-29).<!--more--><\/p>\n<ul>\n<li> Topology used for this example:<\/li>\n<\/ul>\n<table>\n<tr>\n<td>\n<img decoding=\"async\" src=\"https:\/\/blog.iwen.de\/wp-content\/uploads\/2006\/08\/ipsectunnelinterfaces.png\" id=\"image82\" alt=\"Topology used for Example IPSec Tunnel Interfaces \" \/>\n<\/td>\n<\/tr>\n<\/table>\n<p><strong><br \/>\nConfiguration<\/strong><br \/>\nISAKMP is configured as usual, e.g.:<\/p>\n<pre class=\"code\"><code>\ncrypto isakmp policy 10\n encr aes 256\n auth pre\n group 5\n\ncrypto isakmp key MXg6AzCGBYw\/I0%$ address 172.30.2.2\n<\/code><\/pre>\n<p>we need to configure a transform-set and attach this transform-set to an ipsec-profile:<\/p>\n<pre class=\"code\"><code>\ncrypto ipsec transform-set EspAesSha esp-aes esp-sha-hmac\ncrypto ipsec profile TunnelProfile\n  set transform-set EspAesSha\n<\/code><\/pre>\n<p>next, a tunnel-interface is created:<\/p>\n<pre class=\"code\"><code>\ninterface Tunnel 0\n  ip address 10.11.11.1 255.255.255.252\n  tunnel source FastEthernet0\/1\n  tunnel destination 172.30.2.2\n<\/code><\/pre>\n<p>this tunnel is set to ipsec-mode and is protected with the ipsec-profile:<\/p>\n<pre class=\"code\"><code>\ninterface Tunnel 0\n  tunnel mode ipsec ipv4\n  tunnel protection ipsec profile TunnelProfile\n<\/code><\/pre>\n<p>the physical interface has to allow the ipsec-packets:<\/p>\n<pre class=\"code\"><code>\nip access-list ext outside-in\n  remark ACL eingehend vom Internet\n  permit esp any host 172.30.1.2\n  
permit udp any host 172.30.1.2 eq 500\n<\/code><\/pre>\n<p>the configuration of the WAN-Interface:<\/p>\n<pre class=\"code\"><code>\ninterface FastEthernet0\/1\n  description WAN-Interface\n  ip address 172.30.1.2 255.255.255.0\n  ip access-group outside-in in\n<\/code><\/pre>\n<p>we can start a routing-process on the tunnel-interface:<\/p>\n<pre class=\"code\"><code>\nrouter eigrp 1\n  network 10.0.0.0\n  no auto-summary\n<\/code><\/pre>\n<p>and we learn remote-networks through the tunnel:<\/p>\n<pre class=\"code\"><code>\nRouter1# show ip route eigrp\n    10.0.0.0\/24 is subnetted, 3 subnets\nD      10.0.2.0 [90\/297246976] via 10.11.11.2, 15:33:11, Tunnel0\nRouter#\n<\/code><\/pre>\n<p>the router automatically generates crypto maps:<\/p>\n<pre class=\"code\"><code>\nRouter1#sh cry map\nCrypto Map \"Tunnel0-head-0\" 65536 ipsec-isakmp\n     Profile name: TunnelProfile\n     Security association lifetime: 4608000 kilobytes\/3600 seconds\n     PFS (Y\/N): N\n     Transform sets={\n \t   EspAesSha,\n     }\n\nCrypto Map \"Tunnel0-head-0\" 65537 ipsec-isakmp\n     Map is a PROFILE INSTANCE.\n     Peer = 172.30.2.2\n     Extended IP access list\n         access-list  permit ip any any\n     Current peer: 172.30.2.2\n     Security association lifetime: 4608000 kilobytes\/3600 seconds\n     PFS (Y\/N): N\n     Transform sets={\n \t   EspAesSha,\n     }\n     Interfaces using crypto map Tunnel0-head-0:\n           Tunnel0\n<\/code><\/pre>\n<p>the resulting IPSec-SA:<\/p>\n<pre class=\"code\"><code>\nRouter1#sh cry ips sa\n\ninterface: Tunnel0\n    Crypto map tag: Tunnel0-head-0, local addr 172.30.1.2\n\n   protected vrf: (none)\n   local  ident (addr\/mask\/prot\/port): (0.0.0.0\/0.0.0.0\/0\/0)\n   remote ident (addr\/mask\/prot\/port): (0.0.0.0\/0.0.0.0\/0\/0)\n   current_peer 172.30.2.2 port 500\n     PERMIT, flags={origin_is_acl,}\n    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72\n    #pkts decaps: 71, #pkts decrypt: 71, #pkts verify: 71\n    #pkts compressed: 
0, #pkts decompressed: 0\n    #pkts not compressed: 0, #pkts compr. failed: 0\n    #pkts not decompressed: 0, #pkts decompress failed: 0\n    #send errors 0, #recv errors 0\n\n local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2\n     path mtu 1500, ip mtu 1500\n     current outbound spi: 0x47537458(1196651608)\n\n inbound esp sas:\n      spi: 0x230B9AF1(587963121)\n        transform: esp-256-aes esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0\n        sa timing: remaining key lifetime (k\/sec): (4536356\/3553)\n        IV size: 16 bytes\n        replay detection support: Y\n        Status: ACTIVE\n\n     outbound esp sas:\n      spi: 0x47537458(1196651608)\n        transform: esp-256-aes esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0\n        sa timing: remaining key lifetime (k\/sec): (4536356\/3551)\n        IV size: 16 bytes\n        replay detection support: Y\n        Status: ACTIVE\n\u2026\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A sample-configuration of IPSec Tunnel-Interfaces, a new 12.3(14)T-Feature (Updated 
2006-03-29).<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5,7],"tags":[307,317,358],"class_list":["post-42","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cisco-security","tag-ios","tag-ipsec","tag-konfiguration"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/42","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=42"}],"version-history":[{"count":0,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/42\/revisions"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=42"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=42"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=42"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}