= IPSEC Setting of cisco router

Site-to-site IPsec between a Cisco 3600 (Router_A) and a Cisco 7200 (Router_B), with IKE pre-shared-key authentication:

  [PC1] 192.168.0.2/24 ----- 192.168.0.1/23 [Cisco 3600]
                                               | 200.200.200.1/24
                                               |
                                             IPSEC
                                               |
                                               | 200.200.200.2/24
  [PC2] 172.17.0.2/16  ----- 172.17.0.1/16  [Cisco 7200]

= cisco 3600 Setting

Define the traffic to be protected by IPsec (crypto ACL):

  Router_A(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255

IKE policy (Phase 1):

  Router_A(config)#crypto isakmp policy 1
  Router_A(config-isakmp)#authentication pre-share
  Router_A(config-isakmp)#encryption des
  Router_A(config-isakmp)#group 1
  Router_A(config-isakmp)#hash md5
  Router_A(config-isakmp)#lifetime 86400
  Router_A(config-isakmp)#exit

Associate the shared key with the peer's IP address:

  Router_A(config)#crypto isakmp key cisco address 200.200.200.2

Set up the transform set (IPsec connection settings):

  Router_A(config)#crypto ipsec transform-set TS-IPSEC esp-des esp-md5-hmac
  Router_A(cfg-crypto-trans)#mode tunnel
  Router_A(cfg-crypto-trans)#exit

IPsec SA (Phase 2), defined as a crypto map that ties the ACL, the peer and the transform set together:

  Router_A(config)#crypto map MAP-IPSEC 1 ipsec-isakmp
  Router_A(config-crypto-map)#match address 100
  Router_A(config-crypto-map)#set peer 200.200.200.2
  Router_A(config-crypto-map)#set transform-set TS-IPSEC
  Router_A(config-crypto-map)#set security-association lifetime seconds 3600
  Router_A(config-crypto-map)#exit

Apply the IPsec policy to the outside interface and add a default route toward the peer:

  Router_A(config)#interface fastEthernet 0
  Router_A(config-if)#crypto map MAP-IPSEC
  Router_A(config-if)#exit
  Router_A(config)#ip route 0.0.0.0 0.0.0.0 200.200.200.2

= cisco 7200

The mirror image of the 3600 configuration: the crypto ACL has source and destination swapped, and the peer is 200.200.200.1. Phase 1 policy, shared key and transform set must be identical on both sides.

  Router_B(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
  Router_B(config)#crypto isakmp policy 1
  Router_B(config-isakmp)#authentication pre-share
  Router_B(config-isakmp)#encryption des
  Router_B(config-isakmp)#group 1
  Router_B(config-isakmp)#hash md5
  Router_B(config-isakmp)#lifetime 86400
  Router_B(config-isakmp)#exit
  Router_B(config)#crypto isakmp key cisco address 200.200.200.1
  Router_B(config)#crypto ipsec transform-set TS-IPSEC esp-des esp-md5-hmac
  Router_B(cfg-crypto-trans)#mode tunnel
  Router_B(cfg-crypto-trans)#exit
  Router_B(config)#crypto map MAP-IPSEC 1 ipsec-isakmp
  Router_B(config-crypto-map)#match address 100
  Router_B(config-crypto-map)#set peer 200.200.200.1
  Router_B(config-crypto-map)#set transform-set TS-IPSEC
  Router_B(config-crypto-map)#set security-association lifetime seconds 3600
  Router_B(config-crypto-map)#exit
  Router_B(config)#interface fastEthernet 0
  Router_B(config-if)#crypto map MAP-IPSEC
  Router_B(config-if)#exit
  Router_B(config)#ip route 0.0.0.0 0.0.0.0 200.200.200.1

= Check command of SA

Verify Phase 1 (the ISAKMP SA) first; the state should be QM_IDLE with status ACTIVE:

  Router#show crypto isakmp sa
  dst             src             state          conn-id slot status
  200.200.200.1   200.200.200.2   QM_IDLE              1    0 ACTIVE

Then verify Phase 2 (the IPsec SAs). The encaps/decaps counters increasing in both directions show that the tunnel is actually carrying traffic. Note that this sample output shows esp-3des esp-sha-hmac and a 172.17.0.0 remote identity, which differ from the transform-set and crypto ACLs configured above, so compare the negotiated values against your own configuration rather than against this listing:

  Router#show crypto ipsec sa

  interface: Ethernet0/0
      Crypto map tag: MAP-IPSEC, local addr 200.200.200.1

     protected vrf: (none)
     local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
     current_peer 200.200.200.2 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 389, #pkts encrypt: 389, #pkts digest: 389
      #pkts decaps: 20074, #pkts decrypt: 20074, #pkts verify: 20074
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0

       local crypto endpt.: 200.200.200.1, remote crypto endpt.: 200.200.200.2
       path mtu 1500, ip mtu 1500
       current outbound spi: 0xE7EEA452(3891176530)

       inbound esp sas:
        spi: 0x1D806785(494954373)
          transform: esp-3des esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2001, flow_id: SW:1, crypto map: MAP-IPSEC
          sa timing: remaining key lifetime (k/sec): (4539574/1660)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE

       inbound ah sas:

       inbound pcp sas:

       outbound esp sas:
        spi: 0xE7EEA452(3891176530)
          transform: esp-3des esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2002, flow_id: SW:2, crypto map: MAP-IPSEC
          sa timing: remaining key lifetime (k/sec): (4541727/1659)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE

       outbound ah sas:

       outbound pcp sas:

= show run of cisco 3600

  cisco3640#sh run
  Building configuration...

  Current configuration : 1526 bytes
  !
  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  !
  hostname cisco3640
  !
  boot-start-marker
  boot-end-marker
  !
  enable password cisco
  !
  no aaa new-model
  !
  resource policy
  !
  ip subnet-zero
  !
  ip cef
  no ip dhcp use vrf connected
  !
  no ip ips deny-action ips-interface
  !
  no ftp-server write-enable
  !
  crypto isakmp policy 1
   hash md5
   authentication pre-share
  crypto isakmp key cisco address 200.200.200.2
  no crypto isakmp ccm
  !
  crypto ipsec transform-set TS-IPSEC esp-des esp-md5-hmac
  !
  crypto map MAP-IPSEC 1 ipsec-isakmp
   set peer 200.200.200.2
   set transform-set TS-IPSEC
   match address 100
  !
  interface Ethernet0/0
   no ip address
   shutdown
   half-duplex
  !
  interface Ethernet0/1
   no ip address
   shutdown
   half-duplex
  !
  interface Ethernet1/0
   ip address 200.200.200.1 255.255.255.0
   ip access-group 150 in
   half-duplex
   crypto map MAP-IPSEC
  !
  interface Ethernet1/1
   ip address 192.168.0.1 255.255.255.0
   half-duplex
  !
  ip http server
  no ip http secure-server
  !
  ip classless
  ip route 0.0.0.0 0.0.0.0 200.200.200.2
  !
  access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
  access-list 150 permit ahp host 200.200.200.2 any
  access-list 150 permit esp host 200.200.200.2 any
  access-list 150 permit udp host 200.200.200.2 any eq isakmp
  access-list 150 permit tcp any any eq smtp
  !
  control-plane
  !
  line con 0
  line aux 0
  line vty 0 4
   exec-timeout 30 0
   password cisco
   login
  !
  end

== show version of cisco 3600

  Router#show version
  Cisco IOS Software, 3600 Software (C3640-IK9O3S-M), Version 12.3(14)T5, RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2005 by Cisco Systems, Inc.
  Compiled Mon 24-Oct-05 23:31 by kellythw

  ROM: System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

  Router uptime is 4 minutes
  System returned to ROM by power-on
  System image file is "flash:c3640-ik9o3s-mz.123-14.T5.bin"

= show run of cisco 7200

  cisco7206#show run
  Building configuration...

  Current configuration : 2868 bytes
  !
  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  !
  hostname cisco7206
  !
  enable password cisco
  !
  no aaa new-model
  ip subnet-zero
  !
  ip cef
  !
  ip audit notify log
  ip audit po max-events 100
  ip ssh break-string
  no ftp-server write-enable
  !
  crypto isakmp policy 1
   hash md5
   authentication pre-share
  crypto isakmp key cisco address 200.200.200.1
  !
  crypto ipsec transform-set TS-IPSEC esp-des esp-md5-hmac
  !
  crypto map MAP-IPSEC 1 ipsec-isakmp
   set peer 200.200.200.1
   set transform-set TS-IPSEC
   match address 100
  !
  no scripting tcl init
  no scripting tcl encdir
  !
  no voice hpi capture buffer
  no voice hpi capture destination
  !
  interface FastEthernet0/0
   no ip address
   shutdown
   duplex half
   media-type mii
  !
  interface Ethernet1/0
   ip address 200.200.200.2 255.255.255.0
   duplex half
   crypto map MAP-IPSEC
  !
  interface Ethernet1/1
   ip address 172.16.0.1 255.255.0.0
   duplex half
  !
  interface Ethernet1/2
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet1/3
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet1/4
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet1/5
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet1/6
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet1/7
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet3/0
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet3/1
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet3/2
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet3/3
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet4/0
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet4/1
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet4/2
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet4/3
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet5/0
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet5/1
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet5/2
   no ip address
   shutdown
   duplex half
  !
  interface Ethernet5/3
   no ip address
   shutdown
   duplex half
  !
  interface Serial6/0
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial6/1
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial6/2
   no ip address
   shutdown
   serial restart-delay 0
  !
  interface Serial6/3
   no ip address
   shutdown
   serial restart-delay 0
  !
  ip classless
  ip route 0.0.0.0 0.0.0.0 200.200.200.1
  no ip http server
  no ip http secure-server
  !
  access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
  !
  gatekeeper
   shutdown
  !
  line con 0
   transport preferred all
   transport output all
   stopbits 1
  line aux 0
   transport preferred all
   transport output all
   stopbits 1
  line vty 0 4
   exec-timeout 30 0
   password cisco
   login
   transport preferred all
   transport input all
   transport output all
  !
  end

== show version of cisco 7200

  Router#show version
  Cisco Internetwork Operating System Software
  IOS (tm) 7200 Software (C7200-IK9O3S-M), Version 12.3(2)T, RELEASE SOFTWARE (fc1)
  Synched to technology version 12.3(1.9)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2003 by cisco Systems, Inc.
  Compiled Fri 25-Jul-03 11:13 by ccai
  Image text-base: 0x60008954, data-base: 0x61FAA000

  ROM: System Bootstrap, Version 11.1(5) [mkamson 5], RELEASE SOFTWARE (fc1)
  BOOTLDR: 7200 Software (C7200-BOOT-M), Version 11.1(6), RELEASE SOFTWARE (fc1)

  Router uptime is 0 minutes
  System returned to ROM by power-on
  System image file is "slot0:c7200-ik9o3s-mz.123-2.T.bin"
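Every Phase 1 and Phase 2 parameter in the Router_A and Router_B sections above has to agree between the two ends (and the crypto ACLs have to be exact mirror images), so it pays to check the two configurations against each other before bringing the tunnel up. The following Python checker is an added example, not part of this page or of Cisco IOS; the two config fragments are constructed from the Router_A/Router_B commands above, and the list of algorithms it flags as deprecated (DES, MD5, DH group 1) is the editor's own.

```python
import re

# Constructed from the Router_A crypto settings on this page; Router_B is its
# mirror image (crypto ACL reversed, peer address swapped), as on the page.
ROUTER_A = """\
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
crypto isakmp policy 1
 encryption des
 hash md5
 group 1
crypto isakmp key cisco address 200.200.200.2
crypto ipsec transform-set TS-IPSEC esp-des esp-md5-hmac
crypto map MAP-IPSEC 1 ipsec-isakmp
 set peer 200.200.200.2
"""
ROUTER_B = ROUTER_A.replace("192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255",
                            "172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255"
                            ).replace("200.200.200.2", "200.200.200.1")
# Algorithms this check flags as deprecated (editor's list): DES, MD5 and DH group 1.
WEAK = {"encryption des", "hash md5", "group 1", "esp-des", "esp-md5-hmac"}

def parse_crypto(cfg):
    """Extract the parameters that must agree (or mirror) between two crypto-map peers."""
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else ""
    acl = re.search(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    return {
        "local": acl.group(1), "remote": acl.group(2),  # crypto ACL source / destination
        "ike": frozenset(m.group(0).strip() for m in
                         re.finditer(r"^ (?:encryption|hash|group) \S+", cfg, re.M)),
        "key": one(r"^crypto isakmp key (\S+) address"),
        "key_addr": one(r"^crypto isakmp key \S+ address (\S+)"),
        "transform": frozenset(one(r"^crypto ipsec transform-set \S+ (.+)$").split()),
        "peer": one(r"^ set peer (\S+)"),
    }

def check_pair(cfg_a, cfg_b):
    """Return findings; an empty list means both ends agree and use no flagged algorithm."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    checks = [
        ((a["local"], a["remote"]) != (b["remote"], b["local"]), "crypto ACLs are not mirror images"),
        (a["key"] != b["key"], "pre-shared keys differ"),
        (a["ike"] != b["ike"], "IKE phase 1 policy (encryption/hash/group) differs"),
        (a["transform"] != b["transform"], "IPsec transform-sets differ"),
        (a["key_addr"] != a["peer"] or b["key_addr"] != b["peer"],
         "pre-shared key is bound to an address other than set peer"),
    ]
    out = [msg for bad, msg in checks if bad]
    used = a["ike"] | a["transform"] | b["ike"] | b["transform"]
    return out + [f"deprecated algorithm in use: {alg}" for alg in sorted(WEAK & used)]

FINDINGS = check_pair(ROUTER_A, ROUTER_B)  # five deprecated-algorithm findings, no mismatches
```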
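The Check command of SA section is usually done by eye; this added example (not from the page or from Cisco) parses a constructed excerpt of the show crypto ipsec sa output above and compares the negotiated ESP transform, anti-replay flag and traffic counters against what was configured. Run on this page's output it reports the esp-3des esp-sha-hmac versus esp-des esp-md5-hmac mismatch noted in that section.

```python
import re

# Constructed excerpt of the "show crypto ipsec sa" output shown on this page.
SHOW_IPSEC_SA = """\
   Crypto map tag: MAP-IPSEC, local addr 200.200.200.1
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   current_peer 200.200.200.2 port 500
    #pkts encaps: 389, #pkts encrypt: 389, #pkts digest: 389
    #pkts decaps: 20074, #pkts decrypt: 20074, #pkts verify: 20074
     inbound esp sas:
      spi: 0x1D806785(494954373)
        transform: esp-3des esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xE7EEA452(3891176530)
        transform: esp-3des esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
"""
CONFIGURED_TRANSFORM = "esp-des esp-md5-hmac"  # the transform-set TS-IPSEC configured above
# One ESP SA per direction: direction, SPI, transform, anti-replay flag, status.
SA_RE = re.compile(r"(inbound|outbound) esp sas:\s+spi: (0x[0-9A-Fa-f]+).*?transform: (.+?) ,"
                   r".*?replay detection support: (\w).*?Status: (\w+)", re.S)

def parse_ipsec_sa(text):
    """Return the per-direction ESP SAs plus the encaps/decaps packet counters."""
    sas = {d: {"spi": spi, "transform": tf.split(), "replay": rep == "Y", "status": st}
           for d, spi, tf, rep, st in SA_RE.findall(text)}
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    return {"sas": sas, "counters": counters}

def verify_tunnel(text, configured_transform):
    """Post-change checks on a show crypto ipsec sa dump; an empty list means healthy."""
    sa, out = parse_ipsec_sa(text), []
    for d in ("inbound", "outbound"):
        s = sa["sas"].get(d)
        if s is None or s["status"] != "ACTIVE":
            out.append(f"{d} ESP SA missing or not ACTIVE")
        elif sorted(s["transform"]) != sorted(configured_transform.split()):
            out.append(f"{d} SA negotiated {' '.join(s['transform'])}, config says {configured_transform}")
        elif not s["replay"]:
            out.append(f"{d} SA has anti-replay disabled")
    if any(sa["counters"].get(k, 0) == 0 for k in ("encaps", "decaps")):
        out.append("traffic is not flowing in both directions")
    return out

FINDINGS = verify_tunnel(SHOW_IPSEC_SA, CONFIGURED_TRANSFORM)  # two transform mismatches
```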