
Confused - VPN 1


mrn (MIS), joined Apr 27, 2001, 3,993 messages, location GB
Hello,

Just wondered if someone could clear something up for me.

How do policies work?

I thought I'd got it but looking at the config on one of my routers I'm not sure now.

I have

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key atest address 1.0.0.0 no-xauth

crypto ipsec transform-set my_vpn esp-3des esp-md5-hmac

crypto map my_vpn 1 ipsec-isakmp
description A test
set peer 10.10.0.0
set transform-set my_vpn
match address 101

Does the 1 in "crypto map my_vpn 1 ipsec-isakmp" refer to the policy?

Regards

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

 
You can only have one crypto map applied to the interface, so the "1" just has local significance as a sequence number. It doesn't refer to anything else. So, if you had a number of VPNs then you might have:

crypto map my_vpn 1 ipsec-isakmp
description A test
set peer 10.10.0.0
set transform-set my_vpn
match address 101
!
crypto map my_vpn 2 ipsec-isakmp
description Another test
set peer 172.16.1.1
set transform-set my_vpn
match address 102
!
crypto map my_vpn 3 ipsec-isakmp
description Some other VPN
set peer 1.2.3.4
set transform-set my_vpn
match address 103

etc...

You only have one crypto map (my_vpn) but with three different VPNs applied to it. The number only refers to the settings for that VPN peer within the crypto map.

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
 
Thanks,

So how does the policy tie in?

Mike


 
If you mean the ISAKMP policy, it negotiates a matching policy with the other end. The ISAKMP policy is the phase 1 IKE negotiation. The crypto map refers to phase 2 IPsec. Phase 2 only comes into play when you have a phase 1 SA set up, so there is nothing in the crypto map that "ties in" to the ISAKMP policy.

Chris.

 
I'm still confused (no surprise there, then).

How does this part

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

relate to this part?

crypto map my_vpn 1 ipsec-isakmp
description A test
set peer 10.10.0.0
set transform-set my_vpn
match address 101

Mike


 
Mike,

This part ...

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

... is the phase 1 IKE setup. When two peers are trying to establish a VPN they will compare the IKE policies to see if they have one that matches. If they do, then they go ahead and complete a Diffie-Hellman key exchange and form a phase 1 SA. The end result is a key that can be used as a seed to generate more keys for encryption, hashing etc.

This bit ...

crypto map my_vpn 1 ipsec-isakmp
description A test
set peer 10.10.0.0
set transform-set my_vpn
match address 101

... is the phase 2 part and defines the actual IPsec policy. It's an ipsec-isakmp VPN. It defines the peer address of the VPN gateway at the other end, the transform set to be used for the encryption and hash algorithms, and the traffic that this policy should be applied to. So, you have two bits that relate to two processes:

1. ISAKMP/IKE for phase 1 key exchange

2. IPsec for encryption and/or authentication

You could have a whole bunch of isakmp policies and one crypto map statement, or one isakmp policy and a bunch of crypto map peers, as long as the two ends of the VPN first agree on a phase 1 policy and then agree on IPsec parameters.

Chris.



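To make the two points in Chris's replies concrete (the crypto map sequence number is only local ordering, and phase 1 policy selection is a separate negotiation that the crypto map never references), here is an added example that is not from the thread or from Cisco. It is a small Python model of how IOS behaves: crypto map entries are tried in sequence order and the first ACL hit picks the peer and transform set; ISAKMP policies are walked lowest number first and the first one a remote proposal matches on all four attributes wins. The config text is constructed from the thread's snippets; the second policy (10, aes 256/sha256/group 14), the ACL bodies for 101 and 102, and all addresses are assumptions for illustration. Lifetimes are ignored.

```python
# Added example, not from the Tek-Tips thread: a small model of how IOS pairs
# ISAKMP (phase 1) policies with crypto map entries (phase 2). Config lines are
# constructed from the thread's snippets; policy 10 and the ACL bodies are assumed.
import ipaddress
import re
from dataclasses import dataclass

LOCAL_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto map my_vpn 1 ipsec-isakmp
 description A test
 set peer 10.10.0.0
 set transform-set my_vpn
 match address 101
crypto map my_vpn 2 ipsec-isakmp
 description Another test
 set peer 172.16.1.1
 set transform-set my_vpn
 match address 102
"""

# Constructed ACL bodies (the thread never shows 101/102): (source net, destination net)
ACLS = {
    "101": [("192.168.1.0/24", "192.168.10.0/24")],
    "102": [("192.168.1.0/24", "192.168.20.0/24")],
}
PHASE1_KEYS = ("encr", "hash", "authentication", "group")


@dataclass
class IsakmpPolicy:
    priority: int          # the number after "crypto isakmp policy"
    attrs: dict            # encr / hash / authentication / group


@dataclass
class CryptoMapEntry:
    name: str
    seq: int               # the number after "crypto map my_vpn"; local ordering only
    peer: str = ""
    transform_set: str = ""
    acl: str = ""


def parse_config(text):
    """Split an IOS snippet into ISAKMP policies and crypto map entries."""
    policies, entries, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            current = IsakmpPolicy(int(m.group(1)), {})
            policies.append(current)
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
        elif isinstance(current, IsakmpPolicy) and line:
            key, _, value = line.partition(" ")
            current.attrs[key] = value
        elif isinstance(current, CryptoMapEntry) and line.startswith("set peer "):
            current.peer = line.split()[2]
        elif isinstance(current, CryptoMapEntry) and line.startswith("set transform-set "):
            current.transform_set = line.split()[2]
        elif isinstance(current, CryptoMapEntry) and line.startswith("match address "):
            current.acl = line.split()[2]
    return sorted(policies, key=lambda p: p.priority), sorted(entries, key=lambda e: e.seq)


def acl_permits(acl_id, src, dst):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in ipaddress.ip_network(s) and dst_ip in ipaddress.ip_network(d)
               for s, d in ACLS.get(acl_id, []))


def select_crypto_map_entry(entries, src, dst):
    """Phase 2: entries are tried in sequence order; the first ACL hit decides the
    peer and transform set. The sequence number never points at an ISAKMP policy."""
    return next((e for e in entries if acl_permits(e.acl, src, dst)), None)


def negotiate_phase1(local_policies, remote_proposals):
    """Phase 1: walk local policies lowest number first and take the first one that
    a remote proposal matches on all four attributes (lifetimes ignored here)."""
    for pol in local_policies:
        for prop in remote_proposals:
            if all(pol.attrs.get(k) == prop.get(k) for k in PHASE1_KEYS):
                return pol
    return None


def bring_up_tunnel(config_text, src, dst, remote_proposals):
    """Return (policy priority, map seq, peer, transform set) or None if no SA forms."""
    policies, entries = parse_config(config_text)
    entry = select_crypto_map_entry(entries, src, dst)
    if entry is None:
        return None            # no crypto map hit: traffic is not protected at all
    policy = negotiate_phase1(policies, remote_proposals)
    if policy is None:
        return None            # phase 1 failed, so no phase 2 SA either
    return policy.priority, entry.seq, entry.peer, entry.transform_set
```

Two things worth noticing when you run it. First, the crypto map number only decides which entry is consulted first for a given flow; changing it to 5 or 50 changes nothing about which ISAKMP policy is used. Second, because the lowest-numbered ISAKMP policy that the peer also offers wins, the 3des/md5/group 2 policy at priority 1 is selected whenever the far end proposes it, even though a stronger policy exists. 3DES, MD5 and DH group 2 are all deprecated, so the practical fix is to remove such a policy rather than to rely on the peer not offering it.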
 
Thanks for clearing that up for me. Your help is very much appreciated.

Mike


 