Thursday, April 20, 2006
IPSec Access List. (Question #56)
Consider two routers connected via their serial interfaces and configured for IPSec with the following configuration:
Router1
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28000
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set myset
match address 101
!
interface Ethernet0
ip address 10.1.1.254 255.255.255.0
no keepalive
no clns route-cache
!
interface Serial2
ip address 172.16.1.1 255.255.0.0
no keepalive
serial restart-delay 0
no clns route-cache
crypto map mymap
!
access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Router2
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28000
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 101
!
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
no keepalive
no clns route-cache
!
interface Serial2
ip address 172.16.1.2 255.255.0.0
no keepalive
serial restart-delay 0
no clns route-cache
crypto map mymap
!
access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Will the following ping command issued on Router1 succeed?
ping 192.168.1.254 source 10.1.1.254
Will the fact that UDP (which is used by IKE for key negotiation) is being denied by the ACL in the crypto map cause a problem?
Comments:
Yes the ping will succeed. The access list is used only as a criterion to determine which user data will be encrypted - not for filtering signalling traffic to set up the security association.
I just noticed that the access lists were not complete. They also have to match the incoming encrypted traffic. So each access list should be:
access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
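To make the selector semantics concrete, here is an added Python model (not part of the post or of IOS) that parses the two crypto ACLs from the configs above and traces the ping and the IKE exchange through both routers. The mirror-image check on inbound traffic is documented IOS behaviour; the function names and the string-based ACL representation are assumptions of this example.

```python
import ipaddress

# Constructed from the page's own access-list lines (one per router).
ROUTER1_ACL_TEXT = "access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"
ROUTER2_ACL_TEXT = "access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"

def parse_acl(text):
    """Parse 'access-list N permit PROTO SRC SRC_WC DST DST_WC' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[2] == "permit":
            entries.append((f[3], f[4], f[5], f[6], f[7]))
    return entries

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def acl_matches(acl, proto, src, dst):
    return any(proto == p and wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for p, s, sw, d, dw in acl)

def outbound(acl, proto, src, dst):
    """Crypto map on the egress interface: a match means 'protect'; a miss means the
    packet is forwarded in the clear. Nothing is dropped, so IKE between the peers
    (UDP/500 sourced from the serial addresses) is not affected by the crypto ACL."""
    return "protect" if acl_matches(acl, proto, src, dst) else "clear"

def inbound(acl, proto, src, dst, encrypted):
    """Ingress: IOS evaluates the mirror image of the same ACL. Decrypted traffic that
    matches the mirror is accepted; clear-text traffic that matches the mirror should
    have been protected by the peer and is discarded."""
    expected = acl_matches(acl, proto, dst, src)
    if not expected:
        return "accept-clear"
    return "accept-decrypted" if encrypted else "drop"

def ping_round_trip():
    """Trace 'ping 192.168.1.254 source 10.1.1.254' and the IKE packet through both routers."""
    r1, r2 = parse_acl(ROUTER1_ACL_TEXT), parse_acl(ROUTER2_ACL_TEXT)
    req_out = outbound(r1, "icmp", "10.1.1.254", "192.168.1.254")
    req_in = inbound(r2, "icmp", "10.1.1.254", "192.168.1.254", req_out == "protect")
    rep_out = outbound(r2, "icmp", "192.168.1.254", "10.1.1.254")
    rep_in = inbound(r1, "icmp", "192.168.1.254", "10.1.1.254", rep_out == "protect")
    ike = outbound(r1, "udp", "172.16.1.1", "172.16.1.2")
    return {"request": (req_out, req_in), "reply": (rep_out, rep_in), "ike": ike}
```

Running `ping_round_trip()` shows both legs of the ping protected and accepted on the far side, while the IKE packet leaves in the clear because the ACL selects traffic rather than filtering it.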