Thursday, April 20, 2006

 

IPSec Access List. (Question #56)

Consider two routers connected via their serial interfaces and configured for IPSec with the following config

Router1

crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28000
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set myset
match address 101
!
interface Ethernet0
ip address 10.1.1.254 255.255.255.0
no keepalive
no clns route-cache
!
interface Serial2
ip address 172.16.1.1 255.255.0.0
no keepalive
serial restart-delay 0
no clns route-cache
crypto map mymap
!
access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255


Router2

crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28000
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 101
!
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
no keepalive
no clns route-cache
!
interface Serial2
ip address 172.16.1.2 255.255.0.0
no keepalive
serial restart-delay 0
no clns route-cache
crypto map mymap
!
access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255


Will the following ping command issued on Router1 succeed?

ping 192.168.1.254 source 10.1.1.254

Will the fact that UDP (which is used by IKE for key negotiation) is being denied by the ACL in the crypto map cause a problem?

Comments:
Yes the ping will succeed. The access list is used only as a criterion to determine which user data will be encrypted - not for filtering signalling traffic to set up the security association.
 
I just noticed that the access lists were not complete. They have to match also the incoming encrypted traffic. So each access list should be

access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 
Ignore my second comment. I stand by my first response.
 
Post a Comment

Links to this post:

Create a Link



<< Home

This page is powered by Blogger. Isn't yours?