Configuring IPSec Between Three Routers Using Private Addresses
Introduction

This document describes a fully meshed configuration with three routers that use private addresses. The example illustrates these features:


  • Encapsulating Security Payload (ESP) - Data Encryption Standard (DES) only
  • Pre-shared keys
  • Private networks behind each router: 192.168.1.0, 192.168.2.0, and 192.168.3.0
  • isakmp policy and crypto map configuration
  • Tunnel traffic defined with the access-list and route-map commands. In addition to Port Address Translation (PAT), route maps can be applied to a one-to-one static Network Address Translation (NAT) on Cisco IOS® Software Release 12.2(4)T2 and later. For more information, refer to NAT - Ability to Use Route Maps with Static Translations Feature Overview.

Note: Encryption technology is subject to export controls. It is your responsibility to know the law regarding export of encryption technology. See the Bureau of Export Administration home page for more information. If you have any questions regarding export control, please send an email to export@cisco.com.

Prerequisites

Requirements

There are no specific requirements for this document.


Components Used

The information in this document is based on these software and hardware versions:


  • Cisco IOS Software Release 12.3(7)T.
  • Cisco routers configured with IPSec.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.


Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses this network setup:



Configurations

This document uses these configurations:


  • Router 1
  • Router 2
  • Router 3
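
As an added example (not one of the document's own Router 1, 2 or 3 configurations), this is how the features listed in the Introduction fit together on Router 1 of the full mesh: the ISAKMP policy, one pre-shared key per peer, an ESP-DES transform set, a crypto map with one entry per peer, and the route-map that keeps LAN-to-LAN traffic out of PAT. The public addresses 10.1.1.1, 10.2.2.2 and 10.3.3.3, the interface names and the key value are constructed placeholders.

```cisco
! Added example, not the document's Router 1 configuration. Public addresses
! 10.1.1.1 (R1), 10.2.2.2 (R2), 10.3.3.3 (R3) and the key are placeholders.
!
! Phase 1 (ISAKMP) policy: DES, MD5, pre-shared keys, DH group 1
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
! One pre-shared key per peer; the peer must hold the same key for 10.1.1.1
crypto isakmp key cisco123 address 10.2.2.2
crypto isakmp key cisco123 address 10.3.3.3
!
! Phase 2 transform set: ESP with DES only (no ESP authentication)
crypto ipsec transform-set des-only esp-des
!
! One crypto map, one entry per peer, each matching its own crypto ACL
crypto map vpn 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set des-only
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer 10.3.3.3
 set transform-set des-only
 match address 102
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 crypto map vpn
!
! PAT for Internet-bound traffic; the route-map exempts tunnel traffic so
! the crypto ACLs still see the private source addresses
ip nat inside source route-map nonat interface Serial0 overload
route-map nonat permit 10
 match ip address 110
!
! Crypto ACLs: traffic to encrypt toward each peer
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! NAT exemption: deny = do not translate LAN-to-LAN traffic, PAT the rest
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
```

Routers 2 and 3 mirror this with their own LAN, peers and crypto ACLs; the crypto ACL on each side of a tunnel must be the exact mirror image of its peer's, and the NAT-exemption ACL must deny every LAN-to-LAN pair or the translated source address will never match the crypto ACL. DES and MD5 appear only because this document is built around ESP-DES; on current releases you would select AES and SHA-based transforms instead.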



Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • show crypto engine connections active - Shows encrypted and decrypted packets between IPSec peers.
  • show crypto isakmp sa - Shows all current IKE security associations (SAs) at a peer.
  • show crypto ipsec sa - Shows the settings used by current (IPSec) SAs.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands.

Note: The following debugs must be running on both IPSec routers (peers). Clearing SAs must be done on both peers.


  • debug crypto isakmp - Displays errors during Phase 1.
  • debug crypto ipsec - Displays errors during Phase 2.
  • debug crypto engine - Displays information from the crypto engine.
  • clear crypto connection connection-id [slot | rsm | vip] - Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to learn the connection-id value.
  • clear crypto isakmp - Clears the Phase 1 SAs.
  • clear crypto sa - Clears the Phase 2 SAs.

Related Information
  • IPSec Support Page
  • Technical Support - Cisco Systems

All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
