Introduction
The Software Encryption Algorithm (SEAL) is a software-oriented stream cipher that Cisco IOS offers for IPSec ESP as an alternative to Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). SEAL uses a 160-bit encryption key and has a lower CPU impact than the other software-based algorithms. Because it is a stream cipher, its ciphertext is malleable and its keystream must never be reused; the limitations listed at the end of this document follow directly from those two properties. This document illustrates how to configure a LAN-to-LAN (site-to-site) IPSec tunnel using SEAL.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 7200 series routers running Cisco IOS® Software Release 12.3(7)T
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
Router 1
Router 2
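The Router 1 and Router 2 configurations from the original document are not reproduced on this page. The following is an added example, not Cisco's lab configuration, of a minimal pair of configurations that satisfy the requirements stated later in this document: the crypto map is IKE-negotiated (ipsec-isakmp, never ipsec-manual), and esp-seal is paired with an authentication transform (esp-sha-hmac). The hostnames, interface names, the WAN addresses 10.1.1.1 and 10.2.2.2, the LANs 192.168.1.0/24 and 192.168.2.0/24, and the pre-shared key are all assumptions; replace the key with a strong random value. SEAL is an IPSec (phase 2) transform only, so the IKE policy itself still has to use DES, 3DES or AES.

```cisco
! ===== Router 1 (assumed: WAN 10.1.1.1, LAN 192.168.1.0/24) =====
hostname Router1
!
! IKE phase 1: SEAL is not an IKE encryption option, so AES is used here
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Pre-shared key for the remote peer (placeholder value, assumption)
crypto isakmp key REPLACE-WITH-STRONG-KEY address 10.2.2.2
!
! esp-seal must be combined with an authentication transform;
! "crypto ipsec transform-set SEAL-ONLY esp-seal" would be rejected
crypto ipsec transform-set SEAL-SHA esp-seal esp-sha-hmac
!
! IKE-negotiated crypto map (ipsec-isakmp); ipsec-manual is not allowed with SEAL
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set SEAL-SHA
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
 ip address 10.1.1.1 255.255.255.0
 crypto map VPN-MAP
!
! Interesting traffic: local LAN to remote LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ===== Router 2 (assumed: WAN 10.2.2.2, LAN 192.168.2.0/24) =====
hostname Router2
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 10.1.1.1
!
crypto ipsec transform-set SEAL-SHA esp-seal esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set SEAL-SHA
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial1/0
 ip address 10.2.2.2 255.255.255.0
 crypto map VPN-MAP
!
! Mirror image of Router 1's crypto ACL
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
```

After both routers are configured, send traffic between the two LANs and confirm with show crypto isakmp sa and show crypto ipsec sa that the SAs come up and that the ipsec sa output reports the SEAL-SHA transform; if the router has a hardware crypto accelerator enabled, the transform set will be accepted at configuration time but not used (see the limitations below).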
Verify
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
- show crypto map—Verifies the configuration on the router.
This output is taken from Router 1.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshooting Commands
Note: Before issuing debug commands, refer to Important Information on Debug Commands.
ISAKMP and IPSec Debugs
- show debugging—Displays information about the types of debugging that are enabled for your router.
show Commands
- show crypto isakmp sa—Shows the Internet Security Association and Key Management Protocol (ISAKMP) Security Association (SA) built between peers.
- show crypto ipsec sa—Shows the IPSec SA built between peers.
Limitations with esp-seal Transform Set
There are three limitations on the use of the esp-seal transform set:
- The esp-seal transform set can be used only if no crypto accelerator is present. No current crypto accelerator implements the SEAL encryption transform, and when an accelerator is present it handles all IPSec connections that are negotiated with IKE. On such a router, Cisco IOS software still allows the transform set to be configured, but it warns that the transform set will not be used as long as the crypto accelerator is enabled.
- The esp-seal transform set can be used only in conjunction with an authentication transform set, namely one of these: esp-md5-hmac, esp-sha-hmac, ah-md5-hmac, or ah-sha-hmac. SEAL is a stream cipher, so it provides no protection against modification of the encrypted packet: flipping a bit of the ciphertext flips the corresponding bit of the decrypted plaintext, and the receiving peer cannot detect the change from the decryption alone. The HMAC transform sets are designed to detect exactly such modifications, so one of them is required. If you attempt to configure an IPSec transform set using SEAL without an authentication transform set, an error is generated and the transform set is rejected.
- The esp-seal transform set cannot be used with a manually keyed crypto map (crypto map ... ipsec-manual). With static keys the router would generate the same keystream again after every reboot, and two packets encrypted under the same keystream leak the XOR of their plaintexts, which compromises both of them. Because of this security issue, such a configuration is prohibited: if you attempt to configure a manually keyed crypto map with a SEAL-based transform set, an error is generated and the transform set is rejected. Use an IKE-negotiated crypto map (ipsec-isakmp) so that fresh keys are derived for every SA.
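The second and third limitations above are properties of any stream cipher, not of SEAL in particular. The following is an added illustration that is not part of the Cisco document and does not implement SEAL itself: a generic keystream generator (SHA-256 in counter mode, an assumption standing in for the cipher) is XORed onto constructed packet contents to show, first, that an attacker can rewrite a plaintext field without the key unless an HMAC covers the ciphertext, and second, that reusing one keystream for two packets (what a manually keyed SA does after a reload) lets an eavesdropper who knows one plaintext recover the other. The keys, packet contents and the use of HMAC-SHA-256 truncated to 12 bytes (ESP's real authentication transforms here are MD5 or SHA-1 based, truncated to 96 bits) are all constructed for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Generic stream-cipher keystream: SHA-256(key || nonce || counter) blocks.

    Stand-in for SEAL (assumption): everything below relies only on the
    cipher being a keystream XORed onto the plaintext, not on SEAL's internals.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def forge_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Limitation 2: rewrite a plaintext field in transit without the key.

    XORing (known ^ wanted) into the ciphertext at `offset` makes that span
    decrypt to `wanted`, because the keystream cancels out of the XOR.
    """
    ct = bytearray(ciphertext)
    for i, delta in enumerate(xor_bytes(known, wanted)):
        ct[offset + i] ^= delta
    return bytes(ct)


def esp_auth_tag(auth_key: bytes, ciphertext: bytes) -> bytes:
    """What an esp-*-hmac transform adds: an HMAC over the ciphertext.

    HMAC-SHA-256 truncated to 12 bytes is a constructed stand-in for ESP's
    96-bit HMAC-MD5 / HMAC-SHA-1 tags."""
    return hmac.new(auth_key, ciphertext, hashlib.sha256).digest()[:12]


def esp_auth_ok(auth_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(esp_auth_tag(auth_key, ciphertext), tag)


# Constructed keys: a 160-bit encryption key (SEAL's key size) and a separate HMAC key.
ENC_KEY = bytes(range(20))
AUTH_KEY = bytes(range(32, 64))


def malleability_demo():
    """Returns (plaintext the receiver decrypts from the forged packet,
                HMAC result for the genuine packet, HMAC result for the forged one)."""
    nonce = b"\x00" * 8
    plaintext = b"ACCT=0001;AMT=00100"          # constructed packet payload
    ct = stream_encrypt(ENC_KEY, nonce, plaintext)
    tag = esp_auth_tag(AUTH_KEY, ct)
    # Attacker knows the field layout but not the key; rewrites the account number.
    forged = forge_field(ct, offset=5, known=b"0001", wanted=b"9999")
    received = stream_encrypt(ENC_KEY, nonce, forged)   # esp-seal alone: silently accepted
    return received, esp_auth_ok(AUTH_KEY, ct, tag), esp_auth_ok(AUTH_KEY, forged, tag)


def keystream_reuse_demo():
    """Limitation 3: a manually keyed SA reuses its key (and keystream) after a reload.

    Returns (P2 recovered by an eavesdropper who knows P1, the real P2,
             whether the same trick works once the keystream is fresh)."""
    nonce = b"\x00" * 8                          # same keystream for both packets
    p1 = b"transfer 0100 to bob"                # constructed, assumed known to attacker
    p2 = b"transfer 9000 to eve"                # constructed, same length as p1
    c1 = stream_encrypt(ENC_KEY, nonce, p1)
    c2 = stream_encrypt(ENC_KEY, nonce, p2)
    recovered = xor_bytes(xor_bytes(c1, c2), p1)   # C1^C2 = P1^P2, so P2 = (C1^C2)^P1
    # With IKE-negotiated keys the second packet is under a different keystream.
    c2_fresh = stream_encrypt(ENC_KEY, b"\x01" * 8, p2)
    recovered_fresh = xor_bytes(xor_bytes(c1, c2_fresh), p1)
    return recovered, p2, recovered_fresh == p2


if __name__ == "__main__":
    print(malleability_demo())
    print(keystream_reuse_demo())
```

The first function shows why an esp-seal transform set without esp-sha-hmac (or one of the other HMAC transforms) is rejected: the forged packet decrypts cleanly, and only the HMAC check fails. The second shows why a manually keyed crypto map is refused: once a keystream is reused, one known plaintext exposes the other, whereas under fresh IKE-derived keys the same computation yields nothing.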