Router Security Configuration Guide, Version 1.0g (UNCLASSIFIED), page 174
(key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20,
dest_proxy= 7.12.1.20/255.255.255.255/0/0 (type=1),
src_proxy= 14.2.0.20/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= 3esp-des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x238108A4(595658916), conn_id=100, keysize=0,flags=0x4
4w0d: IPSEC(initialize_sas): ,
(key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20,
dest_proxy= 7.12.1.20/255.255.255.255/0/0 (type=1),
src_proxy= 14.2.0.20/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= 3esp-des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x385219F(59056543), conn_id=101, keysize=0, flags=0x4
4w0d: IPSEC(create_sa): sa created,
(sa) sa_dest= 7.12.1.20, sa_prot= 50,
sa_spi= 0x238108A4(595658916),
sa_trans= 3esp-des esp-sha-hmac , sa_conn_id= 100
4w0d: IPSEC(create_sa): sa created,
(sa) sa_dest= 7.12.1.20, sa_prot= 50,
sa_spi= 0x385219F(59056543),
sa_trans= 3esp-des esp-sha-hmac , sa_conn_id= 101
North# no debug all
4. Use an IP packet sniffer to observe the contents of each packet in the IPSec tunnel negotiation.
This information, like that obtained from running the debug commands on the router, is invaluable in diagnosing exactly where the tunnel negotiation is failing, and for recovering from failures.
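The debug transcript above can be checked mechanically rather than by eye. The following Python is an added example, not part of the guide: it parses IOS `IPSEC(initialize_sas)` and `IPSEC(create_sa)` records and pairs them by SPI, so that a negotiated SA that is never installed, or one installed with a different peer, connection id or transform, stands out. The sample input is constructed from the page's own values (its first header line and one deliberately missing `create_sa` are assumptions).

```python
import re

# Constructed sample modeled on the "debug crypto ipsec" transcript above (values from the
# page; the first header fell on the previous page, and the second SA's create_sa record is
# deliberately left out to show what an SA that never gets installed looks like).
SAMPLE_DEBUG = """\
4w0d: IPSEC(initialize_sas): ,
(key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20,
dest_proxy= 7.12.1.20/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x238108A4(595658916), conn_id=100, keysize=0,flags=0x4
4w0d: IPSEC(initialize_sas): ,
(key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20,
protocol= ESP, transform= esp-des esp-sha-hmac ,
spi= 0x385219F(59056543), conn_id=101, keysize=0, flags=0x4
4w0d: IPSEC(create_sa): sa created,
(sa) sa_dest= 7.12.1.20, sa_prot= 50,
sa_spi= 0x238108A4(595658916),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 100
"""

EVENT_RE = re.compile(r"^\S+: IPSEC\((\w+)\)")         # e.g. "4w0d: IPSEC(create_sa): ..."
FIELD_RE = re.compile(r"(\w+)=\s*([^,]*?)\s*(?:,|$)")  # "key= value," pairs on the lines below it

def parse_ipsec_debug(text):
    """Group debug lines into events: one dict per IPSEC(...) header plus its key=value fields."""
    events = []
    for line in text.splitlines():
        header = EVENT_RE.match(line)
        if header:
            events.append({"event": header.group(1)})
        elif events:
            events[-1].update(FIELD_RE.findall(line))
    return events

def check_sa_pairs(events):
    """Match initialize_sas to create_sa by SPI; return [(spi, problems)], '' meaning consistent."""
    paired = (("sa_dest", "dest"), ("sa_conn_id", "conn_id"), ("sa_trans", "transform"))
    negotiated = {e["spi"]: e for e in events if e["event"] == "initialize_sas"}
    installed = {e["sa_spi"]: e for e in events if e["event"] == "create_sa"}
    report = []
    for spi, neg in negotiated.items():
        sa = installed.get(spi)
        if sa is None:
            report.append((spi, "negotiated but never installed"))
            continue
        problems = [f"{a} != {b}" for a, b in paired if sa.get(a) != neg.get(b)]
        report.append((spi, "; ".join(problems)))
    return report
```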
5.2.2. Using IPSec for Secure Remote Administration
The example used throughout the preceding section was to securely connect two networks from their gateways (which were Cisco routers). This could represent either connecting widely separated networks, or isolating networks within an organization. Another use of IPSec is to protect the administration of a Cisco router. Common ways to administer a Cisco router are to use either telnet (which sends the password in the clear) or SNMP. Since both of these run over IP, IPSec can be used to encrypt this communication, eliminating the threat of a network sniffer seeing either the password being sent across the network or the current configuration.
In this example, a computer on the desk of the administrator is to be used to administer the North router. Let's say the computer the administrator uses to configure the router has IP address 14.2.9.6, which is next to the servers in Figure 4-1. The IP address of the North router on the interface closest to the administrator is 14.2.1.250, so we'll secure a connection to there. First, we'll set up the configuration on the router, then examine the configuration sequence for a PC running Microsoft Windows 2000.