
Cisco 1760 - IPSec Tunnel

Posted on 2006-07-10
Last Modified: 2011-09-20
Hi All,

I have been asked to configure a site to site tunnel for the network and am getting a lot of mixed information about it.

I have a Cisco 1760 - without the VPN Module.  I assumed this would be the end of it, and that we would need that module, but I found this -> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml <- which seems to suggest it is possible without that Module.

Incidentally, this tunnel is not going to be doing much work - heavy load seems to be the only reason for the VPN module (correct me if I am wrong!)

So, to kick-start what is no doubt going to be 10 (individual EE) Questions from me;

CAN my 1760 handle this site to site IPSec VPN as it is now?

The other end is a Checkpoint something with the following confusion :)
Version:      NG AI R55 HFA 09
Transforms:      ESP 3DES
ISA Timers:      IKE=....; IPSEC=....

Thanks in advance - 500 points cause I am in a hurry for a change :)

-red
0
Question by:redseatechnologies
14 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 1000 total points
ID: 17078215
Correct, the VPN module offloads encryption from the main processor so if you are pushing heavy traffic through the tunnel, your router CPU won't be tied up doing encryption.  Essential for high volumes of IPSEC traffic but you can get away without it.

First off, you need to make sure the 1760's IOS supports IPSEC.  You need an IOS with IPSEC support to configure VPNs.  You can use the "Software Advisor" tool on Cisco's site if you have a CCO account; if not, post your IOS version and someone here can verify it has IPSEC support.

Seeing as the Checkpoint Firewall supports IPSEC, you shouldn't have a problem establishing a tunnel between the two.
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17078440
Thanks for the response JFrederick29,

I have IOS version 12.4

The router is relatively new, ~6 months, so I assume it is a recent, if not the latest IOS for this router.

Will that IOS Support IPSEC?

Thanks again

-red
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17080697
It's the feature set that dictates whether it will support IPSEC or not, i.e. advanced IP services, advanced enterprise services, etc...
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17083164
Do a show flash and post the c1700.x.x.x info and that will tell us if you can encrypt the data or not.  BTW encryption hits the router CPU hard without the card, so what is more important, encryption or performance?

Thanks
scott
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17086608
Hi Guys,

show flash returns this;

c1700-y7-mz.124-1c.bin

Encryption is more important than performance - we only have minimal users, and data going over this tunnel will be very little

If that flash doesn't support it, then I assume it should be just a matter of reflashing the router, right?

I also have some questions that the other end of the tunnel want to know (but as yet, I have no idea about it). Should I ask that here, or would you prefer a new question?

Thanks

-red
0
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 1000 total points
ID: 17087146
this image is not an encryption image....

you would want the following.

c1700-advsecurityk9-mz.124-8.bin 64 meg ram 16 meg flash

that is 12.4

12.3

c1700-advsecurityk9-mz.123-19.bin then you would need 48 meg ram 16 meg flash and this is GD so you know it is stable.

Thanks
Scott
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17087907
Right,

I think I only have 32MB ram - will it still work?  If so, how do I do it (and where do I get the flash from) I haven't started googling yet :)

This help?

axis-rd1#sh hard
Cisco IOS Software, C1700 Software (C1700-Y7-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 06:46 by evmiller

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

axis-rd1 uptime is 4 weeks, 1 hour, 54 minutes
System returned to ROM by power-on
System image file is "flash:c1700-y7-mz.124-1c.bin"

Cisco 1760 (MPC860P) processor (revision 0x600) with 57550K/7986K bytes of memory.
Processor board ID FOC094748LP (2384546931), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 FastEthernet interface
2 ATM interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

axis-rd1#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17089635
You actually have 32MB of Flash and 64MB of RAM so you are in good shape to load the new image.
0
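
The checks worked through in the posts above, as an added example that is not part of the original thread: read the running image and installed memory from `show version`, test whether the image name carries a crypto feature set, and compare the hardware against the RAM/flash figures quoted for the suggested images. The function names are hypothetical, the sample text is constructed from the posted output with the wrapped lines rejoined, and treating `k9` in the feature-set token as the crypto marker is an assumption based on Cisco's IOS image naming convention.

```python
import re

# Constructed sample: the relevant lines of the "show version" output posted above.
SHOW_VERSION = """\
System image file is "flash:c1700-y7-mz.124-1c.bin"
Cisco 1760 (MPC860P) processor (revision 0x600) with 57550K/7986K bytes of memory.
32768K bytes of processor board System flash (Read/Write)
"""

# (RAM MB, flash MB) requirements as quoted in the thread for the suggested images.
REQUIREMENTS = {
    "c1700-advsecurityk9-mz.124-8.bin": (64, 16),
    "c1700-advsecurityk9-mz.123-19.bin": (48, 16),
}

def parse_show_version(text):
    """Extract image name, total DRAM (MB) and flash (MB) from show version output."""
    image = re.search(r'System image file is "(?:\w+:)?([^"]+)"', text).group(1)
    proc_k, io_k = map(int, re.search(
        r"with (\d+)K/(\d+)K bytes of memory", text).groups())
    flash_k = int(re.search(
        r"(\d+)K bytes of processor board System flash", text).group(1))
    # IOS prints DRAM as processor/IO memory; installed RAM is the sum of both.
    return {"image": image,
            "ram_mb": (proc_k + io_k) // 1024,
            "flash_mb": flash_k // 1024}

def feature_set(image):
    """Return the feature-set token of an image name, e.g. 'y7' or 'advsecurityk9'."""
    m = re.match(r"c\d+-([a-z0-9]+)-", image)
    return m.group(1) if m else None

def has_crypto(image):
    """Assumption: a 'k9' marker in the feature set denotes an encryption image."""
    fs = feature_set(image)
    return bool(fs) and "k9" in fs

def can_load(hw, candidate):
    """Compare installed RAM/flash with the figures quoted for a candidate image."""
    need_ram, need_flash = REQUIREMENTS[candidate]
    return hw["ram_mb"] >= need_ram and hw["flash_mb"] >= need_flash

if __name__ == "__main__":
    hw = parse_show_version(SHOW_VERSION)
    print(hw, "crypto image:", has_crypto(hw["image"]))
    for name in REQUIREMENTS:
        print(name, "fits:", can_load(hw, name))
```

The flash figure is total capacity, not free space, so `show flash` still needs checking before copying a second image alongside the running one.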
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17091430
Yup, image should work, but if you're much over 800K in data rate your performance will suffer due to the encryption.

Thanks
Scott
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17095161
Yeah, I saw this >  57550K/7986K bytes of memory.  < and was hopeful!

Thanks for your help guys, I just downloaded the only image I could find (not being a cisco.com member) which is c1700-advsecurityk9-mz.124-7.bin

I am not sure if this image will work (but assume it would as it is so close) and worse than that, I am not sure that this image has not been tampered with between cisco and me.

First, how do you update the image, and second, is there somewhere else that I can download the correct image from?

Thanks

-red
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17095250
The only way to verify the image is to have access to a CCO account.  The simple way to do this is to get a tftp server on a laptop and then issue a copy tftp flash
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17095986
Well technically, you need to purchase a license for the IOS with the feature set you need since you bought the router with the base image.
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17096017
Ok, thanks for your help guys, I will look into the IOS license and go from there

-red
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17097858
The saga continues;

I would love your help here guys

http://www.experts-exchange.com/Hardware/Routers/Q_21917774.html

Thanks

-red
0
