Solved

Cisco 1760 - IPSec Tunnel

Posted on 2006-07-10
Last Modified: 2011-09-20
Hi All,

I have been asked to configure a site to site tunnel for the network and am getting a lot of mixed information about it.

I have a Cisco 1760 - without the VPN Module.  I assumed this would be the end of it, and that we would need that module, but I found this -> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml <- which seems to suggest it is possible without that Module.

Incidentally, this tunnel is not going to be doing much work - heavy load seems to be the only reason for the VPN module (correct me if I am wrong!)

So, to kick-start what is no doubt going to be 10 (individual EE) Questions from me;

CAN my 1760 handle this site to site IPSec VPN as it is now?

The other end is a Checkpoint something with the following confusion :)
Version:      NG AI R55 HFA 09
Transforms:      ESP 3DES
ISA Timers:      IKE=....; IPSEC=....

Thanks in advance - 500 points cause I am in a hurry for a change :)

-red
0
Question by:redseatechnologies
14 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 250 total points
ID: 17078215
Correct, the VPN module offloads encryption from the main processor so if you are pushing heavy traffic through the tunnel, your router CPU won't be tied up doing encryption.  Essential for high volumes of IPSEC traffic but you can get away without it.

First off, you need to make sure the 1760's IOS supports IPSEC.  You need an IOS with IPSEC support to configure VPN's.  You can use the "Software Advisor" tool on Cisco's site if you have a CCO account, if not, post your IOS version and someone here can verify it has IPSEC support.

Seeing as the Checkpoint Firewall supports IPSEC, you shouldn't have a problem establishing a tunnel between the two.
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17078440
Thanks for the response JFrederick29,

I have IOS version 12.4

The router is relatively new, ~6 months, so I assume it is a recent, if not the latest IOS for this router.

Will that IOS Support IPSEC?

Thanks again

-red
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17080697
It's the feature set that dictates whether it will support IPSEC or not, i.e. advanced IP services, advanced enterprise services, etc...
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17083164
Do a show flash and post the c1700.x.x.x info and that will tell us if you can encrypt the data or not.  BTW, encryption hits the router CPU hard without the card, so what is more important: encryption or performance?

Thanks
scott
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17086608
Hi Guys,

show flash returns this;

c1700-y7-mz.124-1c.bin

Encryption is more important than performance - we only have minimal users, and data going over this tunnel will be very little

If that flash doesn't support it, then I assume it should be just a matter of reflashing the router, right?

I also have some questions that the other end of the tunnel wants to know (but as yet, I have no idea about it). Should I ask that here, or would you prefer a new question?

Thanks

-red
0
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 250 total points
ID: 17087146
this image is not an encryption image....

you would want the following.

c1700-advsecurityk9-mz.124-8.bin 64 meg ram 16 meg flash

that is 12.4

12.3

c1700-advsecurityk9-mz.123-19.bin then you would need 48 meg ram 16 meg flash and this is GD so you know it is stable.

Thanks
Scott
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17087907
Right,

I think I only have 32MB ram - will it still work?  If so, how do I do it (and where do I get the flash from) I haven't started googling yet :)

This help?

axis-rd1#sh hard
Cisco IOS Software, C1700 Software (C1700-Y7-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 06:46 by evmiller

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

axis-rd1 uptime is 4 weeks, 1 hour, 54 minutes
System returned to ROM by power-on
System image file is "flash:c1700-y7-mz.124-1c.bin"

Cisco 1760 (MPC860P) processor (revision 0x600) with 57550K/7986K bytes of memory.
Processor board ID FOC094748LP (2384546931), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 FastEthernet interface
2 ATM interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

axis-rd1#
0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 17089635
You actually have 32MB of Flash and 64MB of RAM so you are in good shape to load the new image.
0
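The check the answers above do by eye, written out as an added example (not part of the original thread): it reads the image name and memory lines from the posted show version output and compares them with the RAM/flash figures Scotty_cisco quoted. Treating "k9" in the feature-set field as the strong-crypto marker follows Cisco's image naming convention; the function names and the name pattern (which covers only the 12.x names seen in this thread) are assumptions of the example.

```python
import re

# Constructed sample: the relevant lines of the "show version" output posted above.
SHOW_VERSION = """\
System image file is "flash:c1700-y7-mz.124-1c.bin"
Cisco 1760 (MPC860P) processor (revision 0x600) with 57550K/7986K bytes of memory.
32768K bytes of processor board System flash (Read/Write)
"""

# Minimum (RAM MB, flash MB) per image, as quoted in the thread.
REQUIREMENTS = {
    "c1700-advsecurityk9-mz.124-8.bin": (64, 16),
    "c1700-advsecurityk9-mz.123-19.bin": (48, 16),
}

IMAGE_RE = re.compile(
    r"^(?P<platform>c\d+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)"
    r"\.(?P<train>\d{3})-(?P<rel>\w+)\.bin$")

def parse_image(name):
    """Split an IOS image file name into platform, feature set and version."""
    m = IMAGE_RE.match(name.rsplit(":", 1)[-1])  # drop a "flash:" prefix
    if not m:
        raise ValueError(f"unrecognised image name: {name!r}")
    info = m.groupdict()
    # "k9" in the feature set marks a strong-crypto (3DES/AES) image.
    info["crypto"] = "k9" in info["features"]
    info["version"] = f"{info['train'][:2]}.{info['train'][2]}({info['rel']})"
    return info

def installed_memory(show_version):
    """Return (ram_mb, flash_mb) parsed from show version text."""
    ram = re.search(r"with (\d+)K/(\d+)K bytes of memory", show_version)
    flash = re.search(r"(\d+)K bytes of processor board System flash", show_version)
    if not ram or not flash:
        raise ValueError("memory lines not found in show version output")
    # DRAM is reported as processor/IO memory; installed RAM is the sum.
    return (int(ram.group(1)) + int(ram.group(2))) // 1024, int(flash.group(1)) // 1024

def check_upgrade(show_version, target):
    # Compare the running image and installed memory with the target image.
    running = re.search(r'System image file is "([^"]+)"', show_version).group(1)
    ram_mb, flash_mb = installed_memory(show_version)
    need_ram, need_flash = REQUIREMENTS[target]
    return {"running_has_crypto": parse_image(running)["crypto"],
            "target_has_crypto": parse_image(target)["crypto"],
            "ram_mb": ram_mb, "flash_mb": flash_mb,
            "fits": ram_mb >= need_ram and flash_mb >= need_flash}
```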
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17091430
Yup, the image should work, but if you're much over 800K in data rate your performance will suffer due to the encryption.

Thanks
Scott
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17095161
Yeah, I saw this >  57550K/7986K bytes of memory.  < and was hopeful!

Thanks for your help guys, I just downloaded the only image I could find (not being a cisco.com member) which is c1700-advsecurityk9-mz.124-7.bin

I am not sure if this image will work (but assume it would as it is so close) and worse than that, I am not sure that this image has not been tampered with between cisco and me.

First, how do you update the image, and second, is there somewhere else that I can download the correct image from?

Thanks

-red
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17095250
The only way to verify the image is to have access to a CCO account.  The simple way to do this is to get a tftp server on a laptop and then issue a copy tftp flash.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17095986
Well technically, you need to purchase a license for the IOS with the feature set you need since you bought the router with the base image.
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17096017
Ok, thanks for your help guys, I will look into the IOS license and go from there

-red
0
 
LVL 39

Author Comment

by:redseatechnologies
ID: 17097858
The saga continues;

I would love your help here guys

http://www.experts-exchange.com/Hardware/Routers/Q_21917774.html

Thanks

-red
0
