Hi all,

Could anybody provide info on the following scenario:

I was on a customer site which has IPSEC 3DES between two sites. On each site, there is also a private network (a class C subnet) which uses IPSEC DES56 to encrypt between these subnets. This has evolved from CET to IPSEC recently. Any traffic from these two subnets has always been denied from the access list which controls the 3DES encryption, to avoid this traffic being double encrypted.

After changing the addressing of the routers which are performing the DES56 encryption, I was just about to change the 3DES access list to deny the new IP addresses, when the customer mentioned that the private networks were talking to each other again. Show crypto eng conn active showed that the DES56 encryption was back up.

I was under the impression, probably more from hearsay than research, that traffic should not be double encrypted, particularly with 3DES. So my first question is: Is there any truth in this fact, or was there previously a problem with double encrypting CET?

My second question concerns the routing. At the point I mentioned before, where the customer said his connectivity was restored, I had not issued the OSPF network command for the new addresses, so none of the intermediate routers knew how to get to the private subnets (I checked routing tables). Once the traffic is encrypted, does it then only use the peer address as the destination, or is the private address still used (somehow)? If it uses the peer address then that probably answers my first question as well, as the peer addresses were not denied in the 3DES access list previously.

I will play with this in the lab with a sniffer when I get back to the office, but would like to hear of general rules for encryption from the study group if possible.

Thanks,
Gareth

