From: Ben_J_Durand@xxxxxxxxxx
Date: Sun Mar 19 2000 - 16:09:42 GMT-3
Hi guys,
Was practicing encrypted GRE over frame relay and I ran into a problem that I
can't figure out.
- When connecting the routers via HDLC directly instead of frame, my crypto
configs work fine.
- When connecting the routers via a frame-relay cloud on a physical interface,
my crypto configs still work fine.
- When moving to a frame-relay sub-interface, it stops working. I tried both
point-to-point with interface-dlci and multipoint with frame maps, neither
works.
Debug ip packet on R1 while a PC is trying to ping across gives "Crypto
connection pending, packet dropped".
Here is my basic config:
R1
interface e 0
ip address 10.1.1.1 255.255.255.0
!
interface s 0
ip address 20.1.1.1 255.255.255.0
crypto map MyMap
!
interface tunnel 0
ip address 40.1.1.1 255.255.255.0
tunnel source 20.1.1.1
tunnel dest 20.1.1.2
crypto map MyMap
!
access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
access-list 101 deny ip any any
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key MyKey address 20.1.1.2
crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set MySet
match address 101
!
router eigrp 100
network 10.0.0.0
network 40.0.0.0
no auto-summary
R2
interface e 0
ip address 30.1.1.1 255.255.255.0
!
interface s 0
ip address 20.1.1.2 255.255.255.0
crypto map MyMap
!
interface tunnel 0
ip address 40.1.1.2 255.255.255.0
tunnel source 20.1.1.2
tunnel dest 20.1.1.1
crypto map MyMap
!
access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
access-list 101 deny ip any any
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key MyKey address 20.1.1.1
crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set MySet
match address 101
!
router eigrp 100
network 30.0.0.0
network 40.0.0.0
no auto-summary
This works just fine.
When I move to frame relay, the only thing I change is the serial interface
configuration, and change from direct connect to the frame cloud:
R1
interface s 0
encapsulation frame-relay
no ip address
!
interface s 0.1 point-to-point
ip address 20.1.1.1 255.255.255.0
frame-relay interface-dlci 103
crypto map MyMap
R2
interface s 0
encapsulation frame-relay
no ip address
!
interface s 0.1 point-to-point
ip address 20.1.1.2 255.255.255.0
frame-relay interface-dlci 301
crypto map MyMap
This doesn't work. I've tried moving the "crypto map MyMap" statement from s0.1
to s0, and even have it on both, but no go. If I do it on a frame relay
physical interface using a frame map, it also works just fine.
Any issues with using crypto maps on sub interfaces?
The frame that works on a physical interface:
R1
interface s 0
encapsulation frame-relay
ip address 20.1.1.1 255.255.255.0
frame-relay map ip 20.1.1.2 103 broadcast
crypto map MyMap
R2
interface s 0
encapsulation frame-relay
ip address 20.1.1.2 255.255.255.0
frame-relay map ip 20.1.1.1 301 broadcast
crypto map MyMap
This works. Any ideas?
Thanks.
- Ben