From: Kent (cciecn@xxxxxxxxx)
Date: Mon Mar 20 2000 - 12:02:45 GMT-3
Ben,
I would try to use the ethernet ports to establish the
tunnel, because you are using the point-to-point and
the tunnel is using them as source and destination.
It is something I would not feel comfortable with if I were you,
just my two cents. Please do let me know the result.
Kent
--- Ben_J_Durand@tivoli.com wrote:
> Hi guys,
>
> Was practicing encrypted GRE over frame relay and I
> ran into a problem that I
> can't figure out.
>
> - When connecting the routers via HDLC directly
> instead of frame, my crypto
> configs work fine.
> - When connecting the routers via a frame-relay
> cloud on a physical interface,
> my crypto configs still work fine.
> - When moving to a frame-relay sub-interface, it
> stops working. I tried both
> point-to-point with interface-dlci and multipoint
> with frame maps, neither
> works.
>
> Debug ip packet on R1 while a PC is trying to ping
> across gives "Crypto
> connection pending, packet dropped".
>
> Here is my basic config:
>
> R1
>
> interface e 0
> ip address 10.1.1.1 255.255.255.0
> !
> interface s 0
> ip address 20.1.1.1 255.255.255.0
> crypto map MyMap
> !
> interface tunnel 0
> ip address 40.1.1.1 255.255.255.0
> tunnel source 20.1.1.1
> tunnel dest 20.1.1.2
> crypto map MyMap
> !
> access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
> access-list 101 deny ip any any
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key MyKey address 20.1.1.2
> crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> crypto map MyMap 10 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set MySet
> match address 101
> !
> router eigrp 100
> network 10.0.0.0
> network 40.0.0.0
> no auto-summary
>
>
> R2
>
> interface e 0
> ip address 30.1.1.1 255.255.255.0
> !
> interface s 0
> ip address 20.1.1.2 255.255.255.0
> crypto map MyMap
> !
> interface tunnel 0
> ip address 40.1.1.2 255.255.255.0
> tunnel source 20.1.1.2
> tunnel dest 20.1.1.1
> crypto map MyMap
> !
> access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
> access-list 101 deny ip any any
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key MyKey address 20.1.1.1
> crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> crypto map MyMap 10 ipsec-isakmp
> set peer 20.1.1.1
> set transform-set MySet
> match address 101
> !
> router eigrp 100
> network 30.0.0.0
> network 40.0.0.0
> no auto-summary
>
> This works just fine
>
> When I move to frame relay, the only thing I change
> is the serial interface
> configuration, and change from direct connect to the
> frame cloud:
>
> R1
>
> interface s 0
> encapsulation frame-relay
> no ip address
> !
> interface s 0.1 point-to-point
> ip address 20.1.1.1 255.255.255.0
> frame-relay interface-dlci 103
> crypto map MyMap
>
> R2
>
> interface s 0
> encapsulation frame-relay
> no ip address
> !
> interface s 0.1 point-to-point
> ip address 20.1.1.2 255.255.255.0
> frame-relay interface-dlci 301
> crypto map MyMap
>
>
> This doesn't work. I've tried moving the "crypto
> map MyMap" statement from s0.1
> to s0, and even have it on both, but no go. If I do
> it on a frame relay
> physical interface using a frame map, it also works
> just fine.
>
> Any issues with using crypto maps on sub interfaces?
>
> The frame that works on physical interface:
>
> R1
>
> interface s 0
> encapsulation frame-relay
> ip address 20.1.1.1 255.255.255.0
> frame-relay map ip 20.1.1.2 103 broadcast
> crypto map MyMap
>
>
> R2
>
> interface s 0
> encapsulation frame-relay
> ip address 20.1.1.2 255.255.255.0
> frame-relay map ip 20.1.1.1 301 broadcast
> crypto map MyMap
>
> This works. Any ideas?
>
> Thanks.
>
> - Ben
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:06 GMT-3