From: Robert Marnell (rmarnell@xxxxxxxxxxx)
Date: Tue Mar 21 2000 - 11:57:33 GMT-3
try changing
frame-relay interface-dlci 301
to
frame-relay interface-dlci 301 broadcast protocol ip 20.1.1.2
and change the other side as well. I will test also. If you are successful,
let me know.
Robb
>From: Kent <cciecn@yahoo.com>
>Reply-To: Kent <cciecn@yahoo.com>
>To: Ben_J_Durand@tivoli.com, ccielab@groupstudy.com
>Subject: Re: Crypto over frame-relay sub-interfaces problem
>Date: Mon, 20 Mar 2000 07:02:45 -0800 (PST)
>
>Ben,
>
>I would try to use the ethernet ports to establish the
>tunnel, because you are using the point-to-point and
>the tunnel is using them as source and destination;
>it is something I would not feel comfortable with if I were you.
>Just my two cents, please do let me know the result.
>
>Kent
>
>--- Ben_J_Durand@tivoli.com wrote:
> > Hi guys,
> >
> > Was practicing encrypted GRE over frame relay and I
> > ran into a problem that I
> > can't figure out.
> >
> > - When connecting the routers via HDLC directly
> > instead of frame, my crypto
> > configs work fine.
> > - When connecting the routers via a frame-relay
> > cloud on a physical interface,
> > my crypto configs still work fine.
> > - When moving to a frame-relay sub-interface, it
> > stops working. I tried both
> > point-to-point with interface-dlci and multipoint
> > with frame maps, neither
> > works.
> >
> > Debug ip packet on R1 while a PC is trying to ping
> > across gives "Crypto
> > connection pending, packet dropped".
> >
> > Here is my basic config:
> >
> > R1
> >
> > interface e 0
> > ip address 10.1.1.1 255.255.255.0
> > !
> > interface s 0
> > ip address 20.1.1.1 255.255.255.0
> > crypto map MyMap
> > !
> > interface tunnel 0
> > ip address 40.1.1.1 255.255.255.0
> > tunnel source 20.1.1.1
> > tunnel dest 20.1.1.2
> > crypto map MyMap
> > !
> > access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
> > access-list 101 deny ip any any
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > group 2
> > crypto isakmp key MyKey address 20.1.1.2
> > crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> > crypto map MyMap 10 ipsec-isakmp
> > set peer 20.1.1.2
> > set transform-set MySet
> > match address 101
> > !
> > router eigrp 100
> > network 10.0.0.0
> > network 40.0.0.0
> > no auto-summary
> >
> >
> > R2
> >
> > interface e 0
> > ip address 30.1.1.1 255.255.255.0
> > !
> > interface s 0
> > ip address 20.1.1.2 255.255.255.0
> > crypto map MyMap
> > !
> > interface tunnel 0
> > ip address 40.1.1.2 255.255.255.0
> > tunnel source 20.1.1.2
> > tunnel dest 20.1.1.1
> > crypto map MyMap
> > !
> > access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
> > access-list 101 deny ip any any
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > group 2
> > crypto isakmp key MyKey address 20.1.1.1
> > crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> > crypto map MyMap 10 ipsec-isakmp
> > set peer 20.1.1.1
> > set transform-set MySet
> > match address 101
> > !
> > router eigrp 100
> > network 30.0.0.0
> > network 40.0.0.0
> > no auto-summary
> >
> > This works just fine
> >
> > When I move to frame relay, the only thing I change
> > is the serial interface
> > configuration, and change from direct connect to the
> > frame cloud:
> >
> > R1
> >
> > interface s 0
> > encapsulation frame-relay
> > no ip address
> > !
> > interface s 0.1 point-to-point
> > ip address 20.1.1.1 255.255.255.0
> > frame-relay interface-dlci 103
> > crypto map MyMap
> >
> > R2
> >
> > interface s 0
> > encapsulation frame-relay
> > no ip address
> > !
> > interface s 0.1 point-to-point
> > ip address 20.1.1.2 255.255.255.0
> > frame-relay interface-dlci 301
> > crypto map MyMap
> >
> >
> > This doesn't work. I've tried moving the "crypto
> > map MyMap" statement from s0.1
> > to s0, and even have it on both, but no go. If I do
> > it on a frame relay
> > physical interface using a frame map, it also works
> > just fine.
> >
> > Any issues with using crypto maps on sub interfaces?
> >
> > The frame that works on physical interface:
> >
> > R1
> >
> > interface s 0
> > encapsulation frame-relay
> > ip address 20.1.1.1 255.255.255.0
> > frame-relay map ip 20.1.1.2 103 broadcast
> > crypto map MyMap
> >
> >
> > R2
> >
> > interface s 0
> > encapsulation frame-relay
> > ip address 20.1.1.2 255.255.255.0
> > frame-relay map ip 20.1.1.1 301 broadcast
> > crypto map MyMap
> >
> > This works. Any ideas?
> >
> > Thanks.
> >
> > - Ben
> >
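
An added example, not part of the original thread: a Python check that the two routers' crypto settings quoted above line up with each other (shared key, transform set, mirrored crypto ACLs, and peer addresses matching the GRE tunnel endpoints). It rules out a peer mismatch before looking at the frame-relay layer; it does not diagnose the sub-interface behaviour itself. The names `PATTERNS`, `facts` and `check_pair` are hypothetical.

```python
import re

# Constructed input: the crypto-relevant lines of R1 from the quoted config.
R1 = """\
crypto isakmp key MyKey address 20.1.1.2
crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
 set peer 20.1.1.2
access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
interface tunnel 0
 tunnel source 20.1.1.1
 tunnel dest 20.1.1.2
"""
# R2 is R1 with the two endpoint addresses swapped, as in the quoted config.
R2 = R1.replace("20.1.1.1", "@").replace("20.1.1.2", "20.1.1.1").replace("@", "20.1.1.2")

PATTERNS = {
    "key": r"^crypto isakmp key (\S+) address (\S+)",
    "peer": r"^\s*set peer (\S+)",
    "acl": r"^access-list \d+ permit gre host (\S+) host (\S+)",
    "tunnel_src": r"^\s*tunnel source (\S+)",
    "tunnel_dst": r"^\s*tunnel dest\w* (\S+)",
    "transforms": r"^crypto ipsec transform-set \S+ (.+)$",
}

def facts(cfg):
    """Pull out the fields that have to agree between the two peers."""
    found = {k: re.search(p, cfg, re.M) for k, p in PATTERNS.items()}
    return {k: m.groups() if m else None for k, m in found.items()}

def check_pair(cfg_a, cfg_b):
    """Return a list of inconsistencies; an empty list means the pair lines up."""
    a, b = facts(cfg_a), facts(cfg_b)
    problems = [f"{n}: no '{k}' line" for n, f in (("A", a), ("B", b))
                for k, v in f.items() if v is None]
    if problems:
        return problems
    if a["key"][0] != b["key"][0]:
        problems.append("pre-shared keys differ")
    if set(a["transforms"][0].split()) != set(b["transforms"][0].split()):
        problems.append("transform sets differ")
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images")
    for n, f in (("A", a), ("B", b)):
        src, dst = f["acl"]
        if (f["tunnel_src"][0], f["tunnel_dst"][0]) != (src, dst):
            problems.append(f"{n}: ACL hosts do not match tunnel source/destination")
        if f["peer"][0] != dst or f["key"][1] != dst:
            problems.append(f"{n}: set peer / isakmp key address is not the ACL destination")
    return problems
```

`check_pair(R1, R2)` returns an empty list for the configuration as posted.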