Re: Crypto over frame-relay sub-interfaces problem

From: Gerard Robinson (gerardrobinson@xxxxxxxxxxxxxx)
Date: Tue Mar 21 2000 - 18:05:44 GMT-3


   

    Try turning off route caching on the s0 interface, the command is

    no ip route-cache

    This may or may not work but I have been playing with IPSec and tunnels
    a little on my 2500s and turning off route caching does work on occasion.

----- Original Message -----
From: <Ben_J_Durand@tivoli.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, March 19, 2000 7:09 PM
Subject: Crypto over frame-relay sub-interfaces problem

> Hi guys,
>
> Was practicing encrypted GRE over frame relay and I ran into a problem that I
> can't figure out.
>
> - When connecting the routers via HDLC directly instead of frame, my crypto
> configs work fine.
> - When connecting the routers via a frame-relay cloud on a physical interface,
> my crypto configs still work fine.
> - When moving to a frame-relay sub-interface, it stops working. I tried both
> point-to-point with interface-dlci and multipoint with frame maps, neither
> work.
>
> Debug ip packet on R1 while a PC is trying to ping across gives "Crypto
> connection pending, packet dropped".
>
> Here is my basic config:
>
> R1
>
> interface e 0
> ip address 10.1.1.1 255.255.255.0
> !
> interface s 0
> ip address 20.1.1.1 255.255.255.0
> crypto map MyMap
> !
> interface tunnel 0
> ip address 40.1.1.1 255.255.255.0
> tunnel source 20.1.1.1
> tunnel dest 20.1.1.2
> crypto map MyMap
> !
> access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
> access-list 101 deny ip any any
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key MyKey address 20.1.1.2
> crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> crypto map MyMap 10 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set MySet
> match address 101
> !
> router eigrp 100
> network 10.0.0.0
> network 40.0.0.0
> no auto-summary
>
>
> R2
>
> interface e 0
> ip address 30.1.1.1 255.255.255.0
> !
> interface s 0
> ip address 20.1.1.2 255.255.255.0
> crypto map MyMap
> !
> interface tunnel 0
> ip address 40.1.1.2 255.255.255.0
> tunnel source 20.1.1.2
> tunnel dest 20.1.1.1
> crypto map MyMap
> !
> access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
> access-list 101 deny ip any any
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key MyKey address 20.1.1.1
> crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> crypto map MyMap 10 ipsec-isakmp
> set peer 20.1.1.1
> set transform-set MySet
> match address 101
> !
> router eigrp 100
> network 30.0.0.0
> network 40.0.0.0
> no auto-summary
>
> This works just fine
>
> When I move to frame relay, the only thing I change is the serial interface
> configuration, and change from direct connect to the frame cloud:
>
> R1
>
> interface s 0
> encapsulation frame-relay
> no ip address
> !
> interface s 0.1 point-to-point
> ip address 20.1.1.1 255.255.255.0
> frame-relay interface-dlci 103
> crypto map MyMap
>
> R2
>
> interface s 0
> encapsulation frame-relay
> no ip address
> !
> interface s 0.1 point-to-point
> ip address 20.1.1.2 255.255.255.0
> frame-relay interface-dlci 301
> crypto map MyMap
>
>
> This doesn't work. I've tried moving the "crypto map MyMap" statement from s0.1
> to s0, and even have it on both, but no go. If I do it on a frame relay
> physical interface using a frame map, it also works just fine.
>
> Any issues with using crypto maps on sub interfaces?
>
> The frame that works on physical interface:
>
> R1
>
> interface s 0
> encapsulation frame-relay
> ip address 20.1.1.1 255.255.255.0
> frame-relay map ip 20.1.1.2 103 broadcast
> crypto map MyMap
>
>
> R2
>
> interface s 0
> encapsulation frame-relay
> ip address 20.1.1.2 255.255.255.0
> frame-relay map ip 20.1.1.1 301 broadcast
> crypto map MyMap
>
> This works. Any ideas?
>
> Thanks.
>
> - Ben
>
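
A small audit for the suggestion in the reply, added here as an example and not part of the original thread: it lists each interface that carries a crypto map and whether `no ip route-cache` is present on it and on its parent physical interface. The sample config is constructed from the post's R1 with interface names written out in full (an assumption about how the saved config reads); the function names are hypothetical.

```python
import re

# Constructed sample: R1's frame-relay sub-interface setup from the post, with
# the reply's "no ip route-cache" applied to the physical interface only.
R1_CONFIG = """\
interface Serial0
 encapsulation frame-relay
 no ip route-cache
!
interface Serial0.1 point-to-point
 ip address 20.1.1.1 255.255.255.0
 frame-relay interface-dlci 103
 crypto map MyMap
!
interface Tunnel0
 tunnel source 20.1.1.1
 crypto map MyMap
"""

def parse_interfaces(config):
    """Map interface name -> list of its stanza lines (IOS-style text)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def crypto_route_cache_report(config):
    """Report route-cache state for every interface that has a crypto map."""
    stanzas = parse_interfaces(config)
    report = {}
    for name, lines in stanzas.items():
        maps = [l.split()[2] for l in lines if l.startswith("crypto map ")]
        if not maps:
            continue
        # A sub-interface "Serial0.1" has parent "Serial0"; others are their own parent.
        parent = name.split(".")[0] if "." in name else name
        report[name] = {
            "crypto_map": maps[0],
            "route_cache_off": "no ip route-cache" in lines,
            "parent_route_cache_off": "no ip route-cache" in stanzas.get(parent, []),
        }
    return report

if __name__ == "__main__": print(crypto_route_cache_report(R1_CONFIG))
```
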


