From: Maljure, Sanjay (smaljure@xxxxxxxxxxxxxxxxx)
Date: Mon Mar 27 2000 - 13:54:14 GMT-3
Hi,
I have a question w.r.t the config below.....
Let's say u wanted to encrypt packets from 10.1.1.0/24 to 30.1.1.0/24 and ur
access-list was..
access-list 100 permit ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
I see that in ur config, u apply the crypto-map to the s0 and the tu0
interface of both the routers...
I read on the CCO that the crypto map is applied to the "egress
interface"...
so would the crypto map be now applied to the e0 interface?
Thanks for ur time...
Did it finally work on the subif of frame-relay????
Sanjay
> Hi guys,
>
> Was practicing encrypted GRE over frame relay and I ran into a problem that I
> can't figure out.
>
> - When connecting the routers via HDLC directly instead of frame, my crypto
> configs work fine.
> - When connecting the routers via a frame-relay cloud on a physical interface,
> my crypto configs still work fine.
> - When moving to a frame-relay sub-interface, it stops working. I tried both
> point-to-point with interface-dlci and multipoint with frame maps, neither
> work.
>
> Debug ip packet on R1 while a PC is trying to ping across gives "Crypto
> connection pending, packet dropped".
>
> Here is my basic config:
>
> R1
>
> interface e 0
> ip address 10.1.1.1 255.255.255.0
> !
> interface s 0
> ip address 20.1.1.1 255.255.255.0
> crypto map MyMap
> !
> interface tunnel 0
> ip address 40.1.1.1 255.255.255.0
> tunnel source 20.1.1.1
> tunnel dest 20.1.1.2
> crypto map MyMap
> !
> access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
> access-list 101 deny ip any any
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key MyKey address 20.1.1.2
> crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> crypto map MyMap 10 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set MySet
> match address 101
> !
> router eigrp 100
> network 10.0.0.0
> network 40.0.0.0
> no auto-summary
>
>
> R2
>
> interface e 0
> ip address 30.1.1.1 255.255.255.0
> !
> interface s 0
> ip address 20.1.1.2 255.255.255.0
> crypto map MyMap
> !
> interface tunnel 0
> ip address 40.1.1.2 255.255.255.0
> tunnel source 20.1.1.2
> tunnel dest 20.1.1.1
> crypto map MyMap
> !
> access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
> access-list 101 deny ip any any
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key MyKey address 20.1.1.1
> crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> crypto map MyMap 10 ipsec-isakmp
> set peer 20.1.1.1
> set transform-set MySet
> match address 101
> !
> router eigrp 100
> network 30.0.0.0
> network 40.0.0.0
> no auto-summary
>
> This works just fine
>
> When I move to frame relay, the only thing I change is the serial interface
> configuration, and change from direct connect to the frame cloud:
>
> R1
>
> interface s 0
> encapsulation frame-relay
> no ip address
> !
> interface s 0.1 point-to-point
> ip address 20.1.1.1 255.255.255.0
> frame-relay interface-dlci 103
> crypto map MyMap
>
> R2
>
> interface s 0
> encapsulation frame-relay
> no ip address
> !
> interface s 0.1 point-to-point
> ip address 20.1.1.2 255.255.255.0
> frame-relay interface-dlci 301
> crypto map MyMap
>
>
> This doesn't work. I've tried moving the "crypto map MyMap" statement from s0.1
> to s0, and even have it on both, but no go. If I do it on a frame relay
> physical interface using a frame map, it also works just fine.
>
> Any issues with using crypto maps on sub interfaces?
>
> The frame that works on physical interface:
>
> R1
>
> interface s 0
> encapsulation frame-relay
> ip address 20.1.1.1 255.255.255.0
> frame-relay map ip 20.1.1.2 103 broadcast
> crypto map MyMap
>
>
> R2
>
> interface s 0
> encapsulation frame-relay
> ip address 20.1.1.2 255.255.255.0
> frame-relay map ip 20.1.1.1 301 broadcast
> crypto map MyMap
>
> This works. Any ideas?
>
> Thanks.
>
> - Ben
>