From: pkm@xxxxxxxxxx
Date: Tue Mar 28 2000 - 04:55:28 GMT-3
Sanjay,
It looks to me that you forgot to disable split horizon on your hub router. By
default, split-horizon is disabled with only physical interfaces. That is not
the case with multipoint subinterfaces. Try to add:
no ip split-horizon eigrp 100
on your serial interface (multipoint).
I have the same configs and it works fine for me.
Maljure, Sanjay wrote:
> Hi,
> I have a question w.r.t the config below.....
>
> Let's say u wanted to encrypt packets from 10.1.1.0/24 to 30.1.1.0/24 and ur
> access-list was..
>
> access-list 100 permit ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
>
> I see that in ur config, u apply the crypto-map to the s0 and the tu0
> interface of both the routers...
>
> I read on the CCO that the crypto map is applied to the "egress
> interface"...
> so would the crypto map be now applied to the e0 interface?
>
> Thanks for ur time...
> Did it finally work on the subif of frame-relay????
> Sanjay
>
> > Hi guys,
> >
> > Was practicing encrypted GRE over frame relay and I ran into a problem that I
> > can't figure out.
> >
> > - When connecting the routers via HDLC directly instead of frame, my crypto
> > configs work fine.
> > - When connecting the routers via a frame-relay cloud on a physical interface,
> > my crypto configs still work fine.
> > - When moving to a frame-relay sub-interface, it stops working. I tried both
> > point-to-point with interface-dlci and multipoint with frame maps, neither
> > work.
> >
> > Debug ip packet on R1 while a PC is trying to ping across gives "Crypto
> > connection pending, packet dropped".
> >
> > Here is my basic config:
> >
> > R1
> >
> > interface e 0
> > ip address 10.1.1.1 255.255.255.0
> > !
> > interface s 0
> > ip address 20.1.1.1 255.255.255.0
> > crypto map MyMap
> > !
> > interface tunnel 0
> > ip address 40.1.1.1 255.255.255.0
> > tunnel source 20.1.1.1
> > tunnel dest 20.1.1.2
> > crypto map MyMap
> > !
> > access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
> > access-list 101 deny ip any any
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > group 2
> > crypto isakmp key MyKey address 20.1.1.2
> > crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> > crypto map MyMap 10 ipsec-isakmp
> > set peer 20.1.1.2
> > set transform-set MySet
> > match address 101
> > !
> > router eigrp 100
> > network 10.0.0.0
> > network 40.0.0.0
> > no auto-summary
> >
> >
> > R2
> >
> > interface e 0
> > ip address 30.1.1.1 255.255.255.0
> > !
> > interface s 0
> > ip address 20.1.1.2 255.255.255.0
> > crypto map MyMap
> > !
> > interface tunnel 0
> > ip address 40.1.1.2 255.255.255.0
> > tunnel source 20.1.1.2
> > tunnel dest 20.1.1.1
> > crypto map MyMap
> > !
> > access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
> > access-list 101 deny ip any any
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > group 2
> > crypto isakmp key MyKey address 20.1.1.1
> > crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
> > crypto map MyMap 10 ipsec-isakmp
> > set peer 20.1.1.1
> > set transform-set MySet
> > match address 101
> > !
> > router eigrp 100
> > network 30.0.0.0
> > network 40.0.0.0
> > no auto-summary
> >
> > This works just fine
> >
> > When I move to frame relay, the only thing I change is the serial interface
> > configuration, and change from direct connect to the frame cloud:
> >
> > R1
> >
> > interface s 0
> > encapsulation frame-relay
> > no ip address
> > !
> > interface s 0.1 point-to-point
> > ip address 20.1.1.1 255.255.255.0
> > frame-relay interface-dlci 103
> > crypto map MyMap
> >
> > R2
> >
> > interface s 0
> > encapsulation frame-relay
> > no ip address
> > !
> > interface s 0.1 point-to-point
> > ip address 20.1.1.2 255.255.255.0
> > frame-relay interface-dlci 301
> > crypto map MyMap
> >
> >
> > This doesn't work. I've tried moving the "crypto map MyMap" statement from s0.1
> > to s0, and even have it on both, but no go. If I do it on a frame relay
> > physical interface using a frame map, it also works just fine.
> >
> > Any issues with using crypto maps on sub interfaces?
> >
> > The frame that works on physical interface:
> >
> > R1
> >
> > interface s 0
> > encapsulation frame-relay
> > ip address 20.1.1.1 255.255.255.0
> > frame-relay map ip 20.1.1.2 103 broadcast
> > crypto map MyMap
> >
> >
> > R2
> >
> > interface s 0
> > encapsulation frame-relay
> > ip address 20.1.1.2 255.255.255.0
> > frame-relay map ip 20.1.1.1 301 broadcast
> > crypto map MyMap
> >
> > This works. Any ideas?
> >
> > Thanks.
> >
> > - Ben
> >
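
A consistency check that can be run over the two peers' IPsec settings before looking at the frame-relay layer. This is an added example, not part of the thread or anyone's posted code: the config excerpts are constructed from the R1/R2 listings quoted above, and the function names (grab, parse, check_pair) are hypothetical. It verifies the values both ends must agree on: peer address, pre-shared key and the address it is bound to, transform-set, and mirror-image crypto ACLs.

```python
import re

# Constructed excerpts: only the IPsec-relevant lines of R1 and R2 from the thread.
R1 = """interface s 0
 ip address 20.1.1.1 255.255.255.0
access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
crypto isakmp key MyKey address 20.1.1.2
crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
 set peer 20.1.1.2
"""
R2 = """interface s 0
 ip address 20.1.1.2 255.255.255.0
access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
crypto isakmp key MyKey address 20.1.1.1
crypto ipsec transform-set MySet ah-sha-hmac esp-des esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
 set peer 20.1.1.1
"""

def grab(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Extract the values that two IPsec peers have to agree on."""
    return {
        "local": grab(r"^\s*ip address (\S+) ", cfg),
        "peer": grab(r"^\s*set peer (\S+)", cfg),
        "key": grab(r"^crypto isakmp key (\S+) address", cfg),
        "key_addr": grab(r"^crypto isakmp key \S+ address (\S+)", cfg),
        "transforms": sorted((grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg) or "").split()),
        "acl": re.findall(r"^access-list \d+ permit (\S+) host (\S+) host (\S+)", cfg, re.M),
    }

def check_pair(a_cfg, b_cfg):
    """Return a list of mismatches; an empty list means the peers are consistent."""
    a, b, problems = parse(a_cfg), parse(b_cfg), []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["local"]:
            problems.append(f"{name}: 'set peer' is not the other router's address")
        if me["key_addr"] != other["local"]:
            problems.append(f"{name}: ISAKMP key is bound to a different address")
    for field, label in (("key", "pre-shared keys"), ("transforms", "transform-sets")):
        if a[field] != b[field]:
            problems.append(f"{label} differ")
    # Each permit line on A must appear on B with source and destination swapped.
    if sorted((p, d, s) for p, s, d in a["acl"]) != sorted(b["acl"]):
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Calling check_pair(R1, R2) on the excerpts returns an empty list, meaning the two ends agree on every value checked.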
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:07 GMT-3