Frame-relay IPSec tunnel question

From: Rich Doty (rdoty@meridiantelesis.com)
Date: Sat Sep 14 2002 - 22:46:16 GMT-3


Task: Encrypt BGP traffic using IPSec on a frame relay network.

Problem: Basically I configured all of my frame relay interfaces as s0.1
multipoint, and I applied 'crypto map bgp' to them (they aren't shown
here because I took them off to restore my BGP neighbors). The IPsec
tunnel seems to work for me between R5 and R2, but neither can create a
tunnel with R3. Here are my configs. Initially I had placed two set peer
statements under a single crypto map, but referred to resources showing
it done with 2 crypto maps. I've checked for access-lists or policies
that would be blocking my IPsec traffic and haven't found any (I
initially had to remove an access-group from R3's S0.1 to permit IPsec,
that was from an older task).

Anyone have any ideas, or had problems with this type of setup?

Thanks

Rich

----------------------------------

R2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.21.8.145
crypto isakmp key cisco address 202.21.8.147
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp1
 match address 155

interface Serial0.1 multipoint
 ip address 202.21.8.146 255.255.255.248
 ip policy route-map 65a
 frame-relay de-group 1 123
 frame-relay de-group 1 125
 frame-relay map ip 202.21.8.145 125
 frame-relay map ip 202.21.8.147 123
 crypto map bgp

access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
==========================================
R3:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.21.8.145
crypto isakmp key cisco address 202.21.8.146
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.146
 set transform-set bgp1
 match address 155

interface Serial0.1 multipoint
 ip address 202.21.8.147 255.255.255.248
 no ip mroute-cache
 frame-relay de-group 1 132
 frame-relay de-group 1 135
 frame-relay map ip 202.21.8.145 135
 frame-relay map ip 202.21.8.146 132
 crypto map bgp

access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
==========================================
R5:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.21.8.147
crypto isakmp key cisco address 202.21.8.146
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.146
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp1
 match address 155

interface Serial0.1 multipoint
 ip address 202.21.8.145 255.255.255.248
 ip access-group 195 out
 frame-relay de-group 1 152
 frame-relay de-group 1 153
 frame-relay map ip 202.21.8.146 152
 frame-relay map ip 202.21.8.147 153
 crypto map bgp

access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
=========================================

Thanks Again!
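
The following check is an added example, not part of the original post. IOS evaluates the entries of a crypto map in sequence order and uses the first entry whose match ACL permits the packet, so two entries that reference the same ACL but different peers leave the later entry unreachable. The function names are hypothetical, the sample is R2's crypto map as posted above, and only exact reuse of one ACL is detected, not overlap between different ACLs.

```python
import re
from collections import defaultdict

# R2's crypto map entries, copied from the configuration posted above.
R2_CONFIG = """\
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp1
 match address 155
"""

def parse_crypto_maps(config):
    """Return {map_name: [entry, ...]} with entries sorted by sequence number."""
    maps = defaultdict(list)
    entry = None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            entry = {"seq": int(m.group(2)), "peer": None, "acl": None}
            maps[m.group(1)].append(entry)
        elif entry is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
        else:
            entry = None  # any non-indented line ends the current entry
    return {n: sorted(e, key=lambda x: x["seq"]) for n, e in maps.items()}

def find_shadowed_entries(config):
    """Return (map, shadowed_seq, shadowed_peer, winning_seq, winning_peer)."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        first_user = {}  # ACL id -> lowest-sequence entry that references it
        for e in entries:
            if e["acl"] is None:
                continue
            winner = first_user.setdefault(e["acl"], e)
            if winner is not e and winner["peer"] != e["peer"]:
                findings.append((name, e["seq"], e["peer"],
                                 winner["seq"], winner["peer"]))
    return findings

for f in find_shadowed_entries(R2_CONFIG):
    print("map %s: seq %d (peer %s) shadowed by seq %d (peer %s)" % f)
```

On the R2 sample it reports sequence 11 (peer 202.21.8.147) as shadowed by sequence 10 (peer 202.21.8.145), because both reference access-list 155.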


