From: Mahmud, Yasser (YMahmud@Solutions.UK.ATT.com)
Date: Sat Sep 14 2002 - 23:57:38 GMT-3
Rich,
Below needs further amendment as per Peter's reply
        R2:
        crypto isakmp policy 10
         authentication pre-share
        crypto isakmp key cisco address 202.21.8.145
        crypto isakmp key cisco address 202.21.8.147
        !
        !
        crypto ipsec transform-set bgp esp-des
        crypto ipsec transform-set bgp1 esp-des
        !
        crypto map bgp 10 ipsec-isakmp
         set peer 202.21.8.145
         set transform-set bgp
         match address 155
        crypto map bgp 11 ipsec-isakmp
         set peer 202.21.8.147
         set transform-set bgp1
         match address 156

        interface Serial0.1 multipoint
         ip address 202.21.8.146 255.255.255.248
         ip policy route-map 65a
         frame-relay de-group 1 123
         frame-relay de-group 1 125
         frame-relay map ip 202.21.8.145 125
         frame-relay map ip 202.21.8.147 123
         crypto map bgp

        access-list 155 permit tcp host 202.21.8.146 host 202.21.8.145 eq bgp
        access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.146
        access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
        access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
        ==========================================
Yasser
> -----Original Message-----
> From:	Mahmud, Yasser [SMTP:YMahmud@Solutions.UK.ATT.com]
> Sent:	Sunday, September 15, 2002 2:21 AM
> To:	'Rich Doty'
> Cc:	'ccielab@groupstudy.com'
> Subject:	RE: Frame-relay IPSec tunnel question
> 
> You need a separate access-list for each crypto map even though the
> access-lists would be identical, as you need a unique access-list no. for
> each tunnel.
> e.g. R2 would be
> 
> 	R2:
> 	crypto isakmp policy 10
> 	 authentication pre-share
> 	crypto isakmp key cisco address 202.21.8.145   
> 	crypto isakmp key cisco address 202.21.8.147   
> 	!
> 	!
> 	crypto ipsec transform-set bgp esp-des 
> 	crypto ipsec transform-set bgp1 esp-des 
> 	!
> 	crypto map bgp 10 ipsec-isakmp   
> 	 set peer 202.21.8.145
> 	 set transform-set bgp 
> 	 match address 155
> 	crypto map bgp 11 ipsec-isakmp   
> 	 set peer 202.21.8.147
> 	 set transform-set bgp1 
> 	 match address 156
> 
> 	interface Serial0.1 multipoint
> 	 ip address 202.21.8.146 255.255.255.248
> 	 ip policy route-map 65a
> 	 frame-relay de-group 1 123
> 	 frame-relay de-group 1 125
> 	 frame-relay map ip 202.21.8.145 125
> 	 frame-relay map ip 202.21.8.147 123
> 	 crypto map bgp
> 
> 	access-list 155 permit tcp any any eq bgp
> 	access-list 155 permit tcp any eq bgp any
> 
> 	access-list 156 permit tcp any any eq bgp
> 	access-list 156 permit tcp any eq bgp any
> 
> 	==========================================
> 
> Let me know if it works
> 
> Rgds,
> Yasser 
> 
> > -----Original Message-----
> > From:	Rich Doty [SMTP:rdoty@meridiantelesis.com]
> > Sent:	Sunday, September 15, 2002 1:46 AM
> > To:	ccielab@groupstudy.com
> > Subject:	Frame-relay IPSec tunnel question
> > 
> > Task: Encrypt BGP traffic using IPSec on a frame relay network.
> > 
> > Problem: Basically I configured all of my frame relay interfaces as s0.1
> > multipoint, and I applied 'crypto map bgp' to them (they aren't shown
> > here because I took them off to restore my BGP neighbors). The ipsec
> > tunnel seems to work for me between R5 and R2, but neither can create a
> > tunnel with R3. Here are my configs. Initially I had placed two set peer
> > statements under a single crypto map, but referred to resources showing
> > it done with 2 crypto maps. I've checked for access-lists or policies
> > that would be blocking my IPSEC traffic and haven't found any (I
> > initially had to remove an access-group from R3's S0.1 to permit IPsec;
> > that was from an older task).
> > 
> > Anyone have any ideas, or had problems with this type of setup? 
> > 
> > Thanks
> > 
> > Rich
> > 
> > ----------------------------------
> > 
> > R2:
> > crypto isakmp policy 10
> >  authentication pre-share
> > crypto isakmp key cisco address 202.21.8.145   
> > crypto isakmp key cisco address 202.21.8.147   
> > !
> > !
> > crypto ipsec transform-set bgp esp-des 
> > crypto ipsec transform-set bgp1 esp-des 
> > !
> > crypto map bgp 10 ipsec-isakmp   
> >  set peer 202.21.8.145
> >  set transform-set bgp 
> >  match address 155
> > crypto map bgp 11 ipsec-isakmp   
> >  set peer 202.21.8.147
> >  set transform-set bgp1 
> >  match address 155
> > 
> > interface Serial0.1 multipoint
> >  ip address 202.21.8.146 255.255.255.248
> >  ip policy route-map 65a
> >  frame-relay de-group 1 123
> >  frame-relay de-group 1 125
> >  frame-relay map ip 202.21.8.145 125
> >  frame-relay map ip 202.21.8.147 123
> >  crypto map bgp
> > 
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> > ==========================================
> > R3:
> > crypto isakmp policy 10
> >  authentication pre-share
> > crypto isakmp key cisco address 202.21.8.145   
> > crypto isakmp key cisco address 202.21.8.146   
> > !
> > !
> > crypto ipsec transform-set bgp esp-des 
> > crypto ipsec transform-set bgp1 esp-des 
> > !
> > crypto map bgp 10 ipsec-isakmp   
> >  set peer 202.21.8.145
> >  set transform-set bgp 
> >  match address 155
> > crypto map bgp 11 ipsec-isakmp   
> >  set peer 202.21.8.146
> >  set transform-set bgp1 
> >  match address 155
> > 
> > interface Serial0.1 multipoint
> >  ip address 202.21.8.147 255.255.255.248
> >  no ip mroute-cache
> >  frame-relay de-group 1 132
> >  frame-relay de-group 1 135
> >  frame-relay map ip 202.21.8.145 135
> >  frame-relay map ip 202.21.8.146 132
> >  crypto map bgp
> > 
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> > ==========================================
> > R5:
> > crypto isakmp policy 10
> >  authentication pre-share
> > crypto isakmp key cisco address 202.21.8.147   
> > crypto isakmp key cisco address 202.21.8.146   
> > !
> > !
> > crypto ipsec transform-set bgp esp-des 
> > crypto ipsec transform-set bgp1 esp-des 
> > !
> > crypto map bgp 10 ipsec-isakmp   
> >  set peer 202.21.8.146
> >  set transform-set bgp 
> >  match address 155
> > crypto map bgp 11 ipsec-isakmp   
> >  set peer 202.21.8.147
> >  set transform-set bgp1 
> >  match address 155
> > 
> > interface Serial0.1 multipoint
> >  ip address 202.21.8.145 255.255.255.248
> >  ip access-group 195 out
> >  frame-relay de-group 1 152
> >  frame-relay de-group 1 153
> >  frame-relay map ip 202.21.8.146 152
> >  frame-relay map ip 202.21.8.147 153
> >  crypto map bgp
> > 
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> > =========================================
> > 
> > Thanks Again!
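As an added example, not part of this thread and not a Cisco tool, the following Python script checks a crypto-map configuration for the mistake the thread works through. Entries of one crypto map are evaluated in sequence-number order and a packet is protected by the first entry whose "match address" ACL permits it; when entries 10 and 11 both match "tcp any any eq bgp", every BGP packet is claimed by entry 10 and sent toward 202.21.8.145, so the security association with 202.21.8.147 is never negotiated, and giving entry 11 its own ACL number does not change that until the ACLs name the hosts. The parser, the finding codes and the three constructed R2 variants (the original config, the first reply with ACL 156 added, and the amended host-specific ACLs) are assumptions of this example; it recognises only the commands that appear in the thread.

```python
"""Lint IOS crypto-map entries for shadowing and duplicate ACLs (example code,
constructed for this thread, not part of IOS or of any poster's config)."""
import re
from dataclasses import dataclass


@dataclass
class CryptoEntry:
    """One 'crypto map <name> <seq> ipsec-isakmp' entry and the values set under it."""
    name: str
    seq: int
    peer: str = ""
    acl: str = ""


def parse_config(text):
    """Extract crypto map entries and numbered access-list ACEs from an IOS config.

    Only 'crypto map', 'set peer', 'match address' and 'access-list' are recognised
    (the commands used in the thread); sub-commands are identified by the leading
    space IOS prints in front of them.
    """
    entries, acls, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        is_sub = raw[0].isspace()
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = CryptoEntry(m.group(1), int(m.group(2)))
            entries.append(current)
        elif is_sub and current is not None:
            if line.startswith("set peer "):
                current.peer = line.split()[2]
            elif line.startswith("match address "):
                current.acl = line.split()[2]
        else:
            current = None  # any other top-level command closes the entry
            if line.startswith("access-list "):
                parts = line.split()
                acls.setdefault(parts[1], []).append(parts[2:])
    return entries, acls


def lint(text):
    """Return 'code:seq' findings, in sequence order, for one config.

    duplicate-acl : two entries of the same map reference one ACL number
    shadowing     : an entry's ACL permits any->any, so no later entry of that
                    map can ever be selected for that traffic
    peer-mismatch : an ACE names hosts, but neither host is the entry's peer
    """
    entries, acls = parse_config(text)
    findings, seen = [], set()
    for e in sorted(entries, key=lambda x: (x.name, x.seq)):
        codes = []
        if (e.name, e.acl) in seen:
            codes.append("duplicate-acl")
        seen.add((e.name, e.acl))
        has_later = any(o.name == e.name and o.seq > e.seq for o in entries)
        for ace in acls.get(e.acl, []):
            hosts = [ace[i + 1] for i, t in enumerate(ace) if t == "host"]
            if not hosts and ace.count("any") >= 2 and has_later and "shadowing" not in codes:
                codes.append("shadowing")
            elif hosts and e.peer not in hosts and "peer-mismatch" not in codes:
                codes.append("peer-mismatch")
        findings += [f"{c}:{e.seq}" for c in codes]
    return findings


# Constructed R2 variants following the thread (crypto map part shared, ACLs differ).
R2_CRYPTO = """\
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp1
 match address {acl2}
"""
ORIGINAL = R2_CRYPTO.format(acl2=155) + """\
access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
"""
FIRST_FIX = R2_CRYPTO.format(acl2=156) + """\
access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
access-list 156 permit tcp any any eq bgp
access-list 156 permit tcp any eq bgp any
"""
AMENDED = R2_CRYPTO.format(acl2=156) + """\
access-list 155 permit tcp host 202.21.8.146 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.146
access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("first fix", FIRST_FIX), ("amended", AMENDED)):
        print(f"{label}: {lint(cfg) or 'clean'}")
```

Run as a script it reports the original R2 as "shadowing:10, duplicate-acl:11", the first fix as still "shadowing:10", and the host-specific version as clean, which matches the order in which the thread arrived at the working config. The same check is worth running on R3 and R5, whose entries 10 and 11 also share ACL 155.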
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:52 GMT-3