RE: Frame-relay IPSec tunnel question

From: Rich Doty (rdoty@meridiantelesis.com)
Date: Sun Sep 15 2002 - 01:41:13 GMT-3


Hmm I guess I was wrong. It appears I've shifted my problem to R5. R2
and R3 connect fine, but now neither will connect to R5. My current
config is below. Have any further suggestions?

I'm getting complaints of:
R2: 00:31:48: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode
failed with peer at 202.21.8.145
R5: 00:31:54: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode
failed with peer at 202.21.8.147

R2:

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.21.8.147
crypto isakmp key cisco address 202.21.8.145
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp1
 match address 156
!
!
interface Serial0.1 multipoint
 ip address 202.21.8.146 255.255.255.248
 no ip mroute-cache
 ip policy route-map 65a
 frame-relay de-group 1 123
 frame-relay de-group 1 125
 frame-relay map ip 202.21.8.145 125
 frame-relay map ip 202.21.8.147 123
 crypto map bgp
!
access-list 155 permit tcp host 202.21.8.146 eq bgp host 202.21.8.145
access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.146
access-list 155 permit tcp host 202.21.8.146 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.145 host 202.21.8.146 eq bgp
access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
==============================
R3:
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 11
 authentication pre-share
crypto isakmp key cisco address 202.21.8.146
crypto isakmp key cisco address 202.21.8.145
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.146
 set transform-set bgp1
 match address 156
!
!
interface Serial0.1 multipoint
 ip address 202.21.8.147 255.255.255.248
 no ip mroute-cache
 frame-relay de-group 1 132
 frame-relay de-group 1 135
 frame-relay map ip 202.21.8.145 135
 frame-relay map ip 202.21.8.146 132
 crypto map bgp
!
access-list 155 permit tcp host 202.21.8.147 eq bgp host 202.21.8.145
access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.147
access-list 155 permit tcp host 202.21.8.147 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.145 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
==============================
R5:
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 11
 authentication pre-share
crypto isakmp key cisco address 202.21.8.146
crypto isakmp key cisco address 202.21.8.147
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.146
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp1
 match address 156
!
!
interface Serial0.1 multipoint
 ip address 202.21.8.145 255.255.255.248
 ip access-group 195 out
 no ip mroute-cache
 frame-relay de-group 1 152
 frame-relay de-group 1 153
 frame-relay map ip 202.21.8.146 152
 frame-relay map ip 202.21.8.147 153
 crypto map bgp
!
access-list 155 permit tcp host 202.21.8.147 eq bgp host 202.21.8.145
access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.147
access-list 155 permit tcp host 202.21.8.147 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.145 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
==============================

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Peter
Sent: Saturday, September 14, 2002 10:56 PM
To: ccielab@groupstudy.com
Subject: Re: Frame-relay IPSec tunnel question

That also wouldn't work. All the traffic will fall into ACL 155. The
ACLs have to be different - each containing source and destination IP
addresses of the appropriate BGP session.

__________________________
Peter
#7247 (R&S, Security)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Fax (847) 674-2625
www.cyscoexpert.com

----- Original Message -----
From: "Mahmud, Yasser" <YMahmud@Solutions.UK.ATT.com>
To: "'Rich Doty'" <rdoty@meridiantelesis.com>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, September 14, 2002 9:21 PM
Subject: RE: Frame-relay IPSec tunnel question

> You need a separate access-list for each crypto map even though the
> access-list would be identical, as need a unique access-list no. for
> each tunnel. e.g r2 would be
>
> R2:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.145
> crypto isakmp key cisco address 202.21.8.147
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 156
>
> interface Serial0.1 multipoint
> ip address 202.21.8.146 255.255.255.248
> ip policy route-map 65a
> frame-relay de-group 1 123
> frame-relay de-group 1 125
> frame-relay map ip 202.21.8.145 125
> frame-relay map ip 202.21.8.147 123
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
>
> access-list 156 permit tcp any any eq bgp
> access-list 156 permit tcp any eq bgp any
>
> ==========================================
>
> Let me know if it works
>
> Rgds,
> Yasser
>
> > -----Original Message-----
> > From: Rich Doty [SMTP:rdoty@meridiantelesis.com]
> > Sent: Sunday, September 15, 2002 1:46 AM
> > To: ccielab@groupstudy.com
> > Subject: Frame-relay IPSec tunnel question
> >
> > Task: Encrypt BGP traffic using IPSec on a frame relay network.
> >
> > Problem: Basically I configured all of my frame relay interfaces as
> > s0.1 multipoint, and I applied 'crypto map bgp' to them (they aren't
> > shown here because I took them off to restore my BGP neighbors). The
> > ipsec tunnel seems to work for me between R5 and R2, but neither can
> > create a tunnel with R3. Here are my configs. Initially I had placed
> > two set peer statements under a single crypto map, but referred to
> > resources showing it done with 2 crypto maps. I've checked for
> > access-lists or policies that would be blocking my IPSEC traffic and
> > haven't found any (I initially had to remove an access-group from
> > R3's S0.1 to permit IPsec, that was from an older task).
> >
> > Anyone have any ideas, or had problems with this type of setup?
> >
> > Thanks
> >
> > Rich
> >
> > ----------------------------------
> >
> > R2:
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key cisco address 202.21.8.145
> > crypto isakmp key cisco address 202.21.8.147
> > !
> > !
> > crypto ipsec transform-set bgp esp-des
> > crypto ipsec transform-set bgp1 esp-des
> > !
> > crypto map bgp 10 ipsec-isakmp
> > set peer 202.21.8.145
> > set transform-set bgp
> > match address 155
> > crypto map bgp 11 ipsec-isakmp
> > set peer 202.21.8.147
> > set transform-set bgp1
> > match address 155
> >
> > interface Serial0.1 multipoint
> > ip address 202.21.8.146 255.255.255.248
> > ip policy route-map 65a
> > frame-relay de-group 1 123
> > frame-relay de-group 1 125
> > frame-relay map ip 202.21.8.145 125
> > frame-relay map ip 202.21.8.147 123
> > crypto map bgp
> >
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> > ==========================================
> > R3:
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key cisco address 202.21.8.145
> > crypto isakmp key cisco address 202.21.8.146
> > !
> > !
> > crypto ipsec transform-set bgp esp-des
> > crypto ipsec transform-set bgp1 esp-des
> > !
> > crypto map bgp 10 ipsec-isakmp
> > set peer 202.21.8.145
> > set transform-set bgp
> > match address 155
> > crypto map bgp 11 ipsec-isakmp
> > set peer 202.21.8.146
> > set transform-set bgp1
> > match address 155
> >
> > interface Serial0.1 multipoint
> > ip address 202.21.8.147 255.255.255.248
> > no ip mroute-cache
> > frame-relay de-group 1 132
> > frame-relay de-group 1 135
> > frame-relay map ip 202.21.8.145 135
> > frame-relay map ip 202.21.8.146 132
> > crypto map bgp
> >
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> > ==========================================
> > R5:
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key cisco address 202.21.8.147
> > crypto isakmp key cisco address 202.21.8.146
> > !
> > !
> > crypto ipsec transform-set bgp esp-des
> > crypto ipsec transform-set bgp1 esp-des
> > !
> > crypto map bgp 10 ipsec-isakmp
> > set peer 202.21.8.146
> > set transform-set bgp
> > match address 155
> > crypto map bgp 11 ipsec-isakmp
> > set peer 202.21.8.147
> > set transform-set bgp1
> > match address 155
> >
> > interface Serial0.1 multipoint
> > ip address 202.21.8.145 255.255.255.248
> > ip access-group 195 out
> > frame-relay de-group 1 152
> > frame-relay de-group 1 153
> > frame-relay map ip 202.21.8.146 152
> > frame-relay map ip 202.21.8.147 153
> > crypto map bgp
> >
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> > =========================================
> >
> > Thanks Again!
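
The two points made in this thread, that a crypto map picks the first entry whose ACL matches (Peter's objection to the shared any/any ACL 155) and that each side's crypto ACL must be the mirror image of the peer's (what IKE Quick Mode compares as proxy identities), can be checked mechanically. The following is an added example, not code from the thread or from any of the posters: a small Python checker that parses the `crypto map ... ipsec-isakmp` entries and the numbered extended ACLs they reference, simulates which entry a cleartext packet would hit, and reports every ACE that the peer does not mirror back. The embedded configs are trimmed copies of the R2 and R5 configs posted above (transform-set lines, R3, and R5's entry toward R3 are left out) plus R2 as first posted; the only ACE shape handled is the one those configs use (`tcp`, `host`/`any`, optional `eq <port>`). Interface ACLs such as R5's `access-list 195`, which is not shown, are outside its scope.

```python
# Added example, not code from the thread: a checker for Cisco IOS crypto-map proxy
# identities. IOS walks the crypto map entries in sequence order; the first crypto-ACL
# hit picks the peer and the proxy IDs, and IKE Quick Mode then needs that peer to hold
# the mirror image of the ACE. Only the ACE shape used in the posted configs is parsed.
import re
from dataclasses import dataclass
from typing import Optional

PORTS = {"bgp": 179}
ACE_RE = re.compile(r"access-list (\d+) permit (\w+) (host \S+|any)(?: eq (\w+))?"
                    r" (host \S+|any)(?: eq (\w+))?$")

@dataclass(frozen=True)
class Ace:
    proto: str
    src: str               # address or "any"
    sport: Optional[int]   # None: any port
    dst: str
    dport: Optional[int]

    def matches(self, proto, src, sport, dst, dport):
        return (self.proto in (proto, "ip") and self.src in (src, "any") and self.dst in (dst, "any")
                and self.sport in (sport, None) and self.dport in (dport, None))

    def mirror(self):      # the ACE the other side must hold for Quick Mode to agree
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

def _port(tok):
    return None if tok is None else PORTS.get(tok) or int(tok)

def parse(config):
    """Return (crypto map entries as dicts, in sequence order; {acl number: [Ace, ...]})."""
    entries, acls, cur = [], {}, None
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            n, proto, s, sp, d, dp = m.groups()
            acls.setdefault(int(n), []).append(Ace(proto, s.split()[-1], _port(sp), d.split()[-1], _port(dp)))
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            cur = {"seq": int(m.group(1)), "peer": None, "acl": None}
            entries.append(cur)
        elif cur and (m := re.match(r" +set peer (\S+)", line)):
            cur["peer"] = m.group(1)
        elif cur and (m := re.match(r" +match address (\d+)", line)):
            cur["acl"] = int(m.group(1))
        elif not line.startswith(" "):
            cur = None     # any other top-level command ends the entry
    return sorted(entries, key=lambda e: e["seq"]), acls

def select_entry(config, src, dst, sport=None, dport=None, proto="tcp"):
    """(seq, peer) of the entry a cleartext packet hits, or None: the packet leaves in the clear."""
    entries, acls = parse(config)
    for e in entries:
        if any(a.matches(proto, src, sport, dst, dport) for a in acls.get(e["acl"], [])):
            return e["seq"], e["peer"]
    return None

def mirror_mismatches(configs):
    """configs: {local address: config}. Return (local, peer, Ace) for each crypto ACE on local
    toward peer that peer does not mirror in its own entry toward local."""
    parsed = {ip: parse(cfg) for ip, cfg in configs.items()}
    bad = []
    for local, (entries, acls) in parsed.items():
        for e in entries:
            if e["peer"] in parsed:
                pentries, pacls = parsed[e["peer"]]
                remote = [a for pe in pentries if pe["peer"] == local for a in pacls.get(pe["acl"], [])]
                bad += [(local, e["peer"], a) for a in acls.get(e["acl"], []) if a.mirror() not in remote]
    return bad

# Crypto map entries and ACLs as posted for R2 (.146) and for R5's (.145) entry toward R2 (trimmed).
R2 = """\
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 match address 156
access-list 155 permit tcp host 202.21.8.146 eq bgp host 202.21.8.145
access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.146
access-list 155 permit tcp host 202.21.8.146 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.145 host 202.21.8.146 eq bgp
access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
"""
R5 = """\
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.146
 match address 155
access-list 155 permit tcp host 202.21.8.147 eq bgp host 202.21.8.145
access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.147
access-list 155 permit tcp host 202.21.8.147 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.145 host 202.21.8.147 eq bgp
"""
# R2 as first posted: both entries pointed at one shared any/any ACL 155.
R2_FIRST = (R2.split("access-list")[0].replace("match address 156", "match address 155")
            + "access-list 155 permit tcp any any eq bgp\naccess-list 155 permit tcp any eq bgp any\n")

if __name__ == "__main__":
    print(select_entry(R2_FIRST, "202.21.8.146", "202.21.8.147", dport=179))
    print(*mirror_mismatches({"202.21.8.146": R2, "202.21.8.145": R5}), sep="\n")
```

Run against the posted text, `select_entry` on `R2_FIRST` returns sequence 10 (peer 202.21.8.145) for a BGP packet addressed to 202.21.8.147, which is exactly the first-match problem Peter describes; with the per-peer ACLs of the later R2 config the same packet lands on sequence 11. `mirror_mismatches` on the current R2/R5 pair flags every ACE in both directions, because R5's ACL 155, attached to the entry whose peer is 202.21.8.146, only names 202.21.8.147 and 202.21.8.145, so no proxy identity R2 offers can be matched, and a BGP packet leaving R5 for 202.21.8.146 hits no crypto ACE at all. Rewriting those four R5 ACEs with 202.21.8.146 in place of 202.21.8.147 makes the checker report no mismatches.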



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:52 GMT-3