Re: Frame-relay IPSec tunnel question

From: Peter (peter@cyscoexpert.com)
Date: Sun Sep 15 2002 - 11:25:25 GMT-3


Rich,

It appears to me that on R5 the content of ACL 155 should be in ACL 156 and vice
versa.

BTW: you don't need this many entries in those ACLs. Only traffic from local
IP to remote IP should be permitted. Remote IP to local IP is not necessary.

__________________________
Peter
#7247 (R&S, Security)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Fax (847) 674-2625
www.cyscoexpert.com

----- Original Message -----
From: "Rich Doty" <rdoty@meridiantelesis.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, September 14, 2002 11:41 PM
Subject: RE: Frame-relay IPSec tunnel question

> Hmm I guess I was wrong. It appears I've shifted my problem to R5. R2
> and R3 connect fine, but now neither will connect to R5. My current
> config is below. Have any further suggestions?
>
> I'm getting complaints of:
> R2: 00:31:48: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode
> failed with peer at 202.21.8.145
> R5: 00:31:54: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode
> failed with peer at 202.21.8.147
>
> R2:
>
> !
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.147
> crypto isakmp key cisco address 202.21.8.145
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 156
> !
> !
> interface Serial0.1 multipoint
> ip address 202.21.8.146 255.255.255.248
> no ip mroute-cache
> ip policy route-map 65a
> frame-relay de-group 1 123
> frame-relay de-group 1 125
> frame-relay map ip 202.21.8.145 125
> frame-relay map ip 202.21.8.147 123
> crypto map bgp
> !
> access-list 155 permit tcp host 202.21.8.146 eq bgp host 202.21.8.145
> access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.146
> access-list 155 permit tcp host 202.21.8.146 host 202.21.8.145 eq bgp
> access-list 155 permit tcp host 202.21.8.145 host 202.21.8.146 eq bgp
> access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
> access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
> access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
> access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
> ==============================
> R3:
> !
> crypto isakmp policy 10
> authentication pre-share
> !
> crypto isakmp policy 11
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.146
> crypto isakmp key cisco address 202.21.8.145
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.146
> set transform-set bgp1
> match address 156
> !
> !
> interface Serial0.1 multipoint
> ip address 202.21.8.147 255.255.255.248
> no ip mroute-cache
> frame-relay de-group 1 132
> frame-relay de-group 1 135
> frame-relay map ip 202.21.8.145 135
> frame-relay map ip 202.21.8.146 132
> crypto map bgp
> !
> access-list 155 permit tcp host 202.21.8.147 eq bgp host 202.21.8.145
> access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.147
> access-list 155 permit tcp host 202.21.8.147 host 202.21.8.145 eq bgp
> access-list 155 permit tcp host 202.21.8.145 host 202.21.8.147 eq bgp
> access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
> access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
> access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
> access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
> ==============================
> R5:
> !
> crypto isakmp policy 10
> authentication pre-share
> !
> crypto isakmp policy 11
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.146
> crypto isakmp key cisco address 202.21.8.147
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.146
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 156
> !
> !
> interface Serial0.1 multipoint
> ip address 202.21.8.145 255.255.255.248
> ip access-group 195 out
> no ip mroute-cache
> frame-relay de-group 1 152
> frame-relay de-group 1 153
> frame-relay map ip 202.21.8.146 152
> frame-relay map ip 202.21.8.147 153
> crypto map bgp
> !
> access-list 155 permit tcp host 202.21.8.147 eq bgp host 202.21.8.145
> access-list 155 permit tcp host 202.21.8.145 eq bgp host 202.21.8.147
> access-list 155 permit tcp host 202.21.8.147 host 202.21.8.145 eq bgp
> access-list 155 permit tcp host 202.21.8.145 host 202.21.8.147 eq bgp
> access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
> access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
> access-list 156 permit tcp host 202.21.8.147 eq bgp host 202.21.8.146
> access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
> ==============================
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Peter
> Sent: Saturday, September 14, 2002 10:56 PM
> To: ccielab@groupstudy.com
> Subject: Re: Frame-relay IPSec tunnel question
>
>
> That also wouldn't work. All the traffic will fall into ACL 155. The
> ACLs have to be different - each containing source and destination IP
> addresses of the appropriate BGP session.
>
> __________________________
> Peter
> #7247 (R&S, Security)
> CyscoExpert Corp.
> 4433 W. Touhy Ave. Suite 410
> Lincolnwood, IL 60712
> Phone (847) 674-3392
> Fax (847) 674-2625
> www.cyscoexpert.com
>
> ----- Original Message -----
> From: "Mahmud, Yasser" <YMahmud@Solutions.UK.ATT.com>
> To: "'Rich Doty'" <rdoty@meridiantelesis.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Saturday, September 14, 2002 9:21 PM
> Subject: RE: Frame-relay IPSec tunnel question
>
>
> > You need a separate access-list for each crypto map even though the
> > access-lists would be identical, as you need a unique access-list number for
> > each tunnel, e.g. R2 would be
> >
> > R2:
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key cisco address 202.21.8.145
> > crypto isakmp key cisco address 202.21.8.147
> > !
> > !
> > crypto ipsec transform-set bgp esp-des
> > crypto ipsec transform-set bgp1 esp-des
> > !
> > crypto map bgp 10 ipsec-isakmp
> > set peer 202.21.8.145
> > set transform-set bgp
> > match address 155
> > crypto map bgp 11 ipsec-isakmp
> > set peer 202.21.8.147
> > set transform-set bgp1
> > match address 156
> >
> > interface Serial0.1 multipoint
> > ip address 202.21.8.146 255.255.255.248
> > ip policy route-map 65a
> > frame-relay de-group 1 123
> > frame-relay de-group 1 125
> > frame-relay map ip 202.21.8.145 125
> > frame-relay map ip 202.21.8.147 123
> > crypto map bgp
> >
> > access-list 155 permit tcp any any eq bgp
> > access-list 155 permit tcp any eq bgp any
> >
> > access-list 156 permit tcp any any eq bgp
> > access-list 156 permit tcp any eq bgp any
> >
> > ==========================================
> >
> > Let me know if it works
> >
> > Rgds,
> > Yasser
> >
> > > -----Original Message-----
> > > From: Rich Doty [SMTP:rdoty@meridiantelesis.com]
> > > Sent: Sunday, September 15, 2002 1:46 AM
> > > To: ccielab@groupstudy.com
> > > Subject: Frame-relay IPSec tunnel question
> > >
> > > Task: Encrypt BGP traffic using IPSec on a frame relay network.
> > >
> > > Problem: Basically I configured all of my frame relay interfaces as
> > > s0.1 multipoint, and I applied 'crypto map bgp' to them (they aren't
> > > shown here because I took them off to restore my BGP neighbors). The
> > > ipsec tunnel seems to work for me between R5 and R2, but neither can
> > > create a tunnel with R3. Here are my configs. Initially I had placed
> > > two set peer statements under a single crypto map, but referred to
> > > resources showing it done with 2 crypto maps. I've checked for
> > > access-lists or policies that would be blocking my IPSEC traffic and
> > > haven't found any (I initially had to remove an access-group from
> > > R3's S0.1 to permit IPsec, that was from an older task).
> > >
> > > Anyone have any ideas, or had problems with this type of setup?
> > >
> > > Thanks
> > >
> > > Rich
> > >
> > > ----------------------------------
> > >
> > > R2:
> > > crypto isakmp policy 10
> > > authentication pre-share
> > > crypto isakmp key cisco address 202.21.8.145
> > > crypto isakmp key cisco address 202.21.8.147
> > > !
> > > !
> > > crypto ipsec transform-set bgp esp-des
> > > crypto ipsec transform-set bgp1 esp-des
> > > !
> > > crypto map bgp 10 ipsec-isakmp
> > > set peer 202.21.8.145
> > > set transform-set bgp
> > > match address 155
> > > crypto map bgp 11 ipsec-isakmp
> > > set peer 202.21.8.147
> > > set transform-set bgp1
> > > match address 155
> > >
> > > interface Serial0.1 multipoint
> > > ip address 202.21.8.146 255.255.255.248
> > > ip policy route-map 65a
> > > frame-relay de-group 1 123
> > > frame-relay de-group 1 125
> > > frame-relay map ip 202.21.8.145 125
> > > frame-relay map ip 202.21.8.147 123
> > > crypto map bgp
> > >
> > > access-list 155 permit tcp any any eq bgp
> > > access-list 155 permit tcp any eq bgp any
> > > ==========================================
> > > R3:
> > > crypto isakmp policy 10
> > > authentication pre-share
> > > crypto isakmp key cisco address 202.21.8.145
> > > crypto isakmp key cisco address 202.21.8.146
> > > !
> > > !
> > > crypto ipsec transform-set bgp esp-des
> > > crypto ipsec transform-set bgp1 esp-des
> > > !
> > > crypto map bgp 10 ipsec-isakmp
> > > set peer 202.21.8.145
> > > set transform-set bgp
> > > match address 155
> > > crypto map bgp 11 ipsec-isakmp
> > > set peer 202.21.8.146
> > > set transform-set bgp1
> > > match address 155
> > >
> > > interface Serial0.1 multipoint
> > > ip address 202.21.8.147 255.255.255.248
> > > no ip mroute-cache
> > > frame-relay de-group 1 132
> > > frame-relay de-group 1 135
> > > frame-relay map ip 202.21.8.145 135
> > > frame-relay map ip 202.21.8.146 132
> > > crypto map bgp
> > >
> > > access-list 155 permit tcp any any eq bgp
> > > access-list 155 permit tcp any eq bgp any
> > > ==========================================
> > > R5:
> > > crypto isakmp policy 10
> > > authentication pre-share
> > > crypto isakmp key cisco address 202.21.8.147
> > > crypto isakmp key cisco address 202.21.8.146
> > > !
> > > !
> > > crypto ipsec transform-set bgp esp-des
> > > crypto ipsec transform-set bgp1 esp-des
> > > !
> > > crypto map bgp 10 ipsec-isakmp
> > > set peer 202.21.8.146
> > > set transform-set bgp
> > > match address 155
> > > crypto map bgp 11 ipsec-isakmp
> > > set peer 202.21.8.147
> > > set transform-set bgp1
> > > match address 155
> > >
> > > interface Serial0.1 multipoint
> > > ip address 202.21.8.145 255.255.255.248
> > > ip access-group 195 out
> > > frame-relay de-group 1 152
> > > frame-relay de-group 1 153
> > > frame-relay map ip 202.21.8.146 152
> > > frame-relay map ip 202.21.8.147 153
> > > crypto map bgp
> > >
> > > access-list 155 permit tcp any any eq bgp
> > > access-list 155 permit tcp any eq bgp any
> > > =========================================
> > >
> > > Thanks Again!
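Peter's two observations (R5's crypto ACLs do not describe its own peers, and the mirrored remote-to-local entries are unnecessary) can be checked mechanically. The following Python is an added example, not code from the thread: it parses crypto-map and access-list lines in the form Rich posted, uses R5's addresses from the thread as a constructed sample, and assumes the first `ip address` line belongs to the interface carrying the crypto map.

```python
import re

# Constructed sample: the crypto-relevant lines of the R5 config posted in the thread.
R5_CONFIG = """\
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.146
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 match address 156
interface Serial0.1 multipoint
 ip address 202.21.8.145 255.255.255.248
access-list 155 permit tcp host 202.21.8.147 eq bgp host 202.21.8.145
access-list 156 permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp
"""
# Same R5 with the crypto ACLs rewritten as Peter suggests: local -> peer only.
R5_FIXED = R5_CONFIG.split("access-list")[0] + (
    "access-list 155 permit tcp host 202.21.8.145 host 202.21.8.146 eq bgp\n"
    "access-list 156 permit tcp host 202.21.8.145 host 202.21.8.147 eq bgp\n")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) ipsec-isakmp")
ACE_RE = re.compile(r"^access-list (\d+) permit tcp host (\S+)(?: eq \S+)? host (\S+)")

def parse(config):
    """Return (local_ip, {seq: {'peer': ip, 'acl': number}}, {acl: [(src, dst), ...]})."""
    local, maps, acls, seq = None, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := MAP_RE.match(line):            # start of a crypto-map entry
            seq = int(m.group(1)); maps[seq] = {}
        elif m := ACE_RE.match(line):          # host-to-host ACE; ports are ignored
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif line.startswith("ip address "):    # assumed: interface carrying the map
            local = line.split()[2]
        elif seq is not None and line.startswith(("set peer ", "match address ")):
            maps[seq]["peer" if line.startswith("set") else "acl"] = line.split()[-1]
    return local, maps, acls

def check(config):
    """Findings per crypto-map sequence number; an empty list means the entry is consistent."""
    local, maps, acls = parse(config)
    findings = {}
    for seq, entry in sorted(maps.items()):
        peer, acl = entry["peer"], entry["acl"]
        aces = acls.get(acl, [])
        issues = [] if (local, peer) in aces else [f"ACL {acl}: no entry {local} -> {peer}"]
        for src, dst in aces:
            if (src, dst) == (peer, local):
                issues.append(f"ACL {acl}: {src} -> {dst} is the mirror entry; not needed")
            elif (src, dst) != (local, peer):
                issues.append(f"ACL {acl}: {src} -> {dst} is not local -> peer traffic")
        findings[seq] = issues
    return findings
```

Running `check(R5_CONFIG)` reports, for each crypto-map entry, that no ACE carries R5's own address toward the configured peer, and `check(R5_FIXED)` reports nothing.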



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:52 GMT-3