Re: Frame-relay IPSec tunnel question

From: Peter (peter@cyscoexpert.com)
Date: Sat Sep 14 2002 - 23:24:15 GMT-3


Rich,

The problem is in the access-list configuration. BGP traffic to both
neighbors matches ACL 155 and uses the first sequence in your crypto map.
You have to differentiate BGP traffic with 2 separate ACLs. Change your ACL
155 to permit BGP from and to one neighbor (by using proper source and
destination IP addresses) and add ACL 156 to permit BGP from and to the
other neighbor. Then change your crypto map sequence 11 to match ACL 156
instead of 155. If you have more problems, let me know.

BTW: you can reuse the same transform set; you don't need two identical ones.

__________________________
Peter
#7247 (R&S, Security)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Fax (847) 674-2625
www.cyscoexpert.com
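As an added illustration (not part of Peter's reply or of Rich's posted configs), here is R2 after applying the fix Peter describes. The addresses are the ones from the posted configs and the ACL number 156 is the one Peter suggests; the crypto ACLs are written from R2's point of view, with R2's own address as source and the peer as destination, because a crypto ACL describes the traffic to be encrypted outbound and the router expects the mirror image inbound. R3 and R5 get the same shape with their own addresses, and each router's ACL for a given peer must be the exact mirror of that peer's ACL for it (for example, R3's ACL for R2 is `permit tcp host 202.21.8.147 host 202.21.8.146 eq bgp` plus the reverse line).

```cisco
! R2 (202.21.8.146), corrected: one crypto ACL per peer, one shared transform set.
! Added example, not from the original thread; addresses are those in Rich's configs.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.21.8.145
crypto isakmp key cisco address 202.21.8.147
!
crypto ipsec transform-set bgp esp-des
!
! ACL 155: BGP between R2 and R5 only (both directions, since either side may open TCP 179)
access-list 155 permit tcp host 202.21.8.146 host 202.21.8.145 eq bgp
access-list 155 permit tcp host 202.21.8.146 eq bgp host 202.21.8.145
! ACL 156: BGP between R2 and R3 only
access-list 156 permit tcp host 202.21.8.146 host 202.21.8.147 eq bgp
access-list 156 permit tcp host 202.21.8.146 eq bgp host 202.21.8.147
!
! Lower sequence numbers are evaluated first; each entry now matches only its own peer's traffic
crypto map bgp 10 ipsec-isakmp
 set peer 202.21.8.145
 set transform-set bgp
 match address 155
crypto map bgp 11 ipsec-isakmp
 set peer 202.21.8.147
 set transform-set bgp
 match address 156
!
interface Serial0.1 multipoint
 crypto map bgp
```

With the original `permit tcp any any eq bgp` ACL, a BGP packet destined for R3 is tested against sequence 10 first, matches, and is handed to the SA whose peer is 202.21.8.145, so no IKE exchange toward R3 is ever attempted; that is consistent with R2 and R5 pairing up while R3 is left out. After the change, `show crypto map` should list each sequence with its own ACL, and `show crypto isakmp sa` and `show crypto ipsec sa` should show an SA to each of the two peers once the BGP sessions are cleared and re-established.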

----- Original Message -----
From: "Rich Doty" <rdoty@meridiantelesis.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, September 14, 2002 8:45 PM
Subject: Frame-relay IPSec tunnel question

> Task: Encrypt BGP traffic using IPSec on a frame relay network.
>
> Problem: Basically I configured all of my frame relay interfaces as s0.1
> multipoint, and I applied 'crypto map bgp' to them (they aren't shown
> here because I took them off to restore my BGP neighbors). The IPsec
> tunnel seems to work for me between R5 and R2, but neither can create a
> tunnel with R3. Here are my configs. Initially I had placed two set peer
> statements under a single crypto map, but referred to resources showing
> it done with 2 crypto maps. I've checked for access-lists or policies
> that would be blocking my IPsec traffic and haven't found any (I
> initially had to remove an access-group from R3's S0.1 to permit IPsec;
> that was from an older task).
>
> Anyone have any ideas, or had problems with this type of setup?
>
> Thanks
>
> Rich
>
> ----------------------------------
>
> R2:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.145
> crypto isakmp key cisco address 202.21.8.147
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 155
>
> interface Serial0.1 multipoint
> ip address 202.21.8.146 255.255.255.248
> ip policy route-map 65a
> frame-relay de-group 1 123
> frame-relay de-group 1 125
> frame-relay map ip 202.21.8.145 125
> frame-relay map ip 202.21.8.147 123
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
> ==========================================
> R3:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.145
> crypto isakmp key cisco address 202.21.8.146
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.146
> set transform-set bgp1
> match address 155
>
> interface Serial0.1 multipoint
> ip address 202.21.8.147 255.255.255.248
> no ip mroute-cache
> frame-relay de-group 1 132
> frame-relay de-group 1 135
> frame-relay map ip 202.21.8.145 135
> frame-relay map ip 202.21.8.146 132
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
> ==========================================
> R5:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.147
> crypto isakmp key cisco address 202.21.8.146
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.146
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 155
>
> interface Serial0.1 multipoint
> ip address 202.21.8.145 255.255.255.248
> ip access-group 195 out
> frame-relay de-group 1 152
> frame-relay de-group 1 153
> frame-relay map ip 202.21.8.146 152
> frame-relay map ip 202.21.8.147 153
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
> =========================================
>
> Thanks Again!



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:52 GMT-3