From: Mahmud, Yasser (YMahmud@Solutions.UK.ATT.com)
Date: Sat Sep 14 2002 - 23:21:02 GMT-3
You need a separate access-list for each crypto map even though the
access-list would be identical, as you need a unique access-list no. for each
tunnel.
e.g. R2 would be:
R2:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.21.8.145
crypto isakmp key cisco address 202.21.8.147
!
!
crypto ipsec transform-set bgp esp-des
crypto ipsec transform-set bgp1 esp-des
!
crypto map bgp 10 ipsec-isakmp
set peer 202.21.8.145
set transform-set bgp
match address 155
crypto map bgp 11 ipsec-isakmp
set peer 202.21.8.147
set transform-set bgp1
match address 156

interface Serial0.1 multipoint
ip address 202.21.8.146 255.255.255.248
ip policy route-map 65a
frame-relay de-group 1 123
frame-relay de-group 1 125
frame-relay map ip 202.21.8.145 125
frame-relay map ip 202.21.8.147 123
crypto map bgp

access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
access-list 156 permit tcp any any eq bgp
access-list 156 permit tcp any eq bgp any
==========================================
Let me know if it works
Rgds,
Yasser
> -----Original Message-----
> From: Rich Doty [SMTP:rdoty@meridiantelesis.com]
> Sent: Sunday, September 15, 2002 1:46 AM
> To: ccielab@groupstudy.com
> Subject: Frame-relay IPSec tunnel question
>
> Task: Encrypt BGP traffic using IPSec on a frame relay network.
>
> Problem: Basically I configured all of my frame relay interfaces as s0.1
> multipoint, and I applied 'crypto map bgp' to them (they aren't shown
> here because I took them off to restore my BGP neighbors). The ipsec
> tunnel seems to work for me between R5 and R2, but neither can create a
> tunnel with R3. Here are my configs. Initially I had placed two set peer
> statements under a single crypto map, but referred to resources showing
> it done with 2 crypto maps. I've checked for access-lists or policies
> that would be blocking my IPSEC traffic and haven't found any (I
> initially had to remove an access-group from R3's S0.1 to permit IPsec,
> that was from an older task).
>
> Anyone have any ideas, or had problems with this type of setup?
>
> Thanks
>
> Rich
>
> ----------------------------------
>
> R2:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.145
> crypto isakmp key cisco address 202.21.8.147
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 155
>
> interface Serial0.1 multipoint
> ip address 202.21.8.146 255.255.255.248
> ip policy route-map 65a
> frame-relay de-group 1 123
> frame-relay de-group 1 125
> frame-relay map ip 202.21.8.145 125
> frame-relay map ip 202.21.8.147 123
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
> ==========================================
> R3:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.145
> crypto isakmp key cisco address 202.21.8.146
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.145
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.146
> set transform-set bgp1
> match address 155
>
> interface Serial0.1 multipoint
> ip address 202.21.8.147 255.255.255.248
> no ip mroute-cache
> frame-relay de-group 1 132
> frame-relay de-group 1 135
> frame-relay map ip 202.21.8.145 135
> frame-relay map ip 202.21.8.146 132
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
> ==========================================
> R5:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key cisco address 202.21.8.147
> crypto isakmp key cisco address 202.21.8.146
> !
> !
> crypto ipsec transform-set bgp esp-des
> crypto ipsec transform-set bgp1 esp-des
> !
> crypto map bgp 10 ipsec-isakmp
> set peer 202.21.8.146
> set transform-set bgp
> match address 155
> crypto map bgp 11 ipsec-isakmp
> set peer 202.21.8.147
> set transform-set bgp1
> match address 155
>
> interface Serial0.1 multipoint
> ip address 202.21.8.145 255.255.255.248
> ip access-group 195 out
> frame-relay de-group 1 152
> frame-relay de-group 1 153
> frame-relay map ip 202.21.8.146 152
> frame-relay map ip 202.21.8.147 153
> crypto map bgp
>
> access-list 155 permit tcp any any eq bgp
> access-list 155 permit tcp any eq bgp any
> =========================================
>
> Thanks Again!
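
Added example, not part of either message: a small Python check that reads IOS crypto map and access-list lines and reports pairs of entries in the same crypto map that reference the same ACL number, or different ACL numbers whose lines are identical. The function names and finding labels are assumptions made for this sketch; the sample input is constructed from the R2 lines in the question.

```python
import re
from collections import defaultdict

# Constructed input: R2's crypto map and ACL lines as posted in the question.
SAMPLE = """\
crypto map bgp 10 ipsec-isakmp
set peer 202.21.8.145
set transform-set bgp
match address 155
crypto map bgp 11 ipsec-isakmp
set peer 202.21.8.147
set transform-set bgp1
match address 155
access-list 155 permit tcp any any eq bgp
access-list 155 permit tcp any eq bgp any
"""

def parse(config):
    """Return ({(map, seq): acl_id}, {acl_id: [ACE text, ...]})."""
    entries, acls, cur = {}, defaultdict(list), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = (m[1], int(m[2]))
            entries.setdefault(cur, None)
        elif cur and (m := re.match(r"match address (\S+)", line)):
            entries[cur] = m[1]
        elif line and not line.startswith(("set ", "match ")):
            cur = None  # any other command ends the crypto map entry
            if m := re.match(r"access-list (\d+) (.+)", line):
                acls[m[1]].append(m[2])
    return entries, acls

def lint(config):
    """Flag pairs of entries in one crypto map that select the same traffic."""
    # IOS checks a crypto map's entries in sequence order, so when two entries
    # permit the same packets the lower sequence number is matched first.
    entries, acls = parse(config)
    items, findings = sorted(entries.items()), []
    for i, ((name_a, seq_a), acl_a) in enumerate(items):
        for (name_b, seq_b), acl_b in items[i + 1:]:
            if name_a != name_b or acl_a is None or acl_b is None:
                continue
            if acl_a == acl_b:
                findings.append((name_a, seq_a, seq_b, "same-acl"))
            elif acls.get(acl_a) and acls.get(acl_a) == acls.get(acl_b):
                findings.append((name_a, seq_a, seq_b, "identical-aces"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
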