Hello,
I've got a setup like this:
There is a C7204 in my central site with an E3 line carrying several Frame Relay PVCs, that are defined as sub-ifs of the E3 serial interface. One of those and one of my LAN-facing FastEthernet ports are members of a VRF. The VRF is the only one on the router, all other interfaces and sub-interfaces belong to the global router.
This all works fine, until I want to encrypt the traffic sent over the subif belonging to the VRF.
Here are the relevant parts of the config:
ip vrf test
 rd 10:100
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no fair-queue
!
interface Serial1/0.110 point-to-point
 ip vrf forwarding test
 ip address 1.2.3.6 255.255.255.252
 frame-relay interface-dlci 110
 crypto map testmap
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.2.3.5
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto map testmap
 set peer 1.2.3.5
 set transform-set test
 match address 101
!
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any eq 22 any
access-list 101 permit ip any any
The ACL makes sure SSH traffic is not being encrypted.
As soon as I put the crypto map onto the subif, I cannot even ping from 1.2.3.5 to 1.2.3.6 (extended ping with source IP given).
I already tried to mess with MTU sizes, as I suppose it may be something like truncated or malformed packets.
Any suggestions?
Thanks a lot
Mike
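Added example, not part of the original post: a small Python evaluator for access-list 101 as a crypto map reads it (permit means the flow is selected for IPsec, deny means it is sent in the clear), run over constructed flows between 1.2.3.5 and 1.2.3.6. The port numbers 40000 and 40001 and the function names are assumptions made for illustration.

```python
import re

# access-list 101 exactly as posted above.
ACL_101 = """\
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any eq 22 any
access-list 101 permit ip any any
"""
# Only the "any [eq port] any [eq port]" form used in the post is supported.
LINE = re.compile(
    r"access-list \d+ (permit|deny) (\w+) any(?: eq (\d+))? any(?: eq (\d+))?$")

def parse_acl(text):
    """Return ordered rules as (action, protocol, src_port, dst_port)."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, sport, dport = m.groups()
        rules.append((action, proto,
                      int(sport) if sport else None,
                      int(dport) if dport else None))
    return rules

def crypto_action(rules, proto, sport=None, dport=None):
    """First match wins; no match falls to the implicit deny (not protected)."""
    for action, r_proto, r_sport, r_dport in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_sport is not None and r_sport != sport:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return "protect" if action == "permit" else "clear"
    return "clear"

RULES = parse_acl(ACL_101)
# Constructed sample flows: (protocol, source port, destination port).
FLOWS = {
    "ssh 1.2.3.6 -> 1.2.3.5:22": ("tcp", 40000, 22),
    "ssh reply from port 22": ("tcp", 22, 40000),
    "icmp echo 1.2.3.5 -> 1.2.3.6": ("icmp", None, None),
    "telnet to port 23": ("tcp", 40001, 23),
}

def classify_all():
    return {name: crypto_action(RULES, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:32} {verdict}")
```

Both SSH directions come out as "clear", while the ping between the two addresses and everything else falls through to "permit ip any any" and is selected for encryption.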