03-28-2003 09:15 PM - edited 03-09-2019 02:41 AM
Hi there,
I got a serial interface as a member of bridge group 1. An IRB bridge with interface BVI 1 has been created. An IPSec tunnel is supposed to be between this serial interface and the remote site. A crypto map has been configured under the BVI 1 interface. However, we find that packets are decrypted in this router, but no packet is being encrypted: in the output of the command "show crypto engine connection active", there is no increase in the Encrypt column.
May I ask whether it is feasible to apply a crypto map on a BVI interface? And is there any alternative for this case?
Many thanks,
David
03-30-2003 05:29 PM
Try applying the crypto map to both the BVI and the physical serial interface. Other than that, can you post your config (xxxx out your passwords, etc.) for us to have a look at?
03-30-2003 07:29 PM
Hi,
I have tried to apply the crypto map on both Serial0/0.1 and the BVI interface, but it still fails.
The config is as below for your reference.
Current configuration : 3341 bytes
!
! Last configuration change at 15:59:33 HKT Sun Mar 30 2003
! NVRAM config last updated at 16:23:31 HKT Sat Mar 29 2003
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname STK
!
logging rate-limit console 10 except errors
enable password 7
!
username STK password 0
clock timezone HKT 8
ip subnet-zero
no ip source-route
!
!
no ip finger
no ip domain-lookup
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 10.1.250.69
crypto isakmp key cisco123 address 10.1.250.165
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map Serial0/0.2 10 ipsec-isakmp
 set peer 10.1.250.165
 set transform-set myset
 match address 104
!
crypto map Serial0/0.1 10 ipsec-isakmp
 set peer 10.1.250.69
 set transform-set myset
 match address 104
!
chat-script dialout "" "AT" TIMEOUT 30 OK "ATDT\T" TIMEOUT 90 CONNECT \c
chat-script reset "" "AT&FS0=1&C1&D3&K3&Q6&Q5&Q9" "OK" ""
call rsvp-sync
cns event-service server
!
!
!
!
!
bridge irb
!
!
!
interface Loopback0
 ip address 10.1.252.14 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.18.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 description STK DL682060
 mtu 1800
 bandwidth 96
 backup delay 0 20
 backup interface Async65
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 cdp enable
!
interface Serial0/0.1 point-to-point
 bandwidth 64
 frame-relay interface-dlci 301 IETF
 bridge-group 1
!
interface Serial0/0.2 point-to-point
 bandwidth 32
 ip address 10.1.250.166 255.255.255.252
 frame-relay interface-dlci 207 IETF
 crypto map Serial0/0.2
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Async65
 description PHONE NO. 26972489
 ip address 10.1.250.26 255.255.255.252
 encapsulation ppp
 ip ospf network broadcast
 dialer in-band
 dialer map ip 10.1.250.25 name STK modem-script dialout broadcast 27203657
 dialer-group 1
 async default routing
 async dynamic routing
 async mode dedicated
 fair-queue 64 32 0
 pulse-time 1
 ppp authentication chap
 ppp chap hostname HQ
 ppp chap password 7 052A202B
!
interface BVI1
 bandwidth 128
 ip address 10.1.250.70 255.255.255.252
 ip ospf network point-to-point
 ip ospf priority 0
 crypto map Serial0/0.1
!
router ospf 1
 log-adjacency-changes
 passive-interface FastEthernet0/0
 network 10.1.0.0 0.0.255.255 area 1
!
ip kerberos source-interface any
ip classless
no ip http server
!
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 104 permit ip 10.1.18.0 0.0.0.255 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip list 1
!
bridge cmf
bridge 1 protocol dec
bridge 1 route ip
!
dial-peer cor custom
!
!
!
!
banner motd ^CC
AFCD NT South Animal Management Centre!!!
^C
!
line con 0
 transport input none
line aux 0
 exec-timeout 0 0
 script startup reset
 script reset reset
 modem InOut
 transport input all
 stopbits 1
 speed 38400
 flowcontrol hardware
line vty 0 4
 exec-timeout 60 0
 password 7
 login
!
no scheduler allocate
ntp clock-period 17179778
ntp server 10.1.252.5
ntp server 10.1.252.6 prefer
end
03-30-2003 07:41 PM
Reapply the crypto map to the serial interface also, then on both the serial and the BVI do "no ip route-cache" and see if that works. There are lots of bugs in 12.1 code with fast switching and IPSec and virtual interfaces.
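As an added example (not code from the thread or from Cisco), the following Python script turns the last reply's advice into a repeatable config check: it parses the interface blocks of an IOS running-config, finds every BVI that carries a crypto map, looks up the physical interfaces that are members of the same bridge group, and reports which of those interfaces still lack the crypto map or still have fast switching enabled (no "no ip route-cache"). The CONFIG text is a constructed sample, trimmed from the posted config and indented the way IOS prints it; the remediation it emits is exactly the change the reply recommends, so it can be pasted into configuration mode after review.

```python
"""Audit an IOS config for a crypto map applied to a BVI whose bridge-group
members do not carry the same map, and emit the remediation suggested in
the thread (map on both BVI and physical interface, plus `no ip route-cache`).

Added example, not from the original thread. CONFIG is a constructed sample
trimmed from the config posted above."""

from typing import Dict, List, Tuple

# Constructed sample: only the blocks relevant to the IRB/crypto question.
CONFIG = """\
bridge irb
!
interface Serial0/0.1 point-to-point
 bandwidth 64
 frame-relay interface-dlci 301 IETF
 bridge-group 1
!
interface Serial0/0.2 point-to-point
 bandwidth 32
 ip address 10.1.250.166 255.255.255.252
 frame-relay interface-dlci 207 IETF
 crypto map Serial0/0.2
!
interface BVI1
 bandwidth 128
 ip address 10.1.250.70 255.255.255.252
 crypto map Serial0/0.1
!
bridge 1 route ip
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every `interface` block.

    Sub-commands are the indented lines that follow an `interface` line;
    a `!` or any other top-level line ends the block."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split()[1]          # e.g. "Serial0/0.1", "BVI1"
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_bvi_crypto(interfaces: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """For each BVI with a crypto map, check the BVI itself and every
    `bridge-group N` member for (a) the same crypto map and (b)
    `no ip route-cache`. Returns [(interface, [missing commands])]."""
    findings: List[Tuple[str, List[str]]] = []
    for name, cmds in interfaces.items():
        if not name.startswith("BVI"):
            continue
        group = name[len("BVI"):]                  # BVI1 -> bridge group "1"
        cmap = next((c.split()[2] for c in cmds if c.startswith("crypto map ")), None)
        if cmap is None:
            continue                                # no IPSec on this BVI
        # Exact membership test so "bridge-group 1" does not match "bridge-group 10".
        members = [n for n, c in interfaces.items() if f"bridge-group {group}" in c]
        for target in [name] + members:
            missing = []
            if f"crypto map {cmap}" not in interfaces[target]:
                missing.append(f"crypto map {cmap}")
            if "no ip route-cache" not in interfaces[target]:
                missing.append("no ip route-cache")
            if missing:
                findings.append((target, missing))
    return findings


def remediation(findings: List[Tuple[str, List[str]]]) -> List[str]:
    """Render findings as IOS configuration-mode lines."""
    lines: List[str] = []
    for iface, cmds in findings:
        lines.append(f"interface {iface}")
        lines.extend(f" {c}" for c in cmds)
    return lines


if __name__ == "__main__":
    for line in remediation(audit_bvi_crypto(parse_interfaces(CONFIG))):
        print(line)
```

Run against the sample, the script flags Serial0/0.1 (the bridge-group 1 member) as missing both the crypto map and "no ip route-cache", and BVI1 as missing only "no ip route-cache". It checks intent, not operation: after applying the change, the Encrypt column of "show crypto engine connection active" is still the thing to watch.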