
IPSEC DDR ISDN BACKUP

scolombo
Cisco Employee

I have the following question.

We have set up an IPsec VPN between two Cisco 1601s.

Following the example in Cisco's documentation (IPsec dialer watch), we have been able to configure an ISDN DDR backup.

The problem is that, as far as I understand, when the ISDN backup is up all the traffic is still encrypted. This is a problem because even if there is no user traffic, the IPsec management traffic keeps the ISDN line on.

How can we configure the routers to have the traffic encrypted only over the Ethernet and not the ISDN?

Thanks

2 Replies

jsivulka
Level 5

If you succeed in doing what you are trying, you shall be compromising your data security. When the primary fails, the sensitive data being transmitted over the backup link will be vulnerable to snooping and tampering. Your entire investment in deploying a VPN solution over the primary would have been (pretty much) a waste.

What you need to concentrate on is what kind of management traffic keeps the ISDN link up. One possibility is the routing protocol running on your network. For that you will need to configure snapshot routing (DV protocols) or OSPF demand circuit. Please see http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a008009454e.shtml and http://www.cisco.com/en/US/tech/tk365/tk480/technologies_tech_note09186a0080094a8f.shtml

JOSH GANT
Level 1

Here is a config that may work for you:

Current configuration : 3679 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname HOSTNAME
!
boot system flash flash:c1700-k9o3sy7-mz.122-15.T5.bin
logging queue-limit 100
!
username USERNAME password 0 PASSWORD
aaa new-model
!
aaa session-id common
ip subnet-zero
!
no ip domain lookup
ip domain name DOMAIN.NET
!
ip inspect name INET tcp timeout 28800
ip inspect name INET udp timeout 100
ip audit notify log
ip audit po max-events 100
!
isdn switch-type basic-ni
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key ISAKMPKEY address x.x.x.197
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode transport
!
! The crypto map is applied to Tunnel0 and Ethernet0 only. Dialer1 carries no
! crypto map, so anything routed over the ISDN backup leaves in cleartext.
crypto map CMAP local-address Ethernet0
crypto map CMAP 10 ipsec-isakmp
 set peer 200.199.198.197
 set transform-set TSET
 match address 110
!
interface Loopback0
 no ip address
 shutdown
!
interface Tunnel0
 ip address 192.168.254.34 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 tunnel source Ethernet0
 tunnel destination x.x.198.197
 crypto map CMAP
!
interface BRI0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 61677777770101 7777777
 isdn spid2 61688888880101 8888888
 isdn send-alerting
 isdn sending-complete
 no fair-queue
 ppp authentication chap
 ppp multilink
!
interface Ethernet0
 description EXTERNAL
 ip address x.x.x.97 255.255.255.0
 ip access-group 199 in
 no ip proxy-arp
 ip nat outside
 ip inspect INET out
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map CMAP
!
interface FastEthernet0
 description INTERNAL
 ip address 192.168.14.1 255.255.255.0
 ip helper-address 192.168.12.5
 ip nat inside
 speed auto
!
interface Dialer1
 ip address 192.168.254.38 255.255.255.252
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer remote-name REMOTENAME
 dialer idle-timeout 3600
 dialer string 2695555555
 dialer string 2696666666
 dialer load-threshold 1 outbound
 dialer-group 1
 no fair-queue
 ppp authentication chap
 ppp multilink
!
router eigrp 100
 network 192.168.14.0
 network 192.168.254.32 0.0.0.3
 network 192.168.254.36 0.0.0.3
 no auto-summary
!
ip nat inside source route-map NONAT interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.99.98.1
! Floating static (AD 250) to the remote LAN via Dialer1; it is only installed
! once the EIGRP route (AD 90) learned over Tunnel0 has gone.
ip route 192.168.12.0 255.255.255.0 192.168.254.37 250
no ip http server
no ip http secure-server
!
access-list 100 remark NAT
access-list 100 deny ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 any
access-list 110 remark CryptoACL
access-list 110 permit gre host x.x.x.97 host 200.199.198.197
! EIGRP is excluded from interesting traffic so that routing hellos sent over
! the ISDN link do not reset the dialer idle timer.
access-list 198 remark Dialer
access-list 198 deny eigrp any any
access-list 198 permit ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 remark Outside
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit gre host 200.199.198.197 host 100.99.98.97
access-list 199 deny tcp any range 1 65535 any range 1 65535 log
access-list 199 deny udp any range 1 65535 any range 1 65535 log
access-list 199 deny ip any any log
dialer-list 1 protocol ip list 198
!
route-map NONAT permit 10
 match ip address 100
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
 password PASSWORD
!
end

When the VPN goes down, EIGRP updates will cease, causing the floating static to trigger the dialer. When the VPN and EIGRP come back up, traffic begins using the tunnel, as that route is more attractive, and the ISDN times out.
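To make the two decisions in that config concrete, here is an added Python model (not code from the post, from Cisco, or from IOS) of what the crypto map and the dialer-list do to a few constructed flows. It transcribes ACLs 110 and 198 from the config above, substitutes RFC 5737 documentation addresses for the masked outside address and peer, and assumes the routing the post describes: traffic to 192.168.12.0/24 goes into Tunnel0 while EIGRP has the route, and out Dialer1 once the floating static takes over. ACL 199 and its port qualifiers are not modelled.

```python
# Added example: crypto-map and dialer-list decisions from the posted config,
# with constructed addresses in place of the masked ones. Not the post's code.
import ipaddress
from dataclasses import dataclass

LOCAL_OUTSIDE = "203.0.113.97"    # constructed stand-in for Ethernet0's x.x.x.97
REMOTE_PEER = "198.51.100.197"    # constructed stand-in for the IPsec/GRE peer

# Only the two ACLs the decisions depend on, transcribed from the config above.
ACL_TEXT = f"""
access-list 110 remark CryptoACL
access-list 110 permit gre host {LOCAL_OUTSIDE} host {REMOTE_PEER}
access-list 198 remark Dialer
access-list 198 deny eigrp any any
access-list 198 permit ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
"""

CRYPTO_MAP_INTERFACES = {"Ethernet0", "Tunnel0"}  # 'crypto map CMAP'; Dialer1 has none
CRYPTO_ACL = 110        # crypto map CMAP 10: match address 110
DIALER_LIST_ACL = 198   # dialer-list 1 protocol ip list 198


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str          # 'ip' matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    egress: str         # interface the packet is routed out of


def _parse_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acls(text):
    """Parse numbered extended ACL lines into {number: [Ace, ...]}; remarks are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue
        number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
        src, src_wild = _parse_spec(rest)
        dst, dst_wild = _parse_spec(rest)
        acls.setdefault(number, []).append(
            Ace(action == "permit", proto, src, src_wild, dst, dst_wild))
    return acls


def _addr_matches(addr, net, wild):
    """Cisco wildcard semantics: a set bit means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_permits(aces, flow):
    """First matching entry wins; every ACL ends with an implicit deny."""
    src, dst = (int(ipaddress.IPv4Address(a)) for a in (flow.src, flow.dst))
    for ace in aces:
        if (ace.proto in ("ip", flow.proto)
                and _addr_matches(src, ace.src, ace.src_wild)
                and _addr_matches(dst, ace.dst, ace.dst_wild)):
            return ace.permit
    return False


def forward(flow, acls):
    """Return (encrypted, interesting) for a flow routed out of flow.egress.

    Traffic routed into Tunnel0 is GRE-encapsulated between the outside address
    and the peer and really leaves on Ethernet0, where the crypto map sees it.
    Dialer1 has no crypto map, so the ISDN path is cleartext, and only traffic
    permitted by the dialer-list ACL resets the dialer idle timer.
    """
    wire = Flow("gre", LOCAL_OUTSIDE, REMOTE_PEER, "Ethernet0") if flow.egress == "Tunnel0" else flow
    encrypted = wire.egress in CRYPTO_MAP_INTERFACES and acl_permits(acls[CRYPTO_ACL], wire)
    interesting = wire.egress == "Dialer1" and acl_permits(acls[DIALER_LIST_ACL], wire)
    return encrypted, interesting


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed sample flows: a user session while EIGRP still routes it into
    # Tunnel0, the same session after the floating static moved it to Dialer1,
    # and an EIGRP hello (multicast 224.0.0.10) sent out of Dialer1.
    for f in (Flow("tcp", "192.168.14.10", "192.168.12.5", "Tunnel0"),
              Flow("tcp", "192.168.14.10", "192.168.12.5", "Dialer1"),
              Flow("eigrp", "192.168.254.38", "224.0.0.10", "Dialer1")):
        enc, intr = forward(f, acls)
        print(f"{f.proto:5} {f.src:>15} -> {f.dst:<15} via {f.egress:9} "
              f"encrypted={enc} interesting={intr}")
```

Running it shows both points made in the thread: the same user flow is GRE-encapsulated and encrypted when it leaves on Ethernet0 but cleartext once it is routed out of Dialer1 (jsivulka's warning), while the EIGRP hello on Dialer1 is neither encrypted nor interesting, so it cannot keep the ISDN call up by itself.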