09-12-2003 02:38 AM - edited 02-21-2020 12:46 PM
I have the following question.
We have set up an IPSEC VPN between two Cisco 1601 routers.
Following the example in Cisco's documentation (ipsec dialerwatch), we have been able to configure an ISDN DDR backup.
The problem is that, as far as I understand, when the ISDN backup is up all the traffic is still encrypted. This is a problem because even if there is no user traffic, the IPSEC management traffic keeps the ISDN line on.
How can we configure the routers to have the traffic encrypted only over the Ethernet and not the ISDN?
Thanks
09-18-2003 06:11 AM
If you succeed in doing what you are trying, you shall be compromising your data security. When the primary fails, the sensitive data being transmitted over the backup link will be vulnerable to snooping and tampering. Your entire investment in deploying a VPN solution over the primary would have been (pretty much) a waste.
What you need to concentrate on is what kind of management traffic keeps the ISDN link up. One possibility is the routing protocol running on your network. For that you will need to configure snapshot routing (DV protocols) or OSPF demand circuit. Please see http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a008009454e.shtml and http://www.cisco.com/en/US/tech/tk365/tk480/technologies_tech_note09186a0080094a8f.shtml
10-08-2003 07:23 AM
Here is a config that may work for you:
Current configuration : 3679 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname HOSTNAME
!
boot system flash flash:c1700-k9o3sy7-mz.122-15.T5.bin
logging queue-limit 100
!
username USERNAME password 0 PASSWORD
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name DOMAIN.NET
!
ip inspect name INET tcp timeout 28800
ip inspect name INET udp timeout 100
ip audit notify log
ip audit po max-events 100
!
isdn switch-type basic-ni
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key ISAKMPKEY address x.x.x.197
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
mode transport
!
crypto map CMAP local-address Ethernet0
crypto map CMAP 10 ipsec-isakmp
set peer 200.199.198.197
set transform-set TSET
match address 110
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Tunnel0
ip address 192.168.254.34 255.255.255.252
no ip route-cache
no ip mroute-cache
tunnel source Ethernet0
tunnel destination x.x.198.197
crypto map CMAP
!
interface BRI0
no ip address
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 61677777770101 7777777
isdn spid2 61688888880101 8888888
isdn send-alerting
isdn sending-complete
no fair-queue
ppp authentication chap
ppp multilink
!
interface Ethernet0
desc EXTERNAL
ip address x.x.x.97 255.255.255.0
ip access-group 199 in
no ip proxy-arp
ip nat outside
ip inspect INET out
no ip route-cache
no ip mroute-cache
half-duplex
no cdp enable
crypto map CMAP
!
interface FastEthernet0
desc INTERNAL
ip address 192.168.14.1 255.255.255.0
ip helper-address 192.168.12.5
ip nat inside
speed auto
!
interface Dialer1
ip address 192.168.254.38 255.255.255.252
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name REMOTENAME
dialer idle-timeout 3600
dialer string 2695555555
dialer string 2696666666
dialer load-threshold 1 outbound
dialer-group 1
no fair-queue
ppp authentication chap
ppp multilink
!
router eigrp 100
network 192.168.14.0
network 192.168.254.32 0.0.0.3
network 192.168.254.36 0.0.0.3
no auto-summary
!
ip nat inside source route-map NONAT interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.99.98.1
ip route 192.168.12.0 255.255.255.0 192.168.254.37 250
no ip http server
no ip http secure-server
!
!
!
access-list 100 remark NAT
access-list 100 deny ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 any
access-list 110 remark CryptoACL
access-list 110 permit gre host x.x.x.97 host 200.199.198.197
access-list 198 remark Dialer
access-list 198 deny eigrp any any
access-list 198 permit ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 remark Outside
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit gre host 200.199.198.197 host 100.99.98.97
access-list 199 deny tcp any range 1 65535 any range 1 65535 log
access-list 199 deny udp any range 1 65535 any range 1 65535 log
access-list 199 deny ip any any log
dialer-list 1 protocol ip list 198
!
route-map NONAT permit 10
match ip address 100
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
password PASSWORD
!
end
When the VPN goes down, EIGRP updates will cease, causing the floating static to trigger the dialer. VPN and EIGRP come back up, traffic begins using the tunnel as that route is more attractive, and the ISDN times out.
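The two answers above turn on how IOS classifies packets against the three access-lists: ACL 110 decides what the crypto map encrypts, ACL 198 (via dialer-list 1) decides what is "interesting" and resets the ISDN idle timer, and ACL 199 filters what the outside interface accepts. The following Python script, added here as an illustration and not code from Cisco or from either poster, implements a small first-match evaluator with IOS wildcard semantics and runs constructed sample packets through the posted entries. It shows why the `deny eigrp any any` line in ACL 198 stops routing hellos from keeping the call up, why the GRE tunnel packets never count as interesting traffic, and why the cleartext user flow itself is not what ACL 110 matches (only the GRE carrier is). The local public address, masked as x.x.x.97 in the post, is assumed to be 100.99.98.97, the host that ACL 199 names; the packets and the timeline are constructed.

```python
"""Cisco-style extended ACL evaluator, constructed for the backup-link thread above.

Not Cisco code. Assumption: the masked local address x.x.x.97 is 100.99.98.97,
the host named in the posted ACL 199.  Packets and timeline are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": 500}

# Entries as they appear in the posted config (the ACL 110 address is assumed).
ACL_TEXT = """
access-list 110 permit gre host 100.99.98.97 host 200.199.198.197
access-list 198 deny eigrp any any
access-list 198 permit ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit gre host 200.199.198.197 host 100.99.98.97
access-list 199 deny tcp any range 1 65535 any range 1 65535 log
access-list 199 deny udp any range 1 65535 any range 1 65535 log
access-list 199 deny ip any any log
"""


def _ip(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Packet:
    proto: str                  # tcp, udp, gre, esp, eigrp
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple                  # (address, wildcard) ints; IOS wildcard bits are "don't care"
    dst: tuple
    sports: Optional[tuple]     # (low, high) or None when the entry has no port clause
    dports: Optional[tuple]
    log: bool


def _addr(tokens):
    """Consume one address clause plus an optional eq/range port clause."""
    if tokens[0] == "any":
        spec, rest = (0, 0xFFFFFFFF), tokens[1:]
    elif tokens[0] == "host":
        spec, rest = (_ip(tokens[1]), 0), tokens[2:]
    else:
        spec, rest = (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    ports = None
    if rest and rest[0] == "eq":
        p = PORT_NAMES.get(rest[1]) or int(rest[1])
        ports, rest = (p, p), rest[2:]
    elif rest and rest[0] == "range":
        ports, rest = (int(rest[1]), int(rest[2])), rest[3:]
    return spec, ports, rest


def parse_acls(text: str) -> dict:
    """Return {acl_number: [Entry, ...]} in configured order (first match wins)."""
    acls: dict = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] == "remark":
            continue
        num, action, proto = int(tok[1]), tok[2], tok[3]
        src, sports, rest = _addr(tok[4:])
        dst, dports, rest = _addr(rest)
        acls.setdefault(num, []).append(Entry(action, proto, src, dst, sports, dports, "log" in rest))
    return acls


def _addr_match(spec, ip):
    addr, wc = spec
    return (ip & ~wc & 0xFFFFFFFF) == (addr & ~wc & 0xFFFFFFFF)


def _port_match(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def lookup(entries, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if (_addr_match(e.src, _ip(pkt.src)) and _addr_match(e.dst, _ip(pkt.dst))
                and _port_match(e.sports, pkt.sport) and _port_match(e.dports, pkt.dport)):
            return e.action
    return "deny"


ACLS = parse_acls(ACL_TEXT)


def encrypted(pkt: Packet) -> bool:       # crypto map CMAP ... match address 110
    return lookup(ACLS[110], pkt) == "permit"


def interesting(pkt: Packet) -> bool:     # dialer-list 1 protocol ip list 198
    return lookup(ACLS[198], pkt) == "permit"


def outside_inbound(pkt: Packet) -> str:  # ip access-group 199 in (Ethernet0)
    return lookup(ACLS[199], pkt)


def isdn_drop_time(timeline, idle_timeout=3600) -> int:
    """Second at which 'dialer idle-timeout' fires: only interesting packets reset it."""
    last = 0
    for t, pkt in timeline:
        if interesting(pkt):
            last = t
    return last + idle_timeout


# Constructed sample packets.
EIGRP_HELLO = Packet("eigrp", "192.168.254.38", "224.0.0.10")
USER_FLOW = Packet("tcp", "192.168.14.20", "192.168.12.5", 40000, 445)
GRE_TO_PEER = Packet("gre", "100.99.98.97", "200.199.198.197")
ISAKMP_IN = Packet("udp", "200.199.198.197", "100.99.98.97", 500, 500)
WEB_PROBE = Packet("tcp", "203.0.113.9", "100.99.98.97", 51515, 80)

if __name__ == "__main__":
    for name, p in [("EIGRP hello", EIGRP_HELLO), ("user flow", USER_FLOW), ("GRE carrier", GRE_TO_PEER)]:
        print(f"{name:12} interesting={interesting(p)} encrypted={encrypted(p)}")
    print("inbound ISAKMP:", outside_inbound(ISAKMP_IN), "| inbound tcp/80 probe:", outside_inbound(WEB_PROBE))
    print("ISDN drops at t =", isdn_drop_time([(0, USER_FLOW), (5, EIGRP_HELLO), (100, USER_FLOW), (105, EIGRP_HELLO)]))
```

Running it shows that a user packet between the two LANs is interesting but not itself matched by the crypto ACL (it is the GRE carrier that gets encrypted), that EIGRP hellos are neither interesting nor encrypted, and that the idle timer expires 3600 seconds after the last user packet regardless of how many hellos follow. That is the property the first reply asks you to check for: whatever management traffic you see on the dialer, it must fall under a `deny` in the dialer list, or it will hold the call open.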