Urgent help: ISDN backup for VPN -- Router configs

pax_2111
Level 1

Hi,

Would anyone care to have a look at the configs of the routers and tell me what's wrong? I described the task I'm trying to solve and the problems in a previous message.

I'll greatly appreciate it.

----------

router 1

-----------

!
version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname r1
!
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
username r2 password 7 XXXXXX
ip subnet-zero
!
!
interface Tunnel1
 ip address 192.168.3.1 255.255.255.0
 ip mtu 1440
 tunnel source 117.27.36.229
 tunnel destination 117.27.34.230
!
interface Ethernet0/0
 ip address 117.27.36.221 255.255.255.248
 no ip redirects
 no ip proxy-arp
 half-duplex
 no cdp enable
!
interface Serial0/0
 bandwidth 512
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type q933a
!
interface Serial0/0.1 point-to-point
 bandwidth 512
 ip address 117.27.36.229 255.255.255.252
 no cdp enable
 frame-relay interface-dlci 20 IETF
!
interface BRI1/2
 no ip address
 encapsulation ppp
 no logging event link-status
 dialer pool-member 5
 isdn switch-type basic-net3
 isdn incoming-voice data
 no cdp enable
!
interface Dialer3
 description Remote access
 ip address 192.168.10.2 255.255.255.0
 encapsulation ppp
 ip ospf cost 9999
 dialer pool 5
 dialer string 1111111
 dialer-group 2
 no peer neighbor-route
 no peer default ip address
 pulse-time 0
 no cdp enable
 ppp authentication pap
 ppp pap sent-username r1 password 7 XXXXXXXXXX
!
router ospf 100
 no log-adjacency-changes
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 217.27.36.216 0.0.0.7 area 0
!
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 0.0.0.0 0.0.0.0 Dialer3 200
ip route 192.168.10.3 255.255.255.255 Dialer3
no ip http server
ip pim bidir-enable
!
access-list 120 deny ospf any any
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip list 120

------------

router 2

------------

!
version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname r2
!
aaa new-model
aaa authentication login default local
!
username r1 password 7 XXXXXXXXXX
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.5.0 10.1.5.15
ip dhcp excluded-address 10.1.5.250 10.1.5.255
!
ip dhcp pool dyn
 network 10.1.5.0 255.255.255.0
 default-router 10.1.5.251
 netbios-node-type h-node
 netbios-name-server 10.1.1.200
 domain-name aeolos.com
 dns-server 119.237.32.197 119.237.32.196
 lease 0 1
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 authentication pre-share
 lifetime 72000
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key XXXXXXX address 117.27.36.222
!
!
crypto ipsec transform-set nichqset ah-sha-hmac esp-des
!
crypto map cmap 12 ipsec-isakmp
 set peer 117.27.36.222
 set security-association lifetime seconds 72000
 set transform-set nichqset
 match address 102
isdn switch-type basic-net3
!
interface Tunnel0
 ip address 192.168.3.2 255.255.255.0
 ip mtu 1440
 tunnel source 117.27.34.230
 tunnel destination 117.27.36.229
!
interface Ethernet0/0
 description Local Area Network
 ip address 10.1.5.251 255.255.255.0
 ip nat inside
 rate-limit output 128000 16000 16000 conform-action set-prec-transmit 1 exceed-action set-prec-transmit 0
 half-duplex
!
interface Serial0/0
 description Frame Relay Link
 bandwidth 512
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type q933a
!
interface Serial0/0.1 point-to-point
 description PVC to Anywhere
 bandwidth 512
 ip address 117.27.34.230 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no arp frame-relay
 no cdp enable
 frame-relay class frl
 frame-relay interface-dlci 20 IETF
 crypto map cmap
!
interface BRI0/0
 description Remote access for Limassol Office 25 818410
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 isdn incoming-voice data
 no peer default ip address
 no fair-queue
 no cdp enable
 ppp authentication pap
!
interface Dialer0
 ip address 192.168.10.3 255.255.255.0
 encapsulation ppp
 no ip route-cache
 ip ospf cost 9999
 no ip mroute-cache
 dialer pool 1
 dialer remote-name r1
 dialer string 1111111111
 dialer hold-queue 10
 dialer watch-group 10
 dialer-group 2
 no peer neighbor-route
 no fair-queue
 no cdp enable
 ppp authentication pap
 ppp pap sent-username r2 password XXXXXXXXXX
 crypto map cmap
!
router ospf 100
 no log-adjacency-changes
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
ip nat inside source route-map nonat interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 117.27.34.229
ip route 0.0.0.0 0.0.0.0 Dialer0 200
ip route 192.168.10.0 255.255.255.0 Dialer0
ip route 117.27.32.0 255.255.240.0 Serial0/0.1
no ip http server
!
!
map-class frame-relay frl
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
access-list 100 permit ip host 10.1.1.1 any
access-list 102 permit ip 10.1.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 deny ip any any
access-list 130 deny ip 10.1.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 10.1.5.0 0.0.0.255 any
dialer watch-list 10 ip 117.27.36.216 255.255.255.248
dialer-list 2 protocol ip list 120
route-map nonat permit 10
 match ip address 130
!

2 Replies

yusuff
Cisco Employee

Your configs don't seem to be correct.

First of all there is no IPSec configuration on router1 ??

router2 is peering with 117.27.36.222, which router is this, is it router1 ???? doesn't look like! are you doing IPSec b/w these 2 routers ??

Anyways, you can use following URL as a template to achieve your objective

http://www.cisco.com/warp/public/707/ipsec_dialerwatch.html

HTH

R/Yusuf

That's the whole difficulty I'm facing. router 1 is not doing IPSec with router 2.

A PIX behind router 1 is doing IPSec with router 2.

The configs are correct, as IPSec is operational.

The URL you mentioned doesn't apply to my case because of PIX and NAT.

Thanx anyhow.
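The question raised in the first reply, which device owns router 2's IPsec peer address, can be checked directly from the posted addresses. The following is an added example, not part of the thread: the function names are hypothetical, and the config lines are copied from the two configs above.

```python
import ipaddress
# Lines copied from the configs posted in this thread (only what the check needs).
R1 = """\
interface Tunnel1
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/0
 ip address 117.27.36.221 255.255.255.248
interface Serial0/0.1 point-to-point
 ip address 117.27.36.229 255.255.255.252
interface Dialer3
 ip address 192.168.10.2 255.255.255.0
"""
R2 = """\
crypto map cmap 12 ipsec-isakmp
 set peer 117.27.36.222
interface Tunnel0
 tunnel destination 117.27.36.229
"""

def interfaces(cfg):
    """Map interface name -> IPv4Interface for each 'ip address' line."""
    found, name = {}, None
    for words in map(str.split, cfg.splitlines()):
        if words[:1] == ["interface"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            found[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return found

def remote_endpoints(cfg):
    """Collect IPsec peers and GRE tunnel destinations as {address: kind}."""
    ends = {}
    for words in map(str.split, cfg.splitlines()):
        if words[:2] == ["set", "peer"]:
            ends[ipaddress.ip_address(words[2])] = "ipsec peer"
        elif words[:2] == ["tunnel", "destination"]:
            ends[ipaddress.ip_address(words[2])] = "gre destination"
    return ends

def locate(addr, ifaces):
    """Return (interface, role) if addr sits on an attached subnet, else None."""
    for name, ifc in ifaces.items():
        if addr in ifc.network:
            return name, ("router itself" if addr == ifc.ip else "attached host")
    return None

def report(local_cfg, remote_cfg):
    ifaces = interfaces(remote_cfg)
    return {str(a): (k, locate(a, ifaces)) for a, k in remote_endpoints(local_cfg).items()}
```

`report(R2, R1)` places 117.27.36.222 on router 1's Ethernet0/0 subnet as a host other than the router, while the GRE destination 117.27.36.229 is router 1's own Serial0/0.1 address.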