Velocity Reviews - Computer Hardware Reviews

Redundant Routes in IPSec VPNs, ISDN Backup

 
 
Manfred
04-29-2004
Hi all,
I looked for a solution to back up my IPSec VPN with an ISDN backup using a "Floating Static" and came across the document "Redundant Routes in IPSec VPNs" by Vincent C. Jones. I set up two PIX and two WAN routers in a real environment for testing, as in the white paper. After installing the routers and PIX, BGP runs well and distributes the necessary routing information; routing is OK and I can reach all resources in both networks. If I break the VPN connection, the ISDN dialup comes up without problems. The single problem is that no packet is routed over the active ISDN backup. I compared my configuration with Vincent's configuration and made some debugs, but I can't find any failure and have no idea where the misconfig could be. I have attached the "running configurations" and "show version" of both routers.

So long
Manfred

Remote System

REMOTE#sh run
version 11.2
hostname REMOTE
!
username CENTRAL password 0 test1
no ip domain-lookup
isdn switch-type basic-net3
!
interface Ethernet0
 ip address 10.22.1.2 255.255.0.0
 no ip redirects
 ip route-cache same-interface
!
interface BRI0
 description ISDN-Einwahl Centrallocation
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no keepalive
 dialer rotary-group 0
 dialer-group 1
!
interface Dialer0
 description Dialer fuer Centrallocation
 ip address 192.168.50.22 255.255.255.0
 no ip mroute-cache
 encapsulation ppp
 no ip route-cache
 dialer in-band
 dialer map ip 192.168.50.50 name CENTRAL 12345678
 dialer-group 1
 ppp authentication chap
!
router bgp 65500
 no synchronization
 network 10.22.0.0 mask 255.255.0.0
 timers bgp 5 16
 neighbor 10.13.1.8 remote-as 65500
 neighbor 10.13.1.8 update-source Ethernet0
 neighbor 10.13.1.8 route-map vpn_central in
!
no ip classless
ip route 0.0.0.0 0.0.0.0 10.22.1.1
ip route 10.13.0.0 255.255.0.0 192.168.50.50 210
ip route 10.13.1.8 255.255.255.255 10.22.1.1 3
ip route 192.168.50.50 255.255.255.255 Dialer0
route-map vpn_central permit 10
 set ip next-hop 10.22.1.1
!
dialer-list 1 protocol ip permit
!
end

REMOTE#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 11.2(9), RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 22-Sep-97 21:31 by ckralik
Image text-base: 0x0302EB70, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

REMOTE uptime is 3 weeks, 1 day, 51 minutes
System restarted by power-on
System image file is "flash:c2500-is-l.112-9", booted via flash

cisco 2500 (68030) processor (revision N) with 2048K/2048K bytes of memory.
Processor board ID 06929956, with hardware revision 00000001
Bridging software.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Basic Rate ISDN software, Version 1.0.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

Central System

CENTRAL#sh run
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CENTRAL
!
username REMOTE password 0 test1
!
ip subnet-zero
!
isdn switch-type basic-net3
!
interface TokenRing0
 ip address 10.13.1.8 255.255.0.0
 no ip redirects
 ip route-cache same-interface
 ring-speed 16
 multiring all
!
interface BRI0
 description ISDN-Einwahl Remotelocation
 no ip address
 encapsulation ppp
 dialer rotary-group 0
 dialer-group 1
 isdn switch-type basic-net3
 no cdp enable
!
interface Dialer0
 description Dialer fuer Remotelocation
 ip address 192.168.50.50 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer in-band
 dialer map ip 192.168.50.22 name REMOTE
 dialer-group 1
 no cdp enable
 ppp authentication chap
!
router bgp 65500
 no synchronization
 no bgp log-neighbor-changes
 network 10.13.0.0 mask 255.255.0.0
 timers bgp 5 16
 neighbor 10.22.1.2 remote-as 65500
 neighbor 10.22.1.2 update-source TokenRing0
 neighbor 10.22.1.2 route-map vpn_location in
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.13.25.200
ip route 10.22.0.0 255.255.0.0 192.168.50.22 210
ip route 10.22.1.2 255.255.255.255 10.13.25.200 3
ip route 192.168.50.22 255.255.255.255 Dialer0
no ip http server
!
dialer-list 1 protocol ip permit
route-map vpn_location permit 10
 set ip next-hop 10.13.25.200
!
end

CENTRAL#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 4000 Software (C4000-IS-M), Version 12.1(17), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 03-Sep-02 16:32 by kellythw
Image text-base: 0x00012000, data-base: 0x0097C7F8

ROM: System Bootstrap, Version 4.14(7), SOFTWARE

CENTRAL uptime is 3 weeks, 1 day, 2 hours, 57 minutes
System returned to ROM by power-on
System image file is "flash:c4000-is-mz.121-17.bin"

cisco 4000 (68030) processor (revision 0xC0) with 32768K/4096K bytes of memory.
Processor board ID 5054057
G.703/E1 software, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
1 Token Ring/IEEE 802.5 interface(s)
4 ISDN Basic Rate interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
 
Vincent C Jones
05-03-2004
In article <(E-Mail Removed) >,
Manfred <(E-Mail Removed)> wrote:

As you can tell from the lack of responses, nothing obvious is wrong
with your configuration.

Are you allowing time for the floating static route to float into
action? (Floating static routes are only updated during per-minute
processing unless there is a hardware status change.)

What does "show ip route" say on both routers when the VPN is down
and ISDN is up?

Good luck and good hunting!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ  Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and control their networking destiny
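To make the "show ip route" check concrete, here is an added Python model of REMOTE's routing table built from the configuration above (this is not code from the thread or from the white paper). It assumes IOS default administrative distances (connected 0, static 1 unless given, iBGP 200) and that the BGP-learned 10.13.0.0/16 arrives with next hop 10.22.1.1 as set by route-map vpn_central; it shows which route should win for a host behind CENTRAL and for the BGP peer itself with the VPN up and down.

```python
import ipaddress

# Added model of an IOS RIB (not code from the thread or the white paper).
# Selection: longest prefix match first, then lowest administrative distance.
# Assumed IOS defaults: connected 0, static 1 unless a distance is given, iBGP 200.

def route(prefix, next_hop, ad, src):
    return {"prefix": ipaddress.ip_network(prefix), "nh": next_hop, "ad": ad, "src": src}

def best_route(rib, dst):
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in rib if dst in r["prefix"]]
    if not candidates:
        return None
    longest = max(r["prefix"].prefixlen for r in candidates)
    return min((r for r in candidates if r["prefix"].prefixlen == longest),
               key=lambda r: r["ad"])

def resolve(rib, dst, depth=0):
    """Follow next hops recursively until an outgoing interface is found."""
    r = best_route(rib, dst)
    if r is None or depth > 8:
        return None
    if not r["nh"][0].isdigit():      # next hop is an interface name, e.g. Dialer0
        return r["nh"]
    return resolve(rib, r["nh"], depth + 1)

# REMOTE's connected and static routes, taken from its configuration in the thread.
REMOTE_RIB = [
    route("10.22.0.0/16", "Ethernet0", 0, "connected"),
    route("192.168.50.0/24", "Dialer0", 0, "connected"),
    route("0.0.0.0/0", "10.22.1.1", 1, "static"),
    route("10.13.1.8/32", "10.22.1.1", 3, "static"),        # pins the BGP peer to the VPN path
    route("192.168.50.50/32", "Dialer0", 1, "static"),      # makes the floating static dial out
    route("10.13.0.0/16", "192.168.50.50", 210, "floating static"),
]
# 10.13.0.0/16 as learned over the VPN: iBGP, next hop rewritten by route-map vpn_central
BGP_ROUTE = route("10.13.0.0/16", "10.22.1.1", 200, "iBGP")

def path_to(dst, vpn_up):
    """Return (route source, next hop, outgoing interface) for dst on REMOTE."""
    rib = REMOTE_RIB + ([BGP_ROUTE] if vpn_up else [])
    r = best_route(rib, dst)
    return r["src"], r["nh"], resolve(rib, dst)

if __name__ == "__main__":
    for host in ("10.13.5.5", "10.13.1.8"):     # a host behind CENTRAL, and the BGP peer
        for up in (True, False):
            print(host, "VPN up" if up else "VPN down", path_to(host, up))
```

With the BGP session gone, 10.13.0.0/16 should appear as the AD 210 static via 192.168.50.50 resolving to Dialer0, while 10.13.1.8/32 stays pinned to 10.22.1.1 so the peering does not re-establish over ISDN; if the real "show ip route" output differs from this, that is where to look.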
 