Direct ISDN dial backup for VPN over Internet (ADSL link)

Discussion in 'Cisco' started by dbmasterguru@yahoo.de, Dec 3, 2004.

  1. Guest

    Hi folks,


    I would like to know if the following network setup/architecture
    is possible:

    - HQ/Central site (the hub) is connected to the Internet via leased
    line.
    It uses a static IP address.

    Router equipment: CISCO 2811 with built-in 8-port-ISDN-BRI-module


    - Multiple remote sites (the spokes) with dynamic IP addresses are
    connected to the Internet using dynamic IP addresses (PPPoE over
    ADSL).

    Router equipment: CISCO 836 ADSL/ISDN/VPN/Dial-Backup


    During normal service, the clients connect to an ISP over PPPoE/ADSL,
    get a dynamic IP address from the ISP and set up a VPN tunnel to
    the central site. Now the users "behind" the client-side router
    are able to communicate with computers in the HQ.

    In case of a problem (ISP has routing problems or VPN tunnels go down
    for whatever reason) the client should make a direct ISDN-call to
    the central site (MPPP) to bypass the public Internet.

    Is this setup possible?
    If yes: how can we learn how to do it? :)

    Cheers,
    DBM
     
    , Dec 3, 2004
    #1

  2. In article <>,
    <> wrote:
    >Hi folks,
    >
    >
    >I would like to know if the following network setup/architecture
    >is possible:
    >
    >- HQ/Central site (the hub) is connected to the Internet via leased
    >line.
    >It uses a static IP address.
    >
    >Router equipment: CISCO 2811 with built-in 8-port-ISDN-BRI-module
    >
    >
    >- Multiple remote sites (the spokes) with dynamic IP addresses are
    >connected to the Internet using dynamic IP addresses (PPPoE over
    >ADSL).
    >
    >Router equipment: CISCO 836 ADSL/ISDN/VPN/Dial-Backup
    >
    >
    >During normal service, the clients connect to an ISP over PPPoE/ADSL,
    >get a dynamic IP address from the ISP and set up a VPN tunnel to
    >the central site. Now the users "behind" the client-side router
    >are able to communicate with computers in the HQ.
    >
    >In case of a problem (ISP has routing problems or VPN tunnels go down
    >for whatever reason) the client should make a direct ISDN-call to
    >the central site (MPPP) to bypass the public Internet.
    >
    >Is this setup possible?
    >If yes: how can we learn how to do it? :)
    >
    >Cheers,
    >DBM


    Yes, this setup is possible. See the white paper on my web site on
    Redundant VPN's for an explanation of what it takes and a sample
    configuration.

    --
    Vincent C Jones, Consultant          Expert advice and a helping hand
    Networking Unlimited, Inc.           for those who want to manage and
    Tenafly, NJ   Phone: 201 568-7810    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Dec 6, 2004
    #2

  3. Guest

    Hi Vincent,


    thank you for your reply and the hint.


    As an alternative for using a dynamic routing protocol, we figured
    out another setup.


    1. Target: we need to get access from the headquarters to the FTP
    servers of 5 clients. There is no need for the 5 client sites to
    communicate with each other.


    2. All 3 client sites connect to the Internet using a CISCO 836 router
    via PPPoE/ADSL. Each client site gets a dynamic ip address from
    the ISP.
    The routers are also connected to an ISDN line which should
    be used as a backup to direct dial the headquarters.


    3. The headquarters is connected to the Internet and uses static
    IP addresses.


    4. Due to the strict security policy, the use of dynamic routing
    protocols on the firewall is not desirable.


    5. The central site contains 2 routers:


    cisco-vpn: directly connected to the Internet
    & endpoint for the VPN/GRE tunnel for the
    remote clients


    cisco-isdn: no direct Internet connection,
    provides 5 ISDN ports/lines for
    ISDN dial backup


    Here is a network diagram of the setup:

                            +----------+
                            |FTP client|
                            +-----+----+
                                  | Intranet
                            ------+-------
                                  |
                              +---+----+
                              |firewall|
                              +---+----+          HEADQUARTER ZONE
                                  |
                      -------+----+----------+--
                             |               |
                        +----+----+     +----+-----+
                        |cisco-vpn|     |cisco-isdn|
                        +----+----+     +----+-----+
                              \              /
      - - - - - - - - - - - - -\- - - - - - /- - - - - - - - - - -
                                \          /
                   IPSEC-Tunnel  \        /  ISDN-link
                   over           \      /   2 x 64 kbps
                   Internet        \    /
                                    \  /          CLIENT ZONE
                                     \/
                        +----++---+       +---++----+
                        |cisco-836|  ...  |cisco-836|
                        | client1 |  ...  | client3 |
                        +----+----+       +----+----+
                             |                 |
      net:10.10.10.0/24      |                 |      net:10.10.30.0/24
                      ----+--+-------     ---+--+-------
                          |                  |
                    +-----+------+     +-----+------+
                    | FTP-Server |     | FTP-Server |
                    | of client1 |     | of client2 |
                    | 10.10.10.1 |     | 10.10.30.1 |
                    +------------+     +------------+



    During normal service, the clients connect to an ISP over PPPoE/ADSL,
    get a dynamic IP address from the ISP and set up an IPSEC/GRE tunnel to
    the central site. Now the users in the headquarters are able to
    communicate with the FTP-server of the clients.

    In case of a problem (ISP has routing problems or VPN tunnels go down
    for whatever reason) the client should make a direct ISDN-call to
    the central site (MPPP) to bypass the public Internet.

    Due to the strict security policy we are not allowed to
    use dynamic routing protocols between the routers and
    the firewall in the HQ.

    Now the idea is to setup the HQ routers as following:

    The HQ routers cisco-vpn and cisco-isdn use MHSRP
    to provide the gateway IP address into the
    client's networks (10.10.x.0/24) for the firewall:

    - use a separate IPSEC/GRE tunnel for each client

    - enable IKE keepalive to bring the tunnel down
    when the IPSEC connection is "dead"

    - track the status of each tunnel interface
    using a separate HSRP group (multi-group HSRP)

    The IPSEC/GRE tunnels over the Internet from cisco-vpn
    to the client-side routers are the primary link/route.
    In case of a broken tunnel, HSRP takes over the gateway
    IP address for this client to cisco-isdn and cisco-isdn
    makes a direct ISDN call to the client-side router.

    On the client routers, we use static floating routes:

    - the primary route which points to the other
    end of the IPSEC/VPN tunnel

    - the secondary route (higher metric) points to
    the ISDN dialer interface and goes active when
    the IKE keepalive mechanism finds out that
    the IPSEC/VPN tunnel is down.

    What do you think about this setup?
    Will it work?

    Cheers,
    DBM
     
    , Jan 9, 2005
    #3
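Added example, not from the thread and not from the white paper Vincent refers to: a Cisco IOS configuration for one spoke, client1, spread over the three routers in the diagram and following the design described in the post above. Everything concrete in it is a placeholder or an assumption: HQ public address 203.0.113.1, HQ router segment 192.168.1.0/24 with the firewall at 192.168.1.1, an HQ intranet of 10.1.0.0/16, tunnel addressing 172.16.1.0/24, ISDN link addressing 172.17.1.0/24, ISDN numbers, interface names, the hostnames client1 and cisco-isdn (used as CHAP names), an already configured PPPoE Dialer0 on the 836, and a 12.3T-era IOS on all three boxes (mGRE with NHRP, tunnel protection, rtr/object tracking, tracked static routes, HSRP object tracking). Two deliberate departures from the post's wording: the hub uses one multipoint GRE interface with NHRP instead of a point-to-point tunnel per client, because a point-to-point GRE tunnel needs a fixed tunnel destination and the spokes' PPPoE addresses are dynamic; and tunnel health is tracked by an ICMP probe across the tunnel rather than by IKE keepalive alone, because IKE DPD removes the SAs but does not take the GRE tunnel interface down, so a static route pointing at that interface would never be withdrawn.

```cisco
! ---- cisco-vpn (HQ 2811, Internet-facing): IPsec-protected mGRE hub, one HSRP group per client ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3                   ! IKE DPD: drop the SAs of a dead peer
! spokes have dynamic addresses, so the PSK cannot be bound to a peer IP; one wildcard key is the weak point
crypto isakmp key CHANGE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set TS
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0           ! hub tunnel address (assumed)
 ip nhrp network-id 1
 tunnel source FastEthernet0/0                 ! interface holding 203.0.113.1 (assumed)
 tunnel mode gre multipoint                    ! spokes register their current address via NHRP
 tunnel protection ipsec profile GRE-PROT
rtr 1                                          ! probe client1 through the tunnel
 type echo protocol ipIcmpEcho 172.16.1.11
 frequency 10
rtr schedule 1 life forever start-time now
track 1 rtr 1 reachability
interface FastEthernet0/1                      ! HQ segment shared with the firewall
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.11                     ! firewall: 10.10.10.0/24 -> 192.168.1.11
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20                ! probe lost -> 90, below cisco-isdn's 100
 standby 1 authentication md5 key-string CHANGE-ME
ip route 10.10.10.0 255.255.255.0 172.16.1.11  ! client1 LAN via its tunnel address
! ---- cisco-isdn (HQ, no Internet): HSRP standby that dials client1 on demand ----
username client1 password CHANGE-ME            ! CHAP secret; client1 is the spoke's hostname
interface BRI0/0                               ! interface names are placeholders
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 dialer pool-member 1
 ppp authentication chap                       ! authenticate before binding to the profile
interface Dialer1
 ip address 172.17.1.1 255.255.255.0           ! ISDN link addressing (assumed)
 encapsulation ppp
 dialer pool 1
 dialer remote-name client1                    ! bind calls to the authenticated name
 dialer string 0123456789                      ! client1's ISDN number (placeholder)
 dialer-group 1
 ppp multilink                                 ! MPPP: both B channels
interface FastEthernet0/1
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.11
 standby 1 priority 100                        ! wins only after cisco-vpn decrements
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGE-ME
dialer-list 1 protocol ip list 110             ! only client1-bound traffic dials
access-list 110 permit ip any 10.10.10.0 0.0.0.255
ip route 10.10.10.0 255.255.255.0 Dialer1      ! ISDN path to client1 LAN
ip route 10.1.0.0 255.255.0.0 192.168.1.1      ! HQ intranet (assumed 10.1/16) via firewall
! ---- client1 (Cisco 836, PPPoE on Dialer0 assumed): tracked primary route, ISDN floating route ----
username cisco-isdn password CHANGE-ME
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3
crypto isakmp key CHANGE-ME address 203.0.113.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set TS
interface Tunnel0
 ip address 172.16.1.11 255.255.255.0
 ip nhrp map 172.16.1.1 203.0.113.1
 ip nhrp nhs 172.16.1.1                        ! register the current PPPoE address at the hub
 ip nhrp network-id 1
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
rtr 1                                          ! same probe, other direction
 type echo protocol ipIcmpEcho 172.16.1.1
 frequency 10
rtr schedule 1 life forever start-time now
track 1 rtr 1 reachability
interface BRI0
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 dialer pool-member 1
 ppp authentication chap
interface Dialer2
 ip address 172.17.1.11 255.255.255.0
 encapsulation ppp
 dialer pool 1
 dialer remote-name cisco-isdn
 dialer string 0987654321                      ! cisco-isdn's ISDN number (placeholder)
 dialer-group 2
 ppp multilink
dialer-list 2 protocol ip list 120
access-list 120 permit ip 10.10.10.0 0.0.0.255 10.1.0.0 0.0.255.255
ip route 10.1.0.0 255.255.0.0 172.16.1.1 track 1   ! primary: withdrawn when the probe fails
ip route 10.1.0.0 255.255.0.0 Dialer2 200          ! floating: only when the primary is gone
```

The firewall needs a static route for each 10.10.x.0/24 pointing at that client's HSRP address (192.168.1.11 for client1); with one HSRP group and one probe per client, only the client whose tunnel is dead moves to cisco-isdn, and only traffic matching access-list 110 brings up its ISDN call. Both ends probe the same tunnel path, so they fail over together, and the spoke's floating route is only a second metric entry, so its own dialing is likewise triggered only once the primary route has been withdrawn. The single wildcard pre-shared key on the hub is the weakest part of this configuration, since any holder of it can authenticate to the hub from any address; with more than a handful of spokes, rsa-sig authentication with certificates is the better choice. On the ISDN side it is CHAP in both directions that authenticates the call; where the carrier delivers the calling number, `isdn caller` on the BRI interfaces can additionally screen on it.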
  4. Guest

    Here we go again for the network diagram because
    Google News wasn't able to deal with the ASCII spaces...

    ....
    Here is a network diagram of the setup:

                            +----------+
                            |FTP client|
                            +-----+----+
                                  | Intranet
                            ------+-------
                                  |
                              +---+----+
                              |firewall|
                              +---+----+          HEADQUARTER ZONE
                                  |
                      -------+----+----------+--
                             |               |
                        +----+----+     +----+-----+
                        |cisco-vpn|     |cisco-isdn|
                        +----+----+     +----+-----+
                              \              /
      - - - - - - - - - - - - -\- - - - - - /- - - - - - - - - - -
                                \          /
                   IPSEC-Tunnel  \        /  ISDN-link
                   over           \      /   2 x 64 kbps
                   Internet        \    /
                                    \  /          CLIENT ZONE
                                     \/
                        +----++---+       +---++----+
                        |cisco-836|  ...  |cisco-836|
                        | client1 |  ...  | client3 |
                        +----+----+       +----+----+
                             |                 |
      net:10.10.10.0/24      |                 |      net:10.10.30.0/24
                      ----+--+-------     ---+--+-------
                          |                  |
                    +-----+------+     +-----+------+
                    | FTP-Server |     | FTP-Server |
                    | of client1 |     | of client2 |
                    | 10.10.10.1 |     | 10.10.30.1 |
                    +------------+     +------------+

    ....
     
    , Jan 10, 2005
    #4