[nsp] OSPF over GRE + IPSec - ISDN backup with Cisco dialer watch
Hudson Delbert J Contr 61 CS/SCBN
Delbert.Hudson at LOSANGELES.AF.MIL
Wed Jan 7 09:48:39 EST 2004
i used to work for an isp that used isdn as a dial backup
methodology. good idea as regards marketing, horrible to keep sync'd
from an opr standpoint. dbu and isdn are subject to a myriad of timers.
these timers are a bit too courteous to each other. if you mix a true
flap, it really confuses dbu. imho, redundancy overcomes fail-over as
a design feature.
~v/r
Del Hudson
61CS/SCBN - LAAFB NCC
Network Architecture & Engineering Group
delbert.hudson at losangeles.af.mil
-----Original Message-----
From: BERKANE Mourad [mailto:mourad.berkane.prestataire at sfrcegetelsi.fr]
Sent: Wednesday, January 07, 2004 5:00 AM
To: cisco-nsp at puck.nether.net
Subject: [nsp] OSPF over GRE + IPSec - ISDN backup with Cisco dialer watch
OK.
Has anybody already tried using OSPF over GRE + IPsec over the public Internet with
Cisco dialer watch between a central VPN router and remote VPN routers?
The idea is to use the BRI interface (only) when a remote OSPF route disappears
(Cisco dialer watch) from the central router's routing table. This could be a
way to deduce a transit problem between the central and remote routers over
the Internet.
It should work, but I have not tried it yet; any success story is welcome.
-----Original Message-----
From: Mati Gil [mailto:mgil at servicom2000.com]
Date: Wednesday, January 7, 2004 09:16
To: BERKANE Mourad
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] Cisco VPN 3000 - basics questions
Hello Mourad,
I don't know any way to check tunnel status to force open a backup
interface. Our backup interfaces only come up when primary interface is down
but we cannot force it if there is a problem in transit over the Internet.
Regards,
Mati
-----Original Message-----
From: BERKANE Mourad [mailto:mourad.berkane.prestataire at sfrcegetelsi.fr]
Sent: Monday, January 05, 2004 11:15
To: 'Mati Gil'
CC: cisco-nsp at puck.nether.net
Subject: RE: [nsp] Cisco VPN 3000 - basics questions
Hi Mati,
Many Thanks!
I have another quiz about VPN Concentrator.
Is there any VPN Concentrator in the market allowing the activation of an
ISDN backup tunnel IPSec in case of failure of main IPSec tunnel over Public
Internet as shown in following diagram:
Router______Main IPSec tunnel over Public Internet________VPNConcentrator
|                                                          |
|--------------Backup IPSec over ISDN----------------------|
Something like Cisco backup interface is not enough; I need to check the
status of the main tunnel in order to activate the backup one over ISDN.
All the best for u in 2004 :-)
Regards,
Mourad
-----Original Message-----
From: Mati Gil [mailto:mgil at servicom2000.com]
Date: Wednesday, December 31, 2003 12:58
To: BERKANE Mourad; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Cisco VPN 3000 - basics questions
Mourad,
To set up filters:
1. Create an IP In Rule:
   Direction: Inbound
   Protocol: Any (if all IP)
   Source address: IP network or network list with SA of traffic coming in
   Destination address: IP network or network list with DA of traffic coming in
2. Create an IP Out Rule:
   Direction: Outbound
   Protocol: Any (if all IP)
   Source address: IP network or network list with SA of traffic going out
   Destination address: IP network or network list with DA of traffic going out
3. Create a Filter:
   Default action: drop
4. Assign rules to the filter:
   Add the In and Out rules you've just created
5. Apply the filter wherever you want (L2L, remote access group,
   interface,...)
To use Certificates:
VPN3000 is not a Certificate Authority so it does not issue certificates.
You'll need a CA anyway. But you can manually install certificates on
VPN3000.
Look at
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946f1.shtml
for VPN3000
and at
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009468a.shtml
for VPN Client.
I hope it helps,
Mati
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On behalf of BERKANE Mourad
Sent: Wednesday, December 31, 2003 11:38
To: 'cisco-nsp at puck.nether.net'
Subject: [nsp] Cisco VPN 3000 - basics questions
Importance: High
I have 2 basic questions about Cisco VPN 3000 Series Concentrator.
Reading the user guide chapter about Policy Management/Traffic
Management/Filters, I see we could apply registered rules
(HTTPS,IKE,HTTPS,GRE,L2TP,OSPF ... in/out) but it seems not to allow manual
filters as we could set up with ACLs.
I want to apply IP src/dest filters. How do I configure them, if possible?
Another question: can the Cisco VPN 3000 be an IKE certificate server if I
don't want to use an external one for certificate IKE parameters?
Thanks!
Mourad
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/