Solved

Cisco site-site VPN over Adsl with ISDN backup - Object tracking problem

Posted on 2006-11-03
Last Modified: 2008-02-01
Hi all,

I have been trying to get an ISDN circuit to dial up and connect 2x 1841 Cisco routers together if the primary ADSL interface fails. (I'm pulling my hair out and almost out of time in implementing this, so there's lots of points up for grabs if anyone can help me.)


Background:
Main site: 192.168.1.x
Remote Site: 192.168.2.x
VPN to each end over ADSL appears to work fine, no reported issues (not sure it's 100% correct, but it works).

Due to an issue with the DSL connection at the remote site, it has been
decided to introduce an ISDN circuit at each end, so if the dsl fails, then
the sites can connect via ISDN.

ISDN calls must be made from the MAIN site to the remote site.

After asking on this group the other day, it was suggested that the
backup-interface doesn't work that well, and some sort of route object
tracking was needed to perform the function correctly.

This is what I have tried to do; however, it's not working. I'm sure it's only an access list that is stopping the ISDN dialling up, but I'm not seeing my mistake at the moment! Can you?

------------------------------------------------------------------------------------------------------

Configuration from Main site (any boring stuff edited out)
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
ip sla monitor 1
 type echo protocol ipIcmpEcho (ADSL outside interface at remote site)
ip sla monitor schedule 1 life forever start-time now
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-30453xxxxxx
!
!
crypto pki certificate chain TP-self-signed-30453xxxxxx
!
username admin privilege 15 secret
username backup password 7
!
!
track 123 rtr 1 reachability
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  xxxxxxxx address (ADSL outside interface at remote site)
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer (ADSL outside interface at remote site)
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.242 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0/1/0
 no ip address
 encapsulation ppp
 dialer pool-member 2
 isdn switch-type basic-net3
 isdn point-to-point-setup
 ppp authentication chap
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname name@isp.com
 ppp chap password 7
 crypto map SDM_CMAP_1
!
interface Dialer2
 ip address 172.16.200.2 255.255.255.0
 encapsulation ppp
 dialer pool 2
 dialer idle-timeout 180
 dialer string (remote site number)
 dialer-group 2
 ppp chap hostname backup
 ppp chap password 7 (same as password defined above)
!
ip local policy route-map MY_Backup_Policy
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Dialer2 100
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any host (remote site) echo
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map MY_Backup_Policy permit 10
 match ip address 105
 set interface Null0
 set ip next-hop (outside interface of this router when connected to adsl)
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

------------------------------------------------------------------------------------------------------

Remote site (remember this just needs to answer the ISDN calls from the main site)

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-214962xxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-214962xxxx
 revocation-check none
 rsakeypair TP-self-signed-214962xxxx
!
!
crypto pki certificate chain TP-self-signed-214962xxxx
 certificate self-signed 01
!
username admin privilege 15 xxxxxxxxxxxx
username backup password 7 xxxxxxxxxx
!

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxx address (main site outside interface)
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer (main site outside interface)
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0/1/0
 no ip address
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname name@isp.com
 ppp chap password 7
 crypto map SDM_CMAP_1
!
interface Dialer2
 ip address 172.16.200.2 255.255.255.0
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp chap hostname backup
 ppp chap password 7 (same as password defined above)
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer2 100
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

------------------------------------------------------------------------------------------------------





To show that tracking is working correctly on the MAIN unit, you can see the following:

#sho track
Track 123
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:00:26
  Latest operation return code: OK
  Latest RTT (millisecs) 52
  Tracked by:
    STATIC-IP-ROUTING 0

#sho ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/32 is subnetted, 1 subnets
C       (outside interface of this router) is directly connected, Dialer0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.200.0 is directly connected, Dialer2
     195.166.128.0/32 is subnetted, 1 subnets   <-ISP kit
C       195.166.128.123 is directly connected, Dialer0  <-ISP kit
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer0

#show ip route track-table
 ip route 0.0.0.0 0.0.0.0 Dialer0 track 123 state is [up]

------------------------------------------------------------------------------------------------------

Congratulations if you have got this far; thanks for taking the time to read, and a triple thanks if you are able to point out the errors in my ways.


Thanks!
Question by:tamlync

Expert Comment

by:lrmoore
ID: 17869271
>isdn switch-type basic-net3
Are you sure you have the correct switch type?
Can you post result of "show isdn status"

Even if your DSL line goes down, and your router dials the other end, the other end won't change its route because its DSL line is still up...

Try using a dynamic routing protocol. Add this:
MAIN:
router eigrp 1000
 network 172.16.0.0
 no auto-summary

REMOTE:
router eigrp 1000
 network 172.16.0.0
 no auto-summary

You also have the same IP address on the dialer2 interface at remote as you do at MAIN
interface Dialer2
 ip address 172.16.200.2 255.255.255.0  <== same IP on both?





Author Comment

by:tamlync
ID: 17870400
>Are you sure you have the correct switch type?
>Can you post result of "show isdn status"
Yes, I'm in the UK :)
#sho isdn status
Global ISDN Switchtype = basic-net3
ISDN BRI0/1/0 interface
        dsl 2, interface ISDN Switchtype = basic-net3
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 116, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
        CCB:callid=8007, sapi=0, ces=1, B-chan=1, calltype=DATA, hdlctype=HDLC-TRUNK
    Active dsl 2 CCBs = 1
    The Free Channel Mask:  0x80000002
    Total Allocated ISDN CCBs = 1
#

>Try using a dynamic routing protocol. Add this
Added that; now the ISDN dials up constantly, and as soon as it drops it re-dials.
However, don't you mean " network 172.16.200.0 "?
(Strangely, the router cannot ping either of the 172.16.200.x addresses, either remote or itself.)

>You also have the same IP address on the dialer2 interface at remote as you do at MAIN
>interface Dialer2
Yes, I spotted that myself just after I posted (sorry). Main is now .1 and remote is .2.


So, in summary, the ISDN does now indeed dial up and connect (although constantly rather than when the reachability of the remote network goes down).

Still, I don't believe the solution as a whole works as it should, as there appears to be no communication over the ISDN once it is dialled up.

Thank you very very much for your answer so far.



Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17870510
OK, that's progress.
So, how about we deny EIGRP from triggering the dialer:

access-list 102 deny eigrp any any
access-list 102 permit ip any any
dialer-list 2 protocol ip list 102  <== I'm only going off memory for this one..


Expert Comment

by:lrmoore
ID: 17870532

Author Comment

by:tamlync
ID: 17870721
>OK, that's progress.
Indeed it is, thank you.

> So, how about we deny EIGRP from triggering the dialer:
Your commands worked great: the ISDN did not dial, I dropped the ATM interface and it then dialled up.

Problems encountered now though :(
The ATM interface comes back up, yet routing through it is impossible: the 0.0.0.0 route stays with the dialer2 (ISDN dialer) and does not move back to the dialer1 (ATM interface).
Still unable to route (see routing tables below when the ATM interface is down at the main site and the ISDN has dialled up).
MAIN: (appears correct to me)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.200.0 is directly connected, Dialer2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer2
#

REMOTE: (appears incorrect - still a dialer1 shown as default)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/32 is subnetted, 1 subnets
C       (outside interface of this router) is directly connected, Dialer0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.200.0 is directly connected, Dialer2
     195.166.128.0/32 is subnetted, 1 subnets
C       195.166.128.53 is directly connected, Dialer0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer0
#


>You might also combine that with the backup interface command
Indeed this is where I started; however, if the ATM interface stays up yet the ISP has routing issues, the backup wouldn't kick in, meaning the communication between the sites would be down until someone physically removed the DSL interface from one of the routers. At least with reachability, anywhere on the link can fail and the ISDN can kick in and work in its place. (That's my opinion, but I'm willing to learn a different way if necessary.)


Thanks
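A small Python audit, added here as an example and not code from either poster, that reads excerpts of the two configurations above and flags the three problems raised in this thread: the same Dialer2 address at both ends, a dialer-list that treats EIGRP hellos as interesting traffic (the accepted fix's ACL 102), and an untracked primary default route that a floating static can never displace on a path failure. The excerpts are constructed from the thread's own values, and the IOS parsing is a simplification I assume here.

```python
import re

# Constructed excerpts of the configs posted above (thread values): MAIN has the
# accepted fix applied, REMOTE is as originally posted, incl. the duplicate Dialer2 IP.
MAIN_CFG = """\
interface Dialer2
 ip address 172.16.200.2 255.255.255.0
router eigrp 1000
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Dialer2 100
access-list 102 deny   eigrp any any
access-list 102 permit ip any any
dialer-list 2 protocol ip list 102
"""
REMOTE_CFG = """\
interface Dialer2
 ip address 172.16.200.2 255.255.255.0
router eigrp 1000
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer2 100
dialer-list 2 protocol ip permit
"""

def interface_ips(cfg):
    """Map interface name -> static IPv4 address under it ('negotiated' is skipped)."""
    return dict(re.findall(r"^interface (\S+)\n(?: .*\n)*? ip address (\d+(?:\.\d+){3}) ", cfg, re.M))

def audit_site(cfg):
    """Backup-design problems visible in a single router's config."""
    findings = []
    # EIGRP hellos count as interesting traffic unless the dialer-list points at an
    # ACL that denies eigrp, so the ISDN call is placed and held up permanently.
    if "router eigrp" in cfg:
        for num, acl in re.findall(r"^dialer-list (\d+) protocol ip (?:permit|list (\d+))$", cfg, re.M):
            if not acl or not re.search(rf"^access-list {acl} deny +eigrp", cfg, re.M):
                findings.append(f"dialer-list {num} lets EIGRP keep the backup link up")
    # A floating static installs only once the primary default leaves the RIB; without
    # 'track' that happens only when the primary interface itself goes down.
    routes = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)( \d+)?( track \d+)?$", cfg, re.M)
    for iface, dist, track in routes:
        if len(routes) > 1 and not dist and not track:
            findings.append(f"untracked primary default via {iface}; the floating route cannot take over")
    return findings

def audit(main_cfg, remote_cfg):
    """Cross-site check (same address at both ends) plus both per-site audits."""
    remote_ips = interface_ips(remote_cfg)
    findings = [f"{i}: same address {ip} at both ends"
                for i, ip in interface_ips(main_cfg).items() if remote_ips.get(i) == ip]
    return findings + audit_site(main_cfg) + audit_site(remote_cfg)
```

Running `audit(MAIN_CFG, REMOTE_CFG)` reports the duplicate address, the remote dialer-list that still lets EIGRP dial, and the remote's untracked default via Dialer0 (why its routing table above never moved to Dialer2).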

Author Comment

by:tamlync
ID: 17874001
Hrrm.

As a thought, my original question was for getting the ISDN to dial-up, this has now been solved.

Therefore, should I award points to the poster who answered and got the ISDN working, and then start a fresh topic for the new issue that I have?



Expert Comment

by:lrmoore
ID: 17874050
That would be the best option...
I'll help as much as I can, I just had to catch a flight yesterday and spent most of the afternoon/evening waiting on a late flight.

Author Comment

by:tamlync
ID: 17933510
>That would be the best option...
That is what i shall do then, thank you very much for your help so far with this.

> I'll help as much as I can, I just had to catch a flight yesterday and spent most of the afternoon/evening waiting on a late flight.
No worries - as you can tell I haven't been around either, due to being dragged onto another project. I'm back again now and still wanting to resolve this, so look out for a new post shortly!
