I've set up Cisco IPsec56 between 4 routers. Below are some parameters of
the config:
.....snip.....
!
ip inspect name outbound udp
ip inspect name outbound http java-list 20
ip inspect name outbound ftp
ip inspect name inbound udp
ip inspect name inbound tftp
ip inspect name inbound ftp
ip inspect name inbound http java-list 20
!
crypto isakmp policy 25
 authentication pre-share
crypto isakmp key <key> address aaa.aaa.aaa.aaa
crypto isakmp key <key> address bbb.bbb.bbb.bbb
crypto isakmp key <key> address ccc.ccc.ccc.ccc
crypto isakmp key <key> address ddd.ddd.ddd.ddd
crypto ipsec transform-set our-vpn esp-des
!
crypto map mapname 25 ipsec-isakmp
 set peer aaa.aaa.aaa.aaa
 set transform-set our-vpn
 match address singapore-acl
----etc..
!
interface Tunnel0
 description Oslo to Singapore tunnel
 bandwidth 128
 ip address 10.0.2.1 255.255.255.252
 no ip directed-broadcast
 tunnel source eee.eee.eee.eee
 tunnel destination aaa.aaa.aaa.aaa
 crypto map mapname
------etc
!
!
interface FastEthernet0/1
 description Connected to Internet/VPN to remote sites
 bandwidth 2048
 ip address eee.eee.eee.eee 255.255.255.192
 no ip directed-broadcast
 speed 10
 no fair-queue
 no cdp enable
 crypto map mapname
!
ip forward-protocol turbo-flood
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 192.168.10.0 255.255.255.0 Tunnel0
no ip http server
!
ip access-list extended singapore-acl
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 abc.def.ghi.16 0.0.0.15
!
etc...
The access list permits GRE, AHP, ESP, UDP isakmp and UDP 1732 between the
peers.
Problem 1:
The router in Miami uses an ISDN dialup with a static IP address. When the
line goes down and comes back up, the routers lose sync, and the crypto SAs
must be cleared. Is there any way to avoid this?
Problem 2: Users in Tokyo (VPN tunnels to Oslo and Singapore) lose TCP
sessions 3-5 times per day between Tokyo and Singapore. This problem does not
occur between Oslo and Tokyo. Could this be related to faulty lines? I've
checked the interfaces (1 error) and the crypto ipsec SAs (7 errors).
All the routers are Cisco 26xx with IOS 12.0.7 IP/FW/IDS Plus IPSEC.
Thanks in advance
Jan Olav Skeie
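An added example, not part of the post above: a small Python audit script that parses an IOS config fragment shaped like the one posted and reports the things a reviewer would check first, namely that every crypto map peer has a matching pre-shared key, that the `match address` ACL exists, that the transform set provides integrity as well as confidentiality (the posted `esp-des` alone gives 56-bit DES with no authentication transform), and whether `crypto isakmp keepalive` is configured so a peer that drops and returns, as the ISDN site in Problem 1 does, is detected instead of leaving stale SAs to be cleared by hand. The sample config, addresses and ACL names are constructed placeholders; the parser only understands the statement types shown in the post; and whether the keepalive command is available on a given IOS release (the post runs 12.0.7) is an assumption to verify against that release's documentation.

```python
"""Audit an IOS IPsec/ISAKMP config fragment (added example, not the post's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of the posted config; addresses are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp policy 25
 authentication pre-share
crypto isakmp key secret1 address 192.0.2.10
crypto isakmp key secret2 address 192.0.2.20
crypto ipsec transform-set our-vpn esp-des
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map mapname 25 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set our-vpn
 match address singapore-acl
crypto map mapname 26 ipsec-isakmp
 set peer 192.0.2.30
 set transform-set strong
 match address miami-acl
!
ip access-list extended singapore-acl
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

# IOS transform names: ESP ciphers, and the ESP/AH transforms that give integrity.
ESP_CIPHERS = {"esp-null", "esp-des", "esp-3des", "esp-aes"}
INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
WEAK_CIPHERS = {"esp-null", "esp-des"}  # null cipher, or 56-bit DES


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: List[str] = field(default_factory=list)
    transform_sets: List[str] = field(default_factory=list)
    match_acl: Optional[str] = None


@dataclass
class IpsecConfig:
    psk_peers: Set[str] = field(default_factory=set)      # addresses with a pre-shared key
    transform_sets: Dict[str, List[str]] = field(default_factory=dict)
    maps: List[CryptoMapEntry] = field(default_factory=list)
    acls: Set[str] = field(default_factory=set)
    keepalive: bool = False                               # 'crypto isakmp keepalive' seen


def parse_config(text: str) -> IpsecConfig:
    """Pull crypto-related statements out of running-config text.

    IOS sub-commands are indented by one space; a non-indented line ends the
    current crypto map entry. Only the statement types in the post are handled.
    """
    cfg = IpsecConfig()
    current: Optional[CryptoMapEntry] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):
            current = None
            if words[:3] == ["crypto", "isakmp", "key"]:
                cfg.psk_peers.add(words[words.index("address") + 1])
            elif words[:3] == ["crypto", "isakmp", "keepalive"]:
                cfg.keepalive = True
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                # drop AES key-size numbers ("esp-aes 256") so only names remain
                cfg.transform_sets[words[3]] = [t for t in words[4:] if not t.isdigit()]
            elif words[:2] == ["crypto", "map"] and len(words) >= 5 and words[3].isdigit():
                current = CryptoMapEntry(words[2], int(words[3]))
                cfg.maps.append(current)
            elif words[:2] == ["ip", "access-list"]:
                cfg.acls.add(words[-1])
        elif current is not None:
            if words[:2] == ["set", "peer"]:
                current.peers.append(words[2])
            elif words[:2] == ["set", "transform-set"]:
                current.transform_sets.extend(words[2:])
            elif words[:2] == ["match", "address"]:
                current.match_acl = words[2]
    return cfg


def audit(cfg: IpsecConfig) -> List[str]:
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    if not cfg.keepalive:
        findings.append("no 'crypto isakmp keepalive': a peer that drops and returns "
                        "leaves stale SAs until they are cleared by hand")
    for name, transforms in cfg.transform_sets.items():
        for t in transforms:
            if t in WEAK_CIPHERS:
                findings.append(f"transform-set {name}: {t} is null or 56-bit DES")
        if not any(t in INTEGRITY for t in transforms):
            findings.append(f"transform-set {name}: no ESP/AH authentication transform, "
                            "packets carry no integrity protection")
    for m in cfg.maps:
        for p in m.peers:
            if p not in cfg.psk_peers:
                findings.append(f"crypto map {m.name} {m.seq}: peer {p} has no "
                                f"'crypto isakmp key ... address {p}'")
        for ts in m.transform_sets:
            if ts not in cfg.transform_sets:
                findings.append(f"crypto map {m.name} {m.seq}: transform-set {ts} is undefined")
        if m.match_acl is None:
            findings.append(f"crypto map {m.name} {m.seq}: no 'match address', nothing selects traffic")
        elif m.match_acl not in cfg.acls:
            findings.append(f"crypto map {m.name} {m.seq}: match address {m.match_acl} "
                            "refers to an ACL not in the config")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

On the constructed sample the script reports five findings: the missing keepalive, DES and the absent integrity transform in `our-vpn`, the peer in entry 26 with no pre-shared key, and the `miami-acl` reference with no matching access list. Feed it a `show running-config` capture instead of the sample to run the same checks on a real router.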