RE: [fw-wiz] LAN-LAN VPN using PIXes and a dialup connection

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 06/25/04

    To: "Stefan Pantke" <seaside.ki@mac.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 25 Jun 2004 08:48:37 -0400
    
    

    > -----Original Message-----
    > I have two LANs which are connected by an IPsec VPN tunnel
    > through 2 PIX 501 which connect to the internet by some
    > dialup line (ISDN).
    >
    > The tunnel itself performs well. Traffic passes correctly.
    >
    > The problem: Even if both LANs are switched off, the dialup
    > routers establish new connections. Since this is traffic on
    > IP protocol 50, it should be related to the IPsec connection.
    >
    > The questions:
    >
    > - Why do the PIXes establish VPN connections, even if no LAN
    > traffic has to be routed through the VPN to the other LAN?
    >
    > - How to configure the PIXes for a VPN tunnel using a leased line -
    > and not to connect each minute again...

    Why are you so sure that there's no LAN traffic reaching the PIX that
    would trigger the VPN tunnel to come up? It's going to depend on your
    crypto map match access-list, but dumb things like NetBIOS broadcasts,
    routing protocols, routing errors, etc. cause a tunnel to come up and/or
    stay up. If you run 'show crypto ipsec sa' on the PIX after the tunnel
    comes up and you don't think it should've, what SAs are you seeing?
    That ought to help you find the culprit.

    PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
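The point Paul makes about the crypto map match list deciding what brings the tunnel up, as an added illustration (Python; not from this thread and not Cisco code): a first-match walk over a constructed access list, showing how an over-broad list lets a NetBIOS broadcast or a RIP announcement trigger SA negotiation while a narrowed list only does so for real LAN-to-LAN traffic. The subnets, the sample packets and both access lists are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                     # "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # CIDR; "0.0.0.0/0" plays the role of "any"
    dst: str
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range

def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst):
        return False
    if e.dports is not None:
        return p.dport is not None and e.dports[0] <= p.dport <= e.dports[1]
    return True

def is_interesting(acl, p: Packet) -> bool:
    """First matching entry wins, as with a crypto map 'match address' list:
    a permit makes the packet 'interesting' and starts SA negotiation."""
    for e in acl:
        if entry_matches(e, p):
            return e.action == "permit"
    return False

# Constructed example: LAN A 192.168.1.0/24 behind one PIX, LAN B 192.168.2.0/24 behind the other.
ANY = "0.0.0.0/0"
BROAD_ACL = [AclEntry("permit", "ip", "192.168.1.0/24", ANY)]            # too broad
NARROW_ACL = [
    AclEntry("deny", "udp", "192.168.1.0/24", ANY, (137, 139)),            # NetBIOS noise
    AclEntry("permit", "ip", "192.168.1.0/24", "192.168.2.0/24"),          # real LAN-to-LAN traffic
]
SAMPLE = {                                                                 # constructed packets
    "netbios_bcast": Packet("udp", "192.168.1.10", "192.168.1.255", 137),
    "rip_v2":        Packet("udp", "192.168.1.1", "224.0.0.9", 520),
    "smb_to_lan_b":  Packet("tcp", "192.168.1.10", "192.168.2.20", 445),
}

def tunnel_triggers(acl) -> dict:
    """Which sample packets would bring the tunnel up under a given match list."""
    return {name: is_interesting(acl, p) for name, p in SAMPLE.items()}
```

Comparing `tunnel_triggers(BROAD_ACL)` with `tunnel_triggers(NARROW_ACL)` is the same question `show crypto ipsec sa` answers on the box: which selector actually caused the SA.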