RE: [fw-wiz] LAN-LAN VPN using PIXes and a dialup connection

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 06/25/04

  • Next message: Irwin Lazar: "RE: [fw-wiz] VLAN Security" 
    To: "Stefan Pantke" <seaside.ki@mac.com>, <firewall-wizards@honor.icsalabs.com>
Date: Fri, 25 Jun 2004 08:48:37 -0400

    > -----Original Message-----
    > I have two LANs which are connected by a IPsec VPN tunnel
    > through 2 PIX 501 which connect to the internet by some
    > dialup line (ISDN).
    >
    > The tunnel itself performs well. Traffic passes correctly.
    >
    > The problem: Even if both LANs are switched off, the dialup
    > routers establish new connections. Since this is traffic on
    > IP protocol 50, it should be related to the IPsec connection.
    >
    > The questions:
    >
    > - Why do the PIXes establish VPN connections, even if no LAN
    > traffic has to be router through the VPN to the ohter LAN?
    >
    > - How to configure the PIXes for a VPN tunnel using a leased line -
    > and not to connect each minute again...

    Why are you so sure that there's no LAN traffic reaching the PIX that
    would trigger the VPN tunnel to come up? It's going to depend on your
    crypto map match access-list, but dumb things like NetBIOS broadcasts,
    routing protocols, routing errors, etc. cause a tunnel to come up and/or
    stay up. If you run 'show crypto ipsec sa' on the PIX after the tunnel
    comes up and you don't think it should've, what SAs are you seeing?
    That ought to help you find the culprit.

    PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Irwin Lazar: "RE: [fw-wiz] VLAN Security"

    Relevant Pages

    • Fwd: [fw-wiz] LAN-LAN VPN using PIXes and a dialup connection
      ... >> The tunnel itself performs well. ... >> routers establish new connections. ... >> traffic has to be router through the VPN to the ohter LAN? ... > would trigger the VPN tunnel to come up? ...
      (Firewall-Wizards)
    • Re: can internet gateway be on opposite side of a tunnel?
      ... >> Can a machine use a host on the opposite side of an ipip tunnel as its ... >> I have 2 LANs, a gateway in each, and an ipip tunnel between the ... A host in either LAN designates its local tunnel endpoint as ...
      (comp.os.linux.networking)
    • Re: how do I contact a pc behind a router
      ... my home LAN... ... I also use a non-default port for SSH connections into my ... > One way is you can open multiple ports on the router, ie. one to each PC, ... > through the tunnel. ...
      (microsoft.public.windowsxp.work_remotely)
    • Re: WRT54GS problem
      ... PC1 - local lan ... Wireless direct to BEFW11S4 ... OK, other than the lack of detail, I now understand your setup. ... It's not unusual for one of these connections ...
      (alt.internet.wireless)
    • Re: how to convigure LAN
      ... And how to to disable file/print sharing for connections coming into our ... LAN(outside connections), ... and switch connected to router. ... Lan must be fully inaccessible to them and for others WAN. ...
      (microsoft.public.windowsxp.general)