IPsec and ISDN backup

From: Brian T. Albert (brian.albert@worldnet.att.net)
Date: Mon Nov 25 2002 - 15:41:21 GMT-3


Group,

I have set up a lab scenario where I am backing up a frame-relay connection
with an ISDN connection and have IPSec set up on both links.

First I ping from 12.144.11.129 to 12.144.107.2 with the frame up and issue
the command:

newyork#sh cry eng conn ac

  ID Interface  IP-Address    State  Algorithm           Encrypt  Decrypt
   1 <none>     <none>        set    HMAC_SHA+DES_56_CB        0        0
2000 Serial0    12.144.100.3  set    DES_56_CBC                0        6
2001 Serial0    12.144.100.3  set    DES_56_CBC                6        0

I see that 6 packets got encrypted and decrypted when traversing the
frame-relay. Now I shut down S0 and the ISDN comes up. Here is the routing
table:

newyork#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 12.144.200.5 to network 0.0.0.0

     220.220.220.0/32 is subnetted, 4 subnets
O 220.220.220.5 [110/10000] via 12.144.200.5, 00:00:09, BRI0
O 220.220.220.2 [110/10064] via 12.144.200.5, 00:00:09, BRI0
C 220.220.220.3 is directly connected, Loopback0
O IA 220.220.220.35 [110/10010] via 12.144.200.5, 00:00:09, BRI0
     12.0.0.0/8 is variably subnetted, 9 subnets, 5 masks
O IA 12.146.79.192/27 [110/10073] via 12.144.200.5, 00:00:09, BRI0
C 12.144.11.128/26 is directly connected, Ethernet0
C 12.144.200.4/30 is directly connected, BRI0
O IA 12.144.104.0/24 [110/10010] via 12.144.200.5, 00:00:10, BRI0
O IA 12.144.105.0/24 [110/10010] via 12.144.200.5, 00:00:10, BRI0
O IA 12.144.106.0/24 [110/10010] via 12.144.200.5, 00:00:10, BRI0
O IA 12.144.107.0/26 [110/10009] via 12.144.200.5, 00:00:10, BRI0
O 12.144.100.2/32 [110/10063] via 12.144.200.5, 00:00:12, BRI0
O 12.144.100.5/32 [110/9999] via 12.144.200.5, 00:00:12, BRI0
O IA 192.168.1.0/24 [110/10010] via 12.144.200.5, 00:00:12, BRI0
O*E2 0.0.0.0/0 [110/1] via 12.144.200.5, 00:00:12, BRI0

Again I ping from 12.144.11.129 to 12.144.107.2, this time it goes via ISDN.
I issue the command:

newyork#sh cry eng conn ac

  ID Interface  IP-Address    State  Algorithm           Encrypt  Decrypt
   1 <none>     <none>        set    HMAC_SHA+DES_56_CB        0        0
2000 Serial0    12.144.100.3  set    DES_56_CBC                0       26
2001 Serial0    12.144.100.3  set    DES_56_CBC               26        0

I see another 20 packets enc/decr. But why over the same ID, Interface, and
IP address? Why doesn't the show command reflect the new path the IPSec
tunnel is taking? Let me know if you need to see configs.

TIA

Brian T. Albert
brian.albert@worldnet.att.net


