Hi guys!
Hope there is someone who could shed some light on this problem, which someone must have experienced before me. The problem is that the IPsec tunnel is sending some sync info every 14th second and keeps the line up regardless of whether there is any traffic going over the dialer or not. I have to specify the IPsec as interesting traffic in ACL 120, because the MS TS traffic (3389) is encrypted before it is sent out on the BRI; otherwise the line never goes up when a terminal server session is initiated. Besides this problem everything is fine.
I've tried to change the software on both routers, the caller and the called.
Any suggestions greatly appreciated.
Here is the config from the caller router:
Current configuration : 2895 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log uptime
service password-encryption
!
hostname xxx
!
aaa new-model
enable secret xxx
enable password xxx
!
username xxx password xxx
username xxx password xxx
ip subnet-zero
ip dhcp excluded-address 192.168.x.xx 192.168.x.xx
!
ip dhcp pool IP-Pool
network 192.168.x.xx 255.255.255.240
domain-name xxx
dns-server 192.168.x.xx
default-router 192.168.x.xx
netbios-name-server 192.168.x.xx
lease 2
!
ip domain-name xxx
ip ssh time-out 120
ip ssh authentication-retries 3
isdn switch-type basic-net3
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key xxx address 172.28.x.xx
! periodic ISAKMP keepalive: one probe every 15 s, peer declared dead after 3 misses
crypto isakmp keepalive 15 3
!
!
crypto ipsec transform-set xxx esp-des esp-md5-hmac
!
crypto map xxx local-address dialer1
crypto map xxx 21 ipsec-isakmp
set peer 172.28.x.xx
set transform-set xxx
match address 120
!
!
!
!
interface Ethernet0
ip address 192.168.x.xx 255.255.255.240
!
interface BRI0
no ip address
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap
!
interface Dialer1
ip address 172.28.x.xx 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name xxx
dialer idle-timeout 300
dialer string xxx
dialer-group 1
fair-queue
ppp authentication chap
crypto map xxx
!
no ip http server
ip classless
ip route 192.168.x.x 255.255.255.0 Dialer1
ip route 192.168.x.x 255.255.255.0 Dialer1
ip route 192.168.x.x 255.255.255.0 Dialer1
ip pim bidir-enable
!
! ACL 101 is the interesting-traffic list for dialer-list 1: a match brings the BRI up and resets the idle timer
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 1494
access-list 101 permit tcp any any eq 3389
access-list 101 deny ip any any
access-list 120 remark *** crypto ***
access-list 120 permit tcp any eq telnet host 172.28.x.x
access-list 120 permit tcp any eq telnet 192.168.x.0 0.0.0.255
access-list 120 permit tcp any 192.168.x.0 0.0.0.255 eq 3389
! dialer-group 1 on Dialer1 uses this list, i.e. ACL 101, not the crypto ACL 120
dialer-list 1 protocol ip list 101
!
line con 0
exec-timeout 5 0
stopbits 1
line vty 0 4
exec-timeout 5 0
password xxx
!
no rcapi server
!
!
end
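An added example, not part of the original post or of any reply in this thread: the relevant blocks of the caller config with the periodic ISAKMP keepalive removed, so that only real traffic keeps the BRI up. It assumes that the probe sent every 15 s by `crypto isakmp keepalive 15 3` is the "sync info" seen about every 14 s, and that those UDP/500 packets reset `dialer idle-timeout` because `access-list 101` (the list referenced by `dialer-list 1`) permits ISAKMP. Addresses, names and keys are the same `xxx` placeholders as in the post; the `on-demand` keepalive option mentioned in the comments is an assumption about later IOS releases and is not claimed for the 12.2 image shown.

```cisco
! Added example (not from the original post): caller-side fragment entered in
! configuration mode. Only the keepalive line changes; everything else is the
! posted config, kept so the fragment reads as one unit.
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address 172.28.x.xx
!
! Remove the 15 s keepalive. Assumption: this is the packet that matches
! "permit udp any eq isakmp any eq isakmp" in ACL 101 and keeps the line up.
! Without it a dead peer is only noticed when the SA lifetime expires; on IOS
! releases that support it (assumed, not verified on 12.2), an on-demand DPD
! such as "crypto isakmp keepalive 15 3 on-demand" only probes when traffic is
! waiting for the tunnel, so the idle BRI is left alone.
no crypto isakmp keepalive
!
crypto ipsec transform-set xxx esp-des esp-md5-hmac
!
crypto map xxx local-address dialer1
crypto map xxx 21 ipsec-isakmp
 set peer 172.28.x.xx
 set transform-set xxx
 match address 120
!
interface Dialer1
 ip address 172.28.x.xx 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer remote-name xxx
 ! with no keepalives, the call clears 300 s after the last interesting packet
 dialer idle-timeout 300
 dialer string xxx
 dialer-group 1
 fair-queue
 ppp authentication chap
 crypto map xxx
!
! Interesting traffic, unchanged. ESP/AH/ISAKMP stay here because, as the post
! says, the crypto map encrypts the 3389 traffic before the dialer sees it, so
! the ciphertext is what has to trigger the call. Only the keepalive, which
! matched the same ISAKMP line, is gone.
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 1494
access-list 101 permit tcp any any eq 3389
access-list 101 deny ip any any
dialer-list 1 protocol ip list 101
```

To confirm which packet is resetting the timer before and after the change, `show dialer` reports the dial reason and the time until disconnect, and `debug dialer packets` shows each packet the dialer classifies as interesting. Unrelated to the dial-up problem but worth noting on a page like this: `esp-des` with `hash md5` is 56-bit DES and MD5, both weak by today's standards, and should be replaced where the peer supports stronger transforms.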