Firewall Wizards mailing list archives

Fwd: LAN-LAN VPN using PIXes and a dialup connection


From: Stefan Pantke <seaside.ki () mac com>
Date: Sat, 26 Jun 2004 12:42:20 +0200

On 25.06.2004 at 14:48, Melson, Paul wrote:

-----Original Message-----
I have two LANs which are connected by an IPsec VPN tunnel
through 2 PIX 501 which connect to the internet by some
dialup line (ISDN).

The tunnel itself performs well. Traffic passes correctly.

The problem: Even if both LANs are switched off, the dialup
routers establish new connections. Since this is traffic on
IP protocol 50, it should be related to the IPsec connection.

The questions:

- Why do the PIXes establish VPN connections, even if no LAN
traffic has to be routed through the VPN to the other LAN?

- How to configure the PIXes for a VPN tunnel using a leased line -
   and not to connect each minute again...

Why are you so sure that there's no LAN traffic reaching the PIX that
would trigger the VPN tunnel to come up?

Because I use the nets 192.168.1.0/24 and 192.168.0.0/24 on
both connected LANs.

Thus, I supposed, NetBIOS broadcasts will not be propagated to
the remote LAN.

Traffic appears as well during nights, when only one Linux Server
is running in each LAN.

On this server, SAMBA, Lotus Notes and BIND.8 are executed:

- the SAMBA servers are not connected to each other
- Lotus Notes does its replication every 4 hours
- BIND is authoritative for 2 local zones and does not
  answer requests from the internet.

It's going to depend on your
crypto map match access-list, but dumb things like NetBIOS broadcasts,
routing protocols, routing errors, etc. cause a tunnel to come up and/or
stay up.  If you run 'show crypto ipsec sa' on the PIX after the tunnel
comes up and you don't think it should've, what SAs are you seeing?
That ought to help you find the culprit.

Will be done this weekend and then posted...

Stefan
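Paul's suggestion to look at which SAs exist can be made systematic. The script below is an added example, not from the list post or from Cisco: it parses text in the style of PIX 6.x 'show crypto ipsec sa' output (the sample is constructed, with documentation addresses) and reports, per SA, the proxy identities, which side fed packets into it (encaps = local LAN, decaps = remote side), and whether the identities match the expected 192.168.0.0/24 <-> 192.168.1.0/24 pair. The field names are assumed to appear as shown; other software versions may print them differently.

```python
import re
# Constructed sample in the style of PIX 6.x 'show crypto ipsec sa' (documentation addresses).
SAMPLE = """\
interface: outside
    Crypto map tag: mymap, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 198.51.100.20:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
"""

FIELDS = {  # field names as printed by the PIX; each pattern captures one value
    "local": r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)",
    "remote": r"remote ident \(addr/mask/prot/port\): \((\S+)\)",
    "peer": r"current_peer: (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
}

def parse_sas(text):
    """Return one dict per SA block: proxy identities, peer and packet counters."""
    sas = []
    for block in re.split(r"(?=\n\s*local\s+ident)", text):
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        if not (found["local"] and found["remote"]):
            continue  # interface/crypto-map header, not an SA block
        sa = {k: m.group(1) for k, m in found.items() if m}
        for k in ("encaps", "decaps"):
            sa[k] = int(sa.get(k, 0))
        sas.append(sa)
    return sas

def direction(sa):
    """encaps > 0: the local LAN pushed packets in; decaps > 0: the remote side did."""
    key = (sa["encaps"] > 0, sa["decaps"] > 0)
    return {(True, True): "both", (True, False): "local", (False, True): "remote"}.get(key, "idle")

EXPECTED = ("192.168.0.0/255.255.255.0/0/0", "192.168.1.0/255.255.255.0/0/0")

def report(text, expected=EXPECTED):
    """One summary line per SA; flags identities outside the expected LAN pair."""
    lines = []
    for sa in parse_sas(text):
        flag = "" if (sa["local"], sa["remote"]) == expected else " UNEXPECTED-IDENTITY"
        lines.append(f"{sa['local']} <-> {sa['remote']} via {sa.get('peer', '?')}: "
                     f"encaps={sa['encaps']} decaps={sa['decaps']} origin={direction(sa)}{flag}")
    return lines
```

An SA showing only decaps means the far PIX brought the tunnel up, so the sending host is on that side; an SA whose identities are narrower than the net pair points at the crypto ACL entry that matched.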

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
