Firewall Wizards mailing list archives
RE: LAN-LAN VPN using PIXes and a dialup connection
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 25 Jun 2004 08:48:37 -0400
-----Original Message-----

I have two LANs which are connected by an IPsec VPN tunnel through 2 PIX 501 which connect to the internet by some dialup line (ISDN).

The tunnel itself performs well. Traffic passes correctly.

The problem: Even if both LANs are switched off, the dialup routers establish new connections. Since this is traffic on IP protocol 50, it should be related to the IPsec connection.

The questions:

- Why do the PIXes establish VPN connections, even if no LAN traffic has to be routed through the VPN to the other LAN?
- How to configure the PIXes for a VPN tunnel using a leased line - and not to connect each minute again...
Why are you so sure that there's no LAN traffic reaching the PIX that would trigger the VPN tunnel to come up? It's going to depend on your crypto map match access-list, but dumb things like NetBIOS broadcasts, routing protocols, routing errors, etc. cause a tunnel to come up and/or stay up.

If you run 'show crypto ipsec sa' on the PIX after the tunnel comes up and you don't think it should've, what SAs are you seeing? That ought to help you find the culprit.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
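An added example, not part of the original posts: a Python sketch that reads saved 'show crypto ipsec sa' output and reports, per SA, which selector pair is carrying packets and from which side. The sample text is constructed and modeled on the PIX output layout; its addresses and the function names are assumptions.

```python
import re

# Constructed sample modeled on PIX 'show crypto ipsec sa' output.
# Addresses and the crypto map name are placeholders.
SAMPLE = """\
interface: outside
    Crypto map tag: vpnmap, local addr. 192.0.2.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per SA: selector pair plus encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m and m.group(1) == "local":      # a 'local ident' line starts a new SA
            cur = {"local": m.group(2), "remote": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif m and cur:
            cur["remote"] = m.group(2)
        elif cur:
            for name, value in COUNT.findall(line):
                cur[name] = int(value)
    return sas

def classify(sa):
    # encaps = packets this PIX encrypted for the peer (traffic from its own LAN);
    # decaps = packets it received from the peer and decrypted.
    if sa["encaps"] and not sa["decaps"]:
        return "local-side traffic only"
    if sa["decaps"] and not sa["encaps"]:
        return "remote-side traffic only"
    return "traffic in both directions" if sa["encaps"] else "idle"

def report(text):
    return [(sa["local"], sa["remote"], classify(sa)) for sa in parse_sas(text)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep="  ")
```

An SA with encaps but no decaps points at something behind this PIX matching the crypto access-list; the reverse points at the other site.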