Site-to-Site DSL VPN with ISDN Backup

Jun 17th, 2009

Hello everybody,

I'm a little bit stuck here so I hope someone can point me in the right direction.

We have 2 1841 routers with ISDN BRI interfaces.

One Router (master) has two Ethernet interfaces pointing to LAN and WAN. The WAN interface is a public static IP.

The router (slave) dials with a PPPoE client into DSL and builds up an IPsec tunnel with the (master) peer. Works well.

Now I've configured a tracking object on the slave (an IP address behind the IPsec tunnel) so when the tunnel fails the ISDN backup is triggered. This works as well.

I have a problem though: on the master I have only one static route WAN interface so the packets sent from the slave never come back because of the default route.

How can I manage to insert another static route, say dialer2 (ISDN), only when the tunnel isn't available?

Thank you...



syntaxmonster Wed, 06/17/2009 - 06:23

Hi, thank you for your reply. Does this mean I have to use OSPF as a routing protocol?

The IP address of the Dialer 1 (PPPoE interface) is negotiated and dynamic.

Paolo Bevilacqua Wed, 06/17/2009 - 06:25

Not necessarily, but in many cases routing makes things easier.

How you obtain the address also doesn't matter.

Note that this kind of configuration is better done by a professional; if you never did it before, it can take a lot of trial and error to get it 100% right.

syntaxmonster Wed, 06/17/2009 - 06:40

"Note that this kind of configuration is better done by a professional; if you never did it before, it can take a lot of trial and error to get it 100% right."

:) You're so right, now this is the 3rd day of trial and there were more errors :)

I cannot see any CLI commands any more :(

OK, I'll try to figure this out.

slmansfield Wed, 06/17/2009 - 09:44

CCO contains so much information on how to set up dial backup with floating statics and/or routing protocols, you might want to check out these examples instead of spending additional time with trial and error.

This example has a serial connection as the primary path, but it could as easily be a VPN tunnel.

Paolo Bevilacqua Wed, 06/17/2009 - 10:19

I'm glad that you recognize my point.

Unfortunately many people refuse to see the point of paying $200 to have it done professionally.

At least, that is what I would charge.

syntaxmonster Thu, 06/18/2009 - 00:10

I agree with you to pay professionals, but let's face the facts: people are spending a couple of hours to dig deep into the documentation to finally find out that the documentation isn't quite suitable for them (outdated, wrong requirements, etc).

Now there are two kinds of people: professionals and professionals. One professional is very good at doing WAN routers, the other only LAN switching etc.

We are 3 people here and have to run a network (LAN/WAN/VPN/Firewall/ etc) with over 1300 employees and 1500 customers.

So you see it's not the point of paying 200$ or 2000$ for a professional, this is given.

It's the point of having a very easy/basic setup (Site-to-Site VPN with ISDN Backup) and you need a little hint how to do it.

To cut a long story short: I've managed to fix it.

In the attachment are the configs of the two routers and a network plan of the setup.

