You can use IPSec backup with PIXen so long as you get the routes for the peers okay via ISDN. The IPSec tunnels are reliant on the routes for your tunnel peers. So you can use whatever backup method you want (backup int/dialer watch/floating static/DC), and include those in your routing protocol like OSPF. Make sure you make the path through the ISDN less preferred if you are using OSPF demand circuit, in case your link comes back up. The link below demonstrates this:
You can dial backup an IPSec VPN defined by the PIXes, but you can't use the configuration referenced in the previous message. That requires the exchange of OSPF multicast hello packets across a common LAN link and does the IPSec encryption on the routers rather than in the PIXen.
Because the two routers are not adjacent, you need to either set up a GRE tunnel over the IPSec tunnel so you can run a normal routing protocol, or you can use BGP to detect when the link is down and floating static routes to redirect traffic to the ISDN link when needed. BGP does not require routing peers to be adjacent, so it has no trouble going through the VPN between the PIXen.
There are several examples of routing through GRE over a VPN on www.cisco.com, but I have yet to see a published config for the BGP approach, although I have implemented it for several of my clients. One of these years, I'll get ahead a bit and finish the white paper describing the technique so I can add it to my web site. In the meantime, it is a simplification of the BGP routing approach described in the "Redundant Routing through Firewalls" white paper which is available on my web site, so if you can work your way through that one and understand how it works, it will be easy for you to do arbitrary VPN topologies which don't require NAT.
> 1. For curiosity: The command "neighbor" can be used also in RIP and
> IGRP, as far as I know. Is BGP still the only routing protocol that works
> without adjacent routing peers?
RIP, IGRP, EIGRP and OSPF (you missed two) use the neighbors command to specify adjacent neighbor addresses when using non-broadcast multiple access physical networks. I have cheated with RIP, because it only checks that the neighbor is in the same major network, but that is cheating.
However, BGP is not your only choice. You should be able to use the antique EGP, but I would not recommend it.
> 2. Will this configuration do it, assuming the dialer profile and the tunnel
> are correctly defined?
Sorry, no! That is, unless you have configured the other end to set the next hop for 192.168.2.0/255 to be . By default it will be 10.10.10.2. And this assumes you are only using the VPN to reach 192.168.2.0/24. There may be more problems, but my time for providing "free" advice is limited so I stopped looking.
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisements do.
I have a question: I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, it works and everything is fine (the Internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.