Anybody ever wrap a VPN tunnel around an HWIC-3G-GSM module using ATT 3G cellular connectivity? I have decent speeds over their Laptop Connect (3G) service over a VPN client session, just curious how well these cards have worked out for others. Obviously this is a backup so my expectations aren't much.
A colleague of mine has been doing some testing (including a limited field deployment) of LAN to LAN VPN over a HWIC-3G. It has worked reasonable well for us.
I was researching for my company the possibility of using the HWIC-3G-GSM module with AT&T, as a replacement of ISDN for backing up a T1 for WAN connectivity. I've got the config for inernet connectivity using these cards and have it dialing whenever it see's interesting packets (IP); but was wondering if you had a config for the vpn part of it and how it reverts to the 3g link? I was thinking floating static routes??
I do not have the configs right now but probably can get to them when I get back to work. My memory is that the VPN configs were fairly straightforward:
- configure an ISAKMP policy.
- configure crypto keys for preshare key authentication.
- configure a transform set.
- configure a crypto map which specifies
' set the peer address
' set the transform set
' use an access list to specify traffic to be encrypted by IPSec.
As I remember our main challenge was getting the GSM interface working. As I remember part of the challenge was that everything that goes through the GSM interface must have that interface address as its source address. So you need to be sure that nothing leaks through that is not encrypted for VPN.
In our case it was not an issue of revert to GSM because we were using the GSM as the primary link. But I would think that floating statics would work ok to send traffic through the GSM when the T1 goes down and to withdraw that when the T1 returns to service.
I was researching for my company the possibility of using the HWIC-3G-GSM module with AT&T, as a replacement of ISDN for backing up a T1 for WAN connectivity. Were you ever able to find any configs for this. It sounds like we both want the same thing?
The Golden1 Credit Union
Yes, the 3G HWIC worked out. The bandwidth is limited but it's the only other cost effective solution available at this time. I did experience one issue - apparently the first batches of the Cisco HWIC's released had an incorrect country code value set, so there were service issues when the router reboots or interface gets reset. All those issues went away with the correct country code (thanks to Cisco TAC) and the bandwidth/reliability improved drastically.
To answer the backup question - I use a floating static route so that when the interface/BGP drops, the dialer kicks in and activates the Cellular WIC, which kicks off an IPSEC VPN.
Thanks for posting back and confirming that the 3G HWIC is working ok for the IPSec VPN as backup. It helps make the forum more useful when people can read about an issue and can find confirmation of what does really work.
I have the Cellular card working, along with the VPN, and I have put in floating static routes....but wanted to post my config to see if any of you might have any sugestions....reason being is once my t1 drops the cellular comes up but i cant get back to corporate..... any help would be appreciated.
I have looked at the config that you posted. It is a bit difficult to determine how the normal routing decisions are made given that the router is running EIGRP, and BGP, and has static default routes. But pretty clearly if the Frame Relay link fails then EIGRP and BGP stop working and the routing decisions are based on the floating static route. This will get the traffic to the head end which terminates the VPN session.
My guess at the problem is that when the Frame Relay link fails then the head end device may not have a route for your 192.168.0.0 network, or that the network at the head end does not have failover routes that send to the VPN terminating device to get to the remote router. So basically the problem may be that traffic gets from the remote to the head end, but there is no return traffic because of lack of routes back to the remote via VPN.
I would ask about the address translation that you are doing. The configured translation is using access list 121 to identify traffic for translation. But access list has only a single statement which is a deny. So there is no traffic that is permitted by the access list. And that would seem to mean that there is no traffic being translated. If no traffic is being translated, then why is translation configured?
Hi had a question, I wonder if the card HWIC-3G-GSM, you can send traffic using IPsec or PPTP VPN (LAN to LAN or connect to central Site)
both as primary interface as well as secondary interface. not if you could post some configuration to do this, besides m like to know if possible, as is the behavior of bandwidth, thanks.
Yes, IPSEC VPN site to site can run fine, but you will need to find a suitable Internet broadband carrier like ATT or Sprint (in my market.) They have to move your connection profile from the public to a private 'corporate' one and then their custom profile for you can bring up VPN's and static IPs. Sprint also does it with GRE tunnels a bit less secure. ATT engineer also advised to use a few modems with directional antennae pointing to different cell towers for fastest connections not to oversubscribe several modems at once to the same tower. For UDP sensitive traffic use GSM and aviod CDMA or Verizon.