New Member

IPsec over dialup

Hi,

I have a network problem that requires a secure link between two locations and I think IPSec will do the job, but I would like some guidance from people who know better than me.

Problem

PC1 at Site A will be sending UDP data packets to PC2 at Site B via a dial up link; occasionally PC2 will reply to PC1, again via UDP. PC1 and PC2 are the only systems that will pass data over the link.

I intend to have a 2801 fitted with an analog modem card (WIC-2AM-V2) at each site and configure dial-on-demand routing, IPSec and Firewall but not to use a VPN.

Is this setup OK or have I missed something?

Thanks

gnich

5 REPLIES
Hall of Fame Super Gold

Re: IPsec over dialup

gnich

I am a bit confused about part of your post. You say:

"configure dial-on-demand routing, IPSec and Firewall but not to use a VPN"

How will you configure IPSec and not use VPN?

In your first sentence you say that you require a secure link. Since dial up is a point to point connection through telco facilities, many people would already consider that fairly secure since it certainly minimizes any opportunity for anyone to observe or tamper with the traffic. But if your requirements are for more secure than that then IPSec does give you a way to encrypt the data and that is highly secure.

I suggest that you think some about how you will assure that traffic between the PCs always goes through the dial up link and to assure that no other traffic goes through the dial up link. If the dial up is really only for the PCs then why not put the analog modem connected to the PCs and have the PCs dial?

HTH

Rick

New Member

Re: IPsec over dialup

Rick

I do need an encrypted secure link, more than I would get from a normal dial up, so I can not use a modem. That is why I thought of IPSec.

You can see I'm not too sure on how IPSec works in practice (I've done some reading but probably not enough). I take it I need to create a VPN. Can this be done in the router, as I don't have any VPN software on the clients?

As for data flow, Site A will only have 1 PC so there is no other traffic that could use the dial-up. At Site B I intend to use fixed IP routes to manage what traffic passes over the dial up link. I think this should be OK.

Graham

Hall of Fame Super Gold

Re: IPsec over dialup

Graham

If you need an encrypted secure link then IPSec is the way to go.

I get the sense that you are thinking of IPSec and of VPN as separate things. Generally when we configure IPSec we are doing it to create a VPN connection. So for most of us the terms are pretty interchangeable.

It depends on what feature set of the IOS is installed on your router. If it is the Advanced Security or Advanced Services it will include the software to do IPSec. If it is the IP Base or IP plus feature sets then it does not have the ability to run IPSec.

[edit] one other thing occurs to me to mention. IPSec does not really care what media it runs over as long as it has IP connectivity between the 2 IPSec peers. So in that sense running IPSec over dialup should be fine. But assuming that you are talking about normal dialup the dial link will be down most of the time. When the application attempts to send data it will need to bring up the dial link. It will have to initialize, call, and authenticate before it is ready to pass traffic. Then the routers will have to negotiate ISAKMP Security Associations and then IPSec Security Associations. So there will be some amount of delay before the application traffic starts to flow. Will that delay create any issues with the application?

HTH

Rick
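
The setup discussed above, sketched as a Site A router configuration. This is an added example, not part of the original posts or a configuration from either poster. All addresses, names, the phone number and the key are placeholders, and it assumes the modem interface is already a member of dialer pool 1 and that the PPP dial-up itself works.

```cisco
! Site A router. Assumed placeholders:
!   PC1 = 192.168.1.10 (Site A LAN), PC2 = 192.168.2.10 (Site B LAN)
!   Dialer addresses: 10.0.0.1 (Site A), 10.0.0.2 (Site B)

! ISAKMP (phase 1) policy and pre-shared key for the Site B peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY> address 10.0.0.2

! IPSec (phase 2) transform set: ESP encryption plus integrity
crypto ipsec transform-set DIAL-ESP esp-aes 256 esp-sha-hmac

! Traffic to protect: only UDP from PC1 to PC2
! (Site B uses the mirror image of this ACL)
access-list 110 permit udp host 192.168.1.10 host 192.168.2.10

crypto map DIAL-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set DIAL-ESP
 match address 110

! Any IP packet routed to the dialer is allowed to bring the link up
dialer-list 1 protocol ip permit

interface Dialer1
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer string <SITE-B-NUMBER>
 dialer-group 1
 crypto map DIAL-MAP

! Static route so traffic for Site B uses the dial link
ip route 192.168.2.0 255.255.255.0 Dialer1
```

Once the link is up and PC1 has sent traffic, `show crypto isakmp sa` and `show crypto ipsec sa` show whether the two negotiation stages Rick describes have completed.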

New Member

Re: IPsec over dialup

Rick

Thanks for clearing this up, I was thinking IPSec and VPN were different things, but now I'll look at them as one.

I'm going to use 2801's with the Advanced Security and a 2 port modem card.

The time delay to initialise the link over the dialup will be OK as it will be brought up in a morning and then stay connected for a few hours before being dropped. The actual data flow will not start until the link is established, so the data will be OK.

Thanks again

Graham

PS

When they get delivered I might be back for more help !!!

Hall of Fame Super Gold

Re: IPsec over dialup

Graham

I am glad that my responses helped you to understand this better. If you have more questions we will be here.

Thank you for using the rating system to indicate that your question was resolved (and thanks for the ratings). It makes the forum more useful when people can read a question and can know that there were responses which were able to resolve the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
