IPSEC SA Timeout And / OR Route multiple Networks via EasyVPN

Unanswered Question
Jul 20th, 2008

I have a site that is currently using a L2L VPN tunnel to access our main site.

The remote site is an ASA 5505. The remote site has a PTP T1 to a 2nd site that we need to monitor. So the remote site actually has 3 subnets that need to be routed across the VPN:

Remote site main: 10.200.54.0 /24

Remote site T1 PTP Subnet: 10.200.254.0 /40

Remote site Other site: 10.200.55.0 /24

The ASA 5505 at the remote site is configured as such:

access-list 101 extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set tangoset esp-3des esp-md5-hmac
crypto map tangomap 10 match address 101
crypto map tangomap 10 set peer *
crypto map tangomap 10 set transform-set tangoset
crypto map tangomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

My MAIN / CENTRAL site concentrator is an ASA 5520 running 7.2(4), with a dynamic map on which numerous EasyVPN / L2L VPNs terminate.

crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set reverse-route
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65530
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

We poll from our datacenter network (10.1.1.0/24) to the 10.200.254.1 IP every 60 seconds just to monitor UP/DOWN status of the T1. Our monitoring software stops monitoring from midnight to 5:30 am, so we don't get alerts etc. I have the problem of the SA not being established when monitoring resumes due to the timeout. Because of the central site using a dynamic map, I can't re-establish the SA. I have to telnet to the T1 router and ping the monitoring server with a source of the 10.200.254.1 interface to re-establish, then all is well.

Is there any other way to keep the SA active? I know with EasyVPN I can use the nem-st-autoconnect option to keep all the SAs up; is this an option for an L2L tunnel?

I would prefer to have the site use EasyVPN, but is it possible to route the 3 necessary networks across the EasyVPN connection? How would that config look? Thanks in advance.
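To make the initiation problem concrete, here is a small Python model, added for this page and not from the thread or from Cisco, that parses the spoke's crypto ACL above and reports which side can bring the SA up for a given flow: the spoke initiates whenever its own ACL matches, while a hub that only has a dynamic crypto map has no proxy ACL and never initiates. The monitoring host 10.1.1.10 and the poller 10.5.5.5 are made-up addresses.

```python
import ipaddress

# Spoke-side crypto ACL as posted, embedded here as this example's input.
SPOKE_ACL_101 = """
access-list 101 extended permit ip 10.200.54.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.55.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.200.254.0 255.255.255.252 10.1.1.0 255.255.255.0
"""

def parse_crypto_acl(text):
    """Turn ASA 'access-list NAME extended permit ip SRC MASK DST MASK' lines
    into (src_network, dst_network) proxy identities, in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 9 or f[3:5] != ["permit", "ip"]:
            continue  # ignore anything that is not a plain permit-ip ACE
        entries.append((ipaddress.ip_network(f"{f[5]}/{f[6]}"),
                        ipaddress.ip_network(f"{f[7]}/{f[8]}")))
    return entries

def matching_ace(entries, src_ip, dst_ip):
    """1-based index of the first ACE covering src->dst, or None if the
    flow is not 'interesting traffic' and will never trigger an SA."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (src, dst) in enumerate(entries, 1):
        if s in src and d in dst:
            return n
    return None

def spoke_initiates(entries, spoke_src, hub_dst):
    """The spoke has a static crypto map: it initiates when its ACL matches."""
    return matching_ace(entries, spoke_src, hub_dst)

def hub_initiates(entries, hub_src, spoke_dst, hub_uses_dynamic_map=True):
    """A hub with only a dynamic crypto map never initiates.  If it had a
    static map with the mirrored ACL, the mirrored ACE (src/dst swapped) would match."""
    if hub_uses_dynamic_map:
        return None
    return matching_ace(entries, spoke_dst, hub_src)

if __name__ == "__main__":
    acl = parse_crypto_acl(SPOKE_ACL_101)
    # Hub-side monitor polling the T1 interface after the SA has timed out:
    print("hub poll brings SA up:", hub_initiates(acl, "10.1.1.10", "10.200.254.1"))  # None
    # Manual ping sourced from the T1 interface at the spoke, as the poster does:
    print("spoke ping matches ACE:", spoke_initiates(acl, "10.200.254.1", "10.1.1.10"))  # 3
    # ACE 3 only covers 10.1.1.0/24, so a poller elsewhere in 10/8 never matches:
    print("other poller via spoke:", spoke_initiates(acl, "10.200.254.1", "10.5.5.5"))  # None
```

The last case is the one to check before relying on a spoke-side keepalive: the PTP subnet is only interesting traffic towards 10.1.1.0/24, unlike the two LAN subnets which match all of 10.0.0.0/8.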

rtjensen4 Sun, 07/20/2008 - 18:18

No worries, I just created a static VPN. This shouldn't be an issue anymore.
