How to start tunnels without the need of pinging a remote host

Answered Question
Sep 4th, 2008

That's the big question!

How do you start tunnels without the need of pinging a remote host in the target network? Our customers get hung on a regular basis because of this issue. 10 points to the first answer!

Correct Answer by singhsaju about 8 years 4 months ago

Check the following example for PIX to PIX IPsec-NTP:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801d449c.shtml

You can make a router in your network the NTP master and sync the clocks on the PIX and other non-Cisco devices to the router.

HTH

Saju

Correct Answer
singhsaju Thu, 09/04/2008 - 12:02

Hello,

You can set up keepalives on the VPN end.

For example:

On PIX

isakmp keepalive 30 2

On IOS

crypto isakmp keepalive 10 periodic

If it does not resolve it and you need some kind of traffic, then you can configure NTP across the VPN link (source it from the private interface so that it is interesting traffic for the VPN).

HTH

Saju

godzilla0 Thu, 09/04/2008 - 23:54

We have a lot of non-Cisco peers. Can you put some detail on how to configure NTP? Thanks.

godzilla0 Fri, 09/05/2008 - 06:46

ntp authentication-key 1 md5 ********

ntp trusted-key 1

ntp server 10.0.6.5 key 1 source outside

As I see it, these are the only parameters you have to configure?

Why do you need that key to auth?

What is the ntp trusted-key 1?

Correct Answer
singhsaju Fri, 09/05/2008 - 07:19

You do not need to authenticate (it's optional). Just use the ntp server command.

Also, in "ntp server 10.0.6.5 key 1 source outside"

use source as inside.

I think you will also have to enable "management-access inside" to make it work.

godzilla0 Fri, 09/05/2008 - 08:08

OK, I managed to make it work. But I'm looking for a better solution. I mean, we don't care if the tunnels go down, but we need them up when the customers start to send interesting traffic through the tunnel. I don't know why the customers can't start the tunnels when initiating a SIP connection, but we can bring up the tunnel by pinging their networks. Is there a way to make the tunnel come up when, for example, the customer starts working on Monday morning (a call center, for example), they start the first call and then the tunnel comes up from their side? Thanks!

singhsaju Fri, 09/05/2008 - 09:18

Thanks for the rating!

You can consider writing a script to ping regularly across the tunnel.

Richard Burts Sun, 09/07/2008 - 04:01

Xavier

Your description sounds like the tunnel does start when there is traffic from your end but does not start when there is traffic from the remote. Is this correct?

The symptom of starting only from one side is common when one side has a fixed IP address and the other side has a dynamic IP. Is this perhaps the case that the remote side has a dynamic IP address?

Perhaps if we could see some configuration details we might understand the issue better and be able to give you better answers.

HTH

Rick

godzilla0 Mon, 09/08/2008 - 05:30

No, the IPs are static at both ends. Is it really necessary to keep generating traffic all the time to keep the tunnels always up?

Richard Burts Mon, 09/08/2008 - 08:18

Xavier

If you want the tunnel to be always up then yes you need some kind of traffic being generated all the time. I frequently accomplish that by running a routing protocol through the tunnel and the routing protocol hello messages help to keep the tunnel up. Running NTP through the tunnel would also be a good way to do this.

The tunnel should initialize when there is interesting traffic. Your description of the symptoms sounds like the tunnel does initialize when there is traffic from your side, but not when there is traffic from the other side. Is that the case? That would seem to indicate some issue in the configuration of the VPN tunnel. Can you post the configurations from both ends?

HTH

Rick

godzilla0 Mon, 09/08/2008 - 08:27

Yes, I can do that, but the config file is so big... That's only happening with point-to-point VPNs. The client-to-server VPNs are working fine. Please tell me what part of the config you want to check and I will post it. Thanks.

Richard Burts Mon, 09/08/2008 - 08:48

Xavier

I could tell you more easily what part if I knew on what platform you are running the VPN. On a router I would want to see the crypto map entry and the access list which is referred to in the crypto map to identify traffic. If it was on PIX/ASA I would want the crypto map, the crypto access-list referred to in the map, and the nonat rule.

HTH

Rick

godzilla0 Mon, 09/08/2008 - 08:54

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to212.78.144.13

set peer 212.78.144.13

set security-association lifetime seconds 86400

set transform-set REUS

match address 104

------------------------------------------------

access-list 104 remark SDM_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.241.0 0.0.0.255

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.236.0 0.0.3.255

We don't have any nonat rules. All the crypto maps are the same. Thanks!
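A check I would run at this point (example code added here, not from the thread or from Cisco): it parses the crypto ACL posted above, answers whether a given flow counts as interesting traffic on this side, and lists entries the remote peer's crypto ACL does not mirror. The remote ACL below is a constructed assumption, since the customer's configuration was not posted.

```python
import ipaddress

# Constructed input: the crypto ACL posted above (IOS address/wildcard form)
# and a hypothetical remote-peer ACL that should be its mirror image (assumed).
LOCAL_ACL = """
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.241.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.236.0 0.0.3.255
"""
REMOTE_ACL = """
access-list 110 permit ip 172.16.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.241.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network (wildcard = inverted mask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)

def parse_crypto_acl(text):
    """Return (src_net, dst_net) for every 'permit ip' entry; remark lines are skipped."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            entries.append((wildcard_to_network(p[4], p[5]),
                            wildcard_to_network(p[6], p[7])))
    return entries

def is_interesting(entries, src_ip, dst_ip):
    """True if a src->dst packet matches the crypto ACL and so would trigger SA negotiation."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def missing_mirrors(local, remote):
    """Local entries with no (dst, src) counterpart on the peer: flows the remote side
    cannot initiate, one possible cause of a tunnel that only comes up from one end."""
    mirrored = {(dst, src) for src, dst in remote}
    return [e for e in local if e not in mirrored]

if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_ACL)
    print("interesting:", is_interesting(local, "192.168.3.10", "192.168.238.5"))
    for src, dst in missing_mirrors(local, parse_crypto_acl(REMOTE_ACL)):
        print(f"remote peer has no mirror for {src} -> {dst}")
```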

Richard Burts Mon, 09/08/2008 - 09:16

Xavier

Thanks for posting the crypto map and the access list. Would I be correct in assuming that this is from your router? Can you also post the crypto map and the access list from the remote router?

HTH

Rick

godzilla0 Mon, 09/08/2008 - 23:24

Yes, this is from our router. I can't post the remote router config because it's totally private. It's the customer's end.
