vpn ipsec issue

Unanswered Question
Nov 11th, 2008

I'm trying to configure an L2L IPsec VPN between a Cisco 7200 router and a Microsoft ISA Server 2006 with Service Pack 1.

The VPN is up and running, but every 2 hours ISAKMP goes down for a few minutes (2 or 3).

We changed the lifetimes (matching both sides), and no matter what value we set in the policy, ISAKMP always comes up with 2 hours as the lifetime value.

Do you have any idea?

Richard Burts Tue, 11/11/2008 - 13:37

Judith

There is a lifetime for ISAKMP and a lifetime for IPSec/ESP. Are you changing the ISAKMP lifetimes or the IPSec/ESP lifetimes?

Perhaps it would be helpful if you would post the related parts of your config with indications of what specifically you have changed so that we can see the details of how it is set up.

HTH

Rick

yuya25 Wed, 11/12/2008 - 06:53

Hi,

Here is my configuration:

crypto isakmp policy 320
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key address 12.123.45.6 no-xauth
crypto ipsec transform-set 3DES-MD5-TFORM esp-3des esp-md5-hmac
crypto map CRYPTO-MAP 320 ipsec-isakmp
 set peer 12.123.45.6
 set transform-set 3DES-MD5-TFORM
 match address HOUSTON_CMAP

I've been changing the isakmp lifetime and kept the default value for ipsec lifetime.

thanks

johnlloyd_13 Wed, 11/12/2008 - 07:41

Try a debug crypto isakmp during your production's off-peak hours. Post it here and let's analyze.

Richard Burts Wed, 11/12/2008 - 08:13

Judith

Thanks for posting the information that I asked about. I do not see any particular issue in the config and it certainly should get ISAKMP past 2 hours. I wonder if the issue may be in the way that the Microsoft ISA Server 2006 is setting ISAKMP lifetime on its end. Perhaps John's suggestion of running debug for ISAKMP would show the negotiation and clarify where the 2 hours is coming from.

HTH

Rick

yuya25 Mon, 11/17/2008 - 09:27

Thanks all for your advice.

I used to have other policy definitions before this one, and when I moved it to the top of the list the VPN came up with the right configuration.

regards,

judith
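
The fix described in the post above, as an added illustration (not code from the thread or from Cisco): a Python sketch that parses `crypto isakmp policy` blocks from indented running-config text and reports a policy that is never selected because a lower-numbered policy with the same encryption, hash, authentication and group is matched first. Policy 100, the default attribute values and the function names are assumptions made for the example.

```python
import re

# Constructed sample. Policy 320 is the one posted in the thread; policy 100 is
# a hypothetical earlier policy with the same parameters and a 2-hour lifetime.
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp policy 320
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
"""
# Values for lines a policy omits (assumed classic IOS defaults).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
MATCH_KEYS = ("encr", "hash", "authentication", "group")

def parse_policies(config):
    """Return {priority: attributes} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if head:
            current = policies.setdefault(int(head.group(1)), dict(DEFAULTS))
        elif line and not raw[0].isspace():
            current = None                      # any other top-level command
        elif line and current is not None:
            key, _, value = line.replace("encryption", "encr", 1).partition(" ")
            if key in DEFAULTS:
                current[key] = value.strip()
    return policies

def first_match(policies, proposal):
    """Lowest-numbered policy whose encr/hash/auth/group equal the proposal."""
    return next((p for p in sorted(policies)
                 if all(policies[p][k] == proposal[k] for k in MATCH_KEYS)), None)

def shadowed(policies):
    """(winner, shadowed) pairs: same match attributes, different lifetime."""
    hits = ((first_match(policies, a), p) for p, a in sorted(policies.items()))
    return [(w, p) for w, p in hits
            if w != p and policies[w]["lifetime"] != policies[p]["lifetime"]]
```

On the constructed sample, `shadowed(parse_policies(SAMPLE_CONFIG))` returns `[(100, 320)]`: the lifetime configured under policy 320 cannot take effect until that policy is numbered ahead of policy 100.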

Richard Burts Mon, 11/17/2008 - 09:39

Judith

Thank you for posting back to this thread that you have solved the problem and what you did that solved the problem. It helps make the forum more useful when people can read about a problem and can read what was done that solved the problem.

I am glad that you found a solution to this problem.

HTH

Rick
