I have an ezvpn remote in network extension mode connecting to an ezvpn server using pre-shared key authentication. The remote router in network extension mode is on a dynamic IP. Now, each time the IP address changes on the remote router, the ISAKMP SAs stay in QM_IDLE state even with the peers that were the previous IP addresses of the remote router. When I connect with a VPN software client to the ezvpn server, the tunnel for this client tears down as soon as the client disconnects.
How can I do the same for the remote router in network extension mode?
Having this problem with the remote network extension, it could easily exhaust my ezvpn resources (only 10 IPSec tunnels allowed) if the IP address changes pretty often on the remote router.
Many thanks for your help.
Looks like a bug. Use "sh cry isa sa det" to see if keepalives are indeed active and "deb cry isa" to see that they are sent (you need the "periodic" option to verify this). Are IPSec SAs deleted when the IP address changes? Verify with "sh cry ipsec sa".