EZVPN Remote Network Extension Mode

remi-reszka
Level 1

Hi everyone,

I have an EZVPN remote in network extension mode connecting to an EZVPN server using pre-shared key authentication. The remote router in network extension mode is on a dynamic IP. Now, each time the IP address changes on the remote router, the ISAKMP SAs stay in QM_IDLE state, even with the peers that were the previous IP addresses of the remote router. When I connect with a VPN software client to the EZVPN server, the tunnel for this client tears down as soon as the client disconnects.

How can I do the same for the remote router in network extension mode?

With this problem on the remote in network extension mode, it could easily exhaust my EZVPN resources (only 10 IPsec tunnels allowed) if the IP address changes pretty often on the remote router.

Many thanks for your help.

regards,

Remi


5 Replies

ovt
Level 4

Try

crypto isakmp keepalive secs retries-secs [periodic]

on both sides

Hi,

I had keepalives set before, but without the "periodic" option. I changed it now to include periodic, and it still doesn't help. Below I have proof. As you can see, the EZVPN server maintains tunnels even to dead peers, hence exhausting VPN resources...

crypto isakmp keepalive 20 3 periodic (on both peers)

Remote router in NEM after change of dynamic IP address:

ezvpn_nem#sh cry isa sa
dst             src             state      conn-id  slot  status
172.30.17.5     172.30.20.4     QM_IDLE    5        0     ACTIVE

EZVPN Server router:

ezvpn_srv#sh cry isa sa
dst             src             state      conn-id  slot  status
172.30.17.5     172.30.20.3     QM_IDLE    1        0     ACTIVE
172.30.17.5     172.30.20.4     QM_IDLE    2        0     ACTIVE

Thanks very much for your help.

Remi

Looks like a bug. Use "sh cry isa sa det" to see if keepalives are indeed active and "deb cry isa" to see they are sent (you need the "periodic" option to verify this). Are IPSec SAs deleted when IP address changes? Verify with "sh cry ipsec sa".

Hi,

Thanks for checking this for me. Here I have the answers:

On both peers I receive DPD R_U_THERE packets from each other every 20 sec, so keepalives work. I checked that with "deb cry isa".

In regards to "sh cry isa sa det", it looks like ezvpn_srv keeps the tunnel up until the IKE lifetime expires (24h), even for the dead peer. Take a look below:

ezvpn_nem#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
7     172.30.20.4  172.30.17.5         ACTIVE  3des  sha         2   23:22:56  CDX
      Connection-id:Engine-id = 7:2(hardware)

ezvpn_srv#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1     172.30.17.5  172.30.20.3         ACTIVE  3des  sha         2   21:06:35  CDX
      Connection-id:Engine-id = 1:1(software)
4     172.30.17.5  172.30.20.4         ACTIVE  3des  sha         2   23:21:48  CDX
      Connection-id:Engine-id = 4:1(software)

Also there are no SAs for the dead peer on ezvpn_srv. Only for the active one.

I am clearing all ISAKMP SAs and trying all over again. I will get back to you on that.

Thanks,

Remi
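The check ovt asks for above ("see if keepalives are indeed active" in "sh cry isa sa det"), applied to the two outputs Remi posted, as an added Python example that is not part of the thread and not Cisco code: it parses the "show crypto isakmp sa detail" table from both routers, reads the Cap. column to confirm that Dead Peer Detection (D) was negotiated on every IKE SA, and flags server-side SAs whose peer address is no longer a current local address of the NEM router, which is exactly the leftover conn-id 1 (172.30.20.3) in the thread. The sample inputs are constructed from the values in the thread, with the column layout re-aligned and the Auth column blank as posted; the KNOWN_STATUS set, the tunnel_limit parameter and the assumption of one IKE SA per tunnel are this example's own and not from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inputs: the two 'show crypto isakmp sa detail' tables
# posted in the thread, re-aligned into columns. The Auth column is blank,
# as in the thread, so rows are parsed by token type rather than position.
NEM_DETAIL = """\
C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
7     172.30.20.4  172.30.17.5         ACTIVE  3des  sha         2   23:22:56  CDX
      Connection-id:Engine-id = 7:2(hardware)
"""

SRV_DETAIL = """\
C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1     172.30.17.5  172.30.20.3         ACTIVE  3des  sha         2   21:06:35  CDX
      Connection-id:Engine-id = 1:1(software)
4     172.30.17.5  172.30.20.4         ACTIVE  3des  sha         2   23:21:48  CDX
      Connection-id:Engine-id = 4:1(software)
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HMS = re.compile(r"^(\d+):(\d{2}):(\d{2})$")
CAPS = re.compile(r"^[CDKNX]+$")          # letters from the Codes legend
KNOWN_STATUS = {"ACTIVE", "DELETE"}       # assumption: the statuses expected here


@dataclass
class IkeSa:
    conn_id: int
    local: str
    remote: str
    status: str
    lifetime_s: int   # remaining IKE SA lifetime in seconds
    caps: str         # Cap. column, e.g. "CDX"

    @property
    def dpd(self) -> bool:
        # 'D' in Cap. means Dead Peer Detection was negotiated for this SA
        return "D" in self.caps


def parse_isakmp_detail(text: str) -> List[IkeSa]:
    """Return one IkeSa per SA row; header, legend and Engine-id lines are skipped."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        tok = line.split()
        # An SA row starts with a numeric C-id followed by local and remote IPv4 addresses.
        if len(tok) < 6 or not tok[0].isdigit() or not (IPV4.match(tok[1]) and IPV4.match(tok[2])):
            continue
        # I-VRF may be blank or a name, so locate Status by value rather than column index.
        status = next((t for t in tok[3:] if t in KNOWN_STATUS), tok[3])
        secs = 0
        for t in tok:
            m = HMS.match(t)
            if m:
                h, mi, s = (int(x) for x in m.groups())
                secs = h * 3600 + mi * 60 + s
                break
        caps = tok[-1] if CAPS.match(tok[-1]) else ""
        sas.append(IkeSa(int(tok[0]), tok[1], tok[2], status, secs, caps))
    return sas


def stale_server_sas(server: List[IkeSa], remote: List[IkeSa]) -> List[IkeSa]:
    """Server-side SAs whose peer address is no longer a local address on the
    remote: leftovers from earlier dynamic IPs that DPD should have cleared."""
    current = {sa.local for sa in remote}
    return [sa for sa in server if sa.remote not in current]


def report(server_text: str, remote_text: str, tunnel_limit: int = 10) -> Dict[str, object]:
    """Summarise what 'sh cry isa sa det' on both sides says about stale SAs and DPD."""
    srv = parse_isakmp_detail(server_text)
    nem = parse_isakmp_detail(remote_text)
    stale = stale_server_sas(srv, nem)
    return {
        "server_sa_count": len(srv),
        "stale_conn_ids": [sa.conn_id for sa in stale],
        # worst case: how long each stale SA lingers if only the IKE lifetime clears it
        "stale_lifetime_left_s": {sa.conn_id: sa.lifetime_s for sa in stale},
        # SAs that negotiated no DPD at all; those will never be torn down by keepalives
        "no_dpd_conn_ids": [sa.conn_id for sa in srv if not sa.dpd],
        # rough headroom against the platform tunnel limit, assuming one IKE SA per tunnel
        "slots_left": tunnel_limit - len(srv),
    }


if __name__ == "__main__":
    for key, value in report(SRV_DETAIL, NEM_DETAIL).items():
        print(f"{key}: {value}")
```

On the thread's data the report shows both server SAs carrying D in Cap. (so DPD was negotiated, matching the R_U_THERE packets Remi saw in "deb cry isa") while conn-id 1 still has about 21 hours of IKE lifetime left; a stale SA that DPD does not clear therefore stays until that lifetime expires unless it is removed with "clear cry isa". Collecting the output over SSH is left out here; feed the script whatever your device returns for the same command.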

I have another update. It looks like it started to work. ezvpn_srv deletes SAs for the dead peers. I just had to "clear cry isa", and now any SAs for the peers that are no longer active (with the old IP addresses) are marked as deleted and eventually clear from the "sh cry isa sa" list.

The one that could not clear off was probably the previous one, from before I implemented "cry isa keepalive 20 3 periodic".

It looks like "cry isa keepalive 20 3 periodic" did the job.

Thanks a lot for your help. If you don't mind I'll get back to you should I still have some troubles.

Remi
