12-12-2009 01:34 AM - edited 03-04-2019 06:57 AM
Hi guys!
What command should I use to keep the tunnel always up using IPsec VPN, without initiating any traffic during the idle time on the ASA?
Thanks
12-28-2009 12:49 AM
Hello Alsayed,
As in routers, the security associations (SAs) have a lifetime based on two factors: time and traffic volume.
See:
IPsec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).
https://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042781
Be aware that extending the lifetime exposes you to security risk, so it is not recommended.
The best way would be to have a GRE tunnel encapsulated in IPsec on the ASA, originated and terminated on routers, with a routing protocol running on it and a high metric so that it is not used until the primary path is active.
R1 ---- ASA1 ---------------------------- ASA2 --- R2
Hope to help
Giuseppe
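As an added example (not from the thread or from Giuseppe), this is one way to build the design he describes: a GRE tunnel between R1 and R2 whose OSPF hellos and GRE keepalives generate constant traffic, so the IPsec SA between the ASAs never sits idle, with a high OSPF cost so the path only carries user traffic when the primary fails. All addresses, interface names, object names and the pre-shared key are constructed placeholders.

```cisco
! --- R1 (behind ASA1): GRE tunnel to R2, OSPF hellos act as keepalive traffic ---
! All addresses and names below are constructed placeholders.
interface Tunnel0
 description GRE to R2, carried inside the ASA1-ASA2 IPsec tunnel
 ip address 10.255.0.1 255.255.255.252
 ! inside address of R1 is 192.0.2.10, inside address of R2 is 198.51.100.10
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 ! GRE keepalive (10 s interval, 3 retries) so the tunnel line protocol tracks reachability
 keepalive 10 3
 ! high metric: this path is a backup and is not preferred while the primary is up
 ip ospf cost 1000
!
router ospf 1
 ! default point-to-point hellos every 10 s keep packets flowing through the SA
 network 10.255.0.0 0.0.0.3 area 0
 network 192.0.2.0 0.0.0.255 area 0
!
! --- ASA1 (7.x syntax): encrypt only the GRE traffic between the two routers ---
access-list GRE_TO_R2 extended permit gre host 192.0.2.10 host 198.51.100.10
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Default SA lifetimes (28800 s / 4608000 KB) are deliberately left unchanged.
crypto map OUTSIDE_MAP 10 match address GRE_TO_R2
! 203.0.113.2 is the constructed outside address of ASA2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! Mirror this on R2/ASA2 with source and destination swapped. To confirm the SA
! stays up with no user traffic, watch the counters grow on an idle link:
!   show crypto ipsec sa | include pkts encaps
```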
12-28-2009 04:35 AM
Hello Giuseppe!
Thanks for your reply.
12-28-2009 05:35 AM
Friend Giuseppe, I need the tunnel to be up all the time and ready, whether there is data to be sent or not.
Thanks