I've implemented a Dynamic to Static Site-to-Site IPSec VPN between a branch office (vessel) ASA5505 and the headquarters. Now, this solution doesn't allow the HQ to initiate the IPsec connection.
There is a router behind the ASA5505. I heard that if I want to keep the tunnel up, so that HQ clients can initiate traffic to remote clients through the tunnel, I'd need to run IP SLA icmp probes on the router behind the ASA.
Could someone explain how to implement it?
Thanks for your help.
The ICMP probe can be done through any devices that is capable of doing ping, not only from the router.
The reason is as long as there is interesting traffic that triggers the traffic to be encrypted through the vpn tunnel, the tunnel will stay up, therefore, you will be able to initiate connection from HQ towards your remote site.
Hope that helps.