IPSEC clear crypto session - a way of automating this?

Unanswered Question
Oct 6th, 2011

Hi,

I have a GRE tunnel running over IPSEC across the Internet, providing connectivity between a remote site and our central router. Connectivity is intermittently hanging causing loss of connectivity. There is a bit of NAT going on in the middle via a checkpoint firewall (for our central router only), and at one stage the firewall logs reported the remote router was trying to use non-standard ports for IPSEC connecitivity (not 500 and/or 4500) - which were all being dropped. However, this is not currently being seen and the problem remains.

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

lifetime 180

crypto isakmp key xxxxxx address x.x.x.x

crypto isakmp invalid-spi-recovery

!

crypto ipsec security-association idle-time 300 

!

crypto ipsec transform-set xxxxxx_Transform esp-3des esp-md5-hmac

!

crypto ipsec profile VTI

set transform-set xxxxxx_Transform

!

interface Tunnel1

ip address 172.16.122.38 255.255.255.252

ip mtu 1400

load-interval 30

tunnel source Dialer1

tunnel destination x.x.x.x

tunnel mode ipsec ipv4

tunnel protection ipsec profile VTI

When connectivity is lost to the remote site, the central router still displays an ACTIVE in/outbound IPSEC tunnel (using 'show crypto ipsec sa'). However, clearing the crypto session at the central end forces the IPSEC to renogotiate and come back up (using the default ports 500 / 4500).

I added the "crypto ipsec security-association idle-time 300" line in the hope that after 5 mins of idle-ness this would happen automatically, but this doesn't work.

Is there a way of forcing a reset to IPSEC automatically given a loss of traffic/idle state??

Rgds

Phil

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joseph W. Doherty Thu, 10/06/2011 - 02:55

Disclaimer

The    Author of this posting offers the information contained within this    posting without consideration and with the reader's understanding that    there's no implied or expressed suitability or fitness for any  purpose.   Information provided is for informational purposes only and  should not   be construed as rendering professional advice of any kind.  Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In    no event shall Author be liable for any damages whatsoever  (including,   without limitation, damages for loss of use, data or  profit) arising  out  of the use or inability to use the posting's  information even if  Author  has been advised of the possibility of such  damage.

Posting

Perhaps a re-occurring script could be run on the router that looks at the crypto stats, and depending on what it "sees", clear the SA.

Richard Burts Thu, 10/06/2011 - 08:46

Phil

Creating a script to issue the clear crypto commands as Joseph suggests would be the easy part. The challenge would be in creating something that would detect when connectivity to the remote was lost. Perhaps there is something in IP SLA that could do this and kick off a script if connectivity goes down.

HTH

Rick

Actions

Login or Register to take actions

This Discussion

Posted October 6, 2011 at 2:30 AM
Stats:
Replies:2 Overall Rating:
Views:7684 Votes:0
Shares:0
Tags: ipsec, crypto
+

Related Content