I have a GRE tunnel running over IPSEC across the Internet, providing connectivity between a remote site and our central router. Connectivity is intermittently hanging, causing loss of connectivity. There is a bit of NAT going on in the middle via a Checkpoint firewall (for our central router only), and at one stage the firewall logs reported the remote router was trying to use non-standard ports for IPSEC connectivity (not 500 and/or 4500), which were all being dropped. However, this is not currently being seen and the problem remains.
crypto isakmp policy 10
crypto isakmp key xxxxxx address x.x.x.x
crypto isakmp invalid-spi-recovery
crypto ipsec security-association idle-time 300
crypto ipsec transform-set xxxxxx_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set transform-set xxxxxx_Transform
 ip address 172.16.122.38 255.255.255.252
 ip mtu 1400
 tunnel source Dialer1
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
When connectivity is lost to the remote site, the central router still displays an ACTIVE in/outbound IPSEC tunnel (using 'show crypto ipsec sa'). However, clearing the crypto session at the central end forces the IPSEC to renegotiate and come back up (using the default ports 500 / 4500).
I added the "crypto ipsec security-association idle-time 300" line in the hope that after 5 mins of idleness this would happen automatically, but this doesn't work.
Is there a way of forcing a reset to IPSEC automatically given a loss of traffic/idle state?
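The post above asks whether an IPsec SA can be torn down automatically when traffic stops. As an added example (not the poster's configuration and not an answer from the thread), this shows the IKEv1 liveness check that Cisco IOS provides for exactly that case, dead peer detection (DPD), placed next to the idle timer the post already uses so the difference is visible: the idle timer only removes an SA that carries no traffic at all, whereas DPD actively probes the peer and tears down the IKE SA and its child IPsec SAs when the probes go unanswered. The interface name Tunnel0 and the peer address 198.51.100.1 are assumed placeholders (the page does not show the interface header), and the command syntax is Cisco IOS as documented, not taken from the page.

```cisco
! Added example, not the original poster's config.
!
! DPD (RFC 3706): send an ISAKMP keepalive every 10 s and declare the
! peer dead after 3 consecutive missed replies. "periodic" probes all
! the time; "on-demand" (the default) only probes when traffic is
! queued for a peer that has been silent, which is what a hung tunnel
! with no inbound packets needs.
crypto isakmp keepalive 10 3 periodic
!
! The idle timer from the post stays as a complement: it reclaims SAs
! that are genuinely unused, but it does not detect a dead peer.
crypto ipsec security-association idle-time 300
!
! Placeholder interface name; the page omits the "interface" line.
interface Tunnel0
 ip address 172.16.122.38 255.255.255.252
 ip mtu 1400
 tunnel source Dialer1
 ! Placeholder peer address (documentation range), assumed.
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
```

Both peers have to support DPD for the probes to be answered, and it belongs on both ends of the tunnel so that whichever side loses reachability first tears its SAs down. After applying it, 'show crypto isakmp sa' on the central router should stop showing a lingering ACTIVE entry for a peer that has gone silent, and 'show crypto session detail' reports the DPD state per peer.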