As long as traffic passes through the tunnel it will not be torn down; you can go ahead and set the lifetime to 86400 seconds, which causes the tunnel not to renew the key for 24 hours. But if there is no activity the tunnel will always go down, at least on Cisco devices. ASA AFAIK has the feature to set the lifetime for IKE to 0, which will not bring down the IKE tunnel, but IPSEC is what has to rekey and I am not sure how the other vendors will support that. Pix won't support it.
Keepalives are a mechanism to detect whether the peer is active or not. This will not keep a tunnel up; it will actually do the opposite: bring down the tunnel when the remote peer does not respond to DPD (keepalive) packets.
This is a bit old, but I am going through this issue right now. I have a site-to-site VPN between two sites. One location has a SonicWall and the other has an ASA5505. I have found that the tunnel stays up, but when I have a client session open to the remote side's AS400 system, after about 5 minutes of inactivity in the AS400 client access window, the session is terminated. I do not mind this, but 5 minutes is a bit short. Is there a way to change this?
Steven is correct, changing the ISAKMP Keepalive will only change the intervals of the DPD checks (Dead Peer Detection). These do not count as "interesting" traffic and therefore do not reset idle timeouts or serve to rebuild a tunnel after it has been torn down.
You do have the option to remove the idle timeout on VPN connections. See code below:
You would then apply this group-policy to your site-site tunnel-group:
tunnel-group 126.96.36.199 general-attributes
However, do realize this will simply remove the idle timeout. It cannot do anything about tunnel re-keys. If your tunnel rekeys when no interesting traffic is occurring, the tunnel will not rebuild until interesting traffic is seen. There is no way around that.
I guess you could create a script on a server in your encryption domain to send a ping every few minutes to a host on the other side. But at least from the Firewall, there is no way of forcing the tunnel to rebuild after a rekey.
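The group-policy the answer above refers to is not shown in the thread; the following is an added example of the ASA configuration it describes, not the poster's own config. The group-policy name NO-IDLE-TIMEOUT is a placeholder, and the tunnel-group name must be the remote peer's address as already present on the firewall:

```text
! Added example (not from the thread): remove the VPN idle timeout on an ASA
! and bind the policy to the site-to-site tunnel-group.
! NO-IDLE-TIMEOUT and <PEER-IP> are placeholders.
group-policy NO-IDLE-TIMEOUT internal
group-policy NO-IDLE-TIMEOUT attributes
 vpn-idle-timeout none
exit
!
tunnel-group <PEER-IP> general-attributes
 default-group-policy NO-IDLE-TIMEOUT
exit
!
! Verification:
!   show running-config group-policy NO-IDLE-TIMEOUT   (idle timeout should show "none")
!   show vpn-sessiondb l2l                              (confirm the L2L session uses the policy)
```

This only disables the idle timer on the ASA side; the SonicWall end keeps its own idle and lifetime settings, and, as stated above, a Phase 2 rekey that happens while no interesting traffic is flowing still leaves the tunnel down until traffic arrives. Disabling the idle timeout also means a half-dead session is no longer cleaned up by the timer, so keep DPD enabled so that a failed peer is still detected.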