Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn ipsec issue

I'm trying to configure a L2L IPSEC VPN between a Cisco 7200 router and a Microsoft ISA Server 2006 with service pack 1.

The VPN is up and running but every 2 hr the isakmp goes down for a few minutes (2 or 3).

We changed the lifetimes (matching both sides) and no matter what value we set up into the policy the isakmp always comes up with 2 hr as lifetime value.

Do you have any idea?

6 REPLIES
Hall of Fame Super Silver

Re: vpn ipsec issue

Judith

There is a lifetime for ISAKMP and a lifetime for IPSec/ESP. Are you changing the ISAKMP lifetimes or the IPSec/ESP lifetimes?

Perhaps it would be helpful if you would post the related parts of your config with indications of what specifically you have changed so that we can see the details of how it is set up.

HTH

Rick

New Member

Re: vpn ipsec issue

Hi,

Here is my configuration:

crypto isakmp policy 320

encr 3des

hash md5

authentication pre-share

group 2

lifetime 43200

crypto isakmp key address 12.123.45.6 no-xauth

crypto ipsec transform-set 3DES-MD5-TFORM esp-3des esp-md5-hmac

crypto map CRYPTO-MAP 320 ipsec-isakmp

set peer 12.123.45.6

set transform-set 3DES-MD5-TFORM

match address HOUSTON_CMAP

I've been changing the isakmp lifetime and kept the default value for ipsec lifetime.

thanks

Re: vpn ipsec issue

try a debug crypto isakmp during your production's off peak hours. post it here and lets analyze.

Hall of Fame Super Silver

Re: vpn ipsec issue

Judith

Thanks for posting the information that I asked about. I do not see any particular issue in the config and it certainly should get ISAKMP past 2 hours. I wonder if the issue may be in the way that the Microsoft ISA Server 2006 is setting ISAKMP lifetime on its end. Perhaps John's suggestion of running debug for ISAKMP would show the negotiation and clarify where the 2 hours is coming from.

HTH

Rick

New Member

Re: vpn ipsec issue

Thanks all for your advices.

I used to have other policies definitions before this one and when I moved it to top of the list the VPN came up with the right configuration.

regards,

judith

Hall of Fame Super Silver

Re: vpn ipsec issue

Judith

Thank you for posting back to this thread that you have solved the problem and what you did that solved the problem. It helps make the forum more useful when people can read about a problem and can read what was done that solved the problem.

I am glad that you found a solution to this problem.

HTH

Rick

171
Views
0
Helpful
6
Replies