
Configuring a timeout for an IPSEC tunnel

With a site-to-site VPN connection between two Cisco 837s, is there a way that I can configure the IPSEC tunnel to be torn down after a period of inactivity and then the tunnel is built again when further traffic is passed?

Accepted Solutions

Re: Configuring a timeout for an IPSEC tunnel

Hi mitchen

One way (but probably not what you are searching for) to "timeout" the IPSEC session is to use the IPSEC SA-lifetime.

If connectivity is still needed (crypto ACLs are triggered) the connection will be re-established, else it will be torn down.

SA-lifetime is not an idle-timeout but is used to "re-authenticate/re-establish/provide more security" for the IPSEC tunnel on a regular basis.

With a "newer" IOS there is a feature called:

crypto ipsec security-association idle-time seconds

This can be created globally or specified per peer.

You will find all details here:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541d4.html#wp1027129

"Don't forget to rate useful posts"

Greetings

Jarle


Re: Configuring a timeout for an IPSEC tunnel

Hi Jarle,

Yes, I found the "crypto ipsec security-association idle-time seconds" command did what I was looking for.

Thanks.
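
The two timers discussed in this thread, side by side, as an added example that is not from the original posts. The crypto map name, transform-set name, ACL number, addresses, interface and timer values are constructed placeholders, and the ISAKMP policy and key configuration are omitted.

```cisco
! Constructed example: every name, address and value below is a placeholder.
!
! Idle timer (global default): delete IPsec SAs that have passed no
! traffic for 600 seconds. New traffic matching the crypto ACL
! triggers negotiation of a fresh SA.
crypto ipsec security-association idle-time 600
!
! SA lifetime is a separate control: it limits how long one set of
! keys is used and does not act as an inactivity timeout.
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: only this traffic brings the tunnel up.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha-hmac
!
crypto map VPN-EXAMPLE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-EXAMPLE
 match address 110
 ! Override of the global idle timer for this crypto map entry (this peer)
 set security-association idle-time 300
!
interface Dialer0
 crypto map VPN-EXAMPLE
```

Keeping the crypto ACL narrow matters here: any traffic that matches it, including periodic keepalives or routing updates, resets the idle timer and keeps the SAs up. `show crypto ipsec sa` can be used to confirm that the SAs for the peer are gone once the timer has expired.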
