Configuring a timeout for an IPSEC tunnel

mitchen
Level 2

With a site-to-site VPN connection between two Cisco 837s, is there a way that I can configure the IPSEC tunnel to be torn down after a period of inactivity and then the tunnel is built again when further traffic is passed?

Accepted Solutions

jsteffensen
Level 1

Hi mitchen

One way (but probably not what you are searching for), to "timeout" the IPSEC Session, is to use the IPSEC SA-lifetime.

If connectivity is still needed (crypto acl are triggered) the connection will be re-established, else it will be torn down.

SA-lifetime is not an idle-timeout but is used to "re-authenticate/re-establish/provide more security" for the IPSEC tunnel on a regular basis.

With a "Newer" IOS there is a feature called:

crypto ipsec security-association idle-time seconds

This can be created globally or specified per peer.

You will find all details here:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541d4.html#wp1027129

"Don't forget to rate useful posts"

Greetings

Jarle
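
The two timers contrasted in the answer above, side by side in a site-to-site configuration. This is an added example, not part of the original posts; the map name, transform-set name, ACL number, addresses and timer values are constructed placeholders.

```cisco
! Constructed example: names, ACL number, addresses and timer values are placeholders.
!
! SA lifetime: the SA expires after this time regardless of activity and is
! re-established only if traffic still matches the crypto ACL.
crypto ipsec security-association lifetime seconds 3600
!
! Idle timer, global form: SAs to any peer are deleted after 600 seconds
! without traffic.
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set TS-EXAMPLE esp-aes esp-sha-hmac
!
! Crypto ACL: traffic matching it brings the tunnel up again after a teardown.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Idle timer, per-crypto-map form (set security-association idle-time):
! applies only to the peer in this map entry.
crypto map VPN-EXAMPLE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-EXAMPLE
 set security-association idle-time 600
 match address 101
```

`show crypto ipsec sa` lists the current SAs, which makes it possible to confirm that they disappear after the idle period and return when matching traffic is sent.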

Hi Jarle,

Yes, I found the "crypto ipsec security-association idle-time seconds" command did what I was looking for.

Thanks.
