How to start tunnels without the need of pinging a remote host

godzilla0
Level 1

That's the big question!

How do you start tunnels without needing to ping a remote host in the target network? Our customers get hung on a regular basis because of this issue. 10 points to the first answer!


16 Replies

singhsaju
Level 4

Hello,

You can set up keepalives on the VPN end.

For example:

On PIX

isakmp keepalive 30 2

On IOS

crypto isakmp keepalive 10 periodic

If it does not resolve it and you need some kind of traffic, then you can configure NTP across the VPN link (source it from the private interface so that it is interesting traffic for the VPN).

HTH

Saju

We have a lot of non-Cisco peers. Can you put some detail on how to configure NTP? Thanks.

Check the following example for PIX to PIX IPsec-NTP:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801d449c.shtml

You can make a router in your network the NTP master and sync the clocks on the PIX and other non-Cisco devices to the router.

HTH

Saju

ntp authentication-key 1 md5 ********

ntp trusted-key 1

ntp server 10.0.6.5 key 1 source outside

As I see it, these are the only parameters you have to configure?

Why do you need that key to authenticate?

What is the ntp trusted-key 1?

You do not need to authenticate (it's optional). Just use the ntp server command.

Also, in "ntp server 10.0.6.5 key 1 source outside"

use the source as inside.

I think you will also have to enable "management-access inside" to make it work.

OK, I managed to make it work. But I'm looking for a better solution. I mean, we don't care if the tunnels go down, but we need them up when the customers start to send interesting traffic through the tunnel. I don't know why the customers can't start the tunnels when initiating a SIP connection, but we can bring up the tunnel by pinging their networks. Is there a way to make the tunnel go up when, for example, the customer starts working on Monday morning (a call center, for example), they start the first call, and then the tunnel comes up from their side? Thanks!

Thanks for the rating!

You can consider writing a script to ping regularly across the tunnel.

Xavier

Your description sounds like the tunnel does start when there is traffic from your end but does not start when there is traffic from the remote. Is this correct?

The symptom of starting only from one side is common when one side has a fixed IP address and the other side has a dynamic IP. Is this perhaps the case that the remote side has a dynamic IP address?

Perhaps if we could see some configuration details we might understand the issue better and be able to give you better answers.

HTH

Rick

No, the IPs are static at both ends. Is it really necessary to keep generating traffic all the time to keep the tunnels always up?

Xavier

If you want the tunnel to be always up then yes you need some kind of traffic being generated all the time. I frequently accomplish that by running a routing protocol through the tunnel and the routing protocol hello messages help to keep the tunnel up. Running NTP through the tunnel would also be a good way to do this.

The tunnel should initialize when there is interesting traffic. Your description of the symptoms sounds like the tunnel does initialize when there is traffic from your side, but not when there is traffic from the other side. Is that the case? That would seem to indicate some issue in the configuration of the VPN tunnel. Can you post the configurations from both ends?

HTH

Rick

Yes, I can do that, but the config file is so big. That's only happening with point-to-point VPNs. The client-to-server VPNs are working fine. Please tell me what part of the config you want to check and I will post it. Thanks.

Xavier

I could tell you more easily what part if I knew on what platform you are running the VPN. On a router I would want to see the crypto map entry and the access list which is referred to in the crypto map to identify traffic. If it was on PIX/ASA I would want the crypto map, the crypto access-list referred to in the map, and the nonat rule.

HTH

Rick

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to212.78.144.13

set peer 212.78.144.13

set security-association lifetime seconds 86400

set transform-set REUS

match address 104

------------------------------------------------

access-list 104 remark SDM_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.241.0 0.0.0.255

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.236.0 0.0.3.255

We don't have any nonat rules. All the crypto maps are the same. Thanks!
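A way to check what the posted crypto ACL actually classifies as interesting traffic, as an added example that is not code from this thread or from Cisco: the script below parses the access-list 104 lines posted above (embedded as a constructed copy) and reports whether a given source/destination pair would trigger IKE for crypto map SDM_CMAP_1 at all. It goes a little beyond the posted lines in that it also accepts the `any` and `host` address forms. The sample flows at the bottom, and the 10.0.0.1 address in them, are constructed for illustration; `reverse_entries` produces the mirror-image ACL the remote peer is expected to carry, which is the usual first thing to compare when a tunnel only comes up from one side.

```python
"""Evaluate IOS crypto access-list entries against candidate flows.

Added example for this thread (not code from the thread or from Cisco): it
parses the access-list 104 lines posted above and tells you whether a given
source/destination pair is "interesting traffic" for crypto map SDM_CMAP_1,
i.e. whether a packet with those addresses would trigger IKE negotiation at
all. ACL_TEXT is a constructed copy of the posted lines.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_TEXT = """\
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.241.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.236.0 0.0.3.255
"""

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # network address as a 32-bit int
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Read one address spec: "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"."""
    tok = tokens[i]
    if tok == "any":
        return 0, MASK32, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tok), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str, number: int) -> List[AclEntry]:
    """Collect the 'permit/deny ip' entries of one numbered extended ACL."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        if tokens[2] == "remark":      # remarks carry no match logic
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry for this example: {raw.strip()}")
        src, src_wild, i = _parse_addr(tokens, 4)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, src, src_wild, dst, dst_wild))
    return entries


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Only the bits where the wildcard mask has a 0 must agree with the base.
    care = ~wild & MASK32
    return (addr & care) == (base & care)


def matching_entry(entries: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    """First entry, in order as IOS evaluates them, matching both src and dst."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e
    return None


def is_interesting(entries: List[AclEntry], src: str, dst: str) -> bool:
    """True when the flow hits a permit entry, i.e. IPsec would act on it."""
    e = matching_entry(entries, src, dst)
    return e is not None and e.action == "permit"


def reverse_entries(entries: List[AclEntry]) -> List[AclEntry]:
    """The mirror-image ACL the remote peer must carry: src and dst swapped."""
    return [AclEntry(e.action, e.dst, e.dst_wild, e.src, e.src_wild) for e in entries]


if __name__ == "__main__":
    local = parse_acl(ACL_TEXT, 104)
    remote = reverse_entries(local)
    # Constructed sample flows: a ping from the local LAN, and a SIP call that
    # the remote call center would originate towards the local LAN.
    for label, acl, src, dst in [
        ("local ping", local, "192.168.3.10", "172.16.4.5"),
        ("remote SIP", remote, "172.16.4.5", "192.168.3.10"),
        ("remote SIP, other subnet", remote, "10.0.0.1", "192.168.3.10"),
    ]:
        print(f"{label:26} {src} -> {dst}: interesting={is_interesting(acl, src, dst)}")
```

The third sample flow is the case worth checking against the customer's real addressing: if their SIP endpoints or PBX sit on a subnet that is not covered by the mirror of these entries, their first call never matches the crypto ACL on their side and never triggers IKE, while a ping from 192.168.3.0/24 does match and brings the tunnel up. Comparing the remote peer's actual crypto ACL with what `reverse_entries` produces shows that mismatch directly.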

Xavier

Thanks for posting the crypto map and the access list. Would I be correct in assuming that this is from your router? Can you also post the crypto map and the access list from the remote router?

HTH

Rick