Hi all!

For a special reason (I won't detail it now) I have to use the transport mode of IPSec on a PIX515E. The transport mode on PIX can be used only with dynamyc crypto maps but not with static ones. It means that the PIX side of the IPSec connection cannot initialize the IPSec session. It is not a problem, I initialize it from the other side but I cannot guarantee that the session will be kept alive by the other side because of the traffic caracteristics.

How can I manage to keep alive the manually already initialized session for EVER? The session limits have maximum values, the IKE keepalive also does not guarantee 100% the continuous connection :

http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm

"When the IKE SA expires, it does not renegotiate MM until a new IPSec SA is required. This means that during this non-IKE-SA period, IKE keepalive is not available to provide a resilience mechanism. In other words, if a new IPSec SA is negotiated [QM] just before the IKE SA expires and the headend router goes down just after it expires, then the far end will send traffic into a black hole for the length of the IPSec SA lifetime (one hour by default) since IKE will not be needed until a new QM is required. This has been identified as a bug and should be addressed in a future release of IOS."

What can I do?

Regards,

Gabor