I have a VPN that is composed of a PIX with a static IP and several IOS routers that have dynamic IPs. As such, IPSec tunnels can only be initiated from the IOS router side. I need to keep these tunnels up during the night when no users are at the remote sites to generate traffic. I was thinking of using either the "service tcp-keepalives-out" or "isakmp keepalive X" command on the IOS router side to accomplish this. Will this work? Is there a better way? Do I need to do something on the PIX side?
You don't have to do anything if you want to keep your tunnels up. By default, once an IPSec tunnel is up (because it saw the interesting traffic), it will be so till its IPSec lifetime expires. This is regardless of traffic generated from either side. Keepalives are used only when we want to bring the tunnels **down** when there is no response to keepalive messages from the other side. You can't use keepalives to keep the tunnels up. Keepalives require the tunnel protocol to be up to work.
Once the tunnels are down due to lifetime expiry or because of no response to keepalives from the other side, it requires again some interesting traffic to trigger the creation of IPSec SAs.
I believe the only possible solution in your case is to have a large ISAKMP and IPSec lifetime. The maximum lifetime period is 24 hrs and this should be sufficient to cover during the night times also.
I propose the following "not a clean" solutions to keep the tunnel up.
1. By syncing the time of the router to the central router through the tunnel using the NTP protocol. This can be done by creating a crypto access-list for UDP port 123 as interesting traffic. You may want to adjust how frequent the sync timing is, compared to the load of the other tunnelled packets, so it will not degrade the whole VPN performance.
2. By periodically sending a syslog message to the central router through the tunnel.
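As an added example (not from either answer in this thread), here is what the two suggestions look like together on the IOS spoke: both lifetimes at their 24-hour maximum, and the router's own NTP polls to the hub listed as interesting traffic so the spoke re-initiates the tunnel with nobody behind it. All addresses, interface names and the pre-shared key are placeholders, and the PIX side needs the mirror image of the crypto ACL (including the NTP entry) or Phase 2 will not complete.

```cisco
! Added spoke-side example, assuming placeholder addresses:
!   PIX outside 203.0.113.1, hub LAN 10.1.0.0/24 with NTP on 10.1.0.1,
!   spoke LAN 10.2.0.0/24 on GigabitEthernet0/1 (10.2.0.1),
!   spoke outside (dynamic IP) on GigabitEthernet0/0
!
! 1. Push both lifetimes to the 24-hour maximum (86400 s) so an idle
!    tunnel survives the night instead of expiring after the 1-hour default.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
!
! DPD only detects a dead peer and tears the SA down; it never keeps one up.
crypto isakmp keepalive 10 3
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! 2. Interesting traffic: the router's own NTP polls to the hub come first,
!    so the spoke re-triggers the tunnel even with no user traffic.
!    The PIX must carry the mirror image of these two entries.
ip access-list extended VPN-TRAFFIC
 permit udp host 10.2.0.1 host 10.1.0.1 eq ntp
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN
!
! Source NTP from the LAN interface so the polls match VPN-TRAFFIC.
! minpoll/maxpoll (2^6 = 64 s .. 2^10 = 1024 s) are IOS 15 keywords that
! bound the poll interval; drop them on older images.
ntp server 10.1.0.1 source GigabitEthernet0/1 minpoll 6 maxpoll 10
```

Verify with `show crypto isakmp sa` and `show crypto ipsec sa` after the LAN has been quiet for longer than the old lifetime; the SA should still be present and the NTP counters on the VPN-TRAFFIC entry should keep incrementing.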