keeping an IPSec tunnel up

tato386
Level 6

I have a VPN that is composed of a PIX with a static IP and several IOS routers that have dynamic IPs. As such, IPSec tunnels can only be initiated from the IOS router side. I need to keep these tunnels up during the night when no users are at the remote sites to generate traffic. I was thinking of using either the "service tcp-keepalives-out" or "isakmp keepalive X" command on the IOS router side to accomplish this. Will this work? Is there a better way? Do I need to do something on the PIX side?

Thanks,

Diego

2 Replies

mnaveen
Level 1

Hi Diego,

You don't have to do anything if you want to keep your tunnels up. By default, once an IPSec tunnel is up (because it saw the interesting traffic), it will stay up until its IPSec lifetime expires. This is regardless of traffic generated from either side. Keepalives are used only when we want to bring the tunnels **down** when there is no response to keepalive messages from the other side. You can't use keepalives to keep the tunnels up. Keepalives require the tunnel protocol to be up to work.

Once the tunnels are down due to lifetime expiry or because of no response to keepalives from the other side, some interesting traffic is again required to trigger the creation of IPSec SAs.

I believe the only possible solution in your case is to have a large ISAKMP and IPSec lifetime. The maximum lifetime period is 24 hrs and this should be sufficient to cover during the night times also.

Thanks,

Naveen

mnaveen@cisco.com

engel
Level 2

I propose the following "not so clean" solutions to keep the tunnel up.

1. By syncing the time of the router to the central router through the tunnel using the NTP protocol. This can be done by creating a crypto access-list with UDP port 123 as interesting traffic. You may want to adjust how frequent the sync is, compared to the load of the other tunnelled packets, so it will not degrade the whole VPN performance.

2. By periodically sending a syslog message to the central router through the tunnel.

Regards,

Engel
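The two replies above (Naveen's long ISAKMP/IPsec lifetimes and Engel's NTP/syslog "interesting traffic") can be combined on the IOS side. The configuration below is an added example, not taken from the thread or from either poster; every address, the peer, the pre-shared key, the map and ACL names and the Dialer0 interface are assumptions for illustration. It sets both lifetimes to the IOS maximum of 86400 seconds and adds NTP (udp/123) and syslog (udp/514) from a loopback to a host behind the PIX to the crypto ACL, so the periodic NTP polls match the crypto map and trigger or refresh the SAs.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   PIX outside (static)         203.0.113.1
!   host behind the PIX          10.0.0.10   (NTP server and syslog collector)
!   remote LAN (dynamic WAN)     192.168.10.0/24
!   Loopback0 on the IOS router  10.10.10.1/32  (source of NTP and syslog)
!   pre-shared key               example-psk  (placeholder; replace)
!
! 1. Lifetimes at the IOS maximum (86400 s = 24 h), per Naveen's reply,
!    so an idle tunnel is only rekeyed once a day.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key example-psk address 203.0.113.1
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! 2. Crypto ACL: the user LAN plus NTP and syslog from Loopback0 to the
!    central host, so those packets count as interesting traffic (Engel's
!    reply). Each line becomes a separate proxy identity in Quick Mode.
ip access-list extended VPN-INTERESTING
 permit udp host 10.10.10.1 host 10.0.0.10 eq ntp
 permit udp host 10.10.10.1 host 10.0.0.10 eq syslog
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-INTERESTING
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface Dialer0
 ip address negotiated
 crypto map VPN
!
! 3. Source NTP and syslog from Loopback0 so they hit the crypto ACL.
!    NTP polls every 64 to 1024 s, far inside the 24 h lifetime.
ntp source Loopback0
ntp server 10.0.0.10
logging source-interface Loopback0
logging host 10.0.0.10
logging trap informational
!
! Verify overnight:
!   show crypto isakmp sa      -> QM_IDLE for 203.0.113.1
!   show crypto ipsec sa       -> pkts encaps/decaps still rising
!   show ntp associations      -> 10.0.0.10 synced
```

Two caveats a practitioner will hit. First, the PIX must accept the extra proxy identities: whatever ACL its dynamic crypto map uses (and its NAT exemption) has to permit 10.10.10.1 to and from 10.0.0.10 as well as the LAN subnet, otherwise Quick Mode for those flows is rejected. Second, of the two triggers only NTP is truly periodic; the router sends syslog only when something logs, so on a quiet night the `logging host` line alone will not keep the SA fresh.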
