Hello,

I have recently implemented a site to site dynamic to static VPN between a PIX 500 series 6.3(3), and an 871W router. The PIX is the static side, and the 871W is the dynamic side.

I am having the VPN go down every 24ish hours or so. I believe that I need to do something with DPD, but I haven't been able to find exactly what. Here's part of the config of the 871W-

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxx address xxxx

!

crypto ipsec security-association lifetime seconds 900

!

crypto ipsec transform-set strong esp-3des esp-md5-hmac

!

crypto map xxxvpn 10 ipsec-isakmp

set peer xxxx

set transform-set strong

match address 100

!

bridge irb

!

!

interface FastEthernet0

no ip address

no cdp enable

!

interface FastEthernet1

no ip address

no cdp enable

!

interface FastEthernet2

no ip address

no cdp enable

!

interface FastEthernet3

no ip address

no cdp enable

!

interface FastEthernet4

ip address xxxxx 255.255.255.240

ip access-group 125 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

crypto map xxxvpn

!

interface Dot11Radio0

no ip address

!

broadcast-key vlan 1 change 45

!

!

encryption vlan 1 key 1 size 128bit 7 xxxx transmit-key

encryption vlan 1 mode wep mandatory

!

ssid xxxx

vlan 1

authentication open

!

speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0

rts threshold 2312

channel 2457

station-role root

no cdp enable

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

no ip address

ip virtual-reassembly

ip tcp adjust-mss 1452

bridge-group 1

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.33.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip classless

ip route 0.0.0.0 0.0.0.0 xxxxx

!

no ip http server

no ip http secure-server

ip nat inside source list 110 interface FastEthernet4 overload

!

access-list 100 remark Tag traffic to be encrypted

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.28.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.23.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.21.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.20.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.22.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.24.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 172.29.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255

access-list 100 permit ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 110 remark Performs NAT against everything but VPN traffic

access-list 110 deny ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255

access-list 110 deny ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255

access-list 110 permit ip 192.168.33.0 0.0.0.255 any

access-list 125 remark Restrict access on external interface fa4

access-list 125 permit udp host xxxx any eq isakmp

access-list 125 permit udp host xxxx eq isakmp any

access-list 125 permit esp host xxxx any

access-list 125 permit icmp any any

access-list 125 permit ip xxxxx 0.0.0.255 any

access-list 125 permit ip 172.28.0.0 0.0.255.255 any

no cdp run

!

control-plane

!

bridge 1 route ip