01-20-2006 05:48 AM - edited 02-21-2020 02:13 PM
Hello,
I have recently implemented a site to site dynamic to static VPN between a PIX 500 series 6.3(3), and an 871W router. The PIX is the static side, and the 871W is the dynamic side.
I am having the VPN go down every 24ish hours or so. I believe that I need to do something with DPD, but I haven't been able to find exactly what. Here's part of the config of the 871W:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address xxxx
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map xxxvpn 10 ipsec-isakmp
set peer xxxx
set transform-set strong
match address 100
!
bridge irb
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address xxxxx 255.255.255.240
ip access-group 125 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map xxxvpn
!
interface Dot11Radio0
no ip address
!
broadcast-key vlan 1 change 45
!
!
encryption vlan 1 key 1 size 128bit 7 xxxx transmit-key
encryption vlan 1 mode wep mandatory
!
ssid xxxx
vlan 1
authentication open
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
channel 2457
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxx
!
no ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet4 overload
!
access-list 100 remark Tag traffic to be encrypted
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.29.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 remark Performs NAT against everything but VPN traffic
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255
access-list 110 permit ip 192.168.33.0 0.0.0.255 any
access-list 125 remark Restrict access on external interface fa4
access-list 125 permit udp host xxxx any eq isakmp
access-list 125 permit udp host xxxx eq isakmp any
access-list 125 permit esp host xxxx any
access-list 125 permit icmp any any
access-list 125 permit ip xxxxx 0.0.0.255 any
access-list 125 permit ip 172.28.0.0 0.0.255.255 any
no cdp run
!
control-plane
!
bridge 1 route ip
01-25-2006 09:50 AM
I feel this could be due to the expiration of the "Security Association". If there is no user traffic for a duration longer than the SA lifetime, the SA will expire, and a new SA will be formed only when user traffic is initiated. Look at the logs for more information on why the VPN is breaking.
You can try configuring "keepalives" between the VPN peers so that the VPN is always on and does not timeout.
"crypto isakmp keepalive 10"
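As an added example (not from either poster and not a Cisco tool), the script below audits an IOS crypto-map configuration for the three things this thread turns on: whether `crypto isakmp keepalive` (DPD) is configured, what the IPsec SA lifetime is, and whether every destination in the crypto ACL (100) is also denied in the NAT list (110) before its `permit ... any` entry. That last check is worth having because on IOS inside-to-outside NAT runs before the crypto map is evaluated, so a crypto-ACL destination that the NAT list still translates never matches the encryption ACL; in the excerpt posted above, list 110 exempts only the two 10.x networks while list 100 also names several 172.x networks. The embedded config is a constructed, trimmed copy of the posted one; the peer address and the shortened ACLs are placeholders.

```python
"""Audit an IOS crypto-map config for missing ISAKMP keepalives (DPD), the
IPsec SA lifetime, and crypto-ACL destinations the NAT exemption list misses.
Hypothetical checks written for this thread, not a vendor tool."""
import re
from ipaddress import IPv4Network

# Constructed excerpt modelled on the posted 871W config. The peer address is
# a documentation-range placeholder and the ACLs are shortened.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec security-association lifetime seconds 900
crypto map xxxvpn 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set strong
 match address 100
ip nat inside source list 110 interface FastEthernet4 overload
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255
access-list 110 permit ip 192.168.33.0 0.0.0.255 any
"""

DEFAULT_IPSEC_LIFETIME = 3600  # IOS default when no lifetime is configured


def _network(tokens):
    """Consume one ACL address clause ('any', 'host A', or 'A WILDCARD')
    and return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of a numbered
    ACL, in configured order (first match wins on the router)."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if action == "remark" or proto != "ip":
            continue  # remarks and port-level entries are out of scope here
        src, rest = _network(rest)
        dst, rest = _network(rest)
        entries.append((action, src, dst))
    return entries


def first_match(entries, src, dst):
    """First-match ACL evaluation for a flow; implicit deny at the end."""
    for action, entry_src, entry_dst in entries:
        if src.subnet_of(entry_src) and dst.subnet_of(entry_dst):
            return action
    return "deny"


def isakmp_keepalive(config):
    """Configured DPD interval in seconds, or None if keepalives are absent."""
    m = re.search(r"^crypto isakmp keepalive (\d+)", config, re.M)
    return int(m.group(1)) if m else None


def ipsec_sa_lifetime(config):
    m = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)",
                  config, re.M)
    return int(m.group(1)) if m else DEFAULT_IPSEC_LIFETIME


def nat_exempt_gaps(config, crypto_acl=100, nat_acl=110):
    """Crypto-ACL destinations that the NAT list would translate first.
    IOS applies inside->outside NAT before crypto-map evaluation, so a
    'permit' in the NAT list means the packet no longer matches the crypto ACL."""
    nat = parse_acl(config, nat_acl)
    gaps = []
    for action, src, dst in parse_acl(config, crypto_acl):
        if action == "permit" and first_match(nat, src, dst) == "permit":
            gaps.append(str(dst))
    return gaps


def audit(config):
    """Collect human-readable findings for the config."""
    findings = []
    if isakmp_keepalive(config) is None:
        findings.append("no 'crypto isakmp keepalive': a dead peer is only "
                        "noticed when an SA expires")
    findings.append(f"ipsec SA lifetime {ipsec_sa_lifetime(config)}s "
                    f"(IOS default {DEFAULT_IPSEC_LIFETIME}s)")
    for net in nat_exempt_gaps(config):
        findings.append(f"crypto-ACL destination {net} is NATed before "
                        f"encryption (no deny in the NAT list)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed excerpt it reports three findings: no keepalive, a 900 s SA lifetime, and 172.28.0.0/16 missing from the NAT exemption. Adding the `crypto isakmp keepalive 10` line from the reply above clears the first finding; adding a `deny` for each 172.x destination ahead of the `permit ... any` in list 110 clears the third.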