Site to Site IOS VPN Will Not Establish.

justincohen
Level 1

I have setup a basic site to site VPN, one side dynamic one side static. When using SDM, there is a 'test connection' button, when I hit that button it tests the VPN, and it says that it works, and the VPN does work. At some point, the VPN will drop, and never re-establish.

The only way to get the VPN to re-establish is to press the test button in SDM on the dynamic side... So I am convinced this is some sort of issue on that side, because the static side doesn't know about the dynamic side until it gets an establish request, which it never gets (did a debug on the static side).

Any ideas? Thanks.

DYNAMIC SIDE

------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY_WENT_HERE address REMOTE_STATIC_PEER
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to REMOTE_STATIC_PEER
 set peer REMOTE_STATIC_PEER
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
!
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark access to remote phone vlan
access-list 102 permit ip 10.5.1.0 0.0.0.255 10.200.102.0 0.0.0.255
access-list 175 remark SDM_ACL Category=18
access-list 175 remark access to remote phone vlan
access-list 175 deny ip 10.5.1.0 0.0.0.255 10.200.102.0 0.0.0.255
access-list 175 remark IPSec Rule
access-list 175 deny ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 10.5.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 175
!
interface Dialer1
 bandwidth 10000000
 ip address negotiated
 no ip unreachables
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 no fair-queue
 ppp authentication pap callin
 ppp pap sent-username username password 0
 crypto map SDM_CMAP_1

3 Replies

Richard Burts
Hall of Fame

Justin

Are there routing statements in the dynamic side router? If so can you post them?

If the tunnel does not normally re-establish on its own, it suggests that there is not interesting traffic. Are you sure that something is attempting to send traffic from the dynamic side to the static side? If so can you describe what that is?

HTH

Rick


Rick;

This is what I assumed as well, no interesting traffic so the link dropped off. Is there any way to tell the link to be persistent? I was attempting a ping from the dynamic side to the static side and it wasn't establishing -- until I did an extended ping, and forced it to use the inside interface as its source address and the tunnel came up.

Because only the dynamic side can establish the link, it would be great if the dynamic side would be persistent.

Justin

In most of the IPSec VPNs that I have done we have run a dynamic routing protocol over the tunnel. The hello traffic of the protocol has been effective in keeping the tunnel active. If you are not running a routing protocol is there something that can be done at the dynamic side to generate periodic traffic (perhaps a cron job that would send a ping)?

HTH

Rick

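The "periodic ping" that Rick describes can be generated by the dynamic-side router itself with an IP SLA ICMP probe, so nothing on the LAN has to be left running. The configuration below is an added example and is not part of Justin's posted config or Rick's reply. It assumes the inside LAN (10.5.1.0/24) sits on interface Vlan1 and that 192.168.2.1 is a host on the static side that answers ICMP echo; both are placeholders. The essential detail, which matches Justin's extended-ping observation, is that the probe must be sourced from the inside interface: a packet from the negotiated Dialer1 address does not match access-list 102, so it is never "interesting" and never triggers ISAKMP.

```cisco
! Added example (not from the thread): keep crypto map SDM_CMAP_1 supplied
! with interesting traffic so the dynamic side re-dials the tunnel by itself.
!
! ASSUMPTIONS (placeholders, substitute your own):
!   Vlan1        - the inside interface carrying 10.5.1.0/24
!   192.168.2.1  - a host behind the static peer that answers pings
!
! Sourcing from Vlan1 makes the probe match access-list 102 (crypto ACL)
! and the matching deny line in access-list 175 (NAT exemption), so it is
! encrypted rather than NATed out of Dialer1.
ip sla 10
 icmp-echo 192.168.2.1 source-interface Vlan1
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Verification from exec mode:
!   show ip sla statistics 10   - probe success / failure counters
!   show crypto isakmp sa       - phase 1 SA present (state QM_IDLE)
!   show crypto ipsec sa        - pkts encaps / decaps increasing
```

With a 30 second probe interval, the first packet after the security association is torn down re-initiates ISAKMP within half a minute, so the tunnel is effectively persistent without changing the 86400 second SA lifetime. Older IOS releases use the `rtr` or `ip sla monitor` form of the same commands. Rick's other option, running a dynamic routing protocol across the tunnel, needs a GRE or VTI tunnel interface in front of the crypto map, because a plain crypto-map tunnel does not carry routing-protocol multicast hellos.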