Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Site to Site IOS VPN Will Not Establish.

I have setup a basic site to site VPN, one side dynamic one side static. When using SDM, there is a 'test connecton' button, when I hit that button it tests the VPN, and it says that it works, and the vpn does work. At some point, the VPN will drop, and never re-establish.

The only way to get the VPN to re-establish is to press the test button in SDM on the dynamic side... So I am convinced this is some sort of issue on that side, because the static side doesn't know about the dynamic side until it get's an establish request, which it never gets (did a debug on the static side)

Any ideas? Thanks.

DYNAMIC SIDE

------

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key KEY_WENT_HERE address REMOTE_STATIC_PEER

crypto isakmp keepalive 10 periodic

crypto isakmp nat keepalive 10

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec df-bit clear

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to REMOTE_STATIC_PEER

set peer REMOTE_STATIC_PEER

set security-association lifetime seconds 86400

set transform-set ESP-3DES-SHA

set pfs group2

match address 102

access-list 102 remark SDM_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 remark access to remote phone vlan

access-list 102 permit ip 10.5.1.0 0.0.0.255 10.200.102.0 0.0.0.255

access-list 175 remark SDM_ACL Category=18

access-list 175 remark access to remote phone vlan

access-list 175 deny ip 10.5.1.0 0.0.0.255 10.200.102.0 0.0.0.255

access-list 175 remark IPSec Rule

access-list 175 deny ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 175 permit ip 10.5.1.0 0.0.0.255 any

!

route-map SDM_RMAP_1 permit 1

match ip address 175

interface Dialer1

bandwidth 10000000

ip address negotiated

no ip unreachables

ip mtu 1400

ip nat outside

ip virtual-reassembly

encapsulation ppp

no ip mroute-cache

dialer pool 1

no fair-queue

ppp authentication pap callin

ppp pap sent-username username password 0

crypto map SDM_CMAP_1

3 REPLIES
Hall of Fame Super Gold

Re: Site to Site IOS VPN Will Not Establish.

Justin

Are there routing statements in the dynamic side router? If so can you post them?

If the tunnel does not normally re-establish on its own, it suggests that there is not interesting traffic. Are you sure that something is attempting to send traffic from the dynamic side to the static side? If so can you describe what that is?

HTH

Rick

Community Member

Re: Site to Site IOS VPN Will Not Establish.

Rick;

This is what I assumed as well, no interesting traffic so the link dropped off. Is there anyway to tell the link to be persistent? I was attempting a ping from the dynamic side to the static side and it wasn't establishing -- until I did an extended ping, and forced it to use the inside interface as it's source address and the tunnel came up.

Because only the dynamic side can establish the link, it would be great if the dynamic side would be persistent.

Hall of Fame Super Gold

Re: Site to Site IOS VPN Will Not Establish.

Justin

In most of the IPSec VPNs that I have done we have run a dynamic routing protocol over the tunnel. The hello traffic of the protocol has been effective in keeping the tunnel active. If you are not running a routing protocol is there something that can be done at the dynamic side to generate periodic traffic (perhaps a cron job that would send a ping)?

HTH

Rick

136
Views
0
Helpful
3
Replies
CreatePlease to create content