Anybody has any input on how to keep a VPN tunnel up and running even though there's no interesting traffic ? I'd like to get the IPSec and ISAKMP always up. Is that possible ?
You can setup the isakmp/ipsec lifetimes to be a large number and not turn on any keepalives. That would help to keep it up for a long time without any traffic.
If the SA is up, it will stay up without interesting traffic until the lifetimes expire. The only reason a tunnel comes down with no interesting traffic is that the lifetimes expire, and because there's no traffic, a new one is not built. They're not actually torn down in the middle of a lifetime because of no inteesting traffic
Just increase your lifetimes to the max and you should be fine. They will eventually come down, but at least it'll be every few days instead of every day.
Have your routers peer using ntp from addresses covered by your SA. The traffic volume isn't large and is regular enough that with long SA lifetimes you'll hardly ever have a tunnel not defined
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
