Cisco Support Community
Community Member

Keeping Site to Site VPN Tunnel up

Does anybody have any input on how to keep a VPN tunnel up and running even though there's no interesting traffic? I'd like to get the IPSec and ISAKMP always up. Is that possible?

5 REPLIES
Cisco Employee

Re: Keeping Site to Site VPN Tunnel up

Hi,

You can set up the isakmp/ipsec lifetimes to be a large number and not turn on any keepalives. That would help to keep it up for a long time without any traffic.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-

Community Member

Re: Keeping Site to Site VPN Tunnel up

Hi,

That's what I thought of trying, but how long will the tunnel stay up without any interesting traffic flowing?

Also, will this open up any security holes?

Thanks in advance for any info.

Cisco Employee

Re: Keeping Site to Site VPN Tunnel up

If the SA is up, it will stay up without interesting traffic until the lifetimes expire. The only reason a tunnel comes down with no interesting traffic is that the lifetimes expire, and because there's no traffic, a new one is not built. They're not actually torn down in the middle of a lifetime because of no interesting traffic.

Just increase your lifetimes to the max and you should be fine. They will eventually come down, but at least it'll be every few days instead of every day.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fipsencr/srfipsec.htm#xtocid3

Community Member

Re: Keeping Site to Site VPN Tunnel up

Thanks for the input!!

It helps with my planning!

Community Member

Re: Keeping Site to Site VPN Tunnel up

Have your routers peer using NTP from addresses covered by your SA. The traffic volume isn't large and is regular enough that with long SA lifetimes you'll hardly ever have a tunnel not defined.
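The two suggestions in this thread (long lifetimes, plus NTP peering from addresses covered by the SA) combined into one IOS configuration sketch for one side of the tunnel. This is an added example, not a configuration posted by anyone in the thread; all addresses, the ACL number, the map and transform-set names, the lifetime values and the key placeholder are constructed assumptions.

```cisco
! Phase 1 (ISAKMP) policy with an explicit lifetime, in seconds
crypto isakmp policy 10
 authentication pre-share
 lifetime 86400
crypto isakmp key <PRE_SHARED_KEY_PLACEHOLDER> address 198.51.100.1
!
! Phase 2 (IPsec) SA lifetime; the permitted maximum depends on the release
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: traffic between these networks is "interesting"
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 101
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
!
! Source NTP from the loopback so the packets match access-list 101
! and travel inside the tunnel to the remote router's loopback
ntp peer 10.0.2.1 source Loopback0
```

The remote router needs the mirror-image ACL and an `ntp peer 10.0.1.1` statement sourced from its own protected address; `show crypto isakmp sa` and `show crypto ipsec sa` confirm whether the SAs are being held up. Longer lifetimes mean each key stays in use longer between rekeys, which is the trade-off to weigh against the convenience.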
