Cisco VPN idle time

derleader111 · ‎11-26-2011

Hi,

I configured a Cisco 1841 router as easy VPN server. This is the configuration of the router:

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Cisco

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$Xgf9$MKt1eImjyrmDwcYnbz0xZ/

enable password 6y5t4r3e2w1q

!

aaa new-model

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

aaa session-id common

ip cef

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

crypto pki trustpoint TP-self-signed-947142914

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-947142914

revocation-check none

rsakeypair TP-self-signed-947142914

!

crypto pki certificate chain TP-self-signed-947142914

certificate self-signed 01

3082023B 308201A4 A0030201 02020101 309D0609 2A864886 F70D0101 04050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E45642D 43657274

69666963 6174652D 39343731 34323931 34301E17 0D313131 31323532 30353931

325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3934 37313432

39313430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

B4C6CC16 5EA2210F D4A0234B 90D9E29C E1132F0D 491CC9BC F513EF57 A5986C31

C03BC061 B3B4E103 0005F992 A7CA2605 8C46FCB2 C22AAC4B 739D1DC2 49EA3883

253D553C A1E7BD3A 26D49347 86414B11 5C03F4E6 A4BD5306 CD857F99 0A567B85

FD639414 C2E25161 74A52A7B 32753F25 AE8FDC73 EC859EEC D8A1C9C4 D8A50EED

02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D

11040930 07820543 6973636F 301F0603 551D2304 18301680 14414AD6 2A674283

54CC008C A6B81E1D 7A3B09A4 8C301D06 03551D0E 04160414 414AD62A 67428354

CC008CA6 B81E1D7A 3B09A48C 300D0609 2A864886 F70D0101 04050003 8181007B

00264BAE A55C3CB0 20F83B46 A047F400 3B5748CA D8C64A49 5484FE1E 7588949F

A8E5EBAE BE5FAD22 0C89FC92 671E0BB6 1355EB76 21E72F07 68F76AE3 2F0CB2C6

EC26A8C1 C3EA1300 CE284F9B 3E3F6BB9 7807CF63 8154BC4B AD33392E 68347E0B

F78AE625 818C3A4E 6E0302D8 26DF4890 08E42063 37BF9026 BF4E251D A86EEA

quit

username root privilege 15 password 0 6y5t4r3e2w1q

username admin secret 5 $1$78MV$Yc7sfwt5PoEm.eKmjPlKw1

username test privilege 15 password 0 test_123

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 10 8 periodic

!

crypto isakmp client configuration group cisco

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_client

max-users 1000

netmask 255.255.255.0

!

crypto isakmp client configuration group server_1

key 6y5t4r3e2w1q

dns 8.8.8.8

domain cisco.com

pool SDM_POOL_server_1

netmask 255.255.255.0

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

crypto map SDM_CMAP_1 local-address FastEthernet0/0

crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface Loopback0

ip address 172.16.0.1 255.255.255.255

!

interface FastEthernet0/0

ip address 192.168.1.130 255.255.255.0

speed auto

full-duplex

no mop enabled

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

no ip address

shutdown

speed auto

full-duplex

no mop enabled

!

ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190

ip local pool SDM_POOL_server_1 10.10.10.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

ip http server

ip http authentication local

ip http secure-server

!

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 10.10.0.0 0.0.255.255 any

!

control-plane

!

line con 0

line aux 0

line vty 0 4

password 6y5t4r3e2w1q

transport input telnet ssh

!

scheduler allocate 20000 1000

end

One Centos server with VPNC client and several windows clients are connected with the VPN server. Everything works but the problem is that the Centos server with the VPNC clients after arround 30 minutes drops the VPN connection.

I configured the VPNC client with thes option

DPD idle timeout (our side) 0

into the configuration file. But the result is the same. I tried to lower the MTU size but the problem is still there.

Any idea where is the problem?

Regards

Peter

mudjain · ‎11-27-2011

show crypto ipsec sa and show vpn-sessiondb detail type remote filter just before disconnection can help probably..

Please confirm, if the disconnecting Centos server and other clients connecting to the same group and which ones if different.

Are they using same client version?

derleader111 · ‎11-27-2011

Cisco#show crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: SDM_CMAP_1, local addr 192.168.1.130

protected vrf: (none)

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)

current_peer 78.130.133.76 port 4500

PERMIT, flags={}

#pkts encaps: 103481, #pkts encrypt: 103481, #pkts digest: 103481

#pkts decaps: 56223, #pkts decrypt: 56223, #pkts verify: 56223

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.130, remote crypto endpt.: 78.130.133.76

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xA5246B6B(2770627435)

inbound esp sas:

spi: 0x912746A(152204394)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel UDP-Encaps, }

conn id: 3014, flow_id: FPGA:14, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4396027/441)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xA5246B6B(2770627435)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel UDP-Encaps, }

conn id: 3013, flow_id: FPGA:13, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4271258/438)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/0/0)

current_peer 192.168.1.1 port 44027

PERMIT, flags={}

#pkts encaps: 110066, #pkts encrypt: 110066, #pkts digest: 110066

#pkts decaps: 143170, #pkts decrypt: 143170, #pkts verify: 143170

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 20

local crypto endpt.: 192.168.1.130, remote crypto endpt.: 192.168.1.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x5A9A6FDB(1520070619)

inbound esp sas:

spi: 0x87F287C(142551164)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel UDP-Encaps, }

conn id: 3004, flow_id: FPGA:4, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4439753/417)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x5A9A6FDB(1520070619)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel UDP-Encaps, }

conn id: 3003, flow_id: FPGA:3, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4496815/416)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.10.52/255.255.255.255/0/0)

current_peer 192.168.1.1 port 1031

PERMIT, flags={}

#pkts encaps: 6117, #pkts encrypt: 6117, #pkts digest: 6117

#pkts decaps: 6551, #pkts decrypt: 6551, #pkts verify: 6551

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.130, remote crypto endpt.: 192.168.1.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xC133DD0F(3241401615)

inbound esp sas:

spi: 0x5AA668F0(1520855280)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel UDP-Encaps, }

conn id: 3010, flow_id: FPGA:10, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4587967/1551)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xC133DD0F(3241401615)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel UDP-Encaps, }

conn id: 3006, flow_id: FPGA:6, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4587318/1550)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Cisco#

This command don't work -

show vpn-sessiondb detail

The Centos server is in the group 'server_1'. Clients are in the group 'cisco'

The clients use the default Ubuntu vpnc client from the gnome network panel.

I add there lines to the router configuration:

crypto isakmp keepalive 3600 periodic

crypto ipsec security-association idle-time 86400

Is there other idle configuration command that I can add to the router?

Regards

p.s when I added the idle commands I make a infinite ping to all machines. After ~30 minutes the ping dies. It's a problem in the router's configuration.