New Member

how to keep ipsec permanently

Hi experts.

I configured a VPN connection between a Cisco 1841 and an ASA.

I want to keep IPsec up permanently even if there are no data packets.

I put the following command on the 1841:

crypto isakmp keepalive 30 periodic

However, the VPN is disconnected after a while if there are no data packets.

Please let me know what commands are missing.

2 REPLIES

Re: how to keep ipsec permanently

Hi,

IPsec VPN is established in two phases.

Phase 1 and Phase 2, and each one has its own lifetime.

If there's no data passing and the lifetime for the Security Association expires, the tunnel will be torn down.

I guess you can send some sort of keepalive through the tunnel (perhaps an ICMP packet) to keep the tunnel up even if there's no interesting traffic.

The command that you're describing is to allow DPD (Dead Peer Detection) packets, and that's for the device to know that the tunnel is down on the other end, so it can take it down and reestablish it.

Federico.
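One way to generate the ICMP keepalive suggested in the reply above is an IP SLA probe on the 1841. This is an added example, not configuration posted by anyone in the thread; the probe number, target address and interface name are assumptions.

```cisco
! Added example: send a ping through the tunnel every 30 seconds so there is
! always interesting traffic matching the crypto ACL.
! Assumptions (not from the thread):
!   192.0.2.10       = a host behind the ASA that answers ICMP echo
!   FastEthernet0/1  = the 1841's inside (LAN) interface, whose address
!                      falls inside the local protected network
!   the crypto ACLs on both peers cover traffic between those two addresses
ip sla 10
 icmp-echo 192.0.2.10 source-interface FastEthernet0/1
 frequency 30
ip sla schedule 10 life forever start-time now
!
! Checks from exec mode:
!   show ip sla statistics 10   (probe successes and failures)
!   show crypto isakmp sa       (Phase 1 state)
!   show crypto ipsec sa        (Phase 2 encaps/decaps counters increasing)
```

The probe has to be sourced from an address inside the protected network; a ping sourced from the outside interface will not match the crypto ACL and will not keep the tunnel up. On older IOS releases the same probe is configured under `ip sla monitor` instead of `ip sla`.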

New Member

Re: how to keep ipsec permanently

Thank you for your reply.

I want to make it clear.

Do you mean I need to put some commands on both sides' equipment, like the following?


for Phase 1
(config-isakmp)#lifetime 86400


for Phase 2
set security-association lifetime seconds 3600
