Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-To-Site VPN tunnel

Hi,

I have configured VPN tunnel between branch office and central site (Cisco 876 and Cisco 2811 routers) and it's working fine.

Branch office has dynamic IP address from ADSL, and central office has static public IP address.

Question is: Is it possible to keep this VPN tunnel alive, even if there is no interesting traffic from branch office?

Sometimes, when there is no interesting traffic from remote site, the tunnel goes down, and in that case, if central site LAN user want to communicate with branch user, he cant't do that until branch user do ping or something else to establish a tunnel.

Thanks.

5 REPLIES
Bronze

Re: Site-To-Site VPN tunnel

hi

how did you specify the 800 router as peer in your crypto map ,since it has an ip address that is not garanted to be the same every time specificaly after a reboot or an expiration of the DHCP bail ???

New Member

Re: Site-To-Site VPN tunnel

"Central site"

crypto keyring spokes

pre-shared-key address 0.0.0.0 0.0.0.0 key ****

crypto isakmp profile L2L

description LAN-TO-LAN for spoke router(s) connection

keyring spokes

match identity address 0.0.0.0

crypto ipsec transform-set rtpset esp-3des esp-md5-hmac

crypto dynamic-map rtpmap 10

set transform-set rtpset

set isakmp-profile L2L

crypto map clientmap 10 ipsec-isakmp dynamic rtpmap

interface Serial1/0:0

ip address PUBLIC_IP_ADDRESS

crypto map clientmap

So, with this configuration, any IP address with correct pre-share key will be accepted.

At Remote site, crypto map referencing to this static public IP address of central router.

And, becouse remote site has IP address which is periodically change, only that site can initiate VPN connection.

I just need some mechanism which will keep this VPN connection alive. (Simple, but irritating solution is to make batch file on one of the remote site host, which will periodically ping the other LAN's address)

Gold

Re: Site-To-Site VPN tunnel

Branko,

Check that your router IOS supports DPD (Dead Peer Detection) also known as IKE Keepalives, take a look here for further explanation:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455afd.html

Hope this helps and please rate posts if it does!!

Regards,

New Member

Re: Site-To-Site VPN tunnel

I already tried something with command

crypto isakmp keepalive 10 periodic

but with no success.

But, I'll try again, maybe I miss something.

Thanks for replay anyway.

Re: Site-To-Site VPN tunnel

Hi,

Why not creating a standard site-to-site connection? You can do that if you your branches have static IP in the Internet.

If not, an elegant solution is to create GRE interfaces both on branch and hub and set the VPN between them. The "keepalive" option on the GRE interface will make sure the tunnel will never go down due to the lack of traffic.

http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html

Check GRE over IPSEC section.

If this helped, please rate.

146
Views
0
Helpful
5
Replies
CreatePlease to create content