
Want EzVPN to be torn down after some inactivity

nareh84
Level 3

hi,

I am testing EzVPN. I have configured an EzVPN server on one router and an EzVPN client on another router. In the EzVPN client I gave the name in front of the "peer" command. The name is resolving fine and the connection is established. But when I shut the interface connected towards the EzVPN server, "show crypto isakmp sa" still shows the QM_IDLE state. I want the EzVPN to be torn down after some time of inactivity. What command should I use? My second question is: can I run a routing protocol between the EzVPN client site and the EzVPN server site, as we can do in a GRE-based site-to-site VPN?

Regards

Nareh

7 Replies

Jitendriya Athavale
Cisco Employee

The problem here is that you are using EzVPN, and most of the time customers use it with connect auto since they want to use it as plug and play, so because of this, even if the tunnel is torn down, it reinitiates the tunnel automatically.

Now coming to your second query about routing protocols: yes, you can use IPsec/GRE for that, and this will not be possible on EzVPN.

I assume the reason you are using EzVPN is because your public IP is dynamic and not static. Why don't you try using DMVPN if you have more than one router with such a requirement?


Also, again, the problem here for you would be that since routing updates are always exchanged, the tunnel is always up.

I hope this answers all your queries.

hi,

Yes, I am using EzVPN because the hub router IP is dynamic, but I think I can't use DMVPN for this purpose. Can you tell me what the best possible VPN is in this case? I want to run a routing protocol and my hub router IP is changing.

Regards

Nareh

Hi Nareh,

You have two options:

1. DMVPN - I am not sure why you think this won't work for this setup. Do you have any specific concerns? As long as your hub IP does not change, it is not a problem.

2. This is a little complicated - create a loopback IP on this router and make that the tunnel source on your side; on the hub side, your tunnel destination will be this loopback IP on your local router. On the local end, use a static crypto map with your crypto ACL being from tunnel source (loopback IP) to tunnel destination. On the hub site, use a dynamic crypto map.

I feel DMVPN would be an easy option and is also a scalable option.

..

hi,

Yup, every site IP changes after a reboot of the router, so there is no fixed IP on any site. Now in this case, what VPN will be the best solution? I think I can't define a hostname in DMVPN. Can you tell me which VPN is the best solution?

Regards

Nareh

I don't quite understand your concerns about using a hostname; let your router identify itself using the IP address itself.

It really doesn't matter; you can use either of the solutions I have mentioned above, but I would prefer DMVPN.

hi,

Can I mention a hostname on the spoke router for the hub router in case of DMVPN? Can you tell me the command?

Regards

Nareh

Please use this as reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

In the ISAKMP profile on the hub, give the match identity as hostname:

match identity host

And on the spoke, give this command:

crypto isakmp identity hostname
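
The hostname-identity arrangement described in the last reply, written out as an added configuration example that is not part of the original thread. The keyring, profile and transform-set names, the domain example.com, the hostname spoke1 and the key are placeholders; it assumes pre-shared-key authentication in main mode, with the ISAKMP policy, tunnel interfaces and NHRP configured as in the referenced document.

```cisco
! ---- Hub: accept peers by ISAKMP identity instead of by IP address ----
crypto keyring DMVPN-SPOKES
 ! Spoke addresses are not known in advance, so the key is bound to a
 ! wildcard address. Every spoke then shares one key; certificate
 ! authentication avoids that shared secret.
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PLACEHOLDER-KEY>
!
crypto isakmp profile DMVPN
 keyring DMVPN-SPOKES
 ! Match any peer whose identity is an FQDN under this domain.
 ! Use "match identity host spoke1.example.com" to pin a single spoke.
 match identity host domain example.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set TS
 ! Tie the IPsec profile (applied with "tunnel protection" on the
 ! tunnel interface) to the ISAKMP profile above.
 set isakmp-profile DMVPN
!
! ---- Spoke: present an FQDN as the ISAKMP identity ----
hostname spoke1
! Older releases spell this command "ip domain-name".
ip domain name example.com
! Sends spoke1.example.com (hostname plus domain name) as the identity
! rather than the interface IP address, which changes after each reboot.
crypto isakmp identity hostname
```

On the hub, `show crypto isakmp sa detail` and `debug crypto isakmp` show which identity the spoke presented and whether the profile matched.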