Site-To-Site VPN tunnel

branko
Level 1

Hi,

I have configured VPN tunnel between branch office and central site (Cisco 876 and Cisco 2811 routers) and it's working fine.

Branch office has dynamic IP address from ADSL, and central office has static public IP address.

Question is: Is it possible to keep this VPN tunnel alive, even if there is no interesting traffic from branch office?

Sometimes, when there is no interesting traffic from the remote site, the tunnel goes down, and in that case, if a central site LAN user wants to communicate with a branch user, he can't do that until the branch user does a ping or something else to establish the tunnel.

Thanks.

5 Replies

kamal-learn
Level 4

hi

how did you specify the 800 router as peer in your crypto map, since it has an IP address that is not guaranteed to be the same every time, specifically after a reboot or an expiration of the DHCP lease???

"Central site"

crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key ****
crypto isakmp profile L2L
 description LAN-TO-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 set isakmp-profile L2L
crypto map clientmap 10 ipsec-isakmp dynamic rtpmap
interface Serial1/0:0
 ip address PUBLIC_IP_ADDRESS
 crypto map clientmap

So, with this configuration, any IP address with the correct pre-shared key will be accepted.

At the remote site, the crypto map references this static public IP address of the central router.

And, because the remote site has an IP address which changes periodically, only that site can initiate the VPN connection.

I just need some mechanism which will keep this VPN connection alive. (A simple, but irritating solution is to make a batch file on one of the remote site hosts, which will periodically ping the other LAN's address.)

Branko,

Check that your router IOS supports DPD (Dead Peer Detection) also known as IKE Keepalives, take a look here for further explanation:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455afd.html

Hope this helps and please rate posts if it does!!

Regards,

I already tried something with command

crypto isakmp keepalive 10 periodic

but with no success.

But, I'll try again, maybe I miss something.

Thanks for the reply anyway.
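An added configuration example for the spoke (branch) side, written for this thread and not taken from any poster's config: it combines the DPD keepalive discussed above with a router-generated ICMP probe that replaces the host-side batch file, so the branch router itself creates interesting traffic and re-establishes the SA. HUB_PUBLIC_IP, SPOKE_PSK, Dialer0, Vlan1 and the 192.168.1.0/24 (hub LAN) / 192.168.2.0/24 (branch LAN) ranges are placeholders, and the `ip sla` syntax assumes IOS 12.4(4)T or later.

```ios
! Added example (not from the thread). Placeholders: HUB_PUBLIC_IP = central-site
! static address, SPOKE_PSK = pre-shared key, Dialer0 = ADSL interface,
! Vlan1 = branch LAN, 192.168.1.0/24 = hub LAN, 192.168.2.0/24 = branch LAN.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! 3DES/MD5 kept only to match the thread's transform set; on an IOS that
! supports them, use AES and SHA instead.
crypto isakmp key SPOKE_PSK address HUB_PUBLIC_IP
! DPD (IKE keepalives): probe the hub every 10 s, retry every 3 s, even when idle,
! so a dead SA is torn down promptly instead of lingering until the lifetime expires.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
! Crypto ACL: only branch-LAN-to-hub-LAN traffic is "interesting".
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map spokemap 10 ipsec-isakmp
 set peer HUB_PUBLIC_IP
 set transform-set rtpset
 match address VPN-TRAFFIC
interface Dialer0
 crypto map spokemap
! Router-generated interesting traffic: an ICMP echo every 30 s, sourced from the
! branch LAN interface so the packet matches VPN-TRAFFIC and (re)triggers the SA.
! A probe sourced from the Dialer0 address would NOT match the ACL and would
! never bring the tunnel up, which is the usual mistake with this approach.
ip sla 1
 icmp-echo 192.168.1.1 source-interface Vlan1
 frequency 30
ip sla schedule 1 life forever start-time now
```

Verify with `show crypto isakmp sa` and `show ip sla statistics 1`: the ISAKMP SA should stay in QM_IDLE and the probe's success counter should keep rising while no host on the branch LAN is sending traffic.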

Hi,

Why not create a standard site-to-site connection? You can do that if your branches have static IPs on the Internet.

If not, an elegant solution is to create GRE interfaces both on branch and hub and set the VPN between them. The "keepalive" option on the GRE interface will make sure the tunnel will never go down due to the lack of traffic.

http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html

Check GRE over IPSEC section.

If this helped, please rate.