12-28-2006 12:19 AM
Hi,
I have configured VPN tunnel between branch office and central site (Cisco 876 and Cisco 2811 routers) and it's working fine.
Branch office has dynamic IP address from ADSL, and central office has static public IP address.
Question is: Is it possible to keep this VPN tunnel alive, even if there is no interesting traffic from branch office?
Sometimes, when there is no interesting traffic from the remote site, the tunnel goes down, and in that case, if a central site LAN user wants to communicate with a branch user, he can't do that until the branch user does a ping or something else to establish the tunnel.
Thanks.
12-28-2006 12:42 AM
hi
how did you specify the 800 router as peer in your crypto map, since it has an IP address that is not guaranteed to be the same every time, specifically after a reboot or an expiration of the DHCP lease???
12-28-2006 02:24 AM
"Central site"
! Keyring with a wildcard address: any peer that knows the key is accepted
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key ****
! ISAKMP profile that ties the wildcard keyring to any peer identity
crypto isakmp profile L2L
 description LAN-TO-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
! Dynamic crypto map: no peer address is configured, so only the spoke can initiate
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 set isakmp-profile L2L
crypto map clientmap 10 ipsec-isakmp dynamic rtpmap
interface Serial1/0:0
 ip address PUBLIC_IP_ADDRESS
 crypto map clientmap
So, with this configuration, any IP address with the correct pre-shared key will be accepted.
At the remote site, the crypto map references this static public IP address of the central router.
And, because the remote site has an IP address which changes periodically, only that site can initiate the VPN connection.
I just need some mechanism which will keep this VPN connection alive. (A simple, but irritating, solution is to make a batch file on one of the remote site hosts, which will periodically ping the other LAN's address.)
12-28-2006 05:15 AM
Branko,
Check that your router IOS supports DPD (Dead Peer Detection) also known as IKE Keepalives, take a look here for further explanation:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455afd.html
Hope this helps and please rate posts if it does!!
Regards,
12-28-2006 05:43 AM
I already tried something with command
crypto isakmp keepalive 10 periodic
but with no success.
But, I'll try again, maybe I missed something.
Thanks for the reply anyway.
01-03-2007 01:30 PM
Hi,
Why not create a standard site-to-site connection? You can do that if your branches have a static IP on the Internet.
If not, an elegant solution is to create GRE interfaces on both branch and hub and set up the VPN between them. The "keepalive" option on the GRE interface will make sure the tunnel never goes down due to the lack of traffic.
http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html
Check GRE over IPSEC section.
If this helped, please rate.
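A worked configuration for the GRE-over-IPsec approach, added here as an example (it is not from the thread or from Cisco's configuration example page). It goes one step beyond the reply above: because the branch address changes, the hub cannot be given a fixed `tunnel destination`, so the hub side is a multipoint GRE interface and the spoke registers its current address with NHRP; `tunnel protection` negotiates IPsec as soon as the tunnel interface is up instead of waiting for interesting traffic, and the spoke's periodic NHRP registrations keep packets flowing through the tunnel. Assumed names: Dialer0 as the ADSL interface, Tunnel0, the 10.255.0.0/24 tunnel subnet, and the placeholders HUB_PUBLIC_IP, SECRET_KEY, CENTRAL_LAN and CENTRAL_MASK.

```cisco
! ===== Central site (hub): static public address on Serial1/0:0 =====
! Constructed example; HUB_PUBLIC_IP, SECRET_KEY and 10.255.0.0/24 are placeholders
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRET_KEY address 0.0.0.0 0.0.0.0
! DPD (the thread's "crypto isakmp keepalive") removes stale SAs after a spoke
! address change; by itself it does not keep an idle tunnel up
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile gre-prof
 set transform-set rtpset
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0:0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile gre-prof
!
! ===== Branch (spoke): dynamic address on Dialer0 =====
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRET_KEY address HUB_PUBLIC_IP
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile gre-prof
 set transform-set rtpset
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip nhrp map 10.255.0.1 HUB_PUBLIC_IP
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip nhrp holdtime 300
 ! re-register with whatever address the ADSL link currently has
 ip nhrp registration no-unique
 tunnel source Dialer0
 tunnel destination HUB_PUBLIC_IP
 tunnel key 1
 tunnel protection ipsec profile gre-prof
! Static route on the spoke: central LAN via the hub's tunnel address
ip route CENTRAL_LAN CENTRAL_MASK 10.255.0.1
```

The transform set reuses the thread's esp-3des/esp-md5-hmac so it matches the existing setup; prefer AES and SHA where the IOS image supports them, and verify with `show crypto session` and `show ip nhrp` that the spoke stays registered across an address change.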