IOS 12.3 : How to make VPN Tunnel Permanent UP ?

[Guest]

Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)

Hello,

I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
just want to know if there is a command to keep the tunnel up. When
it's unused the tunnel drop.

I try the crypto isakmp keepalive 20 command, but it does nothing.

Thanks.

 

[Guest]

Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)

"Nicko" <nicko1977@hotmail.com> wrote in message
news:8dafe04b.0404120858.7e718160@posting.google.com...
> Hello,
>
> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> just want to know if there is a command to keep the tunnel up. When
> it's unused the tunnel drop.
>
> I try the crypto isakmp keepalive 20 command, but it does nothing.
>

Well, you could write a little script that has a machine send a ping every
few minutes to keep the tunnel up. This is probably the easisest.

You could also configure the tunnel to use "manual" ISAKMP; where you
manually define the keying information for the tunnel on both sides; this
isn't recommended because the keys are never refreshed; another side affect
is that you can't use certificates for authentication and your crypto ACL
can only have one permit statement. So configuring and maintaining this is a
bear.

I would recommend option 1, given the problems of option 2.

> Thanks.

Not a problem

Cheers!

Richard

 

[Guest]

Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)

In article <c6Aec.463605$Po1.358660@twister.tampabay.rr.com>,
Richard Deal <rdeal2 @ cfl.rr.com> wrote:
>
>"Nicko" <nicko1977@hotmail.com> wrote in message
>news:8dafe04b.0404120858.7e718160@posting.google.com...
>> Hello,
>>
>> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
>> just want to know if there is a command to keep the tunnel up. When
>> it's unused the tunnel drop.
>>
>> I try the crypto isakmp keepalive 20 command, but it does nothing.
>>
>
>Well, you could write a little script that has a machine send a ping every
>few minutes to keep the tunnel up. This is probably the easisest.

Or easier yet - set up NTP across the link. You end up with two benefits:
1. The clocks are in sync.
2. The vpn stays up.

Just be certain to twiddle with the source-interface of your NTP process
so it will traverse the link and not try to run from the un-encrypted
side...


--
Daniel J McDonald CCIE # 2495, CNX
Visit my website: http://www.austinnetworkdesign.com

 

[Guest]

Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)

djmcdona@fnord.io.com (Daniel J McDonald) wrote in message news:<JdSdneodK8yJRefdRVn-uw@io.com>...
> In article <c6Aec.463605$Po1.358660@twister.tampabay.rr.com>,
> Richard Deal <rdeal2 @ cfl.rr.com> wrote:
> >
> >"Nicko" <nicko1977@hotmail.com> wrote in message
> >news:8dafe04b.0404120858.7e718160@posting.google.com...
> >> Hello,
> >>
> >> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> >> just want to know if there is a command to keep the tunnel up. When
> >> it's unused the tunnel drop.
> >>
> >> I try the crypto isakmp keepalive 20 command, but it does nothing.
> >>
> >
> >Well, you could write a little script that has a machine send a ping every
> >few minutes to keep the tunnel up. This is probably the easisest.
>
> Or easier yet - set up NTP across the link. You end up with two benefits:
> 1. The clocks are in sync.
> 2. The vpn stays up.
>
> Just be certain to twiddle with the source-interface of your NTP process
> so it will traverse the link and not try to run from the un-encrypted
> side...


Daniel,

Excellant idea, I actually wrote the script to ping across the link to
keep it up, but your idea makes way better sense.


Chad

 

[Guest]

Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)

Nicko,

I am not sure if this is any use but it may help trying the below command.
(Note the extra 5).

crypto isakmp keepalive 20 5

HTH

"Nicko" <nicko1977@hotmail.com> wrote in message
news:8dafe04b.0404120858.7e718160@posting.google.com...
> Hello,
>
> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> just want to know if there is a command to keep the tunnel up. When
> it's unused the tunnel drop.
>
> I try the crypto isakmp keepalive 20 command, but it does nothing.
>
> Thanks.