IOS 12.3 : How to make VPN Tunnel Permanent UP ?
Tags:
- LAN
- Tunnel
- Cisco
- Command Prompt
- Networking
Last response: in Networking
Anonymous
April 12, 2004 1:58:20 PM
Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)
Hello,
I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
just want to know if there is a command to keep the tunnel up. When
it's unused the tunnel drop.
I try the crypto isakmp keepalive 20 command, but it does nothing.
Thanks.
Hello,
I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
just want to know if there is a command to keep the tunnel up. When
it's unused the tunnel drop.
I try the crypto isakmp keepalive 20 command, but it does nothing.
Thanks.
More about : ios make vpn tunnel permanent
Anonymous
April 12, 2004 9:12:40 PM
Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)
"Nicko" <nicko1977@hotmail.com> wrote in message
news:8dafe04b.0404120858.7e718160@posting.google.com...
> Hello,
>
> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> just want to know if there is a command to keep the tunnel up. When
> it's unused the tunnel drop.
>
> I try the crypto isakmp keepalive 20 command, but it does nothing.
>
Well, you could write a little script that has a machine send a ping every
few minutes to keep the tunnel up. This is probably the easisest.
You could also configure the tunnel to use "manual" ISAKMP; where you
manually define the keying information for the tunnel on both sides; this
isn't recommended because the keys are never refreshed; another side affect
is that you can't use certificates for authentication and your crypto ACL
can only have one permit statement. So configuring and maintaining this is a
bear.
I would recommend option 1, given the problems of option 2.
> Thanks.
Not a problem
Cheers!
Richard
"Nicko" <nicko1977@hotmail.com> wrote in message
news:8dafe04b.0404120858.7e718160@posting.google.com...
> Hello,
>
> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> just want to know if there is a command to keep the tunnel up. When
> it's unused the tunnel drop.
>
> I try the crypto isakmp keepalive 20 command, but it does nothing.
>
Well, you could write a little script that has a machine send a ping every
few minutes to keep the tunnel up. This is probably the easisest.
You could also configure the tunnel to use "manual" ISAKMP; where you
manually define the keying information for the tunnel on both sides; this
isn't recommended because the keys are never refreshed; another side affect
is that you can't use certificates for authentication and your crypto ACL
can only have one permit statement. So configuring and maintaining this is a
bear.
I would recommend option 1, given the problems of option 2.
> Thanks.
Not a problem
Cheers!
Richard
Anonymous
April 12, 2004 9:12:41 PM
Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)
In article <c6Aec.463605$Po1.358660@twister.tampabay.rr.com>,
Richard Deal <rdeal2 @ cfl.rr.com> wrote:
>
>"Nicko" <nicko1977@hotmail.com> wrote in message
>news:8dafe04b.0404120858.7e718160@posting.google.com...
>> Hello,
>>
>> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
>> just want to know if there is a command to keep the tunnel up. When
>> it's unused the tunnel drop.
>>
>> I try the crypto isakmp keepalive 20 command, but it does nothing.
>>
>
>Well, you could write a little script that has a machine send a ping every
>few minutes to keep the tunnel up. This is probably the easisest.
Or easier yet - set up NTP across the link. You end up with two benefits:
1. The clocks are in sync.
2. The vpn stays up.
Just be certain to twiddle with the source-interface of your NTP process
so it will traverse the link and not try to run from the un-encrypted
side...
--
Daniel J McDonald CCIE # 2495, CNX
Visit my website: http://www.austinnetworkdesign.com
In article <c6Aec.463605$Po1.358660@twister.tampabay.rr.com>,
Richard Deal <rdeal2 @ cfl.rr.com> wrote:
>
>"Nicko" <nicko1977@hotmail.com> wrote in message
>news:8dafe04b.0404120858.7e718160@posting.google.com...
>> Hello,
>>
>> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
>> just want to know if there is a command to keep the tunnel up. When
>> it's unused the tunnel drop.
>>
>> I try the crypto isakmp keepalive 20 command, but it does nothing.
>>
>
>Well, you could write a little script that has a machine send a ping every
>few minutes to keep the tunnel up. This is probably the easisest.
Or easier yet - set up NTP across the link. You end up with two benefits:
1. The clocks are in sync.
2. The vpn stays up.
Just be certain to twiddle with the source-interface of your NTP process
so it will traverse the link and not try to run from the un-encrypted
side...
--
Daniel J McDonald CCIE # 2495, CNX
Visit my website: http://www.austinnetworkdesign.com
Anonymous
April 13, 2004 11:52:11 AM
Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)
djmcdona@fnord.io.com (Daniel J McDonald) wrote in message news:<JdSdneodK8yJRefdRVn-uw@io.com>...
> In article <c6Aec.463605$Po1.358660@twister.tampabay.rr.com>,
> Richard Deal <rdeal2 @ cfl.rr.com> wrote:
> >
> >"Nicko" <nicko1977@hotmail.com> wrote in message
> >news:8dafe04b.0404120858.7e718160@posting.google.com...
> >> Hello,
> >>
> >> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> >> just want to know if there is a command to keep the tunnel up. When
> >> it's unused the tunnel drop.
> >>
> >> I try the crypto isakmp keepalive 20 command, but it does nothing.
> >>
> >
> >Well, you could write a little script that has a machine send a ping every
> >few minutes to keep the tunnel up. This is probably the easisest.
>
> Or easier yet - set up NTP across the link. You end up with two benefits:
> 1. The clocks are in sync.
> 2. The vpn stays up.
>
> Just be certain to twiddle with the source-interface of your NTP process
> so it will traverse the link and not try to run from the un-encrypted
> side...
Daniel,
Excellant idea, I actually wrote the script to ping across the link to
keep it up, but your idea makes way better sense.
Chad
djmcdona@fnord.io.com (Daniel J McDonald) wrote in message news:<JdSdneodK8yJRefdRVn-uw@io.com>...
> In article <c6Aec.463605$Po1.358660@twister.tampabay.rr.com>,
> Richard Deal <rdeal2 @ cfl.rr.com> wrote:
> >
> >"Nicko" <nicko1977@hotmail.com> wrote in message
> >news:8dafe04b.0404120858.7e718160@posting.google.com...
> >> Hello,
> >>
> >> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> >> just want to know if there is a command to keep the tunnel up. When
> >> it's unused the tunnel drop.
> >>
> >> I try the crypto isakmp keepalive 20 command, but it does nothing.
> >>
> >
> >Well, you could write a little script that has a machine send a ping every
> >few minutes to keep the tunnel up. This is probably the easisest.
>
> Or easier yet - set up NTP across the link. You end up with two benefits:
> 1. The clocks are in sync.
> 2. The vpn stays up.
>
> Just be certain to twiddle with the source-interface of your NTP process
> so it will traverse the link and not try to run from the un-encrypted
> side...
Daniel,
Excellant idea, I actually wrote the script to ping across the link to
keep it up, but your idea makes way better sense.
Chad
Anonymous
April 13, 2004 5:36:09 PM
Archived from groups: comp.dcom.sys.cisco,comp.dcom.xdsl,comp.dcom.wan (More info?)
Nicko,
I am not sure if this is any use but it may help trying the below command.
(Note the extra 5).
crypto isakmp keepalive 20 5
HTH
"Nicko" <nicko1977@hotmail.com> wrote in message
news:8dafe04b.0404120858.7e718160@posting.google.com...
> Hello,
>
> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> just want to know if there is a command to keep the tunnel up. When
> it's unused the tunnel drop.
>
> I try the crypto isakmp keepalive 20 command, but it does nothing.
>
> Thanks.
Nicko,
I am not sure if this is any use but it may help trying the below command.
(Note the extra 5).
crypto isakmp keepalive 20 5
HTH
"Nicko" <nicko1977@hotmail.com> wrote in message
news:8dafe04b.0404120858.7e718160@posting.google.com...
> Hello,
>
> I have several Cisco 837 with standard IPSEC Vpn (done with SDM). I
> just want to know if there is a command to keep the tunnel up. When
> it's unused the tunnel drop.
>
> I try the crypto isakmp keepalive 20 command, but it does nothing.
>
> Thanks.
Read discussions in other Networking categories
!