how to keep ipsec permanently

moonviewingjp
Level 1

Hi experts.

I configured a VPN connection between a Cisco 1841 and an ASA.

I want to keep IPsec up permanently even if there are no data packets.

I put commands on the 1841 like the following:

"crypto isakmp keepalive 30 periodic"

However, the VPN is disconnected after a while if there are no data packets.

Please let me know what commands are missing.

2 Replies

Hi,

IPsec VPN is established in two phases.

Phase 1 and Phase 2, and each one has its own lifetime.

If there's no data passing and the lifetime for the Security Association expires, the tunnel will be torn down.

I guess you can send some sort of keepalive through the tunnel (perhaps an ICMP packet) to keep the tunnel up even if there's no interesting traffic.

The command that you're describing is to allow DPD (Dead Peer Detection) packets, and that's for the device to know that the tunnel is down on the other end, so it can take it down and reestablish it.

Federico.
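
One way to generate the ICMP keepalive suggested above from the 1841 itself is an IP SLA probe. This is an added example, not part of the original replies; the destination address and interface name are placeholder assumptions, and the probe's source must fall inside the subnet matched by the crypto ACL so the pings count as interesting traffic.

```cisco
! Added example: IP SLA ICMP probe on the 1841 to keep traffic flowing
! through the tunnel. All addresses and interface names are placeholders
! (assumptions), not values from this thread.
!   10.2.2.1        = a host or interface behind the ASA that answers ping
!   FastEthernet0/1 = the 1841 inside interface whose subnet is matched
!                     by the crypto ACL on both peers
ip sla 1
 icmp-echo 10.2.2.1 source-interface FastEthernet0/1
 ! send one probe every 30 seconds
 frequency 30
 ! per-probe timeout in milliseconds
 timeout 5000
ip sla schedule 1 life forever start-time now
!
! Older 12.4 mainline images use the earlier syntax for the same probe:
! ip sla monitor 1
!  type echo protocol ipIcmpEcho 10.2.2.1 source-interface FastEthernet0/1
!  frequency 30
! ip sla monitor schedule 1 life forever start-time now
```

`show ip sla statistics 1` shows whether the probes are being answered, and `show crypto ipsec sa` shows the encaps/decaps counters increasing while they run.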

Thank you for your reply.

I want to make this clear:

Do you mean I need to put some commands on the equipment on both sides, like the following?


for Phase 1
(config-isakmp)#lifetime 86400


for Phase 2
set security-association lifetime seconds 3600