02-29-2012 05:22 AM
Hello,
I'm having a problem with an IPSec VPN (3725 -> 3725) re-negotiating before the security-association lifetime expires. This is an issue because I actually want the VPN to expire by design.
I'm basically trying to achieve a dial-on-demand feature (or dial-when-traffic-present), so I've got the following ACL for traffic matching:
Telnet initiates the VPN:
Extended IP access list VPN-Traffic
10 permit tcp 10.244.1.0 0.0.0.255 10.245.1.0 0.0.0.255 eq telnet
20 permit tcp 10.245.1.0 0.0.0.255 eq telnet 10.244.1.0 0.0.0.255
30 permit tcp 10.245.1.0 0.0.0.255 10.244.1.0 0.0.0.255 eq telnet
40 permit tcp 10.244.1.0 0.0.0.255 eq telnet 10.245.1.0 0.0.0.255 (34 matches)
And the following VPN config:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxx address 193.50.200.2
!
!
crypto ipsec transform-set VPN-A esp-3des esp-sha-hmac
!
crypto map VPN-A 10 ipsec-isakmp
set peer 193.50.200.2
set security-association lifetime seconds 120 //// - Disconnect VPN after 2 minutes of being idle - /////
set transform-set VPN-A
match address VPN-Traffic
reverse-route
It seems to work from time to time, but other times it will successfully re-key / re-negotiate before the sa timer expires:
R2#sh crypto ipsec sa | inc sa timing
sa timing: remaining key lifetime (k/sec): (4452106/39)
sa timing: remaining key lifetime (k/sec): (4452106/39)
R2#sh crypto ipsec sa | inc sa timing
sa timing: remaining key lifetime (k/sec): (4452106/38)
sa timing: remaining key lifetime (k/sec): (4452106/38)
R2#sh crypto ipsec sa | inc sa timing
sa timing: remaining key lifetime (k/sec): (4452106/32)
sa timing: remaining key lifetime (k/sec): (4452106/32)
R2#sh crypto ipsec sa | inc sa timing
sa timing: remaining key lifetime (k/sec): (4452106/31)
sa timing: remaining key lifetime (k/sec): (4452106/31)
R2#sh crypto ipsec sa | inc sa timing
sa timing: remaining key lifetime (k/sec): (4452106/29)
sa timing: remaining key lifetime (k/sec): (4599427/119)
sa timing: remaining key lifetime (k/sec): (4452106/29)
sa timing: remaining key lifetime (k/sec): (4599427/119)
My ultimate objective is to ensure that after 120 seconds the VPN drops and stays down until traffic is present again.
Any thoughts?
Thanks,
Duncan.
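An added example, not the poster's or Cisco's own code: a small Python parser for the "sh crypto ipsec sa | inc sa timing" output shown above that flags any snapshot where a fresh SA (timer near the configured 120 s) coexists with an older SA that still has lifetime left, which is exactly the early rekey being described. The snapshots are constructed in the shape of the output above, not captured from the poster's routers.

```python
import re

# Constructed snapshots modelled on successive runs of
# "sh crypto ipsec sa | inc sa timing"; the last one shows a fresh SA
# (119 s left) appearing while the old SA still has 29 s remaining.
SAMPLE_SNAPSHOTS = [
    ["sa timing: remaining key lifetime (k/sec): (4452106/39)",
     "sa timing: remaining key lifetime (k/sec): (4452106/39)"],
    ["sa timing: remaining key lifetime (k/sec): (4452106/38)",
     "sa timing: remaining key lifetime (k/sec): (4452106/38)"],
    ["sa timing: remaining key lifetime (k/sec): (4452106/29)",
     "sa timing: remaining key lifetime (k/sec): (4599427/119)",
     "sa timing: remaining key lifetime (k/sec): (4452106/29)",
     "sa timing: remaining key lifetime (k/sec): (4599427/119)"],
]

TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def parse_snapshot(lines):
    """Return the distinct (kbytes, seconds) timers in one snapshot.

    Each SA is printed once for the inbound and once for the outbound
    direction, so identical timers collapse into a single entry.
    """
    found = set()
    for line in lines:
        m = TIMING_RE.search(line)
        if m:
            found.add((int(m.group(1)), int(m.group(2))))
    return sorted(found, key=lambda kv: kv[1])


def early_rekeys(snapshots):
    """Flag snapshots where a newer SA overlaps an older, unexpired SA.

    Returns a list of (snapshot_index, old_remaining_s, new_remaining_s).
    Two distinct timers in one snapshot mean a second SA pair was negotiated
    before the first ran down to zero, i.e. a rekey rather than an expiry.
    """
    events = []
    for i, lines in enumerate(snapshots):
        sas = parse_snapshot(lines)
        if len(sas) > 1 and sas[0][1] > 0:
            events.append((i, sas[0][1], sas[-1][1]))
    return events


if __name__ == "__main__":
    for idx, old_s, new_s in early_rekeys(SAMPLE_SNAPSHOTS):
        print(f"snapshot {idx}: rekeyed with {old_s}s left, new SA has {new_s}s")
```

Feeding the real command output, one snapshot per poll, lets you confirm whether the SA was replaced early or simply expired and was re-triggered by matching traffic.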
03-02-2012 01:37 AM
Hello,
Has anyone been able to shed any light on this? I'm struggling to find any documentation that explains this or, if it's a feature, where to disable it.
Would much appreciate any assistance!
Thanks,
Duncan.