05-01-2015 10:13 AM
Dear All,
I have a site-to-site VPN from the HQ to the Branch Office.
As soon as there are no more clients connected behind the Branch Router, I have no way to connect to the Branch Router, but the VPN remains open.
My Branch Router Config:
service tcp-keepalives-in
service tcp-keepalives-out
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.5.1 10.1.6.4
ip dhcp excluded-address 10.1.5.14
ip dhcp excluded-address 10.4.5.1
!
ip dhcp pool Produktion-LAN
 network 10.1.5.0 255.255.255.240
 default-router 10.1.5.1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key MyKEY address 99.99.99.99
!
!
crypto ipsec transform-set MYRemote-SET esp-3des esp-md5-hmac
!
crypto map MyLocal-MAP 10 ipsec-isakmp
 description HQ
 set peer 99.99.99.99
 set transform-set MYRemote-SET
 match address 110
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ADSL-WAN - OUTSIDE$$ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description UPLINK zu SWITCH
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 2
!
!
interface Vlan1
 description $PRODUKTION-LAN - INSIDE$
 ip address 10.1.5.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
!
interface Vlan2
 description $VISIORAMA - INSIDE$
 ip address 10.2.5.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
!
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname User
 ppp chap password Password
 crypto map MyLocal-MAP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
kron occurrence backup at 1:00 1 recurring
 policy-list backup
!
kron policy-list backup
 cli archive config
!
Here some outputs:
RTR#show crypto isakmp peers
Peer: 99.99.99.99 Port: 500 Local: 88.88.88.88
 Phase1 id: 99.99.99.99

RTR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
99.99.99.99     88.88.88.88     QM_IDLE           2001    0 ACTIVE
What can I do to have the connection always open even if there is no device online behind the router?
Thanks for your help.
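The `show crypto isakmp sa` table in the post can be checked automatically rather than by eye. The following Python parser is an added example, not code from the thread; its sample output is constructed (the second peer 77.77.77.77 stuck in main mode is invented to show the unhealthy case) and uses the thread's placeholder addresses:

```python
"""Parse `show crypto isakmp sa` output (format as shown in the thread)
and report whether the phase 1 SA to a given peer is usable."""
import re

# Constructed sample: one established SA plus one stuck in main mode.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
99.99.99.99     88.88.88.88     QM_IDLE           2001    0 ACTIVE
77.77.77.77     88.88.88.88     MM_NO_STATE       2002    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# QM_IDLE is the state that means phase 1 completed and the SA is usable;
# MM_* / AM_* states mean the negotiation has not finished.
ESTABLISHED = "QM_IDLE"

# One SA row: dst src state conn-id slot status (status may contain spaces).
ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and section lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["conn_id"] = int(d["conn_id"])
            d["slot"] = int(d["slot"])
            rows.append(d)
    return rows


def peer_is_up(text, peer):
    """True if an SA to `peer` is in QM_IDLE with a plain ACTIVE status."""
    return any(
        r["dst"] == peer and r["state"] == ESTABLISHED and r["status"] == "ACTIVE"
        for r in parse_isakmp_sa(text)
    )


if __name__ == "__main__":
    for r in parse_isakmp_sa(SAMPLE):
        print(r["dst"], r["state"], r["status"])
    print("HQ peer up:", peer_is_up(SAMPLE, "99.99.99.99"))
```

Feed it the real command output (for example collected over SSH on a schedule) to alert when the HQ peer drops out of QM_IDLE.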
05-04-2015 10:58 AM
Hi there,
You can force the security association to the max value.
crypto map MyLocal-MAP 10 ipsec-isakmp
 set security-association lifetime seconds 86400
thanks