Cisco Site to Site VPN connection loss

Naegeli Adrian
Level 1

Dear All,

I have a site-to-site VPN from the HQ to the Branch Office.

As soon as there are no more clients connected behind the Branch Router, I have no way to connect to the Branch Router, but the VPN remains open.

My Branch Router Config:

service tcp-keepalives-in
service tcp-keepalives-out

no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.5.1 10.1.6.4
ip dhcp excluded-address 10.1.5.14
ip dhcp excluded-address 10.4.5.1
!
ip dhcp pool Produktion-LAN
   network 10.1.5.0 255.255.255.240
   default-router 10.1.5.1
!

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key MyKEY address 99.99.99.99
!
!
crypto ipsec transform-set MYRemote-SET esp-3des esp-md5-hmac
!
crypto map MyLocal-MAP 10 ipsec-isakmp
 description HQ
 set peer 99.99.99.99
 set transform-set MYRemote-SET
 match address 110

!

ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ADSL-WAN - OUTSIDE$$ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description UPLINK zu SWITCH
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 2
!
!
interface Vlan1
 description $PRODUKTION-LAN - INSIDE$
 ip address 10.1.5.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
!
interface Vlan2
 description $VISIORAMA - INSIDE$
 ip address 10.2.5.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
!
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname User
 ppp chap password Password
 crypto map MyLocal-MAP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
kron occurrence backup at 1:00 1 recurring
 policy-list backup
!
kron policy-list backup
 cli archive config
!

Here are some outputs:

RTR#show crypto isakmp peers
Peer: 99.99.99.99 Port: 500 Local: 88.88.88.88
 Phase1 id: 99.99.99.99

RTR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
99.99.99.99     88.88.88.88     QM_IDLE    2001     0     ACTIVE

What can I do to have the connection always open even if there is no device online behind the router?

Thanks for your help.

1 Reply

rizwanr74
Level 7

Hi there,

You can force the security association to the max value.

crypto map MyLocal-MAP 10 ipsec-isakmp
 set security-association lifetime seconds 86400

thanks
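Added example (not part of the original thread, and not posted by either participant) showing what a practitioner would actually configure on the Branch Router for the symptom above: the ISAKMP SA shown as QM_IDLE only proves phase 1 is up; the IPsec SAs that carry traffic are built on demand by "interesting" traffic matching access-list 110 and are torn down when their lifetime expires with nothing refreshing them. Raising the lifetime, as the reply suggests, only postpones that. The block below combines the corrected lifetime command with Dead Peer Detection and an IP SLA probe that generates matching traffic itself. The HQ host 10.0.0.10 is an assumed address (the HQ LAN is not shown in the post); access-list 110 is referenced by the crypto map but not shown either, so the probe assumes it covers traffic sourced from Vlan1's address 10.1.5.1.

```cisco
! --- Added example; not the original poster's or the reply's configuration. ---
!
! 1) Dead Peer Detection keeps the ISAKMP SA honest: probe every 10 s,
!    retry every 3 s once the peer stops answering.
crypto isakmp keepalive 10 3 periodic
!
! 2) Maximum IPsec SA lifetime on the crypto map entry (24 hours).
!    The "seconds" keyword is required; this only delays expiry of an idle SA.
crypto map MyLocal-MAP 10 ipsec-isakmp
 set security-association lifetime seconds 86400
!
! 3) Generate interesting traffic from the branch LAN so the IPsec SA is
!    (re)negotiated even when no client is online. Sourced from Vlan1
!    (10.1.5.1), so access-list 110 must match that address as a source.
!    10.0.0.10 is an ASSUMED host on the HQ LAN behind 99.99.99.99; replace
!    it with a real HQ address that answers ICMP and is in the HQ crypto ACL.
ip sla 1
 icmp-echo 10.0.0.10 source-interface Vlan1
 frequency 30
 timeout 5000
ip sla schedule 1 life forever start-time now
!
! 4) Verification. QM_IDLE in "show crypto isakmp sa" is not enough;
!    confirm IPsec SAs exist and the probe is succeeding:
! RTR#show crypto ipsec sa peer 99.99.99.99
! RTR#show crypto session detail
! RTR#show ip sla statistics 1
```

Two caveats unrelated to the symptom but visible in the posted config: "ip ssh version 1" and the transform set "esp-3des esp-md5-hmac" with ISAKMP "group 2" are weak by today's standards; SSH version 2, an AES/SHA transform set and a stronger DH group should be used where both peers support them. Whatever is changed on the Branch Router must be mirrored on the HQ peer, since ISAKMP and IPsec parameters have to agree on both sides.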