02-03-2008 11:13 PM - edited 02-21-2020 03:31 PM
Friends,
I am going to configure an IPsec tunnel between two sites. I want the tunnel to remain up almost all the time. For this, if I configure "crypto ipsec security-association idle-time" to its maximum value, is there any issue in doing this? I mean, I want to know if it has any disadvantage. Will it kill my router resources? As you know, when an IPsec tunnel comes up, it drops a few packets and also adds delay in communication, which I want to mitigate. I need your comments, please.
Best Regards
Rameez
02-04-2008 12:58 AM
There are a few ways to keep the tunnel open:
- Periodic ISAKMP keepalives
crypto isakmp keepalive
- As you suggest, increasing the IPsec idle timer and also the IKE/IPsec lifetime
isakmp policy 20 lifetime
crypto ipsec security-association lifetime
- Running NTP between the 2 routers through the IPsec tunnel
I think there is no big issue. We used this when IPsec between a Cisco and a non-Cisco device had a problem coming up from the non-Cisco side, so we decided to keep the tunnel up.
M.
02-05-2008 07:11 AM
I have a quick question. I have an IPsec tunnel between a pix515 and a pix501 and have encountered this many times, where the tunnel gets torn down after so many minutes (idle time).
Does the crypto isakmp keepalive need to be configured on both devices or just on the side initiating the VPN connection (in this case the pix501 is at our remote site and the pix515 is at our corporate office)?
Thanks
DKanzler
02-05-2008 11:52 PM
Friends,
Can someone tell me any Cisco website link or any configuration that can help me create a permanent tunnel?
Waiting...........
Best Regards
02-11-2008 03:26 PM
Still Waiting.........