IPsec tunnel interface - Keepalive

lemontree_61089
Level 1

Hi,

I have a question regarding a piece of documentation :

"When the tunnel is configured to operate in IPSec mode, the keepalive parameter must be disabled. By default, keepalive is disabled."

http://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/1_0/software/configuration/guide/security/security_Book/sec_ipsec_cgr1000.html

I understand the keepalive command under the tunnel interface should only be used when using GRE encapsulation. 

I know we can use DPD with IKEv1 or IKEv2, but I was just curious and wonder why we cannot use keepalive with IPsec?

Thanks!

Thomas

4 Replies

mdussana
Level 1

Hi Thomas,

It is mainly because there are two ways to configure a GRE over IPSec tunnel, either using crypto maps or tunnel protection, right? There are some differences between them.

Crypto Map GRE over IPSec:

  1. Encrypted packet reaches the physical interface.
  2. Packet is decrypted and forwarded to the tunnel interface.
  3. Packet is decapsulated and then forwarded to the IP destination in clear text.

Tunnel Protection GRE over IPSec:

  1. Encrypted packet reaches the physical interface.
  2. Packet is forwarded to the tunnel interface.
  3. Packet is decrypted and decapsulated and then forwarded to the IP destination in clear text.

As you can imagine, sometimes a router will receive an encrypted keepalive when it is just expecting a clear-text keepalive, or the router is expecting an encrypted packet but is receiving a clear-text keepalive, which will make the tunnel change state to up/down.

Hi  mdussana,

Thanks for your reply. I do understand that part, however what I am missing here is why I can use the keepalive feature with GRE but not with IPsec only.

As you correctly said, we can configure a GRE/IPsec tunnel either with a crypto map or with tunnel protection. But we can do the same without GRE. If I choose to use "tunnel mode ipsec ipv4", then it is not going to use GRE encapsulation anymore, or I can use a crypto map without a tunnel interface.

So, as the documentation clearly states, we can use the keepalive feature with GRE but not with IPsec; I am still wondering why.

Thomas

Hi lemontree,

mdussana wrote it clearly, to my understanding:

With GRE there is no encryption happening, so keepalives always come/go unencrypted and are also expected to arrive unencrypted; that makes them reliable and OK to use there.

With IPsec it can come encrypted when it was expected unencrypted, and vice versa.

In my case I've set keepalives on the IPsec interface and so far I don't see any confusion; the interface stays up. So you'd best try it yourself.
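As an added configuration example (not part of the thread above, and not taken from the Cisco document Thomas quotes): the two tunnel types the thread contrasts, on Cisco IOS, toward the same peer. Option A is GRE over IPsec with tunnel protection, where the GRE-level `keepalive` is legitimate because the tunnel carries GRE packets; Option B is an IPsec VTI (`tunnel mode ipsec ipv4`) with no `keepalive` line, where IKEv2 DPD in the IKEv2 profile provides the liveness check instead. Interface names, peer addresses (RFC 5737 documentation space), profile names and the pre-shared key are placeholders I chose; the two tunnel interfaces are alternatives for one peer and are shown together only for comparison, not meant to be configured side by side.

```cisco
! Added example, not from the original thread. Names, addresses and the
! pre-shared key are placeholders; replace them before use.

crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring IKEV2-KR
 peer SITE-B
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
 ! IKEv2 dead peer detection: send a liveness check every 10 seconds,
 ! retry every 3 seconds when unanswered. This works for any tunnel
 ! encapsulation because it runs inside IKE, not inside the tunnel.
 dpd 10 3 periodic

crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF

! Option A: GRE over IPsec with tunnel protection. The interface is a GRE
! tunnel, so GRE keepalives (period 10 s, 3 retries) are valid here.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 keepalive 10 3
 tunnel protection ipsec profile IPSEC-PROF

! Option B: IPsec VTI. There is no GRE header at all, so, per the quoted
! documentation, the keepalive command stays disabled (its default).
! Peer liveness comes from the DPD setting in IKEV2-PROF above.
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
```

For an IKEv1 crypto map or IKEv1 tunnel protection deployment the equivalent liveness setting is `crypto isakmp keepalive 10 3 periodic` at global level; the point of the example is that DPD lives in the IKE layer and the GRE `keepalive` lives in the GRE encapsulation, so only the GRE tunnel has a place for the latter.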