Re: IPSEC VPN Initiator vs Responder

henokk601 · ‎06-01-2022

HI All

I configure IPsec VPN and working fine however I have an issue every time the connection become Idle and when I ping a traffic the VPN become Active. is there any option to make the VPN Active always for example by making one end Initiator and the other end router Responder. If there is any specific command to do so please tell me ?

Rob Ingram · ‎06-01-2022

@henokk601 yes you can set the VPN headend device (either ASA or router, you don't say which you are using) to respond only....but that doesn't solve your issue. If you always want the tunnel up, either always generate some interesting traffic to ensure the tunnels does not timeout via a ping script from your NMS or using a route based VPN (VTI), which does not require interesting traffic to stay up.

Kasun Bandara · ‎06-01-2022

you need to keep traffic going through the VPN to keep it active or it will go down after lifetime. also as a second option you can use sVTI VPN to keep tunnel interface based VPN always up and use routing to pass traffic.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

MHM Cisco World · ‎06-01-2022

use IP SLA and send traffic always to other Peer this is like auto ping and it make your tunnel always active.

Oscar Castillo · ‎07-30-2022

Yes, there is one. In phase 2, IPSec Transform-set, Y runs under 2 modes, Tunnel Mode and Transport Mode. Tunnel Mode keeps the tunnel up while interesting traffic passes through the tunnel, Once the traffic stop passing, the tunnel will drop. Transport Mode, it will remain up regardless of traffic traverses or not. Now the connection will be from end to end devices.