IPsec VPN tunnels disconnect after inactivity and can't be brought up from inside. Only traffic sent from the other side of the tunnel will open the tunnel again.
We have a Cisco 851 router at a small office location. It connects back to a Cisco 1811 at our head office through a VPN. Every night, since there is no activity, the tunnel shuts down. In the morning, the users in the remote office cannot generate traffic that will open the tunnel. As soon as someone pings from our head office network, however, the tunnel comes right back up. I'm looking for either a way to keep the tunnel alive all the time, or a way for the remote side to bring the tunnel up based on traffic.
On a side note, although the VPN connects to head office, we have two subnets here. If I ping from subnet A to bring the tunnel up, the remote office can access subnet A over the VPN but not B. I have to ping from both A and B to give them access to both. This is a single VPN tunnel. Any help is greatly appreciated.
A VPN tunnel always comes up when there is some interesting traffic. I think on your head office end you have declared the traffic towards the remote end as interesting traffic, but on the remote end the traffic towards the head office is not declared as interesting. You have to declare the interesting traffic on the remote site.
Secondly, you can increase the phase 1 and phase 2 IPsec timers to 1 day or more, as required, to keep the tunnel up even if there is no interesting traffic.
Thirdly, as you have said, the tunnel always comes up from the head office, and if you send traffic from subnet A, then the remote end can send traffic to that subnet only, not to subnet B. You need to define proper ACLs for both sites which cover all types of interesting traffic from each end. I hope this will solve your problem. If not, then send me the configuration and I will get back to you with a possible solution.
I was thinking that it was something to do with defining interesting traffic. Do you know the commands to do this? I don't need anything exact, but the command would be helpful.
The interesting traffic is defined in an access list, and then this access list is associated with the VPN tunnel. In the VPN profile you will see a command 'match address 101' (or 102, or any other number or name); this number or name is that of your access list, which defines the traffic that you want to send over your VPN tunnel. For example, to send all traffic from subnet 192.168.2.0 to 192.168.3.0, I would create an access list as below:
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
If you are using a router, you would use wildcard masks instead of the subnet mask in the access list. Once you have defined the right traffic access list, your VPN will start working as you need it to.
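To put the advice in this thread together, here is an added worked example (not configuration posted by anyone in the thread) of a crypto-map VPN on IOS routers such as the 851 and 1811, with the crypto ACLs on the two sides written as exact mirror images and covering both head-office subnets. Every address is an assumption: head-office subnets A = 192.168.1.0/24 and B = 192.168.2.0/24, remote subnet 192.168.3.0/24, and WAN addresses from the 203.0.113.0/24 documentation range; the ACL, transform-set and crypto-map names are arbitrary. The lifetimes are set to 86400 seconds, which is the largest value IOS accepts for both ISAKMP and IPsec SAs; an SA with no traffic is still torn down at expiry, so the remote side's crypto ACL is what lets users there bring the tunnel up.

```cisco
! ===== Head office: Cisco 1811 (WAN on FastEthernet0) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14                ! use group 5 if the IOS image does not offer 14
 lifetime 86400          ! phase 1 lifetime, maximum IOS allows (1 day)
crypto isakmp key <shared-secret> address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400   ! phase 2 lifetime
!
! Interesting traffic: BOTH local subnets to the remote subnet.
! A single entry for subnet A would only ever bring up an SA for A.
ip access-list extended VPN-TO-REMOTE
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TO-REMOTE
!
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN

! ===== Remote office: Cisco 851 (WAN on FastEthernet4) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <shared-secret> address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
!
! Mirror image of the head-office ACL: source and destination swapped,
! one line per head-office subnet, so traffic from the remote LAN to
! either A or B is interesting and can initiate the tunnel.
ip access-list extended VPN-TO-HQ
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Only needed if this router also does NAT overload for Internet access
! (assumed here): NAT runs before the crypto map on outbound packets, so
! VPN-bound traffic must be exempted or its translated source address
! never matches VPN-TO-HQ and the tunnel is never triggered.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface FastEthernet4 overload
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TO-HQ
!
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN
```

To check the result from the remote office, generate traffic from the 192.168.3.0/24 LAN to a host in subnet B and then run `show crypto isakmp sa` (the phase 1 SA should show QM_IDLE) and `show crypto ipsec sa`, which lists one IPsec SA pair per crypto ACL line; with the ACLs above you should see SAs for both 192.168.3.0/24 <-> 192.168.1.0/24 and 192.168.3.0/24 <-> 192.168.2.0/24. If a crypto ACL line on one side has no exact mirror on the other, phase 2 negotiation for that pair fails even though the other pair works, which is precisely the one-subnet symptom described in the question.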