More IPSec Tunnel help needed
JohnnyBiggles
Member Posts: 273
in CCNA & CCENT
Ok.. I had posted a thread last week sometime about configuring an IPSec tunnel and we ended up having Cisco chime in to verify our end of the IPSec tunnel which was good. It was the other end that needed to make some changes before the tunnel came up. My question now is about the following command line:
crypto ipsec security-association lifetime seconds 86400
Apparently, this is a timer for the security association, but what I'm confused about is what exactly happens once that timer expires and if it in fact breaks the connection as a result of it being idle. What is required to re-establish that connection, if anything?
I ask this because after jumping through rings of fire to finally get the tunnel up with the opposite end, I went home happy with it working on a Friday, then came in Monday to failed pings to the same addresses and the configuration on our end did not change. Could this^^ be the reason why? Because the security association expired? If so, how do I reestablish that connection? Is a new crypto key required each time it expires? Any help/insight would be appreciated. Thanks.
Comments
SteveO86 Member Posts: 1,423
When that timer expires the IPSec tunnel re-keys and re-establishes under a new SPI.
This happens regardless of whether the timer expires or the kb transfer limit is reached. Just make sure the timers and kb limit match on both sides. Usually you only have to worry about this when establishing VPN tunnels between different vendor equipment.
sh cry ipsec security-association lifetime
Tunnel should re-establish when the timers expire as long as interesting traffic is trying to pass.
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
JohnnyBiggles Member Posts: 273
Thanks for the quick reply.
1) So to be clear, this really shouldn't be the problem then (when sending pings a few days later without any config changes) as long as the timers match on both sides?
2) What is an SPI?
SteveO86 Member Posts: 1,423
Correct, when the timer expires the tunnel should simply re-establish.
The SPI, Security Parameter Index, is just an identifier used by the IOS to track IPSec connections.
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
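A small added helper (not from this thread or from Cisco) for the two checks SteveO86 describes: compare the configured lifetimes on both peers from "show crypto ipsec security-association lifetime", and confirm from two captures of "show crypto ipsec sa" that a rekey really replaced the SPI. All show output below is constructed sample text in the IOS line formats the regexes assume.

```python
import re

# Constructed sample output (not captured from the poster's routers) in the
# format IOS prints for "show crypto ipsec security-association lifetime".
LOCAL_LIFETIME = "Security association lifetime: 4608000 kilobytes/86400 seconds\n"
REMOTE_LIFETIME = "Security association lifetime: 4608000 kilobytes/3600 seconds\n"

# Constructed inbound-SA excerpts of "show crypto ipsec sa", taken just before
# the seconds lifetime runs out and again after the rekey (new SPI, fresh timer).
SA_BEFORE = """\
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        sa timing: remaining key lifetime (k/sec): (4607999/120)
"""
SA_AFTER = """\
     inbound esp sas:
      spi: 0x9ABCDEF0(2596069104)
        sa timing: remaining key lifetime (k/sec): (4608000/86390)
"""

LIFETIME_RE = re.compile(r"Security association lifetime:\s*(\d+) kilobytes/(\d+) seconds")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")

def parse_lifetime(output):
    """Return the configured (kilobytes, seconds) lifetime from the show output."""
    m = LIFETIME_RE.search(output)
    if not m:
        raise ValueError("lifetime line not found")
    return int(m.group(1)), int(m.group(2))

def lifetime_mismatches(local_out, remote_out):
    """List the lifetime values that differ between the two peers (empty list = match)."""
    local, remote = parse_lifetime(local_out), parse_lifetime(remote_out)
    names = ("kilobytes", "seconds")
    return [f"{n}: local={lv} remote={rv}" for n, lv, rv in zip(names, local, remote) if lv != rv]

def parse_sas(output):
    """Return [(spi_hex, remaining_kb, remaining_sec)] for every SA in the output."""
    spis = SPI_RE.findall(output)
    timings = TIMING_RE.findall(output)
    return [(s.upper(), int(kb), int(sec)) for s, (kb, sec) in zip(spis, timings)]

def rekeyed(before_out, after_out):
    """True when every SPI seen in the earlier capture has been replaced by a new one."""
    before = {spi for spi, _, _ in parse_sas(before_out)}
    after = {spi for spi, _, _ in parse_sas(after_out)}
    return bool(before) and bool(after) and before.isdisjoint(after)
```

With the constructed samples, lifetime_mismatches() reports the seconds value differing (86400 vs 3600), and rekeyed() confirms the post-expiry capture carries a new SPI with a full timer.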