Cisco IOS EZVPN Timeout Issue
mrjoshuap Member Posts: 8
Hello All,
I have an issue I'm hoping someone can assist me with or provide valuable feedback on.
I just got my home router, a 2821, configured as an EZVPN server. As of right now I have everything configured to where I can connect and access all my devices on my local LAN. However, the ISAKMP SA only allows me to be connected for 60 mins at a time. I tried adjusting the ISAKMP policy lifetime, but it turned out that the default max life seems to be only 86400 seconds. Is there a way I can disable the lifetime of the ISAKMP policy so it's always up as long as I have traffic flowing?
Please see below for the exact router config:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 hash sha
 group 2
crypto isakmp key Pr0Duct1on address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
ip local pool EZVPN_POOL 172.16.1.1 172.16.1.254
!
crypto isakmp client configuration group EZVPN
 key Pr0Duct
 dns 167.206.7.4 167.206.112.138
 domain Production-Network.net
 pool EZVPN_POOL
 include-local-lan
 max-users 10
 max-logins 10
 netmask 255.255.255.0
!
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN
 client authentication list EZVPN_RADIUS
 isakmp authorization list GROUP
 client configuration address respond
 client configuration group EZVPN
 virtual-template 1
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
!
interface Virtual-Template1 type tunnel
 description EZVPN_USER_CRYPTO
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
 ip nat inside
HQ_BK_E55th_RT1#sh crypto isakmp sa de
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1024 47.0.0.0 152.0.0.0 ACTIVE aes sha 2 00:47:32 CXN
Engine-id:Conn-id = SW:24
Comments
networker050184 Mod Posts: 11,962
The default ISAKMP lifetime is 86,400 seconds, which is 24 hrs, so that probably has nothing to do with your getting kicked off in one hour. I think the IPSEC lifetime defaults to around half that, so probably not your problem either. There is also a traffic timeout which I don't remember off the top of my head, so maybe you can look into that.
An expert is a man who has made all the mistakes which can be made.
mrjoshuap Member Posts: 8
Thanks for the insight, it helped point me in the right direction, to the IPsec profile. I would need to apply set security-association lifetime seconds to specify the lifetime of the tunnel. However, Mac devices such as laptops, iPads, iPhones and Mac desktops all default to a lifetime of 1 hour (3600 seconds). I spent all day yesterday trying to figure out why I was only able to keep the tunnel up for 1 hour.
Below I have the article I used to help me figure out what the problem was. I hope some Apple users find this very useful.
Link ---> https://discussions.apple.com/thread/3275811
Thanks.
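As an added check, not code from the thread: this Python script parses rows in the same layout as the "sh crypto isakmp sa de" output posted above, applies the rule that the negotiated lifetime is the shorter of the two proposals (which is how a 3600 s client default overrides the router's 86400 s), and lists SAs due to expire within a window. The sample rows, the 198.51.100.7 peer and the status set are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the "sh crypto isakmp sa de" output in the post; the I-VRF
# and Auth columns are blank there, so data rows carry fewer tokens than the header names.
SAMPLE_OUTPUT = """\
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1024 47.0.0.0 152.0.0.0 ACTIVE aes sha 2 00:47:32 CXN
1025 47.0.0.0 198.51.100.7 ACTIVE aes sha 2 21:10:05 CXN
Engine-id:Conn-id = SW:24
"""
ROUTER_ISAKMP_LIFETIME = 86400  # IOS default (seconds), the value the poster tried to raise
APPLE_CLIENT_LIFETIME = 3600    # the one-hour client default named in the thread

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HMS = re.compile(r"^(\d+):(\d{2}):(\d{2})$")
# fields: C-id, Local, Remote, Status, and the Lifetime column converted to seconds left
IsakmpSa = namedtuple("IsakmpSa", "conn_id local remote status remaining_s")

def negotiated_lifetime(local_s: int, peer_s: int) -> int:
    # Peers end up with the shorter of the two proposals: a 3600 s client beats 86400 s.
    return min(local_s, peer_s)

def _hms_to_seconds(tokens):
    for t in tokens:
        m = _HMS.match(t)
        if m:
            h, mi, s = (int(g) for g in m.groups())
            return h * 3600 + mi * 60 + s
    return None

def parse_isakmp_sa(text: str) -> list:
    # Keys on the numeric C-id, two IPv4 tokens and the hh:mm:ss field, so blank optional
    # columns do not shift the result; prompt, header and Engine-id lines are skipped.
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        ips = [t for t in tok if _IPV4.match(t)]
        remaining = _hms_to_seconds(tok)
        if len(ips) < 2 or remaining is None:
            continue
        status = next((t for t in tok if t in ("ACTIVE", "QM_IDLE", "MM_NO_STATE")), "?")
        sas.append(IsakmpSa(int(tok[0]), ips[0], ips[1], status, remaining))
    return sas

def expiring_within(sas: list, window_s: int) -> list:
    # A freshly built SA showing under an hour here is the signature of a 3600 s client proposal.
    return [sa.conn_id for sa in sas if sa.remaining_s <= window_s]
```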
networker050184 Mod Posts: 11,962
Glad you got it sorted and thanks for posting your solution!
An expert is a man who has made all the mistakes which can be made.