Cisco IOS EZVPN Timeout Issue
mrjoshuap
Hello All,
I have an issue I'm hoping someone can assist me with or provide valuable feedback on.
I just got my home router, a 2821, configured as an EZVPN server. As of right now I have everything configured to where I can connect and access all my devices on my local LAN. However, the ISAKMP SA only allows me to be connected for 60 mins at a time. I tried adjusting the ISAKMP policy lifetime, but it turns out that the default max life seems to be only 86400 seconds. Is there a way I can disable the lifetime of the ISAKMP policy so it's always up as long as I have traffic flowing?
Please see below for the exact router config:
crypto isakmp policy 10
encr aes
authentication pre-share
hash sha
group 2
crypto isakmp key Pr0Duct1on address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
ip local pool EZVPN_POOL 172.16.1.1 172.16.1.254
!
crypto isakmp client configuration group EZVPN
key Pr0Duct
dns 167.206.7.4 167.206.112.138
domain Production-Network.net
pool EZVPN_POOL
include-local-lan
max-users 10
max-logins 10
netmask 255.255.255.0
!
crypto isakmp profile EZVPN_PROFILE
match identity group EZVPN
client authentication list EZVPN_RADIUS
isakmp authorization list GROUP
client configuration address respond
client configuration group EZVPN
virtual-template 1
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
set transform-set EZVPN_SET
set isakmp-profile EZVPN_PROFILE
!
interface Virtual-Template1 type tunnel
description EZVPN_USER_CRYPTO
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EZVPN_PROFILE
ip nat inside
HQ_BK_E55th_RT1#sh crypto isakmp sa de
C-id  Local      Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1024  47.0.0.0   152.0.0.0         ACTIVE  aes   sha         2   00:47:32  CXN
Engine-id:Conn-id = SW:24
Comments
networker050184
The default ISAKMP lifetime is 86,400 seconds which is 24hrs so that probably has nothing to do with your getting kicked off in one hour. I think the IPSEC lifetime defaults to around half that so probably not your problem either. There is also a traffic timeout which I don't remember off the top of my head so maybe you can look into that.
mrjoshuap
Thanks for the insight, it helped point me in the right direction to the IPsec profile. I would need to apply "set security-association lifetime seconds" to specify the lifetime of the tunnel. However, Mac devices such as laptops, iPads, iPhones and Mac desktops all default to a lifetime of 1 hour (3600 seconds). I spent all day yesterday trying to figure out why I was only able to keep the tunnel up for 1 hour.
Below is the article I used to help me figure out what the problem was. I hope some Apple users find this very useful.
Link: https://discussions.apple.com/thread/3275811
Thanks.
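As an added example (not part of the thread), the following Python parses the fixed-width "show crypto isakmp sa detail" table from the first post into remaining-lifetime seconds and captures the two lifetime rules the thread turns on: the negotiated IPsec SA lifetime is the shorter of the server and client proposals, and the ISAKMP policy lifetime cannot exceed 86400 s. The sample row is constructed from the values in the post; the 60..86400 s range for the ISAKMP policy lifetime is taken from IOS documentation and is not stated on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample that mirrors the 'show crypto isakmp sa detail' row in the
# thread (same values, re-aligned into the fixed-width columns IOS prints).
SAMPLE_SHOW_OUTPUT = """\
C-id  Local      Remote     I-VRF   Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1024  47.0.0.0   152.0.0.0          ACTIVE  aes   sha         2   00:47:32  CXN
Engine-id:Conn-id = SW:24
"""

@dataclass
class IsakmpSa:
    conn_id: int
    local: str
    remote: str
    status: str
    remaining_seconds: int  # time left on the IKE SA, from the Lifetime column

def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Slice each row at the header's column offsets, so blank I-VRF/Auth cells
    (as in the thread's pre-shared-key tunnel) do not shift the other fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    names = header.split()
    sas: List[IsakmpSa] = []
    for row in lines[1:]:
        cells: Dict[str, str] = {}
        for i, name in enumerate(names):
            end = starts[i + 1] if i + 1 < len(starts) else None
            cells[name] = row[starts[i]:end].strip()
        if not cells["C-id"].isdigit():
            continue  # skip continuation lines such as 'Engine-id:Conn-id = ...'
        sas.append(IsakmpSa(int(cells["C-id"]), cells["Local"], cells["Remote"],
                            cells["Status"], hms_to_seconds(cells["Lifetime"])))
    return sas

def effective_ipsec_lifetime(server_seconds: int, client_seconds: int) -> int:
    """IKE negotiates lifetimes downward: the SA lives for the shorter proposal.
    Raising 'set security-association lifetime seconds' on the router therefore
    cannot outlast a client that proposes 3600 s, as the Apple clients here do."""
    return min(server_seconds, client_seconds)

def isakmp_lifetime_is_valid(seconds: int) -> bool:
    """IOS accepts 60..86400 s for the ISAKMP policy lifetime (assumed from IOS
    docs); there is no 'never expire' setting, which answers the original question."""
    return 60 <= seconds <= 86400
```

Feeding the parser a periodic capture of the show command and alerting when remaining_seconds drops toward zero on a tunnel that should be idle-free is a cheap way to spot client-imposed lifetimes before users report drops.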
networker050184
Glad you got it sorted and thanks for posting your solution!