dynamic vpn keep alive

Situation: I have a Cisco 1841 [HQ] on a static address and a Cisco 876 [branch office] on a dynamic ADSL address. An IPsec VPN tunnel is configured between them, so both locations are part of the corporate network [WAN]. When the tunnel is up I can reach HQ from the branch, and the branch from HQ as well; this is OK.

Problem: but when the 876's ADSL address changes [regularly], the tunnel obviously goes down, and I need an incoming call [e.g. a ping] from the branch office to the static HQ [well-known IP] to re-establish the tunnel. It is then OK for the next period.

Current solution: at the branch office I have one dedicated workstation, always powered on, that serves as a ping generator to keep the tunnel to HQ up. I have not tried any solution based on DynDNS or similar.

Question: is it possible to configure the Cisco 876 router to periodically issue a ping [or something similar] on a frequent basis [every few minutes] to force tunnel re-establishment after an ADSL address change?

Any suggestions?

Thanks!

Reply to
sali

! tracked object that follows the probe's reachability
track 1 rtr 101 reachability
 delay down 20 up 20
!
! ICMP echo probe towards a host on the far side of the tunnel
ip sla 101
 icmp-echo 10.0.0.1
 timeout 1000
ip sla schedule 101 life forever start-time now

Or NTP can be used.

In both cases you will probably need to set the source address for the traffic, since you have a VPN.

Reply to
bod43
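A complete branch-side configuration built around the IP SLA suggestion above, added here as an example; it is not a config from the thread. The addresses (192.168.10.0/24 for the branch LAN on Vlan1, 10.0.0.0/24 at HQ with 10.0.0.1 as the probe target, 203.0.113.1 as the HQ static address), the pre-shared key and the object names are assumptions. The detail that makes or breaks this: the echo must be sourced from an address covered by the crypto ACL, otherwise the router sends it in the clear out of Dialer0 and nothing ever triggers IKE. The probe itself is what produces the "interesting" traffic; the track object is optional and only makes the tunnel state visible with show track. The ip sla 101 / icmp-echo form needs IOS 12.4(4)T or later; older images on the 876 use ip sla monitor 101 with type echo protocol ipIcmpEcho, and track 1 rtr 101 reachability as in the post above.

```cisco
! Branch: Cisco 876 on a dynamic ADSL address (all values assumed)
!   Vlan1 = 192.168.10.1/24  (branch LAN, covered by the crypto ACL)
!   HQ peer = 203.0.113.1, HQ LAN = 10.0.0.0/24, probe target = 10.0.0.1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key BranchSecretKey address 203.0.113.1
! DPD: detect the dead SA quickly after the ADSL address changes,
! so the next probe renegotiates instead of being dropped into a stale SA
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! crypto ACL: branch LAN <-> HQ LAN; the probe must match this
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
!
interface Dialer0
 crypto map VPN
!
! Keepalive: one ICMP echo per minute, sourced from the LAN interface
! so the packet is selected by access-list 110 and triggers IKE when
! no SA exists. frequency defaults to 60 s; shown for clarity.
ip sla 101
 icmp-echo 10.0.0.1 source-interface Vlan1
 timeout 1000
 frequency 60
ip sla schedule 101 life forever start-time now
!
! Optional: tunnel reachability as a tracked object (show track 1)
track 1 ip sla 101 reachability
 delay down 20 up 20
```

To confirm it is doing the job after an address change: show ip sla statistics 101 should show the last echo succeeding, and show crypto isakmp sa / show crypto ipsec sa should list a fresh SA whose local address is the new ADSL address, with encaps counters increasing by roughly one packet per probe interval.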

The post from bod43 looks on the money, but I was just wondering how you set up a VPN tunnel when one end is dynamic. I have always had to have static IPs at both ends )-:

Can someone post a config that shows the commands for the static end, e.g. what address do you use on the crypto commands at the static end?

Cheers and thanks, Martin

Reply to
Martin
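For the static end Martin asks about, the conventional Cisco IOS answer (added here as an example; it is not a config posted in the thread) is a dynamic crypto map: the HQ crypto map carries no set peer, and the ISAKMP pre-shared key is bound to the wildcard address 0.0.0.0 0.0.0.0, so the peer address is learned when the branch initiates. Two consequences worth knowing before copying it: HQ can never initiate the tunnel, which is exactly why the branch has to keep it alive; and any device holding the key can bring up the tunnel from any address, so narrow the wildcard to the ISP's range where you can, and remember that all branches on a wildcard key share one secret, so a lost router means re-keying every branch. Addresses, key and names below are assumptions.

```cisco
! HQ: Cisco 1841 on static address 203.0.113.1 (all values assumed)
!   FastEthernet0/0 = 203.0.113.1/24 (WAN), HQ LAN = 10.0.0.0/24
!   branch LAN = 192.168.10.0/24, branch WAN address unknown in advance
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Wildcard peer: the branch address changes, so the key is bound to
! 0.0.0.0 0.0.0.0. Anyone with the key can connect from anywhere;
! replace the mask with the ISP's range if the ISP publishes one.
crypto isakmp key BranchSecretKey address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! crypto ACL, mirror image of the branch side
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! Dynamic crypto map: no "set peer". The entry is only ever matched
! when a remote peer initiates; HQ cannot bring the tunnel up itself.
crypto dynamic-map DYN 10
 set transform-set TS
 match address 110
!
! Static map that references the dynamic template; give it the
! highest sequence number so any static peers are tried first.
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
```

After the branch's first probe arrives, show crypto isakmp sa on the 1841 shows the branch's current ADSL address as the remote peer; when that address changes, the old SA lingers until DPD clears it and a new one appears alongside it.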

I have the idea that you can do this with DMVPN (Dynamic Multipoint VPN).

One possible disadvantage is that if someone gets hold of a remote router, they can then access your network from any IP address. I suppose there will be mitigations available (e.g. restricting the IP range to that of one ISP), and I suppose you will be able to turn off a single router's access once you find out that it is missing.

Much guesswork above.

Reply to
bod43

bod43 wrote:

Revoke the certificate of the spoke router and it can't join the DMVPN network any more. If you only have two or three spokes, you may change the pre-shared key on the remaining ones if you don't want a PKI.

Reply to
Uli Link

Just to say that my network admin has done something along the lines of your suggestion, and since then VPN-over-ADSL has been working well for a few weeks.

Thanks again!

Reply to
sali

That's good, always nice to hear that I am not completely clueless.

Saying that, I have just faked up NTP in the past :-) The SLA stuff is not that easy to follow.

Good luck.

Reply to
bod43

This Cisco 876 is a funny device; I have a few of them and am having other problems with them too.

There is a branch office with a few employees, a Cisco 876 ADSL [but in this case with a static IP, if that counts], and one of the computers is not able to send mail. The Cisco passes just the first few hundred bytes over port 25 [SMTP] and then stops, so from that particular computer it is possible to send only very short mails. After resetting the Cisco 876 router it sends mail correctly for the next few days. And again, this happens only on *one* of the computers; all the others send mails the whole time [no matter how long they are] without any problem. I have noticed this problem in two branch offices, with two different Cisco 876s. I have checked this problem not just with a mail client [you never really know what a mail client is doing] but also with telnet over port 25, and after a few lines are sent the traffic really blocks.

My assumption was that the Cisco 876 builds some internal tables based on the computer's NIC MAC, and somehow, maybe because of some traffic overload, this particular NIC MAC appears stuck and its traffic over port 25 is blocked.

Do you have any clue what can be done to resolve [or further investigate] this problem?

Thanks!

Reply to
sali

Check the SMTP inspection settings, although I can't think why it would work for a few days then stop.

Reply to
alexd

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.