dynamic vpn keep alive

Discussion in 'Cisco' started by sali, Jun 14, 2009.

  1. sali

    situation:
    i have a cisco 1841 [headq] on a static address and a cisco 876 [branch office] on
    a dynamic adsl address
    an ipsec vpn tunnel is configured between them so both locations are part
    of the corporate network [wan]
    when the tunnel is up, i can reach headq from branch, and branch from headq
    as well, this is ok

    problem:
    but, when the 876's adsl address changes [regularly], obviously the tunnel goes
    down, and i need an incoming call [f.e. ping] from the branch office to the static
    headq [well known ip] to re-establish the tunnel. it is then ok for the next
    period

    current solution:
    at the branch office, i have one dedicated workstation always powered on that
    serves as a ping generator, to keep the tunnel to headq up. i have not tried any
    solution based on dyndns or similar.

    question:
    is it possible to configure the cisco 876 router to periodically issue a ping [or
    something similar] on a frequent basis [every few minutes] to force the tunnel to
    re-establish after an adsl address change


    any suggestions?

    thnx!
     
    sali, Jun 14, 2009
    #1

  2. bod43

    On 14 June, 22:45, "sali" <> wrote:
    > situation:
    > i have cisco 1841 [headq] on static address and cisco 876 [branch office] on
    > dynamic adsl address
    > it is configured an ipsec vpn tunnel between them so both locations are part
    > of corporate network [wan]
    > when the tunnel is up, i may reach headq from branch, and branch from headq
    > as well, this is ok
    >
    > problem:
    > but, when 876 adsl address changes [regularly], obviously tunnel is going
    > down, and i need incoming call [f.e. ping] from branch office to static
    > headq [well known ip] to re-establish the tunnel. it is then ok for next
    > period
    >
    > current solution:
    > at branch office, i have one dedicated workstation always powered-on that
    > serves as ping generator, to keep tunnel to headq on. i was not trying any
    > solution based on dyndns or similar.
    >
    > question:
    > is it possible to configure cisco 876 router to periodically issue ping [or
    > something similar] on frequent basis [few minutes] to force tunnel
    > re-establish after adsl address change
    >
    > any suggestions?
    >
    > thnx!


    ip sla 101
     icmp-echo 10.0.0.1
     timeout 1000
    ip sla schedule 101 life forever start-time now
    !
    ! the track object follows the probe result, with 20 s of delay each way
    track 1 rtr 101 reachability
     delay down 20 up 20

    Or
    NTP can be used.

    In both cases you will probably need to set the
    source address for the traffic, since you have a VPN.
     
    bod43, Jun 14, 2009
    #2
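A fuller branch-side version of the approach in this post, written as an added example: it is not bod43's configuration and not from the thread. The LAN and HQ addresses, the ACL name, the Vlan1/Dialer0 interfaces and the applet name are assumptions. Its point is the source address: the probe only brings the tunnel up if it matches the crypto ACL, because that is what makes IKE negotiate.

```ios
! Branch router (Cisco 876), added example - not from the thread.
! Assumed: branch LAN 192.168.10.0/24 on Vlan1 (router 192.168.10.1),
! headquarters LAN 10.0.0.0/24 with a host 10.0.0.1 that answers ping,
! and a crypto map already applied to Dialer0 for the ADSL/PPPoE link.
!
! Traffic that is allowed to bring the tunnel up (the crypto ACL):
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! The probe must match that ACL, so it is sourced from the LAN address.
! Sourced from the dialer's public address it would leave in clear text,
! never trigger IKE, and simply fail - the "set the source address" point.
ip sla 101
 icmp-echo 10.0.0.1 source-ip 192.168.10.1
 frequency 60
 timeout 1000
ip sla schedule 101 life forever start-time now
!
! Track the probe; 20 s of dampening hides the short gap while IKE
! renegotiates after the ADSL address changes.
! (On older IOS the first line is "track 1 rtr 101 reachability".)
track 1 ip sla 101 reachability
 delay down 20 up 20
!
! Optional: log the transitions so an outage is visible in syslog.
event manager applet VPN-PATH
 event track 1 state any
 action 1.0 syslog msg "VPN path to HQ is now $_track_state"
!
! Let IKE notice a dead peer after an address change instead of waiting
! for the SA lifetime to run out; the probe then re-initiates.
crypto isakmp keepalive 10 3 periodic
```

Check it with `show ip sla statistics 101` (the probe should show successes once the tunnel is up), `show track 1` and `show crypto isakmp sa` (a fresh SA should appear shortly after the ADSL address changes). A probe sourced from the public address, or a destination outside the crypto ACL, keeps the tunnel idle and the tracked object down; that is the first thing to verify when this "does nothing".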

  3. Martin

    "sali" <> wrote in message
    news:h13qvp$6h9$...
    > situation:
    > i have cisco 1841 [headq] on static address and cisco 876 [branch office]
    > on dynamic adsl address
    > it is configured an ipsec vpn tunnel between them so both locations are
    > part of corporate network [wan]
    > when the tunnel is up, i may reach headq from branch, and branch from
    > headq as well, this is ok
    >
    > problem:
    > but, when 876 adsl address changes [regularly], obviously tunnel is going
    > down, and i need incoming call [f.e. ping] from branch office to static
    > headq [well known ip] to re-establish the tunnel. it is then ok for next
    > period
    >
    > current solution:
    > at branch office, i have one dedicated workstation always powered-on that
    > serves as ping generator, to keep tunnel to headq on. i was not trying any
    > solution based on dyndns or similar.
    >
    > question:
    > is it possible to configure cisco 876 router to periodically issue ping [or
    > something similar] on frequent basis [few minutes] to force tunnel
    > re-establish after adsl address change
    >
    >
    > any suggestions?
    >
    > thnx!

    the post from bod43 looks on the money but I was just wondering how you
    set up a vpn tunnel when one end is dynamic - I have always had to have
    static IPs at both ends )-:

    Can someone post a config that shows the commands for the static end, e.g.
    what address do you use on the crypto commands at the static end?

    cheers and thanks martin
     
    Martin, Jun 16, 2009
    #3
  4. bod43

    On 16 June, 06:22, "Martin" <> wrote:
    > "sali" <> wrote in message
    >
    > news:h13qvp$6h9$...
    >
    > > situation:
    > > i have cisco 1841 [headq] on static address and cisco 876 [branch office]
    > > on dynamic adsl address
    > > it is configured an ipsec vpn tunnel between them so both locations are
    > > part of corporate network [wan]
    > > when the tunnel is up, i may reach headq from branch, and branch from
    > > headq as well, this is ok

    >
    > > problem:
    > > but, when 876 adsl address changes [regularly], obviously tunnel is going
    > > down, and i need incoming call [f.e. ping] from branch office to static
    > > headq [well known ip] to re-establish the tunnel. it is then ok for next
    > > period

    >
    > > current solution:
    > > at branch office, i have one dedicated workstation always powered-on that
    > > serves as ping generator, to keep tunnel to headq on. i was not trying any
    > > solution based on dyndns or similar.

    >
    > > question:
    > > is it possible to configure cisco 876 router to periodically issue ping [or
    > > something similar] on frequent basis [few minutes] to force tunnel
    > > re-establish after adsl address change

    >
    > > any suggestions?

    >
    > > thnx!

    >
    > the post from bod43 looks on the money but I was just wondering how do you
    > setup a vpn tunnel when one end is dynamic - I have always had to have
    > static IP's at both ends )-:
    >
    > Can someone post a config that shows the commands for the static end eg.
    > what address do you use on the crypto commands at the static end?


    I have the idea that you can do this with DMVPN.
    Dynamic Multipoint...

    One possible disadvantage is that if someone gets hold of
    a remote router, they can then access your network
    from any IP address. I suppose there will be some mitigations
    available (e.g. restrict IP range to that of one ISP) and I
    suppose that you will be able to turn off a single router's
    access once you find out that it is missing.

    Much guesswork above.
     
    bod43, Jun 17, 2009
    #4
  5. Uli Link

    bod43 wrote:

    > One possible disadvantage is that if someone gets hold of
    > a remote router, they can then access your network
    > from any IP address. I suppose there will be some mitigations
    > available (e.g. restrict IP range to that of one ISP) and I
    > suppose that you will be able to turn off a single router's
    > access once you find out that it is missing.


    Revoke the certificate of the spoke router and it can't join the DMVPN
    network any more...
    If you only have two or three spokes you may change the preshared key on
    the remaining ones, if you don't want a PKI.


    --
    ULi
     
    Uli Link, Jun 17, 2009
    #5
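For Martin's question about the static end, an added example that nobody in the thread posted: a hub with a dynamic crypto map, which is the plain crypto-map way of accepting a peer whose address is unknown (DMVPN is the other route). It shows the wildcard pre-shared key that creates the exposure bod43 describes beside the per-spoke form that lets one lost router be cut off, in the spirit of Uli's reply. Addresses, interface, names and keys are placeholders, not anything from the thread.

```ios
! Headquarters router (Cisco 1841), static address - added example, not
! from the thread. Assumed: WAN 203.0.113.1/24 on FastEthernet0/0, HQ LAN
! 10.0.0.0/24, branch LAN 192.168.10.0/24, branch IKE identity
! branch1.example.com. Keys are placeholders.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Weak form (works, but this is the risk raised above): one key for every
! peer, accepted from any source address. Whoever holds the key - say the
! person who walked off with a spoke - can connect from anywhere.
!   crypto isakmp key CHANGEME-SHARED address 0.0.0.0 0.0.0.0
! Limiting it to the ISP's range narrows that a little, nothing more:
!   crypto isakmp key CHANGEME-SHARED address 198.51.100.0 255.255.255.0
!
! Tighter form: one key per spoke, selected by the spoke's IKE identity
! (its hostname) rather than by its unknown address. A lost spoke is cut
! off by deleting just its keyring entry; the other spokes keep working.
crypto keyring BRANCH1-KEYS
 pre-shared-key hostname branch1.example.com key CHANGEME-BRANCH1
!
crypto isakmp profile BRANCH1
 keyring BRANCH1-KEYS
 match identity host branch1.example.com
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
ip access-list extended BRANCH1-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! A dynamic map has no "set peer": the peer address is learned when the
! spoke initiates, so only the spoke can bring the tunnel up. That is
! exactly why the branch end needs something generating traffic to HQ.
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile BRANCH1
 match address BRANCH1-TRAFFIC
!
! Static peers, if any, take lower sequence numbers; the dynamic entry
! is consulted last.
crypto map VPN 100 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
```

Two caveats. The spoke has to present its hostname as its IKE identity (`crypto isakmp identity hostname` on the 876), and with pre-shared keys a hostname identity only works in IKEv1 aggressive mode, which exposes a hash of the key to anyone watching the exchange: use a long random key, and treat certificates, with revocation as the cut-off as Uli says, as the proper answer once there are more than a handful of spokes. And the `crypto isakmp profile` must actually be selected for the session: `show crypto session detail` on the hub shows which profile and identity matched, and a spoke that lands on no profile while a wildcard key is still configured is using the weak path.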
  6. sali

    "bod43" <> wrote in the newsgroup message:...
    > On 14 June, 22:45, "sali" <> wrote:


    >> is it possible to configure cisco 876 router to periodically issue ping
    >> [or
    >> something similar] on frequent basis [few minutes] to force tunnel
    >> re-establish after adsl address change

    >
    > track 1 rtr 101 reachability
    > delay down 20 up 20
    > ip sla 101
    > icmp-echo 10.0.0.1
    > timeout 1000
    > ip sla schedule 101 life forever start-time now


    just to say that my network admin has done something based on your suggestion, and
    since then, vpn-over-adsl has been working well for a few weeks.

    thnx again!
     
    sali, Jul 20, 2009
    #6
  7. bod43

    On 20 July, 21:12, "sali" <> wrote:
    > "bod43" <> wrote in the newsgroup message:...
    >
    > > On 14 June, 22:45, "sali" <> wrote:
    > >> is it possible to configure cisco 876 router to periodically issue ping
    > >> [or
    > >> something similar] on frequent basis [few minutes] to force tunnel
    > >> re-establish after adsl address change

    >
    > > track 1 rtr 101 reachability
    > > delay down 20 up 20
    > > ip sla 101
    > > icmp-echo 10.0.0.1
    > > timeout 1000
    > > ip sla schedule 101 life forever start-time now

    >
    > just to say that my network admin has done something based on your suggestion, and
    > since then, vpn-over-adsl has been working well for a few weeks.
    >
    > thnx again!


    That's good, always nice to hear that I am
    not completely clueless.

    Saying that, I have just faked up NTP in the past:)
    The SLA stuff is not that easy to follow.

    Good luck.
     
    bod43, Jul 21, 2009
    #7
  8. sali

    "bod43" <> wrote in the newsgroup message:...
    > On 20 July, 21:12, "sali" <> wrote:
    >> "bod43" <> wrote in the newsgroup message:...
    >>
    > just to say that my network admin has done something based on your suggestion,
    > and
    > since then, vpn-over-adsl has been working well for a few weeks.

    >
    > That's good, always nice to hear that I am
    > not completely clueless.


    this cisco-876 is a funny device, i have a few of them, and i am having other
    problems with them too

    there is a branch office with a few employees, a cisco-876 on adsl [but in this
    case, there is a static ip, if it counts], and one of the computers is not able to
    send mail. the cisco passes just the first few hundred bytes over port 25
    [smtp] and then stops, so, from that very computer, it is possible to send
    only very short mails. after resetting the cisco 876 router, it sends mail
    correctly for the next few days.
    and again, this happens only on *one* of the computers, all the others send
    mails the whole time [no matter how long they are] without any problem.
    i have noticed this problem in two branch offices, with two different
    cisco-876s
    i have checked this problem not just with a mail client [you really don't know
    what the mail client is doing], but also with telnet, over port 25. and
    after a few lines sent, the traffic really blocks

    my assumption was that the cisco-876 builds some internal tables based on the
    computer's nic mac, and somehow, maybe because of some traffic overload,
    this respective nic mac appears stuck, and its traffic over port 25 is
    blocked

    do you maybe have any clue what can be done to resolve [or further investigate]
    this problem?

    thnx!
     
    sali, Jul 22, 2009
    #8
  9. alexd

    sali wrote:

    > there is a branch office with a few employees, a cisco-876 on adsl [but in this
    > case, there is a static ip, if it counts], and one of the computers is not able
    > to send mail. the cisco passes just the first few hundred bytes over port
    > 25
    > [smtp] and then stops, so, from that very computer, it is possible to send
    > only very short mails. after resetting the cisco 876 router, it sends mail
    > correctly for the next few days.


    Check the SMTP inspection settings, although I can't think why it would work
    for a few days then stop.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    14:32:57 up 77 days, 2:41, 2 users, load average: 0.09, 0.10, 0.09
    A few flakes working together can unleash an avalanche of destruction
     
    alexd, Jul 22, 2009
    #9
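Neither post pins down *where* the session dies, and that is the number that separates the candidate causes: a cut-off at a fixed byte count points at something on the path that objects to a certain packet size, while a cut-off that moves with the number of commands rather than bytes points at command-level inspection of the kind alexd mentions. The following is an added example, not from the thread, of a probe that bisects the body size at which the SMTP dialog stops getting a `250`. Everything in it is assumed: the fake receiver is a constructed stand-in for the faulty path so the probe runs offline, `probe.invalid` is a placeholder, and `stall_after` is just the demo threshold. Run `find_stall_size("<mail relay>", 25)` from the affected computer against the real relay, then compare with a healthy one.

```python
"""Find where an SMTP session stalls by bisecting the message body size."""
import socket
import threading

CRLF = b"\r\n"
LINE = 76  # filler line width, well under the 998-byte SMTP line limit


def build_body(n):
    """n filler bytes as CRLF-terminated lines (no leading dots, so no
    dot-stuffing is needed)."""
    lines = [b"A" * LINE + CRLF for _ in range(n // LINE)]
    if n % LINE:
        lines.append(b"A" * (n % LINE) + CRLF)
    return b"".join(lines)


def wire_len(n):
    # bytes actually sent for n filler bytes, CRLFs included
    return len(build_body(n))


def read_reply(f):
    """3-digit code of a (possibly multi-line) reply; b'' if the peer went away."""
    while True:
        line = f.readline()
        if not line:
            return b""
        if len(line) >= 4 and line[3:4] != b"-":
            return line[:3]


def smtp_attempt(host, port, n, timeout=2.0):
    """One message with n filler bytes of body. True if the server
    acknowledges the terminating '.', False on silence, reset or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            if read_reply(f) != b"220":
                return False
            for cmd, want in ((b"EHLO probe.invalid", b"250"),
                              (b"MAIL FROM:<probe@probe.invalid>", b"250"),
                              (b"RCPT TO:<postmaster@probe.invalid>", b"250"),
                              (b"DATA", b"354")):
                s.sendall(cmd + CRLF)
                if read_reply(f) != want:
                    return False
            s.sendall(build_body(n) + b"." + CRLF)
            ok = read_reply(f) == b"250"
            s.sendall(b"QUIT" + CRLF)
            return ok
    except OSError:
        return False


def find_stall_size(host, port, hi=20000, timeout=2.0):
    """Largest filler size that still completes: None if even an empty body
    fails (connectivity, not size), hi if nothing up to hi stalls."""
    if not smtp_attempt(host, port, 0, timeout):
        return None
    if smtp_attempt(host, port, hi, timeout):
        return hi
    lo = 0  # invariant: lo works, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if smtp_attempt(host, port, mid, timeout):
            lo = mid
        else:
            hi = mid
    return lo


# Constructed stand-in for the faulty path: a minimal SMTP receiver that
# drops the session once a body exceeds stall_after bytes on the wire.
def _serve_one(conn, stall_after):
    f = conn.makefile("rb")
    conn.sendall(b"220 fake.invalid ESMTP" + CRLF)
    while True:
        line = f.readline()
        if not line:
            return
        verb = line.strip().split(b" ", 1)[0].split(b":", 1)[0].upper()
        if verb == b"QUIT":
            conn.sendall(b"221 bye" + CRLF)
            return
        if verb != b"DATA":
            conn.sendall(b"250 ok" + CRLF)
            continue
        conn.sendall(b"354 go ahead" + CRLF)
        body = b""
        while True:
            line = f.readline()
            if not line or line == b"." + CRLF:
                break
            body += line
        if not line or len(body) > stall_after:
            return  # drop instead of answering, like the fault described
        conn.sendall(b"250 queued" + CRLF)


def start_fake_smtp(stall_after):
    """Serve the fake receiver on a free loopback port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    _serve_one(conn, stall_after)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
```

A result that is the same on every run, and the same from the good and the bad computer except for the threshold, is what makes it worth taking to the vendor; a threshold that wanders with time fits the "works for a few days after a reset" description better than a fixed limit would. Against a real relay, read the result in `wire_len()` terms, since that is what crosses the router.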