PIX to PIX Easy VPN: how to make connection persistent / auto-reconnect ??

Discussion in 'Cisco' started by [iMpLoDe], Jan 17, 2005.

  1. [iMpLoDe]

    [iMpLoDe] Guest

    I have the following setup:

    PIX-506 at main office --> 6.3(3)
    PIX-501 at branch office --> 6.3(3)
    The only device behind the 501 is a thin client device (ICA/RDP only, no web browser)

    Easy VPN server was setup successfully on 506.
    Easy VPN client was setup successfully on 501.
    VPN connection created works fine and passes encrypted traffic
    Split tunnelling between both devices works fine.

    Problem 1: the VPN tunnel created by the 501 must be initiated manually via the CLI or by a web browser to trigger the
    Easy VPN client to connect,

    Problem 2: the VPN tunnel created by the 501 to the 506 times out and does not automatically reconnect


    Is there a configuration change that can be made to enable the 501 to automatically connect / reconnect the VPN tunnel
    to the 506? (either when RDP or other 'interesting' traffic destined for the VPN is heard on the 501?)

    I see the 6.3 command ref includes a 'nem-sp-autoconnect' command which may solve my problem, but the CLI on either PIX
    does not recognize this command...

    Regards,
    Chris
    [iMpLoDe], Jan 17, 2005
    #1

  2. In article <>,
    [iMpLoDe] <> wrote:
    :PIX-506 at main office --> 6.3(3)
    :PIX-501 at branch office --> 6.3(3)

    :Problem 1: the VPN tunnel created by the 501 must be initiated manually via the CLI or by a web browser to trigger the
    :Easy VPN client to connect,

    :Problem 2: the VPN tunnel created by the 501 to the 506 times out and does not automatically reconnect

    :Is there a configuration change that can be made to enable the 501 to automatically connect / reconnect the VPN tunnel
    :to the 506? (either when RDP or other 'interesting' traffic destined for the VPN is heard on the 501?)

    That -should- happen automatically. However, I haven't tried configuring
    a PIX using the Easy VPN client, so I do not have practical experience
    with that. It is fairly easy to use PDM to configure an IPSec tunnel
    using a shared secret; I would suggest taking that approach.


    :I see the 6.3 command ref includes a 'nem-sp-autoconnect' command which may solve my problem, but the CLI on either PIX
    :does not recognize this command...

    No such command; there is 'vpnclient nem-st-autoconnect', but
    that is only of interest when split tunneling is enabled. Urr,
    do you happen to have split tunneling enabled? That would lead to
    connections not automatically being made.
    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
    Walter Roberson, Jan 17, 2005
    #2

  3. [iMpLoDe]

    [iMpLoDe] Guest

    On 17 Jan 2005 04:15:13 GMT, -cnrc.gc.ca (Walter Roberson) wrote:

    >In article <>,
    >[iMpLoDe] <> wrote:
    >:PIX-506 at main office --> 6.3(3)
    >:PIX-501 at branch office --> 6.3(3)
    >
    >:Problem 1: the VPN tunnel created by the 501 must be initiated manually via the CLI or by a web browser to trigger the
    >:Easy VPN client to connect,
    >
    >:Problem 2: the VPN tunnel created by the 501 to the 506 times out and does not automatically reconnect
    >
    >:Is there a configuration change that can be made to enable the 501 to automatically connect / reconnect the VPN tunnel
    >:to the 506? (either when RDP or other 'interesting' traffic destined for the VPN is heard on the 501?)
    >
    >That -should- happen automatically. However, I haven't tried configuring
    >a PIX using the Easy VPN client, so I do not have practical experience
    >with that. It is fairly easy to use PDM to configure an IPSec tunnel
    >using a shared secret; I would suggest taking that approach.
    >
    >
    >:I see the 6.3 command ref includes a 'nem-sp-autoconnect' command which may solve my problem, but the CLI on either PIX
    >:does not recognize this command...
    >
    >No such command, but there is 'vpnclient nem-st-autoconnect', but
    >that is only of interest when split tunneling is enabled. Urr,
    >do you happen to have split tunneling enabled? That would lead to
    >connections not automatically being made.


    Walter:

    Greetings from Edmonton. Thanks. The line should have read vpnclient nem..., and yes, I am using split tunneling. The
    problem, I suspect, may be the use of the Easy VPN technology resulting in the headend treating the remotes like 'clients',
    which are subject to idle timeouts.

    If I use IPSec tunnels, should the connections automatically be created and re-created or be indefinitely persistent?

    If so, can you point me towards a sample config that may help guide me?

    Thanks in advance,
    Chris
    [iMpLoDe], Jan 17, 2005
    #3
  4. In article <>,
    [iMpLoDe] <> wrote:
    :If I use IPSec tunnels, should the connections automatically be created and re-created or be indefinitely persistent?

    If you use IPSec, the tunnels will be automatically created and re-created
    at need. Tunnel recreation is fairly fast, unless you happen to be
    using a dynamic IP address that has changed in the previous few minutes.

    Tunnels always persist for an integer multiple of the tunnel 'lifetime'
    that you configure, and do not time out until a complete 'lifetime' has
    gone by.

    For example, if you configure the lifetime as one hour,
    and use the tunnel for five minutes, at the end of the first hour
    the tunnel will see that it had traffic at -some- point during that
    hour and so will renew the tunnel for another hour. At the end of
    the second hour, it would note that nothing went by during that full
    hour and so would allow the tunnel to die -- two -full- lifetimes.
    For greater certainty: the tunnel would NOT expire one lifetime
    after the last traffic -- it would last 2 hours, not 1 hour and
    5 minutes in this example.

    :If so, can you point me towards a sample config that may help guide me?

    Here is a complete configuration suitable for the case where the
    506 side has a server and a user, both of which are allowed to start
    connections to the one user on the 501 side. The 501 user in this
    example is allowed to start connections to the 506 server but not
    to the 506 user. Private IP address space is used on each side, and
    network address translation is not used when communicating between
    the two sides.

    The 506 server is also allowed to receive outside email in this example,
    and the 506 server is allowed to do name resolution.
    [I tossed that in to show the network address translation parts.]


    : -------------- 501 side ----------------
    names
    name AAA.BBB.CCC.DDD net501_outside
    name EEE.FFF.GGG.HHH net506_outside

    name 192.168.10.0 net501
    name 192.168.10.1 net501_inside
    name 192.168.10.2 net501_user1

    name 192.168.20.0 net506
    name 192.168.20.1 net506_inside
    name 192.168.20.2 net506_user1
    name 192.168.20.3 net506_server

    ip address outside net501_outside 255.255.255.0
    ip address inside net501_inside 255.255.255.0

    access-list outside-acl permit ip host net506_server host net501_user1
    access-list outside-acl permit ip host net506_user1 host net501_user1
    access-group outside-acl in interface outside

    access-list inside-acl permit ip host net501_user1 host net506_server
    access-group inside-acl in interface inside

    access-list vpn-acl permit ip net501 255.255.255.0 net506 255.255.255.0

    nat (inside) 0 access-list vpn-acl

    crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac

    crypto map vpn-map 1000 ipsec-isakmp
    crypto map vpn-map 1000 match address vpn-acl
    crypto map vpn-map 1000 set peer net506_outside
    crypto map vpn-map 1000 set transform-set vc-ea256s
    crypto map vpn-map interface outside

    isakmp enable outside
    isakmp identity hostname

    isakmp key THIS-IS!MY-&SHARED@SeCrEt address net506_outside netmask 255.255.255.255 no-xauth no-config-mode

    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 5
    isakmp policy 7 lifetime 86400

    : -------------- 506 side ----------------
    names
    name AAA.BBB.CCC.DDD net501_outside
    name EEE.FFF.GGG.HHH net506_outside

    name 192.168.10.0 net501
    name 192.168.10.1 net501_inside
    name 192.168.10.2 net501_user1

    name 192.168.20.0 net506
    name 192.168.20.1 net506_inside
    name 192.168.20.2 net506_user1
    name 192.168.20.3 net506_server

    ip address outside net506_outside 255.255.255.0
    ip address inside net506_inside 255.255.255.0

    access-list outside-acl permit ip host net501_user1 host net506_server
    access-list outside-acl permit tcp any interface outside eq smtp
    access-group outside-acl in interface outside

    access-list inside-acl permit ip host net506_server host net501_user1
    access-list inside-acl permit ip host net506_user1 host net501_user1
    access-list inside-acl permit udp host net506_server any eq domain
    access-list inside-acl permit tcp host net506_server any eq domain
    access-group inside-acl in interface inside

    access-list vpn-acl permit ip net506 255.255.255.0 net501 255.255.255.0

    static (inside,outside) tcp interface smtp net506_server smtp 0 0
    nat (inside) 0 access-list vpn-acl
    nat (inside) 1 net506 255.255.255.0
    global (outside) 1 interface

    crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac

    crypto map vpn-map 1000 ipsec-isakmp
    crypto map vpn-map 1000 match address vpn-acl
    crypto map vpn-map 1000 set peer net501_outside
    crypto map vpn-map 1000 set transform-set vc-ea256s
    crypto map vpn-map interface outside

    isakmp enable outside
    isakmp identity hostname

    isakmp key THIS-IS!MY-&SHARED@SeCrEt address net501_outside netmask 255.255.255.255 no-xauth no-config-mode

    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 5
    isakmp policy 7 lifetime 86400
    --
    Those were borogoves and the momeraths outgrabe completely mimsy.
    Walter Roberson, Jan 17, 2005
    #4
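    A site-to-site PIX configuration like the one above only works when the two sides mirror each other exactly: the
    crypto ACLs must be each other's reverse, each 'set peer' and 'isakmp key' must point at the other side's outside
    address, and the transform-set, ISAKMP policy and pre-shared key must agree. A single slip (255.255.25.0 typed for
    255.255.255.0, or an ACL entered the same way round on both boxes) keeps the tunnel from ever coming up, and the PIX
    gives little indication of why. The following is an added example, not code from this thread or from Cisco: a small
    Python checker that parses constructed excerpts of the two sample configs (the documentation addresses 203.0.113.10
    and 198.51.100.20 stand in for the AAA.BBB.CCC.DDD and EEE.FFF.GGG.HHH placeholders; the 'name' aliases, ACL and
    crypto commands are those from the sample) and lists every mismatch that would block IKE or IPsec negotiation.

```python
"""Consistency checker for a pair of PIX 6.3 site-to-site IPsec configurations.
Added example, not code from the thread or from Cisco. It parses constructed
excerpts of the two sample configs (203.0.113.10 / 198.51.100.20 stand in for
the AAA.BBB.CCC.DDD / EEE.FFF.GGG.HHH placeholders) and reports an invalid
netmask, a peer/key not bound to the other side's outside address, a crypto
ACL that is not the mirror of the peer's, or differing transform-sets,
ISAKMP policies or pre-shared keys."""
import ipaddress
from collections import defaultdict

SIDE_501 = """
name 203.0.113.10 net501_outside
name 198.51.100.20 net506_outside
ip address outside net501_outside 255.255.255.0
access-list vpn-acl permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac
crypto map vpn-map 1000 match address vpn-acl
crypto map vpn-map 1000 set peer net506_outside
crypto map vpn-map 1000 set transform-set vc-ea256s
isakmp key THIS-IS!MY-&SHARED@SeCrEt address net506_outside netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 group 5
"""
SIDE_506 = """
name 203.0.113.10 net501_outside
name 198.51.100.20 net506_outside
ip address outside net506_outside 255.255.255.0
access-list vpn-acl permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac
crypto map vpn-map 1000 match address vpn-acl
crypto map vpn-map 1000 set peer net501_outside
crypto map vpn-map 1000 set transform-set vc-ea256s
isakmp key THIS-IS!MY-&SHARED@SeCrEt address net501_outside netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 group 5
"""
# The 506 side with the netmask slip that is easy to make when typing the sample in.
SIDE_506_TYPO = SIDE_506.replace("net506_outside 255.255.255.0", "net506_outside 255.255.25.0")


def parse(text):
    """Collect the tunnel-relevant commands from a PIX config, resolving `name` aliases."""
    names, cfg = {}, {"iface": {}, "acl": defaultdict(list), "ts": {},
                      "map": defaultdict(dict), "policy": defaultdict(dict), "key": None}
    res = lambda tok: names.get(tok, tok)
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:                       # iface -> (addr, mask)
            cfg["iface"][t[2]] = (res(t[3]), t[4])
        elif t[0] == "access-list":                            # acl name -> list of ACE tokens
            cfg["acl"][t[1]].append([res(x) for x in t[2:]])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[4] in ("match", "set"):
            cfg["map"][(t[2], t[3])][" ".join(t[4:6])] = res(t[6])   # e.g. "set peer" -> addr
        elif t[:2] == ["isakmp", "key"]:                       # (key, peer address)
            cfg["key"] = (t[2], res(t[4]))
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policy"][t[2]][t[3]] = t[4]
    return cfg


def ace_networks(ace):
    """(src, dst) networks of a `permit ip` ACE: handles `host X`, `any` and `addr mask`."""
    nets, i = [], 2
    while len(nets) < 2:
        if ace[i] == "host":
            nets.append(ipaddress.IPv4Network(ace[i + 1])); i += 2
        elif ace[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        else:
            nets.append(ipaddress.IPv4Network((ace[i], ace[i + 1]), strict=False)); i += 2
    return tuple(nets)


def check_pair(text_a, text_b, label_a="501", label_b="506"):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b, findings = parse(text_a), parse(text_b), []
    for label, me, other in ((label_a, a, b), (label_b, b, a)):
        peer_outside = other["iface"]["outside"][0]
        for iface, (addr, mask) in me["iface"].items():
            try:                                   # a non-contiguous mask raises ValueError
                ipaddress.IPv4Network((addr, mask), strict=False)
            except ValueError:
                findings.append("%s: invalid netmask %s on interface %s" % (label, mask, iface))
        for (mname, seq), m in me["map"].items():
            if m.get("set peer") != peer_outside:
                findings.append("%s: crypto map %s %s peer is not the other side's outside address" % (label, mname, seq))
        if me["key"] is None or me["key"][1] != peer_outside:
            findings.append("%s: isakmp key is not bound to the other side's outside address" % label)
    ts = lambda s: {s["ts"].get(m.get("set transform-set")) for m in s["map"].values()}
    pol = lambda s: {tuple(sorted(p.items())) for p in s["policy"].values()}
    aces = lambda s: {ace_networks(e) for m in s["map"].values()
                      for e in s["acl"].get(m.get("match address"), []) if e[:2] == ["permit", "ip"]}
    if ts(a) != ts(b):
        findings.append("transform-sets differ between the two sides")
    if pol(a) != pol(b):
        findings.append("isakmp policies differ between the two sides")
    if a["key"] and b["key"] and a["key"][0] != b["key"][0]:
        findings.append("pre-shared keys differ between the two sides")
    if {(d, s) for s, d in aces(b)} != aces(a):   # peer's ACL must be ours with src/dst swapped
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    print("corrected:", check_pair(SIDE_501, SIDE_506) or "OK")
    print("with typo:", check_pair(SIDE_501, SIDE_506_TYPO))
```

    Run it as-is to see the corrected pair pass and the netmask slip flagged; paste in 'show run' excerpts from your own
    two boxes in place of the constructed strings to check a real pair. The mirror test deliberately compares networks,
    not text, so 'host 192.168.10.2' on one side and '192.168.10.2 255.255.255.255' on the other are treated as equal.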
  5. [iMpLoDe]

    [iMpLoDe] Guest

    On 17 Jan 2005 05:08:02 GMT, -cnrc.gc.ca (Walter Roberson) wrote:

    >[snip]

    Walter:
    Thank you, thank you, thank you! I sincerely appreciate your help and lightning-fast replies.

    Cheers,
    Chris
    [iMpLoDe], Jan 17, 2005
    #5
