Force a Remote Router to keep a VPN Connection Alive?

Discussion in 'Cisco' started by Scott Townsend, May 23, 2005.

  1. I just installed a second 1721 router at a remote site and it connects to HQ
    via IPsec VPN. It works great when I have a laptop there on site and it's
    actively communicating back to the HQ subnet. There is only one device
    there at the remote location and it's just a web server of sorts, so it only
    talks when it's spoken to.

    My problem is that since the remote site is on DSL, the VPN drops here and
    there. Since the only device at the remote location does not talk unless
    spoken to, it never tries to bring up the VPN connection.

    Is there a way to make the router keep the VPN connection up even if there
    is no traffic destined to the remote network?

    The DSL service is a dynamic IP, so I can't have HQ bring up the connection
    to the remote. I was hoping for some keep-alive that I can set up in the
    router to ping the HQ subnet every once in a while.

    It has also been suggested that I set up a routing protocol to transmit routing
    updates. I've tried to set up EIGRP through the VPN, though it won't let me
    set up any neighbors that are not directly connected.

    Any Suggestions would be Great!

    Scott Townsend, May 23, 2005
  2. Establish a GRE tunnel between the two routers and then encapsulate the GRE
    packets with IPsec. You should then be able to pass whatever routing
    protocol you like across the tunnel.

    Buzz Lightbeer, May 24, 2005
  3. Another useful bit of traffic: Set up NTP and have the router synchronize
    its clock to the VPN peer.

    You might also look at Cisco SAA (Service Assurance Agent) if you have
    that feature to generate monitoring traffic.

    Or, build a GRE tunnel and run a routing protocol over that.

    You might also turn on DPD (Dead Peer Detection) to check for VPN link loss
    due to DSL readdressing (so the VPN device knows to bring up a new

    Phillip Remaker, May 24, 2005
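As an added illustration of the NTP, SAA and DPD suggestions in the post above (this is not configuration from the thread; the addresses, interface names and ACL name are assumptions), the following Cisco IOS fragment shows what would go on the remote 1721 when the existing crypto map matches plain LAN-to-LAN traffic rather than GRE. It assumes the remote LAN is 192.168.2.0/24 with the router at 192.168.2.1 on FastEthernet0, the HQ LAN is 192.168.1.0/24 with a host at 192.168.1.10 that answers ICMP and serves NTP, and the DSL circuit terminates on Dialer0.

```cisco
! Remote 1721 - only the lines that generate keepalive traffic or detect a
! dead peer are shown; the existing ISAKMP policy, transform set and crypto
! map are assumed to be in place. All addresses and names here are assumed.
!
! The probes below only help if they fall inside the crypto ACL. Sourced from
! the DSL address they would not match and would never trigger IKE.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! 1) SAA/RTR ICMP echo probe to an HQ host every 30 s, sourced from the LAN
!    address so the packet matches VPN-TRAFFIC and keeps the SA busy.
rtr 1
 type echo protocol ipIcmpEcho 192.168.1.10 source-ipaddr 192.168.2.1
 frequency 30
 timeout 2000
rtr schedule 1 life forever start-time now
!
! 2) NTP against an HQ time source, again sourced from the LAN interface.
!    NTP polls only every 64 to 1024 s, so on its own it is a slow keepalive.
ntp server 192.168.1.10 source FastEthernet0
!
! 3) DPD: send a probe after 10 s of silence, retry every 3 s, and tear down
!    the SA if the peer never answers (for example after the DSL address
!    changes). Add the "periodic" keyword, where the IOS supports it, so the
!    probe is sent even when the router has nothing else to transmit.
crypto isakmp keepalive 10 3
```

Two caveats worth keeping in mind. DPD only removes a stale SA; it never brings a tunnel up, so some source of interesting traffic (the RTR probe here) is still needed, and without "periodic" the probe is only sent when the router already has traffic queued for the peer. The "rtr" commands were renamed "ip sla monitor" and later "ip sla" in newer IOS releases; the probe definition is the same, only the keywords differ. Check the result with "show rtr operational-state 1" and "show crypto isakmp sa".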
  4. You have a few options.

    1) Maybe the easiest is to enable some type of routing protocol and
    make it part of the crypto ACL. Putting it inside a GRE tunnel would
    even make routing work. Though in this particular case, broadcasting
    RIP packets may be sufficient.

    2) Try to enable Dead Peer Detection. Not sure what IOS version you
    have, so it may well fall into "your mileage may vary".

    The key is to keep something chatty into the crypto ACL.

    Hansang Bae, May 24, 2005
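The GRE-over-IPsec design suggested in posts 2 and 4 (a GRE tunnel between the routers, the crypto ACL matching only that GRE, and EIGRP running inside it), written out as an added example; this is not configuration posted in the thread. Because the remote's DSL address changes, the tunnel is sourced from loopbacks instead of the WAN addresses: the remote always initiates, HQ uses a dynamic crypto map, and reverse-route injection gives HQ its route to the remote loopback once the SA is up. Assumed: HQ is reachable at 203.0.113.1 on FastEthernet0 with LAN 192.168.1.0/24, the remote 1721 has LAN 192.168.2.0/24 and its DSL on Dialer0, loopbacks 10.255.255.1 (HQ) and 10.255.255.2 (remote), tunnel subnet 172.16.255.0/30, EIGRP AS 100 and the pre-shared key EXAMPLE-PSK.

```cisco
! ---- Remote 1721 (dynamic DSL address on Dialer0) ----
! All addresses, names and the PSK below are assumptions for the example.
crypto isakmp policy 10
 encr aes                          ! 3des if the image has no AES
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
crypto isakmp keepalive 10 3 periodic   ! DPD; drop "periodic" on IOS older than 12.3(7)T
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Only GRE between the two loopbacks is interesting traffic. Everything else,
! including the EIGRP hellos every 5 s, rides inside the GRE and so keeps
! the SA alive even when the web server is idle.
ip access-list extended GRE-TO-HQ
 permit gre host 10.255.255.2 host 10.255.255.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address GRE-TO-HQ
!
interface Loopback0
 ip address 10.255.255.2 255.255.255.255
!
interface Dialer0
 ! PPPoE/DSL settings omitted; the crypto map sits on the WAN interface
 crypto map VPN
!
interface Tunnel0
 ip address 172.16.255.2 255.255.255.252
 ip mtu 1400                       ! leave room for GRE + ESP overhead
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.255.255.1
!
! The default route carries the GRE packets for 10.255.255.1 out Dialer0,
! where the crypto map catches them and starts IKE.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
router eigrp 100
 network 172.16.255.0 0.0.0.3
 network 192.168.2.0 0.0.0.255     ! remote LAN; loopbacks deliberately not advertised
 no auto-summary
!
! ---- HQ router (static 203.0.113.1 on FastEthernet0) ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Wildcard PSK because the remote's address is not known in advance.
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route                     ! installs 10.255.255.2/32 via the peer when the SA comes up
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
interface Tunnel0
 ip address 172.16.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.255.255.2
!
router eigrp 100
 network 172.16.255.0 0.0.0.3
 network 192.168.1.0 0.0.0.255     ! HQ LAN
 no auto-summary
```

Verify with "show crypto isakmp sa" and "show ip eigrp neighbors" on either side; the remote should show 172.16.255.1 as a neighbor over Tunnel0, and the original EIGRP problem (no neighbors that are not directly connected) goes away because the tunnel subnet is directly connected at both ends. Keep the loopbacks out of EIGRP: if HQ ever learned 10.255.255.2 through the tunnel, the tunnel would route through itself and flap. The wildcard pre-shared key on the HQ side is the weak point of this design, since any host that knows EXAMPLE-PSK can authenticate from any address; where the IOS supports it, use "crypto isakmp identity hostname" with a per-router "crypto isakmp key ... hostname" entry, or certificates, so each remote has its own credential.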
