Router (Dynamic IP) to PIX (static) VPN, how to force router to connect?

I just installed a second 1721 router at a remote site and it connects to HQ
via IPSec VPN. Works Great when I have a laptop there on site and its
actively communicating back to the HQ Subnet. There is only one device
there at the remote location and its just a web server of sorts, so it only
talks when its spoken to.

My problem is that since the remote site is on DSL, the VPN drops here and
there. Since the only device at the remote location does not talk unless
spoken to, it never tries to bring up the VPN connection.

Is there a way to make the router keep the VPN connection up even if there
is no traffic destined to the remote network?

The DSL Service is a Dynamic IP, so I can have HQ bring up the connection to
the remote. I was hoping for some keep-alive that I can set up in the
router to ping the HQ subnet every once in a while.

Thanks,
Scott<-

 

hey scott

how about setting up a routing-protocol inside of
the tunnel? - so the remotrouter tries to reach its
neighbour and opens the connection

greetz, curtis

 

Hmmm... that's a thought. We have EIGRP at HQ. I should be able to
configure that....

Though How do I set it up so it does not include the Outside Interface, but
then still passes the Traffic back to the HQ Subnet?

Thanks!

Scott<-

 

there is a command called "passive-interface". That shoudl get the job
done. If I understan you correctly.

Frank

 

So I'm Setup As Follows:

10.10.1.1 - Core Router @ HQ
10.10.1.2 - PIX @ HQ, Connects to outside/Internet

SBC/DSL Dynamic IP Outside E0
10.20.1.1 Inside Interface @ Remote Site

On the Both the Core and Remote Routers I have:
router eigrp 2
network 10.0.0.0
default-metric 1000 100 255 1 1500
no auto-summary
no eigrp log-neighbor-changes

Though doing a Show Ip Route, does not give me information about the other
ends from either router.
If I try to add a neighbor, it wants it to be on a Subnet that is directly
connected to the router. Is there another way to tell it who one if its
neighbors is?

Thanks,
Scott<-

 

Hey Curtis,

I've looked at a few Routing Protocols and Tried to get EIGRP to do what I
want though I can only configure a Neighbor that is Directly Connected.

Any Suggestions?

Thanks,
Scott<-

 

IPSec doesn't forward multicast traffic, which most routing protocols use (you
could use BGP). However, an alternative might be to configure NTP in the remote
router and specify the local ethernet interface as the source of the NTP traffic
and an NTP server at HQ, that may be enough to keep the tunnel up, even if
there's not really an NTP server at HQ.

HTH - Good luck!