
Does a site-to-site IPsec VPN need an always-on connection/tunnel with keepalives, or is it possible to only encrypt packets when needed (when they match a route or something like that)?

bbigras
1 Answer

You can do opportunistic encryption (that is, only bringing up the tunnel when needed), with a couple of caveats:

  • You will need to actively maintain the access-list for what traffic is considered "interesting"
  • You will necessarily cause route flapping, as a path appears and disappears in your RIB and is then propagated throughout both sites via whatever routing protocol you use to communicate between routers; dampening will be your friend, to keep from slowly confusing and burning up your routers
  • Your monitoring discipline will have to mature, as you can no longer just look at "is the tunnel interface up?", you'll need to look at "is the tunnel interface up, and did I expect it to be up?"
  • Lastly, because of tunnel initialization time, you will only want to use opportunistic encryption for reliable services, as there is a likelihood of the first packet of a communication timing out or being lost as it waits for the tunnel to come into being and a route to the far-side to be available
  • To mitigate most of these, configure it to stay up for several minutes after the last "interesting" packet, so if another "interesting" conversation starts shortly after, you have a pathway for it already.

It might not hurt to find an old Cisco BCRAN textbook and read up on the implications of Dial-On-Demand-Routing; this is essentially the same thing, only using crypto instead of PSTN/ISDN.

Out of curiosity, what is the driver for having the tunnel interface down and only establishing it when it is needed? Since the tunnel is essentially free (not tariffed per minute like old PSTN/ISDN/PRI), having it nailed-up with a periodic heartbeat to keep it up is probably cheaper in terms of maintenance and support.

DTK
    One other thing to be aware of: you will also want to monitor the router on your side of the tunnel (and have your peer on the far side of the tunnel monitor the same) to watch for changes in routes pointing toward network segments on the far side of the tunnel for changes not corresponding to changes in the tunnel state. This is not always an easy thing to monitor, but will give you at least data (possibly information) to prevent/respond to problems. – DTK Oct 05 '14 at 20:46
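To make the answer's trade-off concrete, here is a small Python model (added here, not part of the original answer) of a demand-driven tunnel: an interesting packet brings the tunnel up, the first packets are lost while IKE/IPsec negotiate, and an idle timer tears it down again. Every tunnel setup stands for a far-side route appearing in the RIB (one flap), so comparing a short idle timer, a several-minute one, and a nailed-up tunnel shows why the answer recommends the longer holddown. The packet timings, the 2-second setup delay and the helper names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: arrival times (seconds) of "interesting" packets, i.e.
# packets matching the crypto ACL. Four short conversations; each one sends a
# packet, retransmits one second later, then sends again two seconds after that.
INTERESTING_PACKETS = [0, 1, 3, 60, 61, 63, 400, 401, 403, 1800, 1801, 1803]


@dataclass
class TunnelStats:
    setups: int        # each setup adds/withdraws the far-side route: one flap
    lost_packets: int  # packets that arrived while the tunnel was not yet up
    forwarded: int


def simulate_on_demand(arrivals, idle_timeout, setup_delay=2.0):
    """Model a demand-driven IPsec tunnel (assumed behaviour, not vendor code).

    An interesting packet that finds the tunnel down triggers negotiation,
    which takes setup_delay seconds; packets seen before negotiation completes
    are dropped. The tunnel is torn down once idle_timeout seconds pass with
    no interesting traffic. Pass float("inf") for a nailed-up tunnel.
    """
    up_at = None        # time negotiation finished; None while the tunnel is down
    last_seen = None    # time of the last interesting packet
    stats = TunnelStats(0, 0, 0)
    for t in arrivals:
        if up_at is not None and t - last_seen > idle_timeout:
            up_at = None                  # idle timer expired: SA deleted, route withdrawn
        if up_at is None:
            stats.setups += 1             # route appears again in the RIB
            stats.lost_packets += 1       # trigger packet is lost while negotiating
            up_at = t + setup_delay
        elif t < up_at:
            stats.lost_packets += 1       # still negotiating
        else:
            stats.forwarded += 1
        last_seen = t
    return stats


def tunnel_should_be_up(now, last_interesting, idle_timeout):
    """Monitoring helper: the state the demand tunnel is *expected* to be in,
    so an alert compares 'is it up?' against 'should it be up?'."""
    return last_interesting is not None and now - last_interesting <= idle_timeout


if __name__ == "__main__":
    for label, timeout in (("30 s idle", 30), ("300 s idle", 300), ("nailed-up", float("inf"))):
        print(label, simulate_on_demand(INTERESTING_PACKETS, timeout))
```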