The problem I experience is that, if the hub router goes off (because I
reboot it or shut down the WAN interface), the ISAKMP and IPsec associations
remain active on the spokes.
As such, when the hub router comes back up, the spokes try to use the
existing SAs to communicate with it, which results in ‘Invalid SPI’ errors
on the hub, with no connectivity as such.
I resolve this problem manually by clearing crypto sessions on the spokes.
I would like to know if there is a way to let the spokes time out their SA
sessions and re-initiate Phase 1 & 2 negotiations if the hub becomes
unavailable for some seconds.