One of our clients has a Cisco 1841 router connected to another network through an IPsec VPN tunnel. Everything works, but occasionally the VPN tunnel drops and comes back up later (sometimes within minutes, sometimes hours).
I have a feeling that the router is configured to drop the tunnel after so many minutes without any network traffic passing through it, and then re-establish the tunnel when traffic needs to go through it.
What I would like to do is configure the router so that the tunnel always stays up. The documentation I have seen mentions modifying the group policy, but the router is not configured for that, and I would like to stay away from doing that if possible.
Below is a sanitized copy of their router configuration. Any help would be greatly appreciated.
--
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CustomerName
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gaBA$wXYb7px.gAAFR05JJ10510
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
!
!
ip domain name CustomerName.us
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
crypto pki trustpoint TP-self-signed-475674154
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-475674154
revocation-check none
rsakeypair TP-self-signed-475674154
!
!
crypto pki certificate chain TP-self-signed-475674154
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34373536 37343135 34301E17 0D313330 38303132 30303834
385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3437 35363734
31353430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
A971CD18 93797FFA EB6BE936 2F3E66C4 8E295883 6C674012 A880FA08 FAE3490A
B362AB65 670E881C D2250574 720A6641 2A072F83 7A456DBC 0EDBBF4D FA675717
E45AABF5 3B94F956 8D7D0EDE 57E4048B 0D616B9A 96E2F6A0 5AADC8FB 803A991C
E0DA0B0B 7644D132 336C3DB3 7FD12D97 E9EF15EF AAC6CF12 4504AC41 C6D4BA1B
02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
11041830 16821441 6C6C7368 6F72652E 616C6C73 686F7265 2E757330 1F060355
1D230418 30168014 08293177 593054F5 0592E062 1CE0BB17 E3E71990 301D0603
551D0E04 16041408 29317759 3054F505 92E0621C E0BB17E3 E7199030 0D06092A
864886F7 0D010104 05000381 81008017 F56757B1 2D716F08 6748811E 2D86D83B
92288F4B 215BADE9 78BEB571 4E2B5673 15B3DF04 DEE340F5 380B0CA1 E4BEB665
FE80D4B2 27F302F9 CB7DEB45 5A3B5959 D46127A9 68783C20 B066BEEE 18705DCF
D26068C7 1F5EA80C 2644ECE2 FB1894EF 6F13CA87 4CD13494 9ADE31AF 5B752C11
375DEA79 14A3EBE0 F04FBD7E 96B1
quit
username CustomerName privilege 15 secret 5 $1$FpRX$rOCJ52eTZllenQD5sSUvT1
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key fM579D2i92r3j9tydsanFntyeakB6KWvJDoR7n79yxsWXe8p5o3hhh5N23vktv4 address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set red esp-aes 256 esp-sha-hmac
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set red
set pfs group1
match address crypto10
!
!
!
!
interface FastEthernet0/0
description Connected to Cable Modem
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map OUTSIDE_MAP
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1/0
switchport access vlan 2
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan2
description CustomerName LAN
ip address 10.10.20.1 255.255.255.0
ip helper-address 172.16.3.100
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 184.178.184.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static udp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static tcp 10.10.20.2 5090 184.178.184.16 5090 extendable
ip nat inside source static udp 10.10.20.2 9000 184.178.184.16 9000 extendable
ip nat inside source static udp 10.10.20.2 9001 184.178.184.16 9001 extendable
ip nat inside source static udp 10.10.20.2 9002 184.178.184.16 9002 extendable
ip nat inside source static udp 10.10.20.2 9003 184.178.184.16 9003 extendable
ip nat inside source static udp 10.10.20.2 9004 184.178.184.16 9004 extendable
ip nat inside source static udp 10.10.20.2 9005 184.178.184.16 9005 extendable
!
ip access-list extended crypto10
permit ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
!
access-list 101 deny ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output all
line vty 5 15
privilege level 15
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
end
--
I think you can find the answer to your question here:
http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a00806c1d08.html#wp2551278
IPSec SA Idle Timer Global Configuration Example
The following example configures the IPSec SA idle timer globally to delete SAs for inactive peers after 600 seconds:
Router(config)# crypto ipsec security-association idle-time 600
IPSec SA Idle Timer per Crypto Map Configuration Example
The following example configures the IPSec SA idle timer for the crypto map named "test" to delete SAs for inactive peers after 600 seconds:
Router(config)# crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600
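To put the quoted idle-timer command next to what actually keeps a crypto-map tunnel established, here is an added configuration example written against the posted config; it is not from the original question, the answer, or Cisco's documentation. Two points about IOS crypto maps are factual: the idle timer quoted above removes a peer's IPsec SAs after a period without traffic (the posted config does not set it, so it is not what is tearing this tunnel down), and SAs for a crypto map are only negotiated when a packet matches the crypto ACL, so a tunnel with no traffic simply has no SAs until the next interesting packet arrives. The Dead Peer Detection timers, the IP SLA operation number and probe interval, and the choice of 172.16.3.100 as a host that answers ICMP are assumptions for this example; the addresses themselves come from the posted config (Vlan2 address 10.10.20.1, the ip helper-address 172.16.3.100, crypto ACL crypto10, NAT exemption in access-list 101).

```cisco
! Added example, not part of the posted configuration.
!
! 1) Do NOT add this if the goal is a tunnel that stays up. It is the
!    command from the quoted document and it deletes the IPsec SAs of a
!    peer after 600 s without traffic. The posted config does not set it.
! crypto ipsec security-association idle-time 600
!
! 2) Dead Peer Detection (assumed values: probe every 10 s, retry every 3 s).
!    If the far end reboots or its address changes, stale SAs on this side
!    otherwise linger until the SA lifetime expires, which looks like a
!    tunnel that is "down for hours" and then comes back by itself.
crypto isakmp keepalive 10 3 periodic
!
! 3) Keep interesting traffic flowing so the crypto map never sits idle.
!    An IP SLA ICMP probe sourced from the LAN interface address 10.10.20.1
!    (inside crypto ACL crypto10, and exempted from NAT by the deny line of
!    access-list 101) to a host on the far side. 172.16.3.100 is the
!    ip helper-address from the posted config; that it answers ICMP is an
!    assumption, use any host inside 172.16.3.0/24 that does.
ip sla 10
 icmp-echo 172.16.3.100 source-ip 10.10.20.1
 frequency 60
ip sla schedule 10 life forever start-time now
!
! Mainline 12.4 images (before the 12.4(4)T syntax change) spell the same
! operation as:
!   ip sla monitor 10
!    type echo protocol ipIcmpEcho 172.16.3.100 source-ipaddr 10.10.20.1
!    frequency 60
!   ip sla monitor schedule 10 life forever start-time now
```

To confirm it is working: `show crypto isakmp sa` should list the peer in state QM_IDLE, `show crypto ipsec sa peer xxx.xxx.xxx.xxx` should show the encaps/decaps counters climbing by roughly one packet per probe interval, and `show ip sla statistics 10` (or `show ip sla monitor statistics 10` on the older syntax) should report successful echoes. Separately, the "sanitized" config above still carries the ISAKMP pre-shared key and the Type 5 enable and username hashes in full; once a config has been posted like this, the pre-shared key and those passwords should be treated as disclosed and rotated.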