
One of our customers has a Cisco 1841 router that connects to another network over an IPsec VPN tunnel. Everything works fine, but occasionally the VPN tunnel drops and comes back later (sometimes after minutes, sometimes hours).

I have a feeling the router is configured to drop the tunnel if no traffic has passed through it for some number of minutes, and then re-establish it when traffic needs to go through.

What I'd like to do is configure the router so that the tunnel stays up all the time. The documentation I've seen mentions modifying a group policy, but the router isn't configured for that, and I'd like to stay away from doing that if possible.

A scrubbed copy of their router configuration is below. Any help would be appreciated.

--

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CustomerName
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gaBA$wXYb7px.gAAFR05JJ10510
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
!
!
ip domain name CustomerName.us
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
crypto pki trustpoint TP-self-signed-475674154
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-475674154
revocation-check none
rsakeypair TP-self-signed-475674154
!
!
crypto pki certificate chain TP-self-signed-475674154
certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34373536 37343135 34301E17 0D313330 38303132 30303834
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3437 35363734
  31353430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A971CD18 93797FFA EB6BE936 2F3E66C4 8E295883 6C674012 A880FA08 FAE3490A
  B362AB65 670E881C D2250574 720A6641 2A072F83 7A456DBC 0EDBBF4D FA675717
  E45AABF5 3B94F956 8D7D0EDE 57E4048B 0D616B9A 96E2F6A0 5AADC8FB 803A991C
  E0DA0B0B 7644D132 336C3DB3 7FD12D97 E9EF15EF AAC6CF12 4504AC41 C6D4BA1B
  02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  11041830 16821441 6C6C7368 6F72652E 616C6C73 686F7265 2E757330 1F060355
  1D230418 30168014 08293177 593054F5 0592E062 1CE0BB17 E3E71990 301D0603
  551D0E04 16041408 29317759 3054F505 92E0621C E0BB17E3 E7199030 0D06092A
  864886F7 0D010104 05000381 81008017 F56757B1 2D716F08 6748811E 2D86D83B
  92288F4B 215BADE9 78BEB571 4E2B5673 15B3DF04 DEE340F5 380B0CA1 E4BEB665
  FE80D4B2 27F302F9 CB7DEB45 5A3B5959 D46127A9 68783C20 B066BEEE 18705DCF
  D26068C7 1F5EA80C 2644ECE2 FB1894EF 6F13CA87 4CD13494 9ADE31AF 5B752C11
  375DEA79 14A3EBE0 F04FBD7E 96B1
  quit
username CustomerName privilege 15 secret 5 $1$FpRX$rOCJ52eTZllenQD5sSUvT1
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key fM579D2i92r3j9tydsanFntyeakB6KWvJDoR7n79yxsWXe8p5o3hhh5N23vktv4 address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set red esp-aes 256 esp-sha-hmac
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set red
set pfs group1
match address crypto10
!
!
!
!
interface FastEthernet0/0
description Connected to Cable Modem
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map OUTSIDE_MAP
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1/0
switchport access vlan 2
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan2
description CustomerName LAN
ip address 10.10.20.1 255.255.255.0
ip helper-address 172.16.3.100
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 184.178.184.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static udp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static tcp 10.10.20.2 5090 184.178.184.16 5090 extendable
ip nat inside source static udp 10.10.20.2 9000 184.178.184.16 9000 extendable
ip nat inside source static udp 10.10.20.2 9001 184.178.184.16 9001 extendable
ip nat inside source static udp 10.10.20.2 9002 184.178.184.16 9002 extendable
ip nat inside source static udp 10.10.20.2 9003 184.178.184.16 9003 extendable
ip nat inside source static udp 10.10.20.2 9004 184.178.184.16 9004 extendable
ip nat inside source static udp 10.10.20.2 9005 184.178.184.16 9005 extendable
!
ip access-list extended crypto10
permit ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
!
access-list 101 deny   ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output all
line vty 5 15
privilege level 15
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
end

--

1 Answer

I think you can find the answer to your question here.

http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a00806c1d08.html#wp2551278

IPSec SA Idle Timer Global Configuration Example

The following example globally configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:

Router(config)# crypto ipsec security-association idle-time 600

IPSec SA Idle Timer per Crypto Map Configuration Example

The following example configures the IPSec SA idle timer for a crypto map named "test" to drop SAs for inactive peers after 600 seconds:

Router(config)# crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600
answered 2013-11-01T21:16:36.410
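As an added example (not part of the question or of the answer above, and not the customer's configuration), here is how the two idle-timer forms quoted in the answer look when applied to this router's own crypto map OUTSIDE_MAP, together with the checks a practitioner would run. Note the direction of that command: the IPsec SA idle timer tears down an SA after the configured seconds of inactivity, which is exactly the "drops when idle, comes back when traffic arrives" behaviour the question describes, so on a router that is expected to keep its tunnel up the first thing to confirm is that it is not set (it does not appear in the posted config). The second part, keeping the SA in use with ISAKMP dead-peer-detection keepalives and an IP SLA ICMP probe, is my assumed approach and is not from the page; using 172.16.3.100 (the ip helper-address already in the config) as a host on the far side that answers ICMP is also an assumption.

```cisco
! Added example; not the posted configuration.
!
! --- 1. The idle timer from the answer, on this router's crypto map ---
! Either of these REMOVES the IPsec SA after 600 s without traffic.
! Global form:
crypto ipsec security-association idle-time 600
! Per-crypto-map form (crypto map name and sequence taken from the posted config):
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set security-association idle-time 600
!
! To keep the tunnel up, make sure neither form is configured. Check with
!   Router# show running-config | include idle-time
! and, if either line is present, remove it:
no crypto ipsec security-association idle-time 600
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 no set security-association idle-time
!
! --- 2. Keep the SA in use (assumed approach, not from the page) ---
! DPD with "periodic" sends a keepalive to the peer every 10 s regardless of
! traffic and retries every 3 s, so a dead peer is noticed and the SA is
! rebuilt promptly instead of only when the next user packet arrives.
crypto isakmp keepalive 10 3 periodic
!
! An ICMP probe sourced from the inside address generates "interesting"
! traffic that matches ACL crypto10 (10.10.20.0/24 -> 172.16.3.0/24) once a
! minute, so the IPsec SA is established at boot and never sits idle.
! 172.16.3.100 is assumed to be a reachable host on the far side.
ip sla 1
 icmp-echo 172.16.3.100 source-ip 10.10.20.1
 frequency 60
ip sla schedule 1 life forever start-time now
!
! --- 3. Verification ---
!   Router# show crypto isakmp sa       (phase 1: peer should sit in QM_IDLE)
!   Router# show crypto ipsec sa        (phase 2: #pkts encaps/decaps should keep rising)
!   Router# show ip sla statistics 1    (probe successes should keep rising)
```

On 12.4 mainline images the IP SLA configuration mode is entered with `ip sla monitor 1` rather than `ip sla 1`; the `ip sla` form arrived with 12.4(4)T, so check which syntax this image accepts. While in the config it is also worth tightening what the posted copy shows: `no service password-encryption`, the ISAKMP pre-shared key stored and posted in clear text, plain `ip http server`, and telnet allowed on the vty lines (`transport input telnet ssh` and `transport input all`). At minimum rotate that pre-shared key now that it has been published, enable `service password-encryption`, restrict the vty lines to `transport input ssh`, and disable the plain-HTTP server. The crypto parameters themselves (`set pfs group1`, i.e. 768-bit Diffie-Hellman, and `group 2`) are weak by current standards, but changing them requires coordinating with the far end.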