We have an IPSec VPN between a Cisco ASA and a Sonicwall, but we randomly see it drop after 8 or 10 hours. I can't track down the problem, so I just want to know whether there is a simple setting to automatically renegotiate the tunnel or something similar. We want to keep this tunnel up permanently; is there any problem with that?
Updated config:
crypto map external_map 100 match address VPN-ACL
crypto map external_map 100 set pfs
crypto map external_map 100 set peer 201.x.xx.xx 96.xx.xx.xx
crypto map external_map 100 set ikev2 ipsec-proposal ESP-AES128-SHA
crypto map external_map 65535 ipsec-isakmp dynamic external_dynamic_map
crypto map external_map interface external
crypto ikev2 policy 10
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 28800
tunnel-group 201.xx.xx.xx type ipsec-l2l
tunnel-group 201.xx.xx.xx ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Log:
2016-09-12 10:36:43 Local4.Warning 172.6.xx.xx fw01 %ASA-4-750003: Local:xx.xx.xxx.xxx:500 Remote:xx.xx.xx.xx:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
Command output:
IKEv2 SAs:
Session-id:12204, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
992958129 3x.xx.xx.xx/500 172.6.xx.xx/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/22805 sec
Child sa: local selector 172.16.xx.0/0 - 172.16.xx.255/65535
remote selector 192.168.xx.0/0 - 192.168.xx.255/65535
ESP spi in/out: 0x1f9328de/0xa58a697d
fw0# sh crypto ipsec sa peer 172.6.xx.xx
peer address: 172.6.xx.xx
Crypto map tag: external_map, seq num: 100, local addr: 3x.xx.xx.xx
access-list VPN-ACL extended permit ip 172.16.xx.0 255.255.255.0 192.168.xx.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.xx.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
current_peer: 172.6.xx.xx
#pkts encaps: 1300384, #pkts encrypt: 1300384, #pkts digest: 1300384
#pkts decaps: 1571043, #pkts decrypt: 1571043, #pkts verify: 1571043
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1300384, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 3x.xx.xx.xx/500, remote crypto endpt.: 172.6.xx.xx/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A58A697D
current inbound spi : 1F9328DE
inbound esp sas:
spi: 0x1F9328DE (529737950)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 113205248, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (3881171/62699)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA58A697D (2777311613)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 113205248, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (3687630/62699)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
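As an added example (not part of the question above and not a Cisco tool), a small Python script that pulls the %ASA-4-750003 "wrong DH group" aborts out of syslog per peer and reads the DH group from the ikev2 policy and the crypto map's set pfs line, so the failing peer can be compared against the local configuration; the log lines, addresses and config fragment are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog in the same format as the %ASA-4-750003 line in the question
# (addresses are made up; the third line is a different peer with a different reason).
SAMPLE_LOG = """\
2016-09-12 10:36:43 Local4.Warning 172.6.0.1 fw01 %ASA-4-750003: Local:10.0.0.1:500 Remote:10.0.0.2:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
2016-09-12 10:36:58 Local4.Warning 172.6.0.1 fw01 %ASA-4-750003: Local:10.0.0.1:500 Remote:10.0.0.2:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
2016-09-12 11:02:10 Local4.Warning 172.6.0.1 fw01 %ASA-4-750003: Local:10.0.0.1:500 Remote:10.0.0.9:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Timed out
"""

# Constructed config fragment mirroring the structure of the posted one.
SAMPLE_CONFIG = """\
crypto map external_map 100 set pfs
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
"""

LOG_RE = re.compile(
    r"%ASA-4-750003: Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+ "
    r".*?aborted due to ERROR: (?P<reason>.+)$")

def parse_750003(log_text):
    """Return (remote_ip, reason) for every IKEv2 negotiation-abort message."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("remote"), m.group("reason").strip()))
    return events

def configured_dh_groups(config_text):
    """Extract the ikev2 policy DH group(s) and the PFS group named on 'set pfs' (None = platform default)."""
    policy_groups = [int(g) for g in re.findall(r"^\s*group\s+(\d+)\s*$", config_text, re.M)]
    pfs = re.search(r"^\s*crypto map \S+ \d+ set pfs(?:\s+group(\d+))?\s*$", config_text, re.M)
    pfs_group = int(pfs.group(1)) if pfs and pfs.group(1) else None
    return {"ikev2_policy_groups": policy_groups, "pfs_group": pfs_group, "pfs_enabled": bool(pfs)}

def dh_mismatch_report(log_text, config_text):
    """Count 'wrong DH group' aborts per peer next to the locally configured groups."""
    counts = Counter(remote for remote, reason in parse_750003(log_text) if "wrong DH group" in reason)
    return {"wrong_dh_group_by_peer": dict(counts), "local": configured_dh_groups(config_text)}
```

A peer that shows up repeatedly in wrong_dh_group_by_peer while the local side lists only one group (and set pfs names none) points at a group disagreement between the two ends rather than at a link problem.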