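We are trying to establish an IPsec tunnel with a vendor. An engineer created the crypto map but could not establish the connection. I edited the entry to change the Diffie-Hellman group and the lifetime. The SA table does not show the changes to these parameters. Do I need to delete the entry in the crypto map and then recreate it?
Here is the crypto map now: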
Crypto Map IPv4 "ToVendor" 18 ipsec-isakmp
Description: To_Monitor
Peer = x.x.x.x
Extended IP access list 123
access-list 123 permit ip host 10.175.239.239 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.162.239.239 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.174.239.239 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.174.239.240 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.51.239.10 192.168.200.0 0.0.3.255
Current peer: x.x.x.x
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
**PFS (Y/N): Y
DH group: group5**
Mixed-mode : Disabled
Transform sets={
ESP-AES-256-SHA256: { esp-256-aes esp-sha256-hmac } ,
}
Interfaces using crypto map ToVendor:
GigabitEthernet0/1
Here is the shortened output of crypto ipsec sa:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.174.239.239/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.252.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
**PFS (Y/N): N, DH group: none**
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas: