Howdy,
We have been using the MT routers since about 2.7.2. Our current config consists of 1 MT (2.7.12) as a central VPN endpoint for many MT's in the field (2.7.19-2.8.26).
All traffic between the routers is being encrypted by IPSEC.
The problem I seem to be having is that the tunnels are periodically timing out/dropping traffic.
It looks like phase 1 of the tunnels is timing out, and phase 2 doesn't seem to care. It just keeps trying to send traffic without re-establishing the link.
Many times, the only way to fix the problem is to disable the peers on my central MT and flush all the installed-SA’s. Is there anything I can do to keep this from occurring, or maybe even a better way to make the MT’s re-establish the links?
Also…I’ve tried to set up L2TP tunneling on our central MT, but I cannot get a tunnel to stay up when any amount of traffic (other than basic ping) is sent over it. Is this a version problem with 2.7.12?
Any help is appreciated. Thanks.
Eugene
April 18, 2005, 2:44pm
A lot of time has passed since 2.7.something. You have to upgrade to the newest version and check if the problem persists.
Ok, my centralized MT is now 2.8.26. I am still having issues with intermittent downtime between ALL of my remote locations.
Any help here would be greatly appreciated.
Here is a sample of my config between my central MT and a branch that is also running 2.8.26.
Central MT:
ip ipsec policy>
0 src-address='CentralPrivateSubnet'/16:any dst-address='BranchPrivateSubnet'/24:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='CentralPublicIP' sa-dst-address='BranchPublicIP'
proposal=default manual-sa=none dont-fragment=clear
1 src-address='CentralPrivateSubnet'/16:any dst-address='BranchPublicIP'/32:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='CentralPublicIP' sa-dst-address='BranchPublicIP'
proposal=default manual-sa=none dont-fragment=clear
2 src-address='CentralPublicIP'/32:any dst-address='BranchPrivateSubnet'/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='CentralPublicIP' sa-dst-address='BranchPublicIP'
proposal=default manual-sa=none dont-fragment=clear
ip ipsec peer>
address='BranchPublicIP'/32:500 secret="*****" generate-policy=yes
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=15m
lifebytes=0
ip ipsec proposal>
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=15m lifebytes=0 pfs-group=modp1024
Branch MT:
[admin@Bedias] ip ipsec policy> pr
Flags: X - disabled, D - dynamic, I - invalid
0 src-address='BranchPrivateSubnet'/24:any dst-address='CentralPrivateSubnet'/16:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='BranchPublicIP' sa-dst-address='CentralPublicIP'
proposal=default manual-sa=none dont-fragment=clear
1 src-address='BranchPublicIP'/32:any dst-address='CentralPrivateSubnet'/16:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='BranchPublicIP' sa-dst-address='CentralPublicIP'
proposal=default manual-sa=none dont-fragment=clear
2 src-address='BranchPrivateSubnet'/24:any dst-address='CentralPublicIP'/32:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='BranchPublicIP' sa-dst-address='CentralPublicIP'
proposal=default manual-sa=none dont-fragment=clear
[admin@Bedias] ip ipsec peer> pr
Flags: X - disabled
0 address=xxx.xxx.xxx.xxx/32:500 secret="******" generate-policy=yes
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=15m
lifebytes=0
[admin@Bedias] ip ipsec proposal> pr
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=15m lifebytes=0 pfs-group=modp1024
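An added consistency check (not from the thread or RouterOS), assuming only the `print` layout pasted above: it parses the policy, peer and proposal sections and flags two things a practitioner looks at first when tunnels stall, a policy whose sa-dst-address matches no configured peer, and a phase 1 (peer) lifetime that is not longer than the phase 2 (proposal) lifetime, so that both SAs are not expiring at the same moment. The sample config is constructed in the shape of the post, with one sa-dst-address placeholder deliberately misspelled so the first check fires.

```python
import re

# Constructed sample shaped like the `print` output in the post (central side); the
# sa-dst-address placeholder is deliberately misspelled to show the check firing.
CENTRAL = """\
ip ipsec policy>
0 src-address='CentralPrivateSubnet'/16:any dst-address='BranchPrivateSubnet'/24:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address='CentralPublicIP' sa-dst-address='BranchPublcIP'
proposal=default manual-sa=none dont-fragment=clear
ip ipsec peer>
address='BranchPublicIP'/32:500 secret="*****" generate-policy=yes
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=15m
lifebytes=0
ip ipsec proposal>
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=15m lifebytes=0 pfs-group=modp1024
"""
KV = re.compile(r"([\w-]+)=('[^']*'\S*|\"[^\"]*\"|\S+)")   # key=value tokens

def parse(text):
    """Group key=value pairs into entries under 'policy', 'peer' and 'proposal'."""
    sections, entries = {}, None
    for line in text.splitlines():
        if "ip ipsec " in line and ">" in line:            # section header line
            entries = sections.setdefault(line.split("ip ipsec ")[1].split(">")[0], [])
        elif entries is not None and not line.startswith("Flags:"):
            for key, val in KV.findall(re.sub(r"^\d+\s+", "", line.strip())):
                if not entries or key in entries[-1]:      # repeated key = next entry
                    entries.append({})
                entries[-1][key] = val.replace("'", "").replace('"', "")
    return sections

def seconds(lifetime):
    """RouterOS duration such as '15m', '1h30m' or '1d' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhd])", lifetime))

def audit(text):
    """Findings: SA destinations with no peer, and phase1 lifetime not above phase2."""
    cfg, findings = parse(text), []
    peers = {p["address"].split("/")[0] for p in cfg.get("peer", [])}
    for pol in cfg.get("policy", []):
        if pol["sa-dst-address"] not in peers:
            findings.append(f"policy {pol['src-address']} -> {pol['dst-address']}: "
                            f"sa-dst-address {pol['sa-dst-address']} matches no peer")
    for peer in cfg.get("peer", []):
        for prop in cfg.get("proposal", []):
            if seconds(peer["lifetime"]) <= seconds(prop["lifetime"]):
                findings.append(f"peer {peer['address']}: phase1 lifetime {peer['lifetime']} "
                                f"not longer than phase2 lifetime {prop['lifetime']}")
    return findings
```

Run `audit()` over each router's pasted output separately; on the sample it reports the unknown SA peer and the equal 15m/15m lifetimes.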