Posted

Good afternoon!

I have a Giga III running software 3.8.5.4; there is simply nothing newer.

GRE tunnel with IPsec. At the moment of the IPsec SA rekey, the CHILD_SA is renegotiated.

After 4 renegotiations IPsec restarts. The following entry appears in the log:

ndm: IpSec::CryptoMapInfo: "Gre1": too many active IKE/CHILD SA: 0/4.

During the renegotiations (lifetime of 60 seconds for testing), the log shows this:

I [Jan  6 22:29:50] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 1, active CHILD SA: 0.
I [Jan  6 22:29:50] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 1, active CHILD SA: 1.
I [Jan  6 22:30:27] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 1.
I [Jan  6 22:30:27] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:30:37] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:30:37] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:31:01] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:31:01] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 3.

Is this behavior fixed in the 3.9 branch?
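
An added example, not part of the original post or of the router's software: a small parser for the `IpSec::CryptoMapInfo` lines quoted above that tracks the CHILD SA count per crypto map and flags a count that only grows across rekeys. The function name `analyze`, the `warn_at` threshold and the rule "no decrease ever seen means old SAs are not being removed" are assumptions made for illustration.

```python
import re

# Log lines copied from the post above, ending with the "too many" entry.
SAMPLE_LOG = """\
I [Jan  6 22:29:50] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 1, active CHILD SA: 0.
I [Jan  6 22:29:50] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 1, active CHILD SA: 1.
I [Jan  6 22:30:27] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 1.
I [Jan  6 22:30:27] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:30:37] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:30:37] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:31:01] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 2.
I [Jan  6 22:31:01] ndm: IpSec::CryptoMapInfo: "Gre1": crypto map active IKE SA: 0, active CHILD SA: 3.
ndm: IpSec::CryptoMapInfo: "Gre1": too many active IKE/CHILD SA: 0/4.
"""

PREFIX = r'IpSec::CryptoMapInfo: "(?P<map>[^"]+)": '
COUNT_RE = re.compile(
    PREFIX + r"crypto map active IKE SA: (?P<ike>\d+), active CHILD SA: (?P<child>\d+)\.")
LIMIT_RE = re.compile(
    PREFIX + r"too many active IKE/CHILD SA: (?P<ike>\d+)/(?P<child>\d+)\.")


def analyze(log_text, warn_at=2):
    """Track CHILD SA counts per crypto map; flag counts that only ever grow."""
    maps = {}
    for line in log_text.splitlines():
        count, limit = COUNT_RE.search(line), LIMIT_RE.search(line)
        m = count or limit
        if not m:
            continue  # unrelated log line
        s = maps.setdefault(
            m["map"], {"last": 0, "peak": 0, "drops": 0, "limit_hit": False})
        if limit:
            s["limit_hit"] = True  # the entry logged before IPsec restarts
            continue
        child = int(m["child"])
        if child < s["last"]:
            s["drops"] += 1  # an old CHILD SA was removed after a rekey
        s["last"] = child
        s["peak"] = max(s["peak"], child)
    for s in maps.values():
        # Assumed heuristic: warn_at or more CHILD SAs and none ever removed.
        s["leaking"] = s["peak"] >= warn_at and s["drops"] == 0
    return maps


if __name__ == "__main__":
    for name, s in analyze(SAMPLE_LOG).items():
        print(name, s)
```
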

Posted

We cure one thing and cripple another.

Version 4.0 Alpha 2

1. The problem with the 4 renegotiations is solved.

2. The GRE interface is set to ipsec encryption-level strong, and the other side is set to AES_CBC_128/HMAC_SHA1_96/MODP_2048. According to the documentation, this set is supported by the strong preset. But nothing works until you configure AES_CBC_128/HMAC_SHA1_96/MODP_1536. MODP_2048 is not used for PFS.
