Asa5510 + CheckPoint + rekeying

From: Andrew Lutov (2:5080/1003)
To: All (2:5054/37.63)
Date: 2009-08-20T16:50:22Z
Area: RU.CISCO
Hello, All!

How does it behave under IPsec on this version:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"



Because everything keeps falling over in a strange way and ends up like this:

asa5510# sh cry isa sa

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 192.168.14.11
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
2   IKE Peer: 192.168.14.11
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY
asa5510#

And the lifetime is very short at that.


Can anyone suggest anything to improve how IPsec runs on the ASA?

The config is as follows (EasyVPN also terminates on this box, but that part is not shown here):


interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.0.10 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif REGU
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
same-security-traffic permit inter-interface

object-group network IPSec
 network-object host 172.16.1.243
 network-object host 172.16.1.245
 network-object host 172.16.2.244

access-list noNAT extended permit ip object-group IPSec host 192.168.220.15
access-list noNAT extended permit ip object-group IPSec host 192.168.220.2

access-list noNATregu extended permit ip object-group IPSec host 192.168.220.15
access-list noNATregu extended permit ip object-group IPSec host 192.168.220.2

access-list IPSecFTC extended permit icmp object-group IPSec host 192.168.220.15
access-list IPSecFTC extended permit icmp object-group IPSec host 192.168.220.2
access-list IPSecFTC extended permit ip object-group IPSec host 192.168.220.15
access-list IPSecFTC extended permit ip object-group IPSec host 192.168.220.2

mtu outside 1500
mtu inside 1500
mtu REGU 1500

nat-control

nat (inside) 0 access-list noNAT
nat (REGU) 0 access-list noNATregu

route outside 0.0.0.0 0.0.0.0 10.1.0.2 1
route outside 192.168.14.11 255.255.255.255 10.1.0.4 1

no sysopt connection permit-vpn

crypto ipsec transform-set STRONG-DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto ipsec df-bit clear-df REGU

crypto map PMAP 10 match address IPSecFTC
crypto map PMAP 10 set pfs
crypto map PMAP 10 set peer 192.168.14.11
crypto map PMAP 10 set transform-set STRONG-DES

crypto map PMAP interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify

tunnel-group 192.168.14.11 type ipsec-l2l
tunnel-group 192.168.14.11 ipsec-attributes
 pre-shared-key *


-- 
А5 увидимся е2 ли 


--- Microsoft Outlook Express 6.00.2900.5843
 * Origin: (http://news.cca.usart.ru/) USURT's FidoNET<->Internet (2:5080/1003)
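Added example, not part of the original post: the script below parses the `sh cry isa sa` output quoted above, reports peers that hold an Active and a Rekey IKE SA at the same time, and pulls the lifetimes out of the posted config to work out which IPsec lifetime (seconds or kilobytes) will actually fire first at a given sustained throughput. The sample texts embedded in the script are copied from the post; the throughput figure and all function names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the "sh cry isa sa" output quoted in the post.
SHOW_ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 192.168.14.11
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
2   IKE Peer: 192.168.14.11
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY
"""

# Constructed sample: the lifetime-related lines from the posted config.
ASA_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
"""

# One IKE SA entry spans three lines: "N IKE Peer", "Type/Role", "Rekey/State".
SA_RE = re.compile(
    r"^\d+\s+IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)


def parse_isakmp_sas(text):
    """Return one dict per IKE SA listed in 'show crypto isakmp sa' output."""
    return [m.groupdict() for m in SA_RE.finditer(text)]


def peers_in_rekey(sas):
    """Peers holding more than one IKE SA, i.e. an Active SA plus a Rekey SA."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["peer"]].append(sa)
    return {peer: entries for peer, entries in by_peer.items() if len(entries) > 1}


def parse_lifetimes(config):
    """Extract phase 1 (isakmp) and phase 2 (ipsec) lifetimes from ASA config text."""
    def grab(pattern):
        m = re.search(pattern, config, re.MULTILINE)
        return int(m.group(1)) if m else None

    return {
        "ipsec_seconds": grab(r"^crypto ipsec security-association lifetime seconds (\d+)"),
        "ipsec_kilobytes": grab(r"^crypto ipsec security-association lifetime kilobytes (\d+)"),
        # Lazily skip the other policy sub-lines until the indented 'lifetime' line.
        "isakmp_seconds": grab(r"^crypto isakmp policy \d+\n(?:[ \t]+\S.*\n)*?[ \t]+lifetime (\d+)"),
    }


def effective_ipsec_rekey_seconds(lifetimes, mbit_per_s):
    """Seconds until the phase 2 SA rekeys: whichever of the time or volume lifetime
    expires first at the assumed sustained throughput (mbit_per_s is an assumption)."""
    volume_bits = lifetimes["ipsec_kilobytes"] * 1024 * 8
    volume_seconds = volume_bits / (mbit_per_s * 1_000_000)
    return min(lifetimes["ipsec_seconds"], volume_seconds)


if __name__ == "__main__":
    sas = parse_isakmp_sas(SHOW_ISAKMP_SA)
    for peer, entries in peers_in_rekey(sas).items():
        states = ", ".join(f"{e['role']}/{e['state']}" for e in entries)
        print(f"{peer}: {len(entries)} IKE SAs ({states})")
    lt = parse_lifetimes(ASA_CONFIG)
    for mbps in (1, 10, 100):
        print(f"at {mbps} Mbit/s phase 2 rekeys after "
              f"{effective_ipsec_rekey_seconds(lt, mbps):.0f} s")
```

On the posted values the 4608000 KB volume lifetime is reached after roughly 63 minutes at a sustained 10 Mbit/s, far sooner than the 28800 s time lifetime, so a tunnel can rekey much more often than the seconds value suggests. Two further things worth checking against the Check Point side: IKEv1 peers end up using the shorter of the two proposed lifetimes, so its phase 1 and phase 2 values should be compared with 43200 s and 28800 s here, and both sides should agree on whether PFS (set on crypto map PMAP 10) is required.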