Vyatta隧道随机退出

Question

我一直在我的VPN隧道随机退出，只有很少发生(~每周两次)，如果我做一个“服务ipsec重新启动”，然后它立即开始工作。非常烦人，因为我试图复制一个大的VM到我们的DR站点和每次隧道下降，我必须重新开始！

配置如下。伙计们有什么想法吗？

esp-group DR {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes128
             hash sha1
         }
     }


 ike-group DR {
         dead-peer-detection {
             action restart
             interval 15
             timeout 30
         }
         lifetime 28800
         proposal 1 {
             dh-group 2
             encryption aes128
             hash sha1
         }
     }



peer *.*.*.* {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret ***
             }
             connection-type initiate
             description "DR Site"
             ike-group DR
             local-address *.*.*.*
             tunnel 2 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group DR
                 local {
                     prefix 192.168.*.0/24
                 }
                 remote {
                     prefix 10.*.0.0/24
                 }
             }
         }

在检查日志之后，日志中似乎满是这样的消息：

Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: received Vendor ID payload [Dead Peer Detection]
Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: ignoring Vendor ID payload [RFC 3947]
Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr  3 13:23:37 *.*.*.* pluto[20789]: packet from *.*.*.*:500: initial Main Mode message received on *.*.*.*:500 but no connection has been authorized with policy=PSK
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: process_status_message: bad node [****] in message
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG: Dumping message with 12 fields
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[0] : [t=status]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[1] : [st=active]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[2] : [dt=2710]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[3] : [protocol=1]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[4] : [src=****]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[5] : [(1)srcuuid=0x201c570(36 27)]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[6] : [seq=28077b]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[7] : [hg=50b63627]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[8] : [ts=533d60db]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[9] : [ld=0.00 0.01 0.05 1/87 31182]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[10] : [ttl=3]
Apr  3 13:23:39 *.*.*.* heartbeat: [3397]: ERROR: MSG[11] : [auth=1 96fa591a077c1bd3941d450c9c8973d8f0a9440f]

Answer 1

我所发现的帮助隧道稳定的环境是

set vpn ipsec auto-update '60'

我的死点检测间隔和超时时间比您的(分别为30秒和120秒)长，我使用了VTIs，但您的配置在其他方面几乎与我的配置相同。我能够维持400 Mbps通过隧道内的VyOS VM没有问题。

Answer 2

对不起，不能评论，没有真正的回答：

• 您是否试图增加ike-group DR dead-peer-detetion timeout值？
• 是否有可能每周随机出现两次网络使用高峰，使所有可用带宽饱和？