myst Posted October 25, 2012 (edited)

Good day, everyone.

A certain setup with a 3845 and IPIP tunnels to Mikrotik RB1100AHx2. The IPIP tunnels run over IPsec. I've run into VERY slow (tens of minutes) IPsec establishment after reloading the Cisco.

The configuration is as follows:

!
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYKEY address 213.85.148.xxx no-xauth
crypto isakmp key MYKEY address 109.73.33.xxx no-xauth
crypto isakmp key MYKEY address 178.210.43.xxx no-xauth
crypto isakmp key MYKEY address 109.195.49.xxx no-xauth
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 3 periodic
!
!
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
 mode transport
!
crypto map Kom 10 ipsec-isakmp
 description Kom_Crypto_Map
 set peer 109.73.33.xxx
 set peer 109.195.49.xxx
 set security-association lifetime seconds 86400
 set transform-set transform-1
 set pfs group2
 match address Kom_Permit
!
crypto map Link 20 ipsec-isakmp
 description Link_Crypto_Map
 set peer 213.85.148.xxx
 set peer 178.210.43.xxx
 set security-association lifetime seconds 86400
 set transform-set transform-2
 set pfs group2
 match address Link_Permit
!
interface Tunnel10301
 description # Kom_00 #
 ip address 172.23.0.1 255.255.255.252
 ip access-group DMZ_IN in
 ip access-group DMZ_OUT out
 ip ospf network broadcast
 ip ospf cost 10
 ip ospf priority 255
 tunnel source 85.95.149.xxx
 tunnel mode ipip
 tunnel destination 109.73.33.xxx
!
interface Tunnel10302
 description # Link_00 #
 ip address 172.23.0.5 255.255.255.252
 ip access-group DMZ_IN in
 ip access-group DMZ_OUT out
 ip ospf network broadcast
 ip ospf cost 40
 ip ospf priority 255
 tunnel source 109.126.9.xxx
 tunnel mode ipip
 tunnel destination 213.85.148.xxx
!
interface Tunnel10401
 description # Kom_10l #
 ip address 172.24.0.1 255.255.255.252
 ip access-group DMZ_IN in
 ip access-group DMZ_OUT out
 ip ospf network broadcast
 ip ospf cost 10
 ip ospf priority 255
 tunnel source 85.95.149.xxx
 tunnel mode ipip
 tunnel destination 109.195.49.xxx
!
interface Tunnel10402
 description # Link_10 #
 ip address 172.24.0.5 255.255.255.252
 ip access-group DMZ_IN in
 ip access-group DMZ_OUT out
 ip ospf network broadcast
 ip ospf cost 40
 ip ospf priority 255
 tunnel source 109.126.9.xxx
 tunnel mode ipip
 tunnel destination 178.210.43.xx
!
ip access-list extended Kom_Permit
 permit ip host 85.95.149.xxx host 109.73.33.xxx
 permit ip host 85.95.149.xxx host 109.195.49.xxx
!
ip access-list extended Link_Permit
 permit ip host 109.126.9.xxx host 213.85.148.xxx
 permit ip host 109.126.9.xxx host 178.210.43.xxx
!
ip route 109.195.49.xx 255.255.255.255 85.95.149.x
ip route 109.73.33.xxx 255.255.255.255 85.95.149.x
ip route 178.210.43.xxx 255.255.255.255 109.126.9.x
ip route 213.85.148.xxx 255.255.255.255 109.126.9.x
!

(the number of tunnels has been trimmed; there are a great many of them)

What's notable is that the hosts come up exactly in the order the tunnels appear in the configuration. That is, first the side that interface Tunnel10301 points to comes up, then interface Tunnel10302.

c3845-adventerprisek9-mz.151-4.M4.bin

I'd be glad of any hints. Thanks.

Edited October 25, 2012 by myst