Why isn't my IPsec VPN working?
I configured IPsec in a simulator, but it has never worked as expected. Could an expert please explain?
R1:
hostname R1
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
crypto isakmp key test address 111.111.111.2
crypto ipsec security-association lifetime seconds 18000
crypto ipsec transform-set test ah-sha-hmac esp-3des
crypto map cisco 100 ipsec-isakmp
set peer 111.111.111.2
set pfs group1
set security-association lifetime seconds 18000
set transform-set test
match address vpn
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 125.64.39.1 255.255.255.0
ip nat outside
clock rate 64000
crypto map cisco
!
interface Serial0/3/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 10 interface Serial0/3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 125.64.39.2
!
!
access-list 10 permit any
ip access-list extended vpn
permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
end
R2:
hostname R2
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key test address 125.64.39.1
!
crypto ipsec security-association lifetime seconds 18000
!
crypto ipsec transform-set test ah-sha-hmac esp-3des
!
crypto map cisco 100 ipsec-isakmp
set peer 125.64.39.1
set pfs group1
set security-association lifetime seconds 18000
set transform-set test
match address vpn
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 111.111.111.2 255.255.255.0
ip nat outside
crypto map cisco
!
interface Serial0/3/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 10 interface Serial0/3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 111.111.111.1
!
!
ip access-list extended vpn
permit tcp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 10 permit any
end
R3:
hostname R3
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 125.64.39.2 255.255.255.0
!
interface Serial0/3/1
ip address 111.111.111.1 255.255.255.0
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 Serial0/3/0
ip route 172.16.1.0 255.255.255.0 Serial0/3/1
end
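This post was last edited by szmabcd on 2014-12-29 22:04
You have configured NAT, so you need to separate NAT traffic from VPN traffic; in other words, do not NAT the traffic that goes through the VPN.
R2 is probably also missing a route to the peer site, R1.

It's a NAT problem; this interesting traffic needs no-NAT.

Grabbing my points and leaving, haha. Next poster, carry on!

It's a NAT problem: NAT adds a new IP header, which changes the hash value in the data packet, so the peer's data integrity check fails.

Are any errors being reported?

Just passing by.

szmabcd posted on 2014-12-29 22:00:
You have configured NAT, so you need to separate NAT traffic from VPN traffic; in other words, do not NAT the traffic that goes through the VPN.
That's right, thanks.

Thanks, everyone. It was indeed a NAT problem.

How do you separate them?? OP, I'm learning this too.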
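
One way to separate the two kinds of traffic, as an added example that is not from any poster in this thread: replace the "permit any" NAT list with an extended ACL that denies the site-to-site traffic before permitting everything else. The ACL name NAT-EXEMPT is an assumption made for this example; the addresses and interface names come from the configs posted above.

```cisco
! R1: keep NAT away from traffic bound for the remote LAN.
! On IOS, inside-to-outside NAT is applied before the crypto map ACL is
! checked, so a translated source (125.64.39.1) no longer matches "vpn".
!
! Before (from the post): every packet leaving Serial0/3/0 is translated.
!   ip nat inside source list 10 interface Serial0/3/0 overload
!   access-list 10 permit any
!
no ip nat inside source list 10 interface Serial0/3/0 overload
no access-list 10
! NAT-EXEMPT is a hypothetical name chosen for this example.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Serial0/3/0 overload
!
! R2: mirror image of the same change.
! Note: R2's posted FastEthernet0/0 has no "ip nat inside", so this list
! only takes effect if that interface is later marked as NAT inside.
no ip nat inside source list 10 interface Serial0/3/0 overload
no access-list 10
ip access-list extended NAT-EXEMPT
 deny   ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Serial0/3/0 overload
!
! Verify on either router after sending TCP traffic between the LANs
! (the posted crypto ACL "vpn" matches tcp only, so ping will not match):
!   show ip nat translations     - no entries for LAN-to-LAN flows
!   show crypto isakmp sa        - phase 1 state with the peer
!   show crypto ipsec sa         - encaps/decaps counters increasing
```

If the router refuses to remove the old NAT rule because translations are still active, run clear ip nat translation * first and repeat the command.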