IPSEC VPN connection cannot be established
This post was last edited by bocaccio on 2019-7-24 13:56.
I want to connect two networks over an IPSEC VPN, but the VPN never comes up. The messages are as follows:
00:20:42: %OSPF-5-ADJCHG: Process 2, Nbr 56.10.17.1 on Tunnel23 from LOADING to FULL, Loading Done
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 23 65E900C0 - looped chain attempting to stack
%TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 23 65E900C0 - looped chain attempting to stack
%TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel23, changed state to down
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 23 65E900C0 - looped chain attempting to stack
%TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
00:20:47: %OSPF-5-ADJCHG: Process 2, Nbr 56.10.17.1 on Tunnel23 from FULL to DOWN, Neighbor Down: Interface down or detached
I don't know what this means. Could the experts here take a look and analyze it?
The two routers are configured as follows:
R1#sh run
hostname R1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key test123 address 56.10.17.1
crypto ipsec transform-set Phase2 esp-des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
 set peer 56.123.9.1
 set transform-set Phase2
 match address 100
interface Tunnel23
 ip address 56.123.9.13 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 56.123.9.1
interface FastEthernet0/0
 ip address 56.10.17.1 255.255.255.252
 duplex auto
 speed auto
 crypto map map1
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
router ospf 2
 router-id 56.10.17.1
 log-adjacency-changes
 redistribute connected subnets
 network 56.123.9.12 0.0.0.3 area 0
ip route 0.0.0.0 0.0.0.0 56.10.17.2
access-list 100 permit gre host 56.0.17.1 host 56.123.9.1
*************************************************************************************
R3#sh run
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key test123 address 56.10.17.1
crypto ipsec transform-set Phase2 esp-des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
 set peer 56.10.17.1
 set transform-set Phase2
 match address 100
interface Tunnel23
 ip address 56.123.9.14 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 56.10.17.1
interface FastEthernet0/0
 ip address 56.123.9.1 255.255.255.248
 crypto map map1
interface FastEthernet0/1
 ip address 192.168.2.254 255.255.255.0
router ospf 2
 router-id 56.123.9.1
 log-adjacency-changes
 redistribute static subnets
 network 56.123.9.12 0.0.0.3 area 0
ip route 0.0.0.0 0.0.0.0 56.123.9.2
access-list 100 permit gre host 56.23.9.1 host 56.10.17.1
Your OSPF configuration is wrong. Remove OSPF and leave only the default route on both sides, and the tunnel will come up.
Or configure OSPF properly: your two routers belong to different networks, yet both are using area 0. If your topology is R1-R2-R3, configure R2 as the ABR between OSPF areas 0, 1 and 3, put R1 in area 1 and R3 in area 3, and it will work.
Check it step by step.
Hi bocaccio
Please note what the log shows: %TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
A recursive routing loop is occurring.
Method 1: add a static route for the VPN peer IP
CLI :
R1: ip route 56.123.9.1 255.255.255.255 56.10.17.2
R2: ip route 56.10.17.1 255.255.255.255 56.123.9.2
Method 2: filter the tunnel source prefix out of the OSPF redistribution first (a route-map makes this easy)
No example given.
Because the VPN peer IPs of the two sites are reached via the default route (before the tunnel is established),
after the tunnel comes up the VPN peer IP is learned as a more specific route through OSPF redistribution,
and at that point the more specific route is chosen to build the tunnel. The process is as follows:
IP lookup -> o 56.123.9.0 via 56.123.9.14, 00:14:26, Tunnel23
which shows the route goes via Tunnel23.
A recursive routing lookup then takes place to find the Layer 2 information of the next hop needed for encapsulation:
from the tunnel configuration, the next hop to encapsulate to is 56.123.9.1,
and that route was in turn learned via OSPF, ... and so it loops,
until the OSPF neighbor relationship drops (hold timer expires); once the specific route has aged out, the default route is used again,
the tunnel comes up again, the OSPF neighbor forms again, the specific route is learned again, and the recursive routing loop happens again.
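The recursion described in this reply, traced as an added Python model that is not from the thread: a longest-prefix lookup that follows GRE encapsulation, run over a constructed table modelled on R1's routes before and after the host route from method 1. The /29 OSPF-learned prefix, the route entries and the interface names are assumptions built from the configs posted above.

```python
import ipaddress

# Constructed model of R1's forwarding state (not output from the original post).
# Route = (prefix, next_hop, outgoing_interface); next_hop None means connected.
# Tunnel23's GRE endpoint comes from R1's "tunnel destination 56.123.9.1"; the /29
# stands in for the more specific prefix that OSPF redistribution leaks over the tunnel.
TUNNEL_DEST = {"Tunnel23": "56.123.9.1"}

R1_BEFORE = [
    ("0.0.0.0/0",      "56.10.17.2",  "FastEthernet0/0"),  # static default route
    ("56.123.9.12/30", None,          "Tunnel23"),         # connected tunnel subnet
    ("56.123.9.0/29",  "56.123.9.14", "Tunnel23"),         # learned via OSPF across the tunnel
]
# Method 1 from the reply: pin the peer address to the physical path with a host route.
R1_AFTER = R1_BEFORE + [("56.123.9.1/32", "56.10.17.2", "FastEthernet0/0")]


def longest_match(routes, dst):
    """Return the (network, next_hop, iface) entry with the longest prefix covering dst."""
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def resolve(routes, dst, visited=()):
    """Resolve dst to a physical exit interface, following GRE encapsulation.
    Returns ("ok" | "recursive" | "unreachable", hops); each hop is (dst, prefix, iface).
    A tunnel whose own destination resolves back through that tunnel is what IOS
    reports as %TUN-5-RECURDOWN."""
    dst = ipaddress.ip_address(dst)
    hit = longest_match(routes, dst)
    if hit is None:
        return ("unreachable", list(visited))
    net, nh, iface = hit
    hops = list(visited) + [(str(dst), str(net), iface)]
    if iface not in TUNNEL_DEST:
        return ("ok", hops)                       # reached a physical interface
    if any(h[2] == iface for h in visited):
        return ("recursive", hops)                # tunnel resolves through itself
    return resolve(routes, TUNNEL_DEST[iface], hops)  # resolve the GRE endpoint next


if __name__ == "__main__":
    for label, table in (("before", R1_BEFORE), ("after", R1_AFTER)):
        print(label, resolve(table, "56.123.9.1"))
```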