鸿鹄论坛 (HH010.COM)

Views: 994 | Replies: 7

[Help] A question about IPsec

Posted 2018-3-27 10:05:51
Bounty: 3 鸿鹄币
I am doing an IPsec lab on IOU. The configuration is all done, but the LANs cannot reach each other, and "show crypto isakmp sa" shows no information. The configuration is below; please help me take a look, thanks.

Configuration steps

1. Configure routers R1 and R2 so that both can reach the Internet normally and can ping each other.

2. Configure a static IPsec VPN tunnel on R1

(1) Configure the IPsec interesting traffic

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255  // Specify the interesting traffic as source 192.168.0.0/24 to destination 192.168.1.0/24.

(2) Configure the ISAKMP policy

crypto isakmp keepalive 5 periodic  // Enable IPsec DPD (dead peer detection)
crypto isakmp policy 1  // Create a new ISAKMP policy
authentication pre-share  // Set the authentication method to "pre-shared key"; for digital certificates configure "authentication rsa-sig", for digital envelopes configure "authentication digital-email".
group 2
encryption 3des  // Use 3DES for encryption

(3) Configure the pre-shared key

crypto isakmp key 0 ruijie address 10.0.0.2  // Set the pre-shared key for peer 10.0.0.1 to "ruijie"; the peer must be configured with the same key. Not needed when using certificate/envelope authentication.

(4) Configure the IPsec transform set

crypto ipsec transform-set myset esp-des esp-md5-hmac  // IPsec uses ESP with DES encryption and MD5 integrity checking

(5) Configure the IPsec crypto map

crypto map mymap 5 ipsec-isakmp  // Create a crypto map named "mymap"
set peer 10.0.0.2  // Peer address
set transform-set myset  // Use transform set "myset"
match address 101  // Interesting traffic is ACL 101

(6) Apply the crypto map to the interface

interface e0/0
crypto map mymap

3. Configure a route on R1

ip route 192.168.1.0 255.255.255.0 10.0.0.2

4. Configure a static IPsec VPN tunnel on R2

(1) Configure the IPsec interesting traffic

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  // Specify the interesting traffic as source 192.168.1.0/24 to destination 192.168.0.0/24.

(2) Configure the ISAKMP policy

crypto isakmp policy 1  // Create a new ISAKMP policy
authentication pre-share  // Set the authentication method to "pre-shared key"; for digital certificates configure "authentication rsa-sig", for digital envelopes configure "authentication digital-email".
encryption 3des  // Use 3DES for encryption

(3) Configure the pre-shared key

crypto isakmp key 0 ruijie address 10.0.0.1  // Set the pre-shared key for peer 10.0.0.1 to "ruijie"; the peer must be configured with the same key. Not needed when using certificate/envelope authentication.

(4) Configure the IPsec transform set

crypto ipsec transform-set myset esp-des esp-md5-hmac  // IPsec uses ESP with DES encryption and MD5 integrity checking

(5) Configure the IPsec crypto map

crypto map mymap 5 ipsec-isakmp  // Create a crypto map named "mymap"
set peer 10.0.0.1  // Peer address
set transform-set myset  // Use transform set "myset"
match address 101  // Interesting traffic is ACL 101

(6) Apply the crypto map to the interface

interface e0/0
crypto map mymap

5. Configure a route on R2

ip route 192.168.0.0 255.255.255.0 10.0.0.1

[attachment: ipsec.jpg]
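The first thing to do with a two-router pre-shared-key tunnel that never shows an SA is to compare both ends attribute by attribute, because phase 1 only succeeds when the initiator's proposal matches a policy on the responder and the keys are bound to the right addresses. The script below is an added example written for this thread, not code from the post or from any vendor; it parses the two IOS-style snippets above (copied here without the inline comments, as constructed input) and reports what does not line up: phase-1 policy attributes, the pre-shared key and its address, the transform set, the crypto map peer, and whether the two interesting-traffic ACLs mirror each other. On the configuration in this thread the only difference it finds is that R1 sets "group 2" while R2 leaves the DH group unset; whether that matters depends on the platform default for an unset group, which "show crypto isakmp policy" displays on each router.

```python
import re

# Constructed input: the R1 and R2 snippets from the post above, without the
# inline comments (a hypothetical pair of routers named R1 and R2).
R1_CONFIG = """
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp keepalive 5 periodic
crypto isakmp policy 1
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key 0 ruijie address 10.0.0.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 match address 101
"""

R2_CONFIG = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
crypto isakmp key 0 ruijie address 10.0.0.1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set myset
 match address 101
"""

# Attributes negotiated in IKE phase 1 (main mode) that must agree on both ends.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

KEY_RE = re.compile(r"crypto isakmp key \d+ (\S+) address (\S+)")
TS_RE = re.compile(r"crypto ipsec transform-set \S+ (.+)")
ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")


def parse(config):
    """Pull the IPsec-relevant pieces out of an IOS-style config snippet."""
    cfg = {"policy": {}, "key": None, "transform": None, "peer": None,
           "acl": {}, "match": None}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            section = "policy"          # following indented lines belong to the policy
            continue
        if line.startswith("crypto map "):
            section = "map"             # following indented lines belong to the map entry
            continue
        m = KEY_RE.match(line)
        if m:
            cfg["key"] = (m.group(1), m.group(2))   # (secret, peer address)
            section = None
            continue
        m = TS_RE.match(line)
        if m:
            cfg["transform"] = tuple(sorted(m.group(1).split()))
            section = None
            continue
        m = ACL_RE.match(line)
        if m:
            cfg["acl"][m.group(1)] = m.group(2, 3, 4, 5)  # (src, wild, dst, wild)
            section = None
            continue
        if section == "policy" and line.split()[0] in PHASE1_ATTRS:
            attr, value = line.split(None, 1)
            cfg["policy"][attr] = value
        elif section == "map" and line.startswith("set peer "):
            cfg["peer"] = line.split()[2]
        elif section == "map" and line.startswith("match address "):
            cfg["match"] = line.split()[2]
    return cfg


def compare(r1, r2):
    """Return a list of mismatches between the two peers' configurations."""
    findings = []
    for attr in PHASE1_ATTRS:
        a, b = r1["policy"].get(attr), r2["policy"].get(attr)
        if a != b:
            findings.append(
                f"isakmp policy {attr}: R1={a!r} R2={b!r} (an attribute left unset "
                "takes the platform default; compare the effective values with "
                "'show crypto isakmp policy' on both routers)")
    (k1, addr1), (k2, addr2) = r1["key"], r2["key"]
    if k1 != k2:
        findings.append("pre-shared keys differ")
    if addr1 != r1["peer"] or addr2 != r2["peer"]:
        findings.append("isakmp key address and crypto map 'set peer' disagree")
    if r1["transform"] != r2["transform"]:
        findings.append(f"transform sets differ: {r1['transform']} vs {r2['transform']}")
    acl1, acl2 = r1["acl"].get(r1["match"]), r2["acl"].get(r2["match"])
    if acl1 is None or acl2 is None:
        findings.append("crypto map references an ACL that is not defined")
    elif acl1 != (acl2[2], acl2[3], acl2[0], acl2[1]):   # R2's ACL must be R1's reversed
        findings.append(f"interesting-traffic ACLs are not mirror images: {acl1} vs {acl2}")
    return findings


def check_site_to_site():
    return compare(parse(R1_CONFIG), parse(R2_CONFIG))


if __name__ == "__main__":
    for finding in check_site_to_site():
        print("MISMATCH:", finding)
```

The checker only sees what is explicitly configured, so an attribute that is missing on one side is reported as a difference rather than silently assumed equal; the running policy on each box is the authority for the effective value.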

Best answer, posted 2018-3-27 10:05:52
You need to ping once from the source address to the destination address, then there will be an SA.

Original poster, posted 2018-3-27 11:49:56
I already pinged; it does not go through, and there is still no information. PC1 can ping R2's 10.0.0.2 but cannot ping 192.168.1.2.

Original poster, posted 2018-3-27 20:47:58
Please help, thanks.

Original poster, posted 2018-3-27 23:13:39
I ran debug and found that phase 1 fails, but I cannot see where the error is.
*Mar 27 15:01:20.608: ISAKMP:(0): SA request profile is (NULL)
*Mar 27 15:01:20.608: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Mar 27 15:01:20.608: ISAKMP: New peer created peer = 0xF2932778 peer_handle = 0x80000008
*Mar 27 15:01:20.608: ISAKMP: Locking peer struct 0xF2932778, refcount 1 for isakmp_initiator
*Mar 27 15:01:20.608: ISAKMP: local port 500, remote port 500
*Mar 27 15:01:20.608: ISAKMP: set new node 0 to QM_IDLE
*Mar 27 15:01:20.608: ISAKMP:(0):insert sa successfully sa = F2931C50
*Mar 27 15:01:20.608: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 27 15:01:20.608: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 27 15:01:20.608: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 27 15:01:20.608: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar 27 15:01:20.608: ISAKMP:(0): beginning Main Mode exchange
*Mar 27 15:01:20.608: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:20.608: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 27 15:01:20.610: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 27 15:01:20.610: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 27 15:01:20.610: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Mar 27 15:01:20.610: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 27 15:01:20.610: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

IOU1#
*Mar 27 15:01:20.610: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.2
IOU1#
*Mar 27 15:01:30.614: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:01:30.614: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 27 15:01:30.614: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:01:30.614: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:30.615: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:01:40.622: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:01:40.622: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 27 15:01:40.622: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:01:40.622: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:40.622: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:01:50.614: ISAKMP: set new node 0 to QM_IDLE
*Mar 27 15:01:50.614: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.0.0.1, remote 10.0.0.2)
*Mar 27 15:01:50.614: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 27 15:01:50.614: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 27 15:01:50.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:01:50.623: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 27 15:01:50.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
IOU1#
*Mar 27 15:01:50.623: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:50.623: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:02:00.633: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:02:00.633: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 27 15:02:00.633: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:02:00.633: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:02:00.633: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:02:10.639: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:02:10.639: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 27 15:02:10.639: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:02:10.639: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:02:10.639: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:02:20.646: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:02:20.646: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar 27 15:02:20.646: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.0.0.2)
*Mar 27 15:02:20.646: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.0.0.2)
*Mar 27 15:02:20.646: ISAKMP: Unlocking peer struct 0xF2932778 for isadb_mark_sa_deleted(), count 0
*Mar 27 15:02:20.646: ISAKMP: Deleting peer node by peer_reap for 10.0.0.2: F2932778
*Mar 27 15:02:20.646: ISAKMP:(0):deleting node -240535528 error FALSE reason "IKE deleted"
IOU1#
*Mar 27 15:02:20.646: ISAKMP:(0):deleting node -259996762 error FALSE reason "IKE deleted"
*Mar 27 15:02:20.646: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 27 15:02:20.646: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

IOU1#
*Mar 27 15:03:10.651: ISAKMP:(0):purging node -240535528
*Mar 27 15:03:10.651: ISAKMP:(0):purging node -259996762
IOU1#
*Mar 27 15:03:20.653: ISAKMP:(0):purging SA., sa=F2931C50, delme=F2931C50
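The debug output above already contains the whole story of the failure, and it helps to read it the way a parser would: the initiator moves from IKE_READY to IKE_I_MM1 and sends MM1 to 10.0.0.2; the peer answers (so it is reachable on UDP 500), but what comes back is an informational notify carrying no hash, which the initiator cannot authenticate and therefore rejects; the state never advances past IKE_I_MM1, the same MM1 is retransmitted five times, and the SA is finally torn down with "Death by retransmission P1". The script below is an added example for this thread, not the poster's code or a vendor tool: it runs that classification over a trimmed copy of the log lines above (constructed sample input) and distinguishes "peer never answered" from "peer answered but would not continue main mode", which are fixed in different places (reachability and filtering for the former, the phase-1 proposal, key and peer identity for the latter).

```python
import re

# Constructed sample: a trimmed copy of the 'debug crypto isakmp' lines from the
# post above (IOU1 initiating main mode towards 10.0.0.2).
SAMPLE_LOG = """\
*Mar 27 15:01:20.608: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 27 15:01:20.608: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:20.610: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 27 15:01:20.610: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 27 15:01:20.610: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
*Mar 27 15:01:20.610: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.2
*Mar 27 15:01:30.614: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 27 15:02:10.639: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 27 15:02:20.646: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.0.0.2)
*Mar 27 15:02:20.646: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RECV_RE = re.compile(r"received packet from (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')

# Initiator main-mode states in the order they are reached.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]


def triage(log):
    """Collect the facts that decide where IKE phase 1 got stuck."""
    s = {"states": [], "retransmits": 0, "max_retransmits": 0, "peer": None,
         "unauth_notify": 0, "mode_failure": False, "deleted_reason": None}
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            s["states"].append(m.group(2))          # record every state reached
        m = RETRANS_RE.search(line)
        if m:
            s["retransmits"] = int(m.group(1))      # highest attempt seen
            s["max_retransmits"] = int(m.group(2))
        m = RECV_RE.search(line)
        if m:
            s["peer"] = m.group(1)                  # something came back from this address
        if "Notify has no hash" in line:
            s["unauth_notify"] += 1                 # unprotected notify, dropped by the initiator
        if "IKMP_MODE_FAILURE" in line:
            s["mode_failure"] = True
        m = DELETE_RE.search(line)
        if m:
            s["deleted_reason"] = m.group(1)
    return s


def furthest_state(s):
    """The furthest main-mode state the initiator reached, or None."""
    reached = [st for st in s["states"] if st in MM_ORDER]
    return max(reached, key=MM_ORDER.index) if reached else None


def verdict(s):
    """Map the collected facts to one of a few phase-1 outcome classes."""
    if s["deleted_reason"] and s["deleted_reason"].endswith("P1"):
        if s["peer"] is None:
            # Nothing ever arrived: reachability, UDP/500 filtering, or no ISAKMP on the peer.
            return "phase1-no-reply"
        if s["unauth_notify"] and furthest_state(s) == "IKE_I_MM1":
            # Peer is up but answered MM1 with a notify instead of MM2: check the
            # phase-1 policy, pre-shared key and peer address on both sides.
            return "phase1-rejected-at-mm1"
        return "phase1-failed"
    if furthest_state(s) == "IKE_P1_COMPLETE":
        return "phase1-complete"
    return "phase1-in-progress"


if __name__ == "__main__":
    facts = triage(SAMPLE_LOG)
    print(f"furthest state: {furthest_state(facts)}, "
          f"retransmits: {facts['retransmits']}/{facts['max_retransmits']}, "
          f"verdict: {verdict(facts)}")
```

The verdict strings are deliberately coarse: "phase1-rejected-at-mm1" is the case in this thread and sends you to the configuration of the two peers, while "phase1-no-reply" would send you to the path between them instead.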

Original poster, posted 2018-3-28 19:26:03
I got it working, but found that only one side can ping through; the other side cannot.

Posted 2018-4-2 10:17:40
Check full network reachability before configuring IPsec.

Posted 2018-4-13 20:09:23
If you post the plain configuration we can help you compare it; posted like this, it makes our eyes swim.
