ezvpn隧道建立。但无法PING 通 拓扑图附件

bnm201

R1
SHOW RUN
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.4.251 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
interface Serial1/0
ip address 12.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip nat pool chengy 12.1.1.1 12.1.1.1 netmask 255.255.255.0
ip nat inside source list 10 pool chengy overload
!
access-list 10 permit 192.168.4.0 0.0.0.255
!
!
control-plane
!
!
!
!
!
!
!
!         
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

r3
SHOW RUN
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login vpnusers local
aaa authorization network vpn-remote-access local
!
aaa session-id common
memory-size iomem 5
!
!         
ip cef   
no ip domain lookup
!         
username user1 password 0 pass1
username user2 password 0 pass2
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 20 10
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group vpngroup1
key myvpnkey
pool remote-pool
!
!
crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
!
crypto dynamic-map maptemplate 1
set transform-set vpntransform
reverse-route
!
!
crypto map dynmap client authentication list vpnusers
crypto map dynmap isakmp authorization list vpn-remote-access
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic maptemplate
!         
!
!
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 23.1.1.3 255.255.255.0
serial restart-delay 0
crypto map dynmap
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip local pool remote-pool 192.168.3.100 192.168.3.200
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
!
!
!
!
control-plane
!
!
!
!
!         
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

evangelion_03

又是穿越NAT的加密隧道~~，你在PING之后看VPN上show crypto ipsec sa 和show crypto engine connection active看有被加密或者解密的数据出现，若果没有就是还是数据没过来，还是得看NAT那里，可能要在 VPN上开启NAT穿透

hunter_dai

R1:  no aaa new-model
R3:  aaa new-model

tcpdump

把这条access-list 10 改成 access-list 100 permit icmp any any
            access-list 100 permit  ip 192.168.4.0 0.0.0.255  23.1.1.0  0.0.0.255

kivelniu

router-to-router的EZVPN是需要在Server和Client端都做配置的。router-to-PC的EZVPN是只要在Server上做配置，在PC端安装软件即可。
你R1上什么都没做，怎么可能会通。而且ping通23.1.1.3是R1和R3建立EZVPN的基础，必须得通的。这个23.1.1.3相当于是公司的公网IP，肯定首先就要保证能到达这个接口。而且你在R3上的remote-pool是R3环回口的地址块，做通了也是ping通R3的l环回口。
Client端的大致配置，你可以参考一下：
crypto ipsec client ezvpn r1-client          //r1-client是自己定义的名字
group vpngroup1 key myvpnkey        //对用Server端的组名及组密码
peer 23.1.1.3
mode client                                          //ezvpn模式
connect auto                                             
username user1 password  pass1           //用户名密码
xauth userid mode local                     //X认证方式
进入S1/0
crypto ipsec client ezvpn r1-client
进入E0/0
crypto ipsec client ezvpn r1-client inside
最后进入特权模式，配置X认证
crypto ipsec client ezvpn xauth
username:user1
password:pass1

还有一点，R3上最好做一个隧道分离，不然R1连上之后所有流量都走VPN，数据被加密，R2无法识别,可能也会失败

wubixiong

    怎么解决的？ 哥们我遇到的问题跟你一样