求助site-site vpn和ezvpn 互通问题

doudouxiaoji

拓扑

自己用ＧＮＳ３搭的拓扑结构，R2模拟Internet，R1和R3用的是Site-Site的vpn，R1和R5用的是ezvpn（R1是服务器，R5为客户端）现在这2个vpn是正常使用的，但我想知道如何才能使R3和R5也正常通讯。

wsyzk

R1到R3之间VPN用动态加密映射，只要通过R1到R3之间的GRE走的流量全部加密，这个R5就可以通过R1访问R3

xuexue705

除了VPN流量之外的做NAT。
一、Ezvpn直接做隧道分离
二、site to site做个Router map.
比如：
access-list 100 permit ip 3.3.3.0 0.0.0.255 5.5.5.0 0.0.0.255(ipsec感兴趣流量)
access-list 110 deny ip 3.3.3.0 0.0.0.255 5.5.5.0 0.0.0.255
access-list 110 permit ip any any
route-map NAT 1000
match ip address 110
ip nat inside source route-map NAT interface Serial0/1 overload

doudouxiaoji

wsyzk 发表于 2013-6-5 15:48
R1到R3之间VPN用动态加密映射，只要通过R1到R3之间的GRE走的流量全部加密，这个R5就可以通过R1访问R3

不是很理解您说的意思 能详细点吗

doudouxiaoji

xuexue705 发表于 2013-6-5 15:58
除了VPN流量之外的做NAT。
一、Ezvpn直接做隧道分离
二、site to site做个Router map.

我定义过，但好像还是不行，搞不清楚为什么

doudouxiaoji

R1.cfg
aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local
username cisco privilege 15 password 0 cisco
crypto keyring cisco
  pre-shared-key address 23.1.1.3 key cisco
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp client configuration group ezvpngroup
key ezvpngroup
pool localpool
acl split-tunneling
crypto isakmp profile PRO
   keyring cisco
   match identity address 23.1.1.3 255.255.255.255
crypto isakmp profile ez
   match identity group ezvpngroup
   client authentication list ezvpn
   isakmp authorization list ezvpn
   client configuration address respond
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto dynamic-map ezvpnmap 10
set transform-set SET
set isakmp-profile ez
reverse-route
crypto map site-to-site 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set SET
set isakmp-profile PRO
match address vpn
crypto map site-to-site 20 ipsec-isakmp dynamic ezvpnmap
interface Serial1/0
ip address 14.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
serial restart-delay 0
interface Serial1/1
ip address 12.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map site-to-site
ip local pool localpool 14.1.1.100 14.1.1.105
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.1.1.2
ip route 4.4.4.0 255.255.255.0 14.1.1.4
ip nat inside source list nat interface Serial1/1 overload
ip access-list extended nat
deny   ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
deny   ip 14.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
deny   ip 14.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
deny   ip 14.1.1.0 0.0.0.255 14.1.1.0 0.0.0.255
deny   ip 3.3.3.0 0.0.0.255 5.5.5.0 0.0.0.255
permit ip 14.1.1.0 0.0.0.255 any
ip access-list extended split-tunneling
permit ip 14.1.1.0 0.0.0.255 any
permit ip 4.4.4.0 0.0.0.255 any
ip access-list extended vpn
permit ip 14.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
permit ip 5.5.5.0 0.0.0.255 3.3.3.0 0.0.0.255

doudouxiaoji

R3.cfg
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto map site-to-site 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set SET
match address VPN
interface FastEthernet0/0
ip address 3.3.3.3 255.255.255.0
duplex auto
speed auto
interface Serial1/2
ip address 23.1.1.3 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map site-to-site
ip route 0.0.0.0 0.0.0.0 23.1.1.2
ip nat inside source list nat interface Serial1/2 overload
ip access-list extended VPN
permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
permit ip 3.3.3.0 0.0.0.255 14.1.1.0 0.0.0.255
permit ip 3.3.3.0 0.0.0.255 5.5.5.0 0.0.0.255
ip access-list extended nat
deny   ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
deny   ip 3.3.3.0 0.0.0.255 14.1.1.0 0.0.0.255
deny   ip 3.3.3.0 0.0.0.255 5.5.5.0 0.0.0.255
permit ip 3.3.3.0 0.0.0.255 any

doudouxiaoji

贴上3个配置，还请兄弟们指点迷津

doudouxiaoji

R5.cfg
crypto ipsec client ezvpn vpn
connect manual
group ezvpngroup key ezvpngroup
mode client
peer 12.1.1.1
xauth userid mode interactive
interface FastEthernet0/0
ip address 5.5.5.5 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn vpn inside
interface Serial1/3
ip address 25.1.1.5 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto ipsec client ezvpn vpn
ip route 0.0.0.0 0.0.0.0 25.1.1.2
ip nat inside source list 100 interface Serial1/3 overload
access-list 100 permit ip 5.5.5.0 0.0.0.255 any

xuexue705

你R3 R5可以上外网不？
1、你R1上的EZVPN的隧道分离AC为什么要做拒绝？当R5拔上之后可以上外网不？
2、你site to site R3上ACL也有问题。你有试过可以PING通R2的环回？
还有一点就是，R1要做子接口

doudouxiaoji

xuexue705 发表于 2013-6-6 16:34
你R3 R5可以上外网不？
1、你R1上的EZVPN的隧道分离AC为什么要做拒绝？当R5拔上之后可以上外网不？
2、你 ...

我在R2上做了个loopback口，做外网地址，当vpn拨入后，都是可以ping通这个地址的。
现在R3可以ping通R1赋予R5的IP地址，也就是14.1.1.100，但不能ping通5.5.5.5.并且R1也不能ping通5.5.5.5.
R5如果用14.1.1.100也能ping通R3的地址，
再次感谢兄弟

wudiwo2

先顶顶看喽......

maqizhao

都快过来围观，楼主的好帖赞爆了