ipsec vpn为什么不通

bull92 · 发表于 2014-12-29 21:05:07

我用模拟器配置了IPsec 但一直没达到效果求大神解释

R1：
hostname R1
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
crypto isakmp key test address 111.111.111.2
crypto ipsec security-association lifetime seconds 18000
crypto ipsec transform-set test ah-sha-hmac esp-3des
crypto map cisco 100 ipsec-isakmp
set peer 111.111.111.2
set pfs group1
set security-association lifetime seconds 18000
set transform-set test
match address vpn
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 125.64.39.1 255.255.255.0
ip nat outside
clock rate 64000
crypto map cisco
!
interface Serial0/3/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 10 interface Serial0/3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 125.64.39.2
!
!
access-list 10 permit any
ip access-list extended vpn
permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
end

R2：
hostname R2
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key test address 125.64.39.1
!
crypto ipsec security-association lifetime seconds 18000
!
crypto ipsec transform-set test ah-sha-hmac esp-3des
!
crypto map cisco 100 ipsec-isakmp
set peer 125.64.39.1
set pfs group1
set security-association lifetime seconds 18000
set transform-set test
match address vpn
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 111.111.111.2 255.255.255.0
ip nat outside
crypto map cisco
!
interface Serial0/3/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 10 interface Serial0/3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 111.111.111.1
!
!
ip access-list extended vpn
permit tcp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 10 permit any
end
R3：
hostname R3
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/3/0
ip address 125.64.39.2 255.255.255.0
!
interface Serial0/3/1
ip address 111.111.111.1 255.255.255.0
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 Serial0/3/0
ip route 172.16.1.0 255.255.255.0 Serial0/3/1
end

szmabcd · 发表于 2014-12-29 22:00:39

你做了NAT，要将NAT流量与VPN流量做区分，意思就是VPN中流量你不要做NAT

szmabcd · 发表于 2014-12-29 22:00:48

本帖最后由 szmabcd 于 2014-12-29 22:04 编辑

你做了NAT，要将NAT流量与VPN流量做区分，意思就是VPN中流量你不要做NAT

R2应该还缺少路由，到对站点R1的

vaio · 发表于 2014-12-30 00:39:53

nat的问题，这段感兴趣流要no-nat

klinuxe · 发表于 2014-12-30 08:50:41

拿分走人呵呵，楼下继续！

胶己狼 · 发表于 2014-12-30 09:11:07

NAT的问题，因为NAT会重新增加新的IP报头，导致数据数据包中的HASH值发生改变，对方在进行数据完整性校验时回失败。

Rockyw · 发表于 2014-12-30 10:52:58

有没有报什么错误

xoofly · 发表于 2014-12-30 13:29:05

路过打酱油，

bull92 · 发表于 2015-1-22 10:57:59

szmabcd 发表于 2014-12-29 22:00
你做了NAT，要将NAT流量与VPN流量做区分，意思就是VPN中流量你不要做NAT

对了谢谢

bull92 · 发表于 2015-1-22 10:58:45

谢谢各位，确实是NAT的问题

古月椒 · 发表于 2015-4-16 18:58:46

怎么区分额？？楼主，我同样在学额

liaijun_123 · 发表于 2015-6-23 11:24:35

账号		自动登录	找回密码
密码			论坛注册

ipsec vpn为什么不通

客服中心

投诉建议