IPSec VPN 实验问题

superxy

OSPF路由全网互通
在R2和R4之间搭建IPSEC VPN
实验问题：R1和R5的环回口地址之间可以ping通，通过R1的物理接口ping不通R5的环回口，通过R5的物理接口ping不通R1的环回口
R2
R2#sh run | se crypto
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 24
lifetime 3600
crypto isakmp key cisco address 34.1.1.4      
crypto isakmp keepalive 30
crypto ipsec transform-set XY esp-aes esp-sha512-hmac
mode tunnel
crypto map IPSEC 10 ipsec-isakmp
set peer 34.1.1.4
set transform-set XY
match address IPSEC
crypto map IPSEC
R2#sh run | se access-list
ip access-list extended IPSEC
permit ip host 1.1.1.1 host 5.5.5.5
permit ip host 23.1.1.2 host 5.5.5.5
permit ip host 12.1.1.1 host 5.5.5.5
R2#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


R4
R4#sh run | se crypto
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 24
lifetime 3600
crypto isakmp key cisco address 23.1.1.2      
crypto isakmp keepalive 30
crypto ipsec transform-set XY esp-aes esp-sha512-hmac
mode tunnel
crypto map IPSEC 10 ipsec-isakmp
set peer 23.1.1.2
set transform-set XY
match address IPSEC
crypto map IPSEC
R4#sh run | se access-list
ip access-list extended IPSEC
permit ip host 5.5.5.5 host 1.1.1.1
permit ip host 34.1.1.4 host 1.1.1.1
permit ip host 45.1.1.5 host 1.1.1.1
R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


R1
R1#ping 5.5.5.5 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 61/94/107 ms
R1#ping 5.5.5.5 source 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 12.1.1.1
.....
Success rate is 0 percent (0/5)


R5
R5#ping 1.1.1.1 source 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 169/199/211 ms
R5#ping 1.1.1.1 source 45.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 45.1.1.5
.....
Success rate is 0 percent (0/5)

thegreek1

Hey, can you run debug on the link to see if any traffic hits the router from the tunnel. If you don't see any communication between the nodes, then you are looking at the first phase of the problem. Usually here you will see password issues or misconfigured isakmp cyrpto settings. Next, you see Your second stage encrypts the maps, whether they match, and whether they are in order. Do you have NAT translation on the router? In most cases, if your traffic reaches the firewall through the router, you will use 'no nat' and nat-t.The general rule of thumb is that only interesting traffic can start the tunnel, so you need to start and start ping and telnet tests from an internal host (such as tinycore).Please post the debug output of isakmp to review the matter.

Eric_tor

Thanks.

thegreek1

嗨，您是否能够在链路上运行调试，以查看是否有任何流量从隧道中击中路由器。如果您没有看到节点之间的任何通信，那么您正在查看第一阶段问题。通常在这里您会看到密码问题或错误配置的isakmp cyrpto设置。接下来，你看
你的第二阶段加密地图，它们是否匹配，是否按顺序排列。你在路由器上有NAT转换吗？在大多数情况下，如果你的流量通过路由器到达防火墙，你将使用'no nat'和nat-t。
一般的经验法则是，只有有趣的流量可以启动隧道，因此您需要从内部主机（例如tinycore）开始并启动ping和telnet测试。

请发布isakmp的调试输出来审核此事

thegreek1

当您运行调试crypto isakmp时，您收到的错误消息是什么

superxy

这是自己搭建的实验环境，没有用NAT，基础配置肯定没问题，因为R1和R5的环回口地址之间可以ping通，而且抓包看也是同通过ESP加密了。后来我在感兴趣流里加了路由器接口IP到对端IP，再通过这个接口IP来ping对端，这样就ping不通了。

我就是搞不清楚，为什么把接口地址加入感兴趣流就不行呢？

guoshuofeng

高手出手

zou8412

acl两边要对应吧，不能随便定义感兴趣流吧