IPSEC VPN连接建立不成功

bocaccio

想通过IPSEC VPN实现两个网络的通信，但是VPN一直建立不起来，提示如下：
00:20:42: %OSPF-5-ADJCHG: Process 2, Nbr 56.10.17.1 on Tunnel23 from LOADING to FULL, Loading Done
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 23 65E900C0 - looped chain attempting to stack
%TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 23 65E900C0 - looped chain attempting to stack
%TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel23, changed state to down
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of 23 65E900C0 - looped chain attempting to stack
%TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
00:20:47: %OSPF-5-ADJCHG: Process 2, Nbr 56.10.17.1 on Tunnel23 from FULL to DOWN, Neighbor Down: Interface down or detached
不知道这是什么意思。求各位大神分析一下。

两个路由配置如下：
R1#sh run  

hostname R1

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5

crypto isakmp key test123 address 56.10.17.1
crypto ipsec transform-set Phase2 esp-des esp-md5-hmac

crypto map map1 10 ipsec-isakmp
set peer 56.123.9.1
set transform-set Phase2
match address 100

interface Tunnel23

ip address 56.123.9.13 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 56.123.9.1

interface FastEthernet0/0

ip address 56.10.17.1 255.255.255.252
duplex auto
speed auto
crypto map map1

interface FastEthernet0/1

ip address 192.168.1.254 255.255.255.0

router ospf 2

router-id 56.10.17.1

log-adjacency-changes

redistribute connected subnets

network 56.123.9.12 0.0.0.3 area 0

ip route 0.0.0.0 0.0.0.0 56.10.17.2

access-list 100 permit gre host 56.0.17.1 host 56.123.9.1

*************************************************************************************

R3#sh run

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 5

crypto isakmp key test123 address 56.10.17.1

crypto ipsec transform-set Phase2 esp-des esp-md5-hmac

crypto map map1 10 ipsec-isakmp

set peer 56.10.17.1

set transform-set Phase2

match address 100

interface Tunnel23

ip address 56.123.9.14 255.255.255.252

tunnel source FastEthernet0/0

tunnel destination 56.10.17.1

interface FastEthernet0/0

ip address 56.123.9.1 255.255.255.248

crypto map map1

interface FastEthernet0/1

ip address 192.168.2.254 255.255.255.0

router ospf 2

router-id 56.123.9.1

log-adjacency-changes

redistribute static subnets

network 56.123.9.12 0.0.0.3 area 0

ip route 0.0.0.0 0.0.0.0 56.123.9.2

access-list 100 permit gre host 56.23.9.1 host 56.10.17.1

digg3r

你这OSPF配置的不对，把OSPF去了，两边只留默认路由就能起来。
或者好好配置OSPF，你这两个路由器属于不同的网络，却都在用area 0。如果你的拓扑是R1-R2-R3的话，把R2配置成OSPF area 0, 1, 3之间的ABR，R1配置area 1，R3配置area 3就可以了。

meng_an

分几步去检查吧

layout102

Hi bocaccio

請注意 log 顯示: %TUN-5-RECURDOWN: 23 temporarily disabled due to recursive routing
     發生 recursive routing loop                 
方法一: 寫一筆靜態路由，給 VPN Peer IP
           CLI :
           R1  ip route 56.123.9.1 255.255.255.255 56.10.17.2
           R2  ip route 56.10.17.1 255.255.255.255 56.123.9.2

方法二:     Ospf 的 再發佈 請先過濾 tunnel source prefix (使用 route-map 就很方便了)
             不舉例

因為兩個site 點的vpn peer IP 是透過 default route 到達的 (tunnel 建立以前)，
Tunnel 建立之後，從動態路由 OSPF 的再發佈學到 vpn peer IP (specific route)，
這時更明確的路由會被選來建立 Tunnel，過程如下:
         IP Loop up  ->  o 56.123.9.0 [110/ xxxxx]  via 56.123.9.14, 00:14:26, Tunnel23
         得知是透過Tunnel23
         這時會發生遞歸(recursive routing)查找需要封裝的下一跳Layer2資訊:
         經由 Tunnel 的設定得知需封裝的下一跳為 56.123.9.1，
         而這筆路由又是透過 OSPF學到，....就這樣Loop
        直到 OSPF 的 Neighbor 關係斷了(Hold time out )，明確路由老化後，預設路由又再度被使用，
       Tunnel 又再次建立起來，OSPF 鄰居又再次建立，明確路由又學進來 ,recursive routing loop再次發生.