Views: 4962 | Replies: 7

ACL problem when configuring a LAN-to-LAN VPN on Cisco IOU

Posted on 2012-3-20 15:46:46
Bounty: 50 鸿鹄币
This post was last edited by badboycx on 2012-3-20 15:52

Router A's inside network: 192.168.1.0/24
Router C's inside network: 172.16.1.0/24
Router A: access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Router C: access-list 100 permit ip 172.16.1.0 0.0.0.255 any
With this, phase 2 does not get through.
But if A and C are both changed to permit ip any any,
or to
Router A: access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Router C: access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
then it works. In theory the interesting traffic should match in every one of these cases. What is the reason?
Below is the exact sequence from the first attempt, when the original ACL did not work:

R1#show ip acce
R1#show ip access-lists
Extended IP access list 100
    10 permit ip 192.168.1.0 0.0.0.255 any
R1#
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*Mar 14 11:35:59.767: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (N) NEW SA
*Mar 14 11:35:59.767: ISAKMP: Created a peer struct for 200.1.1.2, peer port 500
*Mar 14 11:35:59.767: ISAKMP: New peer created peer = 0xB59F6050 peer_handle = 0x80000002
*Mar 14 11:35:59.767: ISAKMP: Locking peer struct 0xB59F6050, refcount 1 for crypto_isakmp_process_block
*Mar 14 11:35:59.767: ISAKMP: local port 500, remote port 500
*Mar 14 11:35:59.767: ISAKMP:(0):insert sa successfully sa = B6660EB8
*Mar 14 11:35:59.767: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 14 11:35:59.767: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar 14 11:35:59.771: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 14 11:35:59.771: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 14 11:35:59.771: ISAKMP (0): vendor ID is NAT-T v7
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 14 11:35:59.771: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Mar 14 11:35:59.771: ISAKMP:(0): local preshared key found
*Mar 14 11:35:59.771: ISAKMP : Scanning profiles for xauth ...
*Mar 14 11:35:59.771: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*Mar 14 11:35:59.771: ISAKMP:      encryption 3DES-CBC
*Mar 14 11:35:59.771: ISAKMP:      hash MD5
*Mar 14 11:35:59.771: ISAKMP:      default group 2
*Mar 14 11:35:59.771: ISAKMP:      auth pre-share
*Mar 14 11:35:59.771: ISAKMP:      life type in seconds
*Mar 14 11:35:59.771: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 14 11:35:59.771: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 14 11:35:59.771: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 14 11:35:59.771: ISAKMP:(0):Acceptable atts:life: 0
*Mar 14 11:35:59.771: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 14 11:35:59.771: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 14 11:35:59.771: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 14 11:35:59.771: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 14 11:35:59.771: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 14 11:35:59.771: ISAKMP (0): vendor ID is NAT-T v7
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 14 11:35:59.771: ISAKMP:(0): processing vendor id payload
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 14 11:35:59.771: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 14 11:35:59.771: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 14 11:35:59.771: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar 14 11:35:59.775: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 14 11:35:59.775: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 14 11:35:59.775: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 14 11:35:59.775: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 14 11:35:59.775: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar 14 11:35:59.783: ISAKMP (0): received packet from 200.1.1.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 14 11:35:59.783: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 14 11:35:59.783: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Mar 14 11:35:59.783: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 14 11:35:59.787: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 14 11:35:59.787: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Mar 14 11:35:59.787: ISAKMP:(1001): processing vendor id payload
*Mar 14 11:35:59.787: ISAKMP:(1001): vendor ID is DPD
*Mar 14 11:35:59.787: ISAKMP:(1001): processing vendor id payload
*Mar 14 11:35:59.787: ISAKMP:(1001): speaking to another IOS box!
*Mar 14 11:35:59.787: ISAKMP:(1001): processing vendor id payload
*Mar 14 11:35:59.787: ISAKMP:(1001): vendor ID seems Unity/DPD but major 79 mismatch
*Mar 14 11:35:59.787: ISAKMP:(1001): vendor ID is XAUTH
*Mar 14 11:35:59.787: ISAKMP:received payload type 20
*Mar 14 11:35:59.787: ISAKMP (1001): His hash no match - this node outside NAT
*Mar 14 11:35:59.787: ISAKMP:received payload type 20
*Mar 14 11:35:59.787: ISAKMP (1001): No NAT Found for self or peer
*Mar 14 11:35:59.787: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 14 11:35:59.787: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Mar 14 11:35:59.795: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 14 11:35:59.795: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 14 11:35:59.795: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 14 11:35:59.795: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar 14 11:35:59.807: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 14 11:35:59.807: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 14 11:35:59.807: ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Mar 14 11:35:59.807: ISAKMP:(1001): processing ID payload. message ID = 0
*Mar 14 11:35:59.807: ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 200.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar 14 11:35:59.807: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 14 11:35:59.807: ISAKMP:(1001): processing HASH payload. message ID = 0
*Mar 14 11:35:59.807: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = B6660EB8
*Mar 14 11:35:59.807: ISAKMP:(1001):SA authentication status:
        authenticated
*Mar 14 11:35:59.807: ISAKMP:(1001):SA has been authenticated with 200.1.1.2
*Mar 14 11:35:59.807: ISAKMP:(1001):SA authentication status:
        authenticated
*Mar 14 11:35:59.807: ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 100.1.1.1 remote 200.1.1.2 remote port 500
*Mar 14 11:35:59.807: ISAKMP: Trying to insert a peer 100.1.1.1/200.1.1.2/500/,  and inserted successfully B59F6050.
*Mar 14 11:35:59.807: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 14 11:35:59.807: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Mar 14 11:35:59.807: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 14 11:35:59.807: ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 100.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar 14 11:35:59.807: ISAKMP:(1001):Total payload length: 12
*Mar 14 11:35:59.807: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 14 11:35:59.807: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 14 11:35:59.807: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 14 11:35:59.807: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar 14 11:35:59.807: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 14 11:35:59.807: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar 14 11:35:59.815: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (R) QM_IDLE
*Mar 14 11:35:59.815: ISAKMP: set new node 1182447927 to QM_IDLE
*Mar 14 11:35:59.815: ISAKMP:(1001): processing HASH payload. message ID = 1182447927
*Mar 14 11:35:59.815: ISAKMP:(1001): processing SA payload. message ID = 1182447927
*Mar 14 11:35:59.815: ISAKMP:(1001):Checking IPSec proposal 1
*Mar 14 11:35:59.815: ISAKMP: transform 1, ESP_3DES
*Mar 14 11:35:59.815: ISAKMP:   attributes in transform:
*Mar 14 11:35:59.815: ISAKMP:      encaps is 1 (Tunnel)
*Mar 14 11:35:59.815: ISAKMP:      SA life type in seconds
*Mar 14 11:35:59.815: ISAKMP:      SA life duration (basic) of 3600
*Mar 14 11:35:59.815: ISAKMP:      SA life type in kilobytes
*Mar 14 11:35:59.815: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar 14 11:35:59.815: ISAKMP:      authenticator is HMAC-MD5
*Mar 14 11:35:59.815: ISAKMP:(1001):atts are acceptable.
*Mar 14 11:35:59.815: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 14 11:35:59.815: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 100.1.1.1 remote 200.1.1.2)
*Mar 14 11:35:59.815: ISAKMP: set new node -1089631740 to QM_IDLE
*Mar 14 11:35:59.815: ISAKMP:(1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3057839992, message ID = -1089631740
*Mar 14 11:35:59.815: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 14 11:35:59.815: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 14 11:35:59.815: ISAKMP:(1001):purging node -1089631740
*Mar 14 11:35:59.815: ISAKMP:(1001):deleting node 1182447927 error TRUE reason "QM rejected"
R1#
*Mar 14 11:35:59.815: ISAKMP:(1001):Node 1182447927, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 14 11:35:59.815: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_READY

Below, after the ACL was changed, it came up:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no acc
R1(config)#no access-list 100
R1(config)#access-list 100 PErmit IP any any
R1(config)#end
R1#
R1#debug crypto isakmp
*Mar 14 11:38:28.715: %SYS-5-CONFIG_I: Configured from console by console
R1#conf t               
*Mar 14 11:38:37.419: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (R) QM_IDLE      
*Mar 14 11:38:37.419: ISAKMP: set new node 1659482319 to QM_IDLE      
*Mar 14 11:38:37.419: ISAKMP:(1001): processing HASH payload. message ID = 1659482319
*Mar 14 11:38:37.419: ISAKMP:(1001): processing SA payload. message ID = 1659482319
*Mar 14 11:38:37.419: ISAKMP:(1001):Checking IPSec proposal 1
*Mar 14 11:38:37.419: ISAKMP: transform 1, ESP_3DES
*Mar 14 11:38:37.419: ISAKMP:   attributes in transform:
*Mar 14 11:38:37.419: ISAKMP:      encaps is 1 (Tunnel)
*Mar 14 11:38:37.419: ISAKMP:      SA life type in seconds
*Mar 14 11:38:37.419: ISAKMP:      SA life duration (basic) of 3600
*Mar 14 11:38:37.419: ISAKMP:      SA life type in kilobytes
*Mar 14 11:38:37.419: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar 14 11:38:37.419: ISAKMP:      authenticator is HMAC-MD5
*Mar 14 11:38:37.419: ISAKMP:(1001):atts are acceptable.
*Mar 14 11:38:37.419: ISAKMP:(1001): processing NONCE payload. message ID = 1659482319
*Mar 14 11:38:37.419: ISAKMP:(1001): processing ID payload. message ID = 1659482319
*Mar 14 11:38:37.419: ISAKMP:(1001): processing ID payload. message ID = 1659482319
*Mar 14 11:38:37.419: ISAKMP:(1001):QM Responder gets spi
*Mar 14 11:38:37.419: ISAKMP:(1001):Node 1659482319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 14 11:38:37.419: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Mar 14 11:38:37.419: ISAKMP:(1001): Creating IPSec SAs
*Mar 14 11:38:37.419:         inbound SA from 200.1.1.2 to 100.1.1.1 (f/i)  0/ 0
        (proxy 0.0.0.0 to 0.0.0.0)
*Mar 14 11:38:37.419:         has spi 0x8DC8B4D4 and conn_id 0
*Mar 14 11:38:37.419:         lifetime of 3600 seconds
*Mar 14 11:38:37.419:         lifetime of 4608000 kilobytes
*Mar 14 11:38:37.419:         outbound SA from 100.1.1.1 to 200.1.1.2 (f/i) 0/0
        (proxy 0.0.0.0 to 0.0.0.0)
*Mar 14 11:38:37.419:         has spi  0xDF376392 and conn_id 0
*Mar 14 11:38:37.419:         lifetime of 3600 seconds
*Mar 14 11:38:37.419:         lifetime of 4608000 kilobytes
*Mar 14 11:38:37.419: ISAKMP:(1001): sending packet to 200.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE      
*Mar 14 11:38:37.419: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 14 11:38:37.419: ISAKMP:(1001):Node 1659482319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Mar 14 11:38:37.419: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Mar 14 11:38:37.427: ISAKMP (1001): received packet from 200.1.1.2 dport 500 sport 500 Global (R) QM_IDLE      
R1#conf t
*Mar 14 11:38:37.427: ISAKMP:(1001):deleting node 1659482319 error FALSE reason "QM done (await)"
*Mar 14 11:38:37.427: ISAKMP:(1001):Node 1659482319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 14 11:38:37.427: ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
R1#      
*Mar 14 11:39:27.431: ISAKMP:(1001):purging node 1659482319
R1#
R1#ping 172.16.1.1 so
R1#ping 172.16.1.1 source 192.168.1.1 re
R1#ping 172.16.1.1 source 192.168.1.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/24 ms
R1#
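What the responder is telling you in the first debug: after main mode completes, 200.1.1.2 (router C) opens quick mode with the proxy identities taken from its own crypto ACL entry, local 172.16.1.0/24 and remote 0.0.0.0/0 (that is what `permit ip 172.16.1.0 0.0.0.255 any` proposes). R1 then looks for a crypto map entry whose ACL permits that pair in the mirrored direction, i.e. a remote side covering 172.16.1.0/24 and a local side covering 0.0.0.0/0. Its only entry is local 192.168.1.0/24, remote any, so nothing matches, IOS logs `IPSec policy invalidated proposal with error 32` and `phase 2 SA policy not acceptable`, and it answers with PROPOSAL_NOT_CHOSEN. The reverse direction fails for the same reason. With `permit ip any any` both sides propose and accept 0.0.0.0/0 to 0.0.0.0/0 (the `proxy 0.0.0.0 to 0.0.0.0` in the second debug), and with the specific pair the two ACLs are exact mirror images, which is what a LAN-to-LAN crypto ACL needs. The mirror pair is the one to keep: an any/any crypto ACL makes every packet leaving that interface interesting traffic, not just the two LANs, and it makes the inbound policy check as wide as the proxy identities, so the peer can push traffic from any source through the tunnel.

The script below is an added example written for this thread, not code from the original post or from Cisco. It parses IOS-style access-list lines and replays the quick-mode identity check in both directions. One modelling assumption (also marked in the code): the responder accepts a proposal when the proposed identities fall inside one of its entries read in the mirrored direction; an exact mirror always satisfies that, and the three configurations from the post come out as observed.

```python
"""Replay the IKEv1 quick-mode proxy-identity check for a pair of crypto ACLs.

Added example for this thread; not from the original post. The acceptance
rule is a modelling assumption: a responder accepts the initiator's proposal
(local = src, remote = dst of the initiator's ACL entry) when that pair falls
inside one of the responder's own entries read in the mirrored direction.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


class CryptoAclEntry(NamedTuple):
    src: IPv4Network  # local side, behind this router
    dst: IPv4Network  # remote side, behind the peer


def _take_net(toks: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Consume one IOS address group: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ip_network(f"{toks[1]}/32"), toks[2:]
    addr, wildcard = toks[0], int(IPv4Address(toks[1]))
    if (wildcard + 1) & wildcard:  # a prefix needs a contiguous run of low bits
        raise ValueError(f"discontiguous wildcard not supported: {toks[1]}")
    prefix = 32 - wildcard.bit_length()
    return ip_network(f"{addr}/{prefix}", strict=False), toks[2:]


def parse_crypto_acl(lines: List[str]) -> List[CryptoAclEntry]:
    """Parse 'access-list N permit ip SRC DST' lines. deny lines are skipped:
    in a crypto ACL they only say 'not interesting traffic'."""
    entries = []
    for line in lines:
        toks = line.lower().split()
        if "permit" not in toks:
            continue
        i = toks.index("permit")
        if toks[i + 1] != "ip":
            raise ValueError(f"only 'permit ip' entries are modelled: {line}")
        src, rest = _take_net(toks[i + 2:])
        dst, _ = _take_net(rest)
        entries.append(CryptoAclEntry(src, dst))
    return entries


def responder_accepts(proposal: CryptoAclEntry,
                      responder_acl: List[CryptoAclEntry]) -> Optional[CryptoAclEntry]:
    """Return the responder entry matching the proposal in the mirrored
    direction, or None (the 'phase 2 SA policy not acceptable' case).
    Assumption: containment is enough; an exact mirror is the usual case."""
    for e in responder_acl:
        # initiator's local net must sit inside our remote side, and vice versa
        if proposal.src.subnet_of(e.dst) and proposal.dst.subnet_of(e.src):
            return e
    return None


def check_pair(acl_a: List[str], acl_c: List[str]) -> Dict[str, object]:
    """Let each side initiate with each of its entries; collect rejections."""
    a, c = parse_crypto_acl(acl_a), parse_crypto_acl(acl_c)
    rejected = []
    for initiator, responder, direction in ((a, c, "A->C"), (c, a, "C->A")):
        for e in initiator:
            if responder_accepts(e, responder) is None:
                rejected.append((direction, f"{e.src} -> {e.dst}"))
    return {"ok": not rejected, "rejected": rejected}


# The three configurations from the post: A = 192.168.1.0/24, C = 172.16.1.0/24
CASE_SPECIFIC_TO_ANY = (["access-list 100 permit ip 192.168.1.0 0.0.0.255 any"],
                        ["access-list 100 permit ip 172.16.1.0 0.0.0.255 any"])
CASE_ANY_ANY = (["access-list 100 permit ip any any"],
                ["access-list 100 permit ip any any"])
CASE_MIRROR = (["access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255"],
               ["access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255"])

if __name__ == "__main__":
    for name, (acl_a, acl_c) in (("specific -> any", CASE_SPECIFIC_TO_ANY),
                                 ("any any", CASE_ANY_ANY),
                                 ("mirror image", CASE_MIRROR)):
        r = check_pair(acl_a, acl_c)
        verdict = "phase 2 OK" if r["ok"] else "PROPOSAL_NOT_CHOSEN"
        print(f"{name:16s} {verdict} {r['rejected']}")
```

Run it as-is and the first case reports a rejection in both directions (the `0.0.0.0/0` remote side of each proposal is not contained in the other router's /24 local side), while the any/any and mirror-image cases pass. Feeding it your own two ACLs before you bring a tunnel up is a cheap way to catch this class of mismatch without a debug session.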


Reply #2, posted on 2012-3-20 17:28:54
What an IPsec VPN protects is the two sides' private networks, so the interesting traffic can only be the address ranges of the two private networks; it cannot be written as any. Also, if NAT is configured on the router, you must additionally configure the traffic that bypasses NAT. Once NAT is in place, when the inside network accesses the outside the inside private IP addresses are translated to public addresses, so naturally the other side's inside network cannot be reached. You therefore have to create an exemption rule for traffic crossing the VPN tunnel (i.e. between the private networks) so that it bypasses NAT; in other words, no NAT translation is done when the two private networks talk to each other.

Reply #3 (original poster), posted on 2012-3-20 23:37:10
But with permit ip any any it works, and there is no NAT in between. I looked it up today: there is an issue of ACL overlap in the crypto map. Still looking into it.

Reply #4, posted on 2012-5-10 10:26:32
In a VPN the source and destination addresses of the interesting traffic can only be private-network addresses; any must not appear, otherwise the tunnel cannot be established. I take this to be a mechanism of the VPN: it protects the traffic of the private segments, so it can only match specific segments. That is my understanding.

Reply #5, posted on 2012-7-11 22:25:25
Thanks for sharing.

Reply #6, posted on 2013-8-26 17:30:38
Quoting badboycx, posted on 2012-3-20 23:37:
    But with permit ip any any it works, and there is no NAT in between. I looked it up today: there is an issue of ACL overlap in the crypto map. Still looking into it. ...

Did you ever get to the bottom of this problem? I am running into it too. I do not know whether the problem is on the client side or the server side. The tunnel clearly comes up, but I still cannot ping the inside IP on the server side.

Reply #7, posted on 2015-4-21 16:38:51
I ran into the OP's problem too.

Reply #8, posted on 2017-3-16 14:23:40
This is the system.

Source: 鸿鹄论坛 (HH010.COM), powered by Discuz!