鸿鹄论坛

Does IPSec need any special configuration when crossing network segments? Why doesn't my configuration work?

Posted on 2013-1-9 10:18:47
[Attached image: 捕获.PNG]
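I'm using the Dingjie (鼎杰) simulator.
IPSec runs between RT2 and RT3; e0/1/0 on R1 and R4 simulates the internal networks.
Pinging from the internal address, every address in the network is reachable except the peer's internal network.
All the IPs are advertised with RIP v2.
Why can't the internal networks ping each other? Could the experts here please help?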



R3 configuration

version 5.20, Alpha 1011
#
sysname wai
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 10
#
ike peer wode
pre-shared-key cipher XgybmeVxnUk=
remote-address 1.1.34.3
#
ipsec proposal nide
esp authentication-algorithm sha1
#
ipsec policy tade 10 isakmp
security acl 3003
ike-peer wode
proposal nide
#
interface Ethernet0/1/0
port link-mode route
#
interface Serial0/2/0
link-protocol ppp
ip address 1.1.34.4 255.255.255.0
#
interface Serial0/2/1
link-protocol ppp
#               
interface Serial0/2/2
link-protocol ppp
ip address 1.1.45.4 255.255.255.0
#
interface Serial0/2/3
link-protocol ppp
#
interface NULL0
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface Tunnel1
ip address 1.1.1.2 255.255.255.0
source 1.1.34.4
destination 1.1.34.3
keepalive 10 3
#
rip 1
undo summary
version 2
network 1.0.0.0
#
ip route-static 10.2.2.0 255.255.255.0 Tunnel1 preference 55
#               
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return

R2 configuration


version 5.20, Alpha 1011
#
sysname wqi
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 10
#
ike peer wode
pre-shared-key cipher XgybmeVxnUk=
remote-address 1.1.34.4
#
ipsec proposal nide
esp authentication-algorithm sha1
#
ipsec policy tade 10 isakmp
security acl 3003
ike-peer wode
proposal nide
#
acl number 3003
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
interface Ethernet0/1/0
port link-mode route
#
interface Serial0/2/0
link-protocol ppp
ip address 1.1.23.3 255.255.255.0
#               
interface Serial0/2/1
link-protocol ppp
#
interface Serial0/2/2
link-protocol ppp
ip address 1.1.34.3 255.255.255.0
#
interface NULL0
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface Tunnel1
ip address 1.1.1.1 255.255.255.0
source 1.1.34.3
destination 1.1.34.4
keepalive 10 3
#
rip 1
undo summary
version 2
network 1.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel1
#               
load xml-configuration
#
user-interface con 0
user-interface vty 0 4



                               
Posted on 2013-1-9 10:42:31
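I don't see an ACL on R3, and your IPsec policy isn't applied to an interface.

What you want to build is GRE over IPsec, so your interesting traffic shouldn't be defined this way; it should be defined with the GRE addresses of the interfaces. The way you have it can only give you L2L. Apply it to the interface and the ping will go through.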
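The three points in the reply above (no ACL on R3, the policy not applied to an interface, interesting traffic that should be the GRE endpoints) written as an offline check over a Comware-style configuration. This is an added example, not part of the thread: `audit`, `R3_ADDED` and the finding strings are hypothetical, and the added ACL and interface lines are constructed and assume Comware 5 syntax.

```python
import re

# Trimmed excerpt of the R3 configuration posted above.
R3_POSTED = """\
ipsec policy tade 10 isakmp
security acl 3003
#
interface Serial0/2/0
ip address 1.1.34.4 255.255.255.0
#
interface Tunnel1
source 1.1.34.4
destination 1.1.34.3
"""
# Constructed lines following the reply's advice (assumed Comware 5 syntax).
R3_ADDED = """\
#
acl number 3003
rule 0 permit gre source 1.1.34.4 0 destination 1.1.34.3 0
#
interface Serial0/2/0
ipsec policy tade
"""
GRE_RULE = re.compile(r"rule \d+ permit gre source (\S+) 0 destination (\S+) 0$")

def audit(config):
    """Return findings for every IPsec policy in a '#'-separated config."""
    secs = [[l.strip() for l in s.strip().splitlines()]
            for s in re.split(r"(?m)^#[ \t]*$", config) if s.strip()]
    acls = {s[0].split()[2]: s[1:] for s in secs if s[0].startswith("acl number ")}
    ifaces = [s for s in secs if s[0].startswith("interface ")]
    # (source, destination) of each tunnel interface: the GRE outer addresses
    gre = set()
    for s in ifaces:
        kv = dict(l.split(None, 1) for l in s[1:]
                  if l.startswith(("source ", "destination ")))
        if len(kv) == 2:
            gre.add((kv["source"], kv["destination"]))
    findings = []
    for name, body in ((m.group(1), s[1:]) for s in secs
                       if (m := re.match(r"ipsec policy (\S+) \d+ isakmp$", s[0]))):
        if not any(f"ipsec policy {name}" in i[1:] for i in ifaces):
            findings.append(f"{name}: not applied to any interface")
        for num in (l.split()[2] for l in body if l.startswith("security acl ")):
            if num not in acls:
                findings.append(f"{name}: acl {num} is not defined")
            elif not any((g := GRE_RULE.match(r)) and g.groups() in gre
                         for r in acls[num]):
                findings.append(f"{name}: acl {num} has no GRE rule for the tunnel endpoints")
    return findings
```

`audit(R3_POSTED)` reports the two gaps the reply names for R3, and `audit(R3_POSTED + R3_ADDED)` returns an empty list.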

Posted on 2013-1-9 10:43:35
Nice, nice. Bumping this in support.