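I'm using DY to build a site-to-site VPN between the endpoints, but the ISAKMP SA just won't come up no matter what. The topology is as shown above, and the configurations and show output are below. Could the experts here take a look and see what the cause is? Thanks in advance.
R1 configuration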
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 120
crypto isakmp key 123 address 1.1.1.2
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set ccnp esp-3des esp-md5-hmac
!
crypto map ccna 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set ccnp
match address 100
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
half-duplex
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
serial restart-delay 0
clockrate 9600
crypto map ccna
!
ip route 172.16.1.0 255.255.255.0 1.1.1.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R2 configuration
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 120
crypto isakmp key 123 address 1.1.1.1
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set ccnp1 esp-3des esp-md5-hmac
!
crypto map ccna1 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set ccnp1
match address 100
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
half-duplex
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.0
serial restart-delay 0
crypto map ccna1
ip route 192.168.1.0 255.255.255.0 1.1.1.1
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
R0 configuration
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
half-duplex
R3 configuration
interface Ethernet0/0
ip address 172.16.1.2 255.255.255.0
Results
R1#sh crypto isakmp sa
dst src state conn-id slot
R1r#sh cry ipsec sa
interface: Serial1/0
Crypto map tag: ccna, local addr. 1.1.1.1
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Results
R2#sh crypto isa sa
dst src state conn-id slot
R2#sh crypto ipsec sa
interface: Serial1/0
Crypto map tag: ccna1, local addr. 1.1.1.2
protected vrf:
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas: