
[Help] Confused about Redun VPN+ASA

Posted on 2014-3-29 13:07:56
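While working on my graduation project I ran into the following problem. R2 establishes a VPN with the internal server 172.16.20.1, where R3 and R4 provide redundant VPN hot standby (standby ip 192.168.70.3), and 192.168.70.3 is statically mapped to 202.96.1.3 on the firewall. When I run ping 172.16.20.1 source 10.10.10.10 on R2, R2 stays in the mm_exec state. The configuration is as follows: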
R3:
crypto keyring L2Lkey
  pre-shared-key address 202.96.2.2 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp keepalive 10 periodic
!
crypto isakmp profile 10
   keyring L2Lkey
   match identity address 202.96.2.2 255.255.255.255
!
crypto ipsec transform-set IKE esp-des esp-md5-hmac
!
crypto map VPN_Redun 10 ipsec-isakmp
set peer 202.96.2.2
set transform-set IKE
set isakmp-profile 10
match address Redun
!
interface FastEthernet0/0
ip address 192.168.70.1 255.255.255.0
standby 70 ip 192.168.70.3
standby 70 priority 110
standby 70 preempt
standby 70 name VPN
crypto map VPN_Redun redundancy VPN
!
router ospf 110
router-id 1.1.1.1
network 192.168.70.1 0.0.0.0 area 0
!
ip access-list extended Redun
permit ip host 172.16.20.1 10.10.10.0 0.0.0.255

R4:
crypto keyring L2Lkey
  pre-shared-key address 202.96.2.2 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp keepalive 10 periodic
crypto isakmp profile 10
   keyring L2Lkey
   match identity address 202.96.2.2 255.255.255.255
!
crypto ipsec transform-set IKE esp-des esp-md5-hmac
!
crypto map VPN_Redun 10 ipsec-isakmp
set peer 202.96.2.2
set transform-set IKE
set isakmp-profile 10
match address Redun
!
interface FastEthernet0/0
ip address 192.168.70.2 255.255.255.0
standby 70 ip 192.168.70.3
standby 70 preempt
standby 70 name VPN
crypto map VPN_Redun redundancy VPN
!      
router ospf 110
router-id 2.2.2.2
network 192.168.70.2 0.0.0.0 area 0
!
ip access-list extended Redun
permit ip host 172.16.20.1 10.10.10.0 0.0.0.255

PIX:
interface Ethernet0
nameif Outside
security-level 0
ip address 202.96.1.1 255.255.255.0
!
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.70.254 255.255.255.0
!
interface Ethernet1.200
vlan 200
nameif DMZ
security-level 50
ip address 172.16.20.254 255.255.255.0
!
static (DMZ,Outside) tcp 202.96.1.200 8080 172.16.20.1 tcp 100 50
static (Inside,Outside) 202.96.1.3 192.168.70.3
!
access-list Out_acl extended permit tcp any host 202.96.1.200 eq 8080
access-list Out_acl extended permit udp host 202.96.2.2 host 202.96.1.3 eq isakmp
access-list Out_acl extended permit esp host 202.96.2.2 host 202.96.1.3
access-group Out_acl in interface Outside
!
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
!
router ospf 110
router-id 3.3.3.3
network 172.16.20.254 255.255.255.255 area 0
network 192.168.70.254 255.255.255.255 area 0
default-information originate always
!

R1:
interface FastEthernet0/0
ip address 202.96.1.2 255.255.255.0
!
interface FastEthernet0/1
ip address 202.96.2.1 255.255.255.0

R2:
crypto keyring L2Lkey
  pre-shared-key address 202.96.1.3 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp keepalive 10 periodic
crypto isakmp profile 10
   keyring L2Lkey
   match identity address 202.96.1.3 255.255.255.255
!
crypto ipsec transform-set IKE esp-des esp-md5-hmac
!
crypto map VPN_to_Center 10 ipsec-isakmp
set peer 202.96.1.3
set transform-set IKE
set isakmp-profile 10
match address to_Center
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
ip address 202.96.2.2 255.255.255.0
crypto map VPN_to_Center
!         
ip route 0.0.0.0 0.0.0.0 202.96.2.1
!
ip access-list extended to_Center
permit ip 10.10.10.0 0.0.0.255 host 172.16.20.1
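
A check a reviewer can run on the configuration above, as an added example that is not part of the original post: because 192.168.70.3 is statically translated to 202.96.1.3, IKE NAT traversal (RFC 3947) moves the negotiation to UDP 4500 once NAT is detected, so the script reports peers that Out_acl admits on UDP 500 but not on UDP 4500, and it also flags the DES and MD5 transforms. The function names are hypothetical, and the script assumes NAT-T is enabled on the routers.

```python
import re

# Constructed input: lines copied from the PIX and R3 configurations in the post.
PIX_CONFIG = """\
static (DMZ,Outside) tcp 202.96.1.200 8080 172.16.20.1 tcp 100 50
static (Inside,Outside) 202.96.1.3 192.168.70.3
access-list Out_acl extended permit tcp any host 202.96.1.200 eq 8080
access-list Out_acl extended permit udp host 202.96.2.2 host 202.96.1.3 eq isakmp
access-list Out_acl extended permit esp host 202.96.2.2 host 202.96.1.3
"""
ROUTER_CONFIG = "crypto ipsec transform-set IKE esp-des esp-md5-hmac\n"

IP = r"(\d+\.\d+\.\d+\.\d+)"
# One-to-one static NAT only; port-mapped statics ("static (...) tcp ...") do not match.
STATIC_RE = re.compile(rf"^static \(\w+,\w+\) {IP} {IP}\s*$", re.M)
# Host-to-host permit entries, with an optional destination port.
ACL_RE = re.compile(
    rf"^access-list \S+ extended permit (\w+) host {IP} host {IP}(?: eq (\S+))?\s*$", re.M)
WEAK = {"esp-des": "56-bit DES encryption", "esp-md5-hmac": "HMAC-MD5 integrity"}


def audit_natted_ike(pix_config):
    """Flag peers allowed to reach a statically NATed address on UDP 500 but not UDP 4500."""
    permits = ACL_RE.findall(pix_config)  # (protocol, source, destination, port)

    def sources(mapped, ports):
        return {s for proto, s, d, port in permits
                if proto == "udp" and d == mapped and port in ports}

    findings = []
    for mapped, real in STATIC_RE.findall(pix_config):
        missing = sources(mapped, {"isakmp", "500"}) - sources(mapped, {"4500"})
        for peer in sorted(missing):
            findings.append(f"{peer} -> {mapped} (real {real}): "
                            "udp/500 permitted, udp/4500 (NAT-T) not permitted")
    return findings


def audit_transforms(router_config):
    """Flag transform-sets that use DES or MD5."""
    findings = []
    pattern = r"^crypto ipsec transform-set (\S+) (.+)$"
    for name, transforms in re.findall(pattern, router_config, re.M):
        findings += [f"transform-set {name}: {t} is {WEAK[t]}"
                     for t in transforms.split() if t in WEAK]
    return findings


if __name__ == "__main__":
    for line in audit_natted_ike(PIX_CONFIG) + audit_transforms(ROUTER_CONFIG):
        print(line)
```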












