Topology:
R1 (1.1.12.1) -- (1.1.12.2) PIX2 (1.1.23.2) ---- (1.1.23.3) PIX3 (1.1.34.3) -- (1.1.34.4) R4
r1#sh run int e0/0
interface Ethernet0/0
ip address 1.1.12.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.12.2
pix2:
interface Ethernet0
nameif inside
security-level 100
ip address 1.1.12.2 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 1.1.23.2 255.255.255.0
access-list out extended permit ip any any
access-list 100 extended permit ip host 1.1.12.1 host 1.1.34.4
access-group out in interface outside
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 1.1.23.3
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.23.3 type ipsec-l2l
tunnel-group 1.1.23.3 ipsec-attributes
pre-shared-key *
route outside 0.0.0.0 0.0.0.0 1.1.23.3 1
pix3:
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.23.3 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 1.1.34.3 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.23.2 1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 1.1.23.2
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.23.2 type ipsec-l2l
tunnel-group 1.1.23.2 ipsec-attributes
pre-shared-key *
access-list out extended permit ip any any
access-list 100 extended permit ip host 1.1.34.4 host 1.1.12.1
access-group out in interface outside
R4:
interface Ethernet0/0
ip address 1.1.34.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.34.3
When R1 pings R4: pix2 stays stuck at the 2nd packet of phase 1; on pix3 there is no encryption and no decryption, it only denies udp 500, even though on pix3 I put permit ip any any.
pix2(config)#
%PIX-7-609001: Built local-host inside:1.1.12.1
%PIX-7-609001: Built local-host outside:1.1.34.4
%PIX-7-609002: Teardown local-host inside:1.1.12.1 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:1.1.34.4 duration 0:00:00
%PIX-7-715077: Pitcher: received a key acquire message, spi 0x0
%PIX-5-713041: IP = 1.1.23.3, IKE Initiator: New Phase 1, Intf 1, IKE Peer 1.1.23.3 local Proxy Address 1.1.12.1, remote Proxy Address 1.1.34.4, Crypto map (cisco)
%PIX-7-715046: IP = 1.1.23.3, constructing ISAKMP SA payload
%PIX-7-715046: IP = 1.1.23.3, constructing Fragmentation VID + extended capabilities payload
%PIX-7-713236: IP = 1.1.23.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%PIX-7-609001: Built local-host inside:1.1.12.1
%PIX-7-609001: Built local-host outside:1.1.34.4
%PIX-7-609002: Teardown local-host inside:1.1.12.1 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:1.1.34.4 duration 0:00:00
%PIX-7-609001: Built local-host inside:1.1.12.1
%PIX-7-609001: Built local-host outside:1.1.34.4
%PIX-7-609002: Teardown local-host inside:1.1.12.1 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:1.1.34.4 duration 0:00:00
%PIX-7-609001: Built local-host inside:1.1.12.1
%PIX-7-609001: Built local-host outside:1.1.34.4
%PIX-7-609002: Teardown local-host inside:1.1.12.1 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:1.1.34.4 duration 0:00:00
%PIX-7-609001: Built local-host inside:1.1.12.1
%PIX-7-609001: Built local-host outside:1.1.34.4
%PIX-7-609002: Teardown local-host inside:1.1.12.1 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:1.1.34.4 duration 0:00:00
%PIX-7-713236: IP = 1.1.23.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
pix2(config)# sh cry
pix2(config)# sh crypto is
pix2(config)# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.23.3
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
pix2(config)# %PIX-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
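An added example, not from the post or from Cisco: a small Python cross-check of the two firewall configs above. It parses the tunnel-relevant lines (outside interface address, crypto ACL, transform-set, crypto map, `crypto isakmp enable`, ISAKMP policy) and reports the usual reasons an initiator sits in MM_WAIT_MSG2, i.e. never gets main-mode message 2 back: ISAKMP not enabled on the interface that carries the crypto map, peer address not matching the other side's outside address, non-mirrored crypto ACLs, differing transform-sets, or no common phase 1 proposal. The sample strings are the pix2/pix3 lines from the post trimmed to what the checker reads; the parser assumes one crypto map entry per box and `host`/`any` ACL address forms, which is all the post uses.

```python
from collections import defaultdict

# Constructed sample input: tunnel-relevant lines of pix2 and pix3 as posted above.
PIX2_CONF = """
nameif outside
ip address 1.1.23.2 255.255.255.0
access-list 100 extended permit ip host 1.1.12.1 host 1.1.34.4
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 1.1.23.3
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
"""
PIX3_CONF = """
nameif outside
ip address 1.1.23.3 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 1.1.23.2
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
access-list 100 extended permit ip host 1.1.34.4 host 1.1.12.1
"""
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_pix(conf):
    # Extract only what a site-to-site IPsec tunnel depends on (hypothetical helper).
    cfg = {"if_ip": {}, "acl": defaultdict(list), "ts": {}, "cmap": defaultdict(dict),
           "cmap_if": {}, "isakmp_if": set(), "policy": defaultdict(dict)}
    nameif = policy = None
    for raw in conf.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if policy is not None and t[0] in POLICY_KEYS:   # attribute of the current policy
            cfg["policy"][policy][t[0]] = t[1]
            continue
        policy = None                                    # any other line ends the policy block
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["if_ip"][nameif] = t[2]
        elif t[0] == "access-list" and "permit" in t:
            rest = [x for x in t[t.index("permit") + 1:] if x != "host"]  # host/any forms only
            cfg["acl"][t[1]].append(tuple(rest[:3]))     # (proto, src, dst)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["cmap_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            cfg["cmap"][(t[2], t[3])][t[5]] = t[6]       # key is 'address', 'peer' or 'transform-set'
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_if"].add(t[3])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]
    return cfg

def _tunnel(cfg):
    # (interface carrying the map, its IP, the map entry); assumes one entry as in the post.
    (name, _), entry = next(iter(cfg["cmap"].items()))
    iface = cfg["cmap_if"].get(name)
    return iface, cfg["if_ip"].get(iface), entry

def check_l2l(a, a_name, b, b_name):
    # Returns a list of findings; an empty list means both ends agree on the tunnel.
    findings = []
    for (me, me_name), (peer, peer_name) in (((a, a_name), (b, b_name)), ((b, b_name), (a, a_name))):
        iface, _, e = _tunnel(me)
        p_iface, p_ip, _ = _tunnel(peer)
        if iface not in me["isakmp_if"]:   # IKE is not listening, so the peer's UDP/500 is dropped
            findings.append(f"{me_name}: crypto map is on '{iface}' but 'crypto isakmp enable {iface}' is missing")
        if e.get("peer") != p_ip:
            findings.append(f"{me_name}: set peer {e.get('peer')} != {peer_name} {p_iface} address {p_ip}")
    _, _, ea = _tunnel(a)
    _, _, eb = _tunnel(b)
    if a["ts"].get(ea.get("transform-set")) != b["ts"].get(eb.get("transform-set")):
        findings.append("phase 2 transform-sets differ")
    mirror = {(p, d, s) for p, s, d in b["acl"].get(eb.get("address"), [])}  # swap src/dst
    if set(a["acl"].get(ea.get("address"), [])) != mirror:
        findings.append(f"crypto ACLs {a_name}:{ea.get('address')} and {b_name}:{eb.get('address')} are not mirror images")
    props = [{tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group")) for p in c["policy"].values()} for c in (a, b)]
    if not props[0] & props[1]:
        findings.append("no ISAKMP policy with a common authentication/encryption/hash/group")
    return findings

if __name__ == "__main__":
    print("\n".join(check_l2l(parse_pix(PIX2_CONF), "pix2", parse_pix(PIX3_CONF), "pix3") or ["no mismatch found"]))
```

Run against the posted configs the checker reports a single finding for pix3; appending `crypto isakmp enable outside` to the pix3 sample makes the list empty, and changing one policy attribute on either side produces the "no ISAKMP policy" finding instead, which is the other phase 1 failure worth ruling out before looking at phase 2 parameters.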