
[Help] A question for the experts: a point-to-point IPsec problem.

Posted on 2017-1-5 12:27:09

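Due to special circumstances, I must build the IPsec tunnel between R1's 192.168.1.1 and R2's 1.1.1.1, and 1.1.1.1 can only be placed on a Loopback interface. The IPsec-encrypted subnets are 172.16.1.0/24 <> 172.16.2.0/24. Could the experts please tell me how to make R4 reach R3?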

Topology.png

R1#wr
Building configuration...
[OK]
R1#sh star
R1#sh startup-config
Using 1272 out of 260088 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
ip cef
no ip domain lookup
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key both-win address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address vpn
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map mymap
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip route 1.1.1.1 255.255.255.255 192.168.1.2
ip route 172.16.2.0 255.255.255.0 FastEthernet0/0
ip access-list extended vpn
permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
no cdp log mismatch duplex
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end


R2#sh startup-config
Using 1436 out of 260088 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
logging buffered 4096 debugging
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
ip cef
no ip domain lookup
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key both-win address 192.168.1.1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set myset
match address vpn
interface Loopback0
ip address 1.1.1.1 255.255.255.255
crypto map mymap
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet1/0
ip address 172.16.2.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip route 172.16.1.0 255.255.255.0 Loopback0
ip access-list extended vpn
permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
no cdp log mismatch duplex
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end


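ESP packets captured at capture point A:
Capture 1.png

ICMP packets captured at capture point B:
Capture 2.png

R3 and R4 are only configured with IP addresses, plus default routes pointing to R1 and R2 respectively.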
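
One common way to meet this requirement on IOS, shown as an added example that is not part of the original post: keep 1.1.1.1 on Loopback0, bind the crypto map to the physical interface, and use `crypto map ... local-address` so that IKE and ESP are sourced from the loopback. It assumes the topology and names in the R2 configuration above; R1 stays unchanged.

```cisco
! R2, before: crypto map on the loopback, protected traffic routed into it
!   interface Loopback0
!    crypto map mymap
!   ip route 172.16.1.0 255.255.255.0 Loopback0
!
! R2, after: the loopback supplies only the tunnel's local identity
crypto map mymap local-address Loopback0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 no crypto map mymap
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map mymap
!
! Return traffic must leave through the interface that carries the crypto map
no ip route 172.16.1.0 255.255.255.0 Loopback0
ip route 172.16.1.0 255.255.255.0 192.168.1.1
```

After applying it, `show crypto ipsec sa` on R2 should list 1.1.1.1 as the local crypto endpoint, with the encaps and decaps counters both increasing during a ping from R4 to R3.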
