I'm simulating a site-to-site VPN configuration in Packet Tracer and it isn't working; please help me see what the reason is...
ASA1 configuration is as follows:
ASA Version 9.6(1)
!
hostname a7
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.32.1 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
nameif inside
security-level 100
ip address 20.20.20.254 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
!
route outside 0.0.0.0 0.0.0.0 192.168.32.254 1
!
access-list 100 extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
policy-map icmp_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 192.168.1.1
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
hash md5
authentication pre-share
group 2
lifetime 19200
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
——————————————————————————————————————————————
ASA2 configuration is as follows:
ASA Version 9.6(1)
!
hostname a5
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
!
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
policy-map icmp_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 192.168.32.1
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
hash md5
authentication pre-share
group 2
lifetime 19200
!
tunnel-group 192.168.32.1 type ipsec-l2l
tunnel-group 192.168.32.1 ipsec-attributes
ikev1 pre-shared-key cisco
!
——————————————————————————————————————————————
The firewalls can ping each other; the checks are as follows:
a5#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.32.1
Type : L2L Role : Initiator
Rekey : no State : QM_IDLE
There are no IKEv2 SAs
——————————————————————————————————————————————————————————————
a5#show crypto ipsec sa
interface: outside
Crypto map tag: mymap, seq num: 1, local addr 192.168.1.1
permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 192.168.32.1
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1/0, remote crypto endpt.:192.168.32.1/0
path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
current outbound spi: 0x55A272E7(1436709607)
current inbound spi: 0x55BE9B04(1436709607)
inbound esp sas:
spi: 0x55BE9B04(1438554884)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2007, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3547)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x55A272E7(1436709607)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2008, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3547)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x00000001
————————————————————————————————————————————————————————————————
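The following checker is an added example (not part of the post, and not Cisco tooling). It reads the VPN-relevant lines of the two configurations above and the `show crypto ipsec sa` counters from a5, and reports the asymmetries a reviewer looks for first: peers that do not point at each other's outside address, crypto ACLs that are not mirror images, differing transform sets, IKEv1 policy values or pre-shared keys, and an encaps/decaps imbalance. On the posted data the two configs come out symmetric, while the a5 counters (8 encapsulated, 0 decapsulated, 1 send error) show that a5 is encrypting traffic toward a7 but nothing encrypted is arriving back, which narrows the search to the return path rather than to Phase 1/Phase 2 negotiation. The regular expressions assume the indented ASA running-config layout; the weak-setting list (hash md5, DH group 2) is hardening advice, not a cause of the failure.

```python
"""Symmetry and traffic-counter checks for a pair of ASA IKEv1 L2L peers.
Added example, not part of the post. The inputs below are excerpts of the two
configs and the 'show crypto ipsec sa' output posted above, trimmed to the
lines the checker reads (leading spaces mark the indented sub-commands)."""
import re

ASA1 = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.32.1 255.255.255.0
access-list 100 extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 192.168.1.1
crypto map mymap 1 set ikev1 transform-set myset
crypto ikev1 policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 19200
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
"""
ASA2 = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 192.168.32.1
crypto map mymap 1 set ikev1 transform-set myset
crypto ikev1 policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 19200
tunnel-group 192.168.32.1 ipsec-attributes
 ikev1 pre-shared-key cisco
"""
SHOW_IPSEC_A5 = """
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1, #recv errors 0
"""

# IKEv1 policy values widely regarded as weak (advisory only)
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def parse_asa(cfg):
    """Extract the fields that must agree between two L2L peers from one config."""
    find = lambda pat: re.search(pat, cfg)
    acl_name = find(r"crypto map \S+ \d+ match address (\S+)").group(1)
    ts_name = find(r"set ikev1 transform-set (\S+)").group(1)
    policy = find(r"crypto ikev1 policy \d+\n((?: .+\n)+)").group(1)
    return {
        "outside_ip": find(r"nameif outside\s+security-level \d+\s+ip address (\S+)").group(1),
        "peer": find(r"set peer (\S+)").group(1),
        # crypto ACL entries as (src, src_mask, dst, dst_mask), only for the ACL the map uses
        "acl": re.findall(r"access-list %s extended permit ip (\S+) (\S+) (\S+) (\S+)"
                          % re.escape(acl_name), cfg),
        "transform": tuple(find(r"crypto ipsec ikev1 transform-set %s (.+)"
                                % re.escape(ts_name)).group(1).split()),
        "ike": dict(l.split(None, 1) for l in policy.strip().splitlines()),
        # pre-shared key keyed by the tunnel-group name (the peer address for L2L)
        "psk": dict(re.findall(r"tunnel-group (\S+) ipsec-attributes\s+ikev1 pre-shared-key (\S+)", cfg)),
    }


def check_pair(a, b, names=("A", "B")):
    """Return mismatch findings between two parsed peers; an empty list means symmetric."""
    na, nb, f = names[0], names[1], []
    if a["peer"] != b["outside_ip"]:
        f.append(f"{na} peers with {a['peer']} but {nb} outside address is {b['outside_ip']}")
    if b["peer"] != a["outside_ip"]:
        f.append(f"{nb} peers with {b['peer']} but {na} outside address is {a['outside_ip']}")
    # each side's ACL must be the other side's with source and destination swapped
    if set(a["acl"]) != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}:
        f.append("crypto ACLs are not mirror images")
    if a["transform"] != b["transform"]:
        f.append("IPsec transform sets differ")
    for k in ("encr", "hash", "authentication", "group"):
        if a["ike"].get(k) != b["ike"].get(k):
            f.append(f"IKEv1 policy '{k}' differs")
    if a["peer"] not in a["psk"] or b["peer"] not in b["psk"]:
        f.append("tunnel-group missing for configured peer")
    if a["psk"].get(a["peer"]) != b["psk"].get(b["peer"]):
        f.append("pre-shared keys differ")
    return f


def weak_ike_settings(ike):
    """Hardening advice: IKEv1 policy values in WEAK_IKE, as 'key value' strings."""
    return [f"{k} {ike[k]}" for k in ("encr", "hash", "group") if ike.get(k) in WEAK_IKE[k]]


def parse_counters(show):
    """Pull encaps/decaps/send-error counters out of 'show crypto ipsec sa' text."""
    c = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", show)}
    c["send_errors"] = int(re.search(r"#send errors (\d+)", show).group(1))
    return c


def traffic_findings(c):
    """Describe one-way traffic and send errors; empty list means counters look healthy."""
    f = []
    if c["encaps"] > 0 and c["decaps"] == 0:
        f.append(f"one-way: {c['encaps']} packets encapsulated, none decapsulated "
                 "(no encrypted return traffic reaches this side)")
    if c["send_errors"]:
        f.append(f"{c['send_errors']} send error(s)")
    return f


if __name__ == "__main__":
    a7, a5 = parse_asa(ASA1), parse_asa(ASA2)
    for line in check_pair(a7, a5, ("a7", "a5")) or ["configs are symmetric"]:
        print("config:", line)
    for line in weak_ike_settings(a7["ike"]):
        print("hardening:", line)
    for line in traffic_findings(parse_counters(SHOW_IPSEC_A5)):
        print("a5 counters:", line)
```

Because the script only sees the crypto-relevant lines, it cannot tell which hop drops the return traffic; use it to rule out the symmetric-config class of faults first, then look at routing and the peer's own encaps/decaps counters.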