
MSR810-LM 3G + IPsec: establishing an IPsec VPN with a central ASA5520


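The MSR810 3G configuration is complete, and the internal network can reach the Internet normally. I added an IPsec VPN configuration on the 3G interface, but dis ike sa and dis ipsec sa both show no information. I don't know what the problem is; could someone please help clear this up?

The MSR810 OS version is V7.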


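Best answer

The branch originally connected to the headquarters ASA5520 through an ASA5505 using PPPoE + VPDN, and access to resources worked normally. The customer's environment requirements have now changed:

Local device: H3C MSR810-LM

Peer device: Cisco ASA5520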

(spoke)MSR810-LM-- 4G--Internet--Enternet--ASA5520-X(Hub)


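4G can reach the Internet normally.

On the MSR810 itself, after IPsec is configured there is no IPsec encrypted tunnel information, and no IKE phase 1 either.


The key IPsec configuration is as follows:


MSR 810-LM configuration: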

interface Eth-channel1/0:0
 dialer circular enable
 dialer-group 89
 dialer timer autodial 5
 dialer number #777 autodial
 ip address cellular-alloc
 tcp mss 1280
 nat outbound
 apn-profile apply profile69
 ipsec apply policy To_HUB

ipsec transform-set To_HUB
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
#
ipsec policy To_HUB 65534 isakmp
 transform-set To_HUB
 security acl 3000
 remote-address *.*.*.*
 ike-profile To_HUB
 sa duration time-based 3600
 sa duration traffic-based 1843200
#
ike profile To_HUB
 keychain To_HUB
 dpd interval 300 on-demand
 match remote identity address *.*.*.* 255.255.255.255
 proposal 65534
#
ike proposal 65534
 dh group2
 authentication-algorithm md5
#
ike keychain To_HUB
 pre-shared-key address *.*.*.* 255.255.255.255 key cipher $c$3$MvltOMNRgNf/m4Wc/HNhoofc1pC54LcQ1q0=
#

ASA5520 configuration:

crypto ipsec transform-set tso esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map center-sh 20 set transform-set tso
crypto dynamic-map center-sh 20 set security-association lifetime seconds 28800
crypto dynamic-map center-sh 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map center-sh 20 set reverse-route
crypto map shanghai 20 ipsec-isakmp dynamic center-sh
crypto map shanghai interface outside
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp nat-traversal  60
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ****


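A side-by-side check of the proposals in the two configurations posted above, as an added example that is not part of the original post: it normalizes the IKE phase 1 and IPsec phase 2 parameters from each side, reports which ones differ, and flags deprecated algorithms. The function names are hypothetical, the sample strings are constructed from lines in the post, and the H3C default IKE encryption (des-cbc when no encryption-algorithm line is configured) is an assumption about Comware V7 in non-FIPS mode.

```python
import re
# Constructed sample input: IKE/IPsec lines copied from the two configs in the post.
H3C = """\
ipsec transform-set To_HUB
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
ipsec policy To_HUB 65534 isakmp
 sa duration time-based 3600
ike proposal 65534
 dh group2
 authentication-algorithm md5
"""
ASA = """\
crypto ipsec transform-set tso esp-des esp-md5-hmac
crypto dynamic-map center-sh 20 set security-association lifetime seconds 28800
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
"""
WEAK = {"des", "md5", "2"}  # DES, MD5 and 1024-bit DH group 2 are deprecated

def grab(text, pattern, default=None):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default

def parse_h3c(cfg):
    return {
        # Assumption: Comware V7 (non-FIPS) uses des-cbc when the proposal sets none.
        "ike_enc": grab(cfg, r"^ encryption-algorithm (\S+)", "des-cbc").replace("-cbc", ""),
        "ike_hash": grab(cfg, r"^ authentication-algorithm (\S+)"),
        "ike_dh": grab(cfg, r"^ dh group(\d+)"),
        "esp_enc": grab(cfg, r"^ esp encryption-algorithm (\S+)").replace("-cbc", ""),
        "esp_auth": grab(cfg, r"^ esp authentication-algorithm (\S+)"),
        "sa_seconds": grab(cfg, r"^ sa duration time-based (\d+)"),
    }

def parse_asa(cfg):
    ts = re.search(r"^crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cfg, re.M)
    return {
        "ike_enc": grab(cfg, r"^isakmp policy \d+ encryption (\S+)"),
        "ike_hash": grab(cfg, r"^isakmp policy \d+ hash (\S+)"),
        "ike_dh": grab(cfg, r"^isakmp policy \d+ group (\d+)"),
        "esp_enc": ts.group(1), "esp_auth": ts.group(2),
        "sa_seconds": grab(cfg, r"^crypto dynamic-map .* lifetime seconds (\d+)"),
    }

def compare(local, peer):
    mismatch = {k: (local[k], peer[k]) for k in local if local[k] != peer[k]}
    weak = sorted(k for k, v in local.items() if k != "sa_seconds" and v in WEAK)
    return mismatch, weak
```

On these samples, `compare(parse_h3c(H3C), parse_asa(ASA))` reports the IPsec SA lifetime (3600 vs 28800 seconds) as the only differing parameter, and every algorithm field on the H3C side lands in the deprecated set.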

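Hello, this requires looking at the specific configuration and network topology. What device is the peer? Could you post the key configuration of both devices?

After configuring IPsec, is there any traffic that triggers IPsec?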
