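执笔画卿颜, IPsec VPN side-attached deployment
Problem description:
The remote branch obtains its IP address dynamically, and its IPsec VPN configuration is already in place.
On the local end a router acts as the VPN device, and the router is side-attached to the core switch. The egress is a firewall, and the fixed IP is configured on the firewall. The VPN is also configured on the router. The firewall also maps UDP ports 500 and 4500 to the router. The VPN does not come up; there is not even an IKE SA. Is there a problem somewhere on my side? The configurations look the same.
A mapping for the router is configured on the firewall; the mapped address is the router's address, with port numbers 500 and 4500.
Headquarters: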
acl advanced 3003
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des-cbc
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha
 authentication-method pre-share
#
ike keychain key1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
 keychain key1
 match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
 transform-set tran1
 ike-profile ike1
 security acl 3003
#
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
interface gigabitethernet 1/0/1
 ipsec apply policy policy1
#
Branch:
acl advanced 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des-cbc
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha
 authentication-method pre-share
#
ike keychain key1
 pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
 dpd interval 5 periodic
 keychain key1
 match remote identity address 1.1.1.1 255.255.255.0
 dpd interval 5 periodic
#
ipsec policy policy1 10 isakmp
 transform-set tran1
 ike-profile ike1
 security acl 3001
 remote-address 1.1.1.1
#
interface eth-channel 1/0:0
 ipsec apply policy policy1
#
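Network topology and description:
Is the interesting traffic being steered to the VPN device?
Answered 3 hours ago
dis ike sa shows no information at all. Is that related to the interesting traffic? I don't really understand.
执笔画卿颜: Yes, it is.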