Question about a VRF-aware IPsec VPN
This post was last edited by jin544642965 on 2014-1-14 20:54. The test topology is as follows:
ASR1 simulates the VPN router and ASR2 simulates the enterprise router peering with the VPN; 10.255.0.0/28 is used as the Internet segment.
On the ASR, interface Lo0 is brought up and placed in a VRF, VIP3112;
Lo0 is also brought up on the ASR to simulate interesting traffic for testing;
Current test results:
When Lo0 on ASR 1 is placed in VIP3112, the IPsec VPN comes up, but pings of the interesting traffic fail; I found that only the packets from the initiating site are encrypted and encapsulated, and the remote site can decrypt them, but there is no return packet;
When Lo0 on ASR 1 is moved back to the global table, the IPsec VPN comes up and the interesting-traffic pings succeed;
Configuration:
ASR1006-1#
!
! VRF that holds the protected (inside) network
ip vrf VIP3112
 rd 112:1
 route-target export 112:1
 route-target import 112:1
!
! IKE phase 1: pre-shared key for the peer, policy (no group line: IOS default is group 1), keepalives
crypto keyring vpn3112
 pre-shared-key address 10.255.0.4 key cisco
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp keepalive 20
!
! ISAKMP profile: "vrf VIP3112" is the inside VRF into which decrypted traffic is placed
crypto isakmp profile vpn3112
 vrf VIP3112
 keyring vpn3112
 match identity address 10.255.0.4 255.255.255.255
!
! IKE phase 2 transform set and the crypto map that ties peer, transforms, profile and ACL together
crypto ipsec transform-set zuoyb esp-des esp-md5-hmac
 mode tunnel
crypto map zuoyb 10 ipsec-isakmp
 set peer 10.255.0.4
 set transform-set zuoyb
 set isakmp-profile vpn3112
 match address 112
!
! Lo0 (inside network) in the VRF; the crypto map is applied on the global-table WAN interface
interface Loopback0
 ip vrf forwarding VIP3112
 ip address 10.100.241.100 255.255.255.0
interface TenGigabitEthernet1/2/0
 ip address 10.255.0.1 255.255.255.240
 cdp enable
 crypto map zuoyb
!
! Global default route, and a VRF default route whose next hop is resolved in the global table
ip route 0.0.0.0 0.0.0.0 10.255.0.4 100 name test-vpn
ip route vrf VIP3112 0.0.0.0 0.0.0.0 10.255.0.4 global
!
! Crypto ACL (interesting traffic)
access-list 112 permit ip 10.100.241.0 0.0.0.255 192.168.1.0 0.0.0.255
------------------------------------------------------------------------------------------
ASR1006-2#
!
! IKE phase 1 policy and keepalives
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 20
!
! ISAKMP profile (the keyring vip3112 it references is not included in the post)
crypto isakmp profile vip3112
 keyring vip3112
 match identity address 10.255.0.1 255.255.255.255
!
! IKE phase 2 transform set and crypto map
crypto ipsec transform-set zuoyb esp-des esp-md5-hmac
 mode tunnel
crypto map zuoyb 10 ipsec-isakmp
 set peer 10.255.0.1
 set transform-set zuoyb
 match address 112
!
! Lo0 (inside network) in the global table; crypto map on the WAN interface
interface Loopback0
 ip address 192.168.1.100 255.255.255.0
interface TenGigabitEthernet1/2/0
 ip address 10.255.0.4 255.255.255.240
 cdp enable
 crypto map zuoyb
!
ip route 0.0.0.0 0.0.0.0 10.255.0.1
ip route 192.168.1.0 255.255.255.0 10.110.10.253
!
! Crypto ACL (mirror of ACL 112 on ASR1006-1)
access-list 112 permit ip 192.168.1.0 0.0.0.255 10.100.241.0 0.0.0.255
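Added example (not part of the original post or of Cisco's own tooling): a small Python check that takes the two configurations above as text and reports what a reviewer looks at first when a crypto-map tunnel comes up but traffic only flows one way. It verifies that the two crypto ACLs are exact mirrors of each other, that each side's `set peer` is the address actually configured on the other side's crypto-map interface, that the transform sets agree, and that the ISAKMP DH groups agree (ASR1006-1 has no `group` line, which on IOS means group 1, while ASR1006-2 sets `group 2`, so that check reports a mismatch). It also lists the deprecated algorithms in use (DES, MD5-HMAC, DH groups 1 and 2). The sample configurations are trimmed copies of the two posted above, embedded so the script runs offline; the function names and the weak-algorithm lists are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: crypto-relevant lines of the two configurations quoted in
# the post (ASR1006-1 and ASR1006-2), trimmed and embedded so the check runs offline.
ASR1_CONFIG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set zuoyb esp-des esp-md5-hmac
crypto map zuoyb 10 ipsec-isakmp
 set peer 10.255.0.4
 set transform-set zuoyb
 match address 112
interface TenGigabitEthernet1/2/0
 ip address 10.255.0.1 255.255.255.240
 crypto map zuoyb
access-list 112 permit ip 10.100.241.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ASR2_CONFIG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set zuoyb esp-des esp-md5-hmac
crypto map zuoyb 10 ipsec-isakmp
 set peer 10.255.0.1
 set transform-set zuoyb
 match address 112
interface TenGigabitEthernet1/2/0
 ip address 10.255.0.4 255.255.255.240
 crypto map zuoyb
access-list 112 permit ip 192.168.1.0 0.0.0.255 10.100.241.0 0.0.0.255
"""

# Settings a reviewer would flag today: DES/3DES, MD5 and DH groups 1/2 are all deprecated.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
WEAK_ISAKMP = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
               ("group", "1"), ("group", "2")}
# IOS defaults for anything a 'crypto isakmp policy' leaves unspecified.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def _submode_kv(config: str, header: str, keys: List[str]) -> Dict[str, str]:
    """Key/value lines of the first submode opened by `header` (' set peer X' -> {'set peer': 'X'})."""
    out, inside = {}, False
    for ln in config.splitlines():
        if re.match(header, ln):
            inside = True
        elif inside and ln and not ln.startswith(" "):
            break  # first non-indented line ends the submode
        elif inside:
            m = re.match(r"^\s+(" + "|".join(keys) + r")\s+(\S+)$", ln)
            if m:
                out[m.group(1)] = m.group(2)
    return out

def crypto_map(config: str) -> Dict[str, str]:
    return _submode_kv(config, r"^crypto map \S+ \d+ ipsec-isakmp$",
                       ["set peer", "set transform-set", "match address"])

def isakmp_policy(config: str) -> Dict[str, str]:
    return {**ISAKMP_DEFAULTS,
            **_submode_kv(config, r"^crypto isakmp policy \d+$", list(ISAKMP_DEFAULTS))}

def transform_set(config: str, name: str) -> List[str]:
    m = re.search(r"^crypto ipsec transform-set " + re.escape(name) + r" (.+)$", config, re.M)
    return m.group(1).split() if m else []

def crypto_acl(config: str, number: str) -> List[Tuple[str, str]]:
    """(source, destination) pairs of a numbered extended ACL, as 'network/wildcard' strings."""
    pat = r"^access-list " + number + r" permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(f"{s}/{sw}", f"{d}/{dw}") for s, sw, d, dw in re.findall(pat, config, re.M)]

def crypto_map_interface_address(config: str) -> str:
    """Address of the interface that applies the crypto map, i.e. what the far side must 'set peer'."""
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if re.search(r"^[ \t]+crypto map \S+$", block, re.M):
            m = re.search(r"^[ \t]+ip address (\S+) \S+$", block, re.M)
            return m.group(1) if m else ""
    return ""

def acls_mirror(a: List[Tuple[str, str]], b: List[Tuple[str, str]]) -> bool:
    """Every (src, dst) on one side must appear as (dst, src) on the other, and vice versa."""
    return sorted(a) == sorted((dst, src) for src, dst in b)

def weak_settings(config: str) -> List[str]:
    """Deprecated algorithms in the transform set the crypto map uses and in the ISAKMP policy."""
    ts = transform_set(config, crypto_map(config).get("set transform-set", ""))
    weak = [t for t in ts if t in WEAK_TRANSFORMS]
    return weak + [f"isakmp {k} {v}" for k, v in isakmp_policy(config).items() if (k, v) in WEAK_ISAKMP]

def check_pair(cfg_a: str, cfg_b: str) -> Dict[str, object]:
    """Cross-check two peers: mirrored crypto ACLs, peer addresses, transform set, DH group, weak crypto."""
    ma, mb = crypto_map(cfg_a), crypto_map(cfg_b)
    return {
        "acls_mirror": acls_mirror(crypto_acl(cfg_a, ma["match address"]), crypto_acl(cfg_b, mb["match address"])),
        "peers_consistent": ma["set peer"] == crypto_map_interface_address(cfg_b)
                            and mb["set peer"] == crypto_map_interface_address(cfg_a),
        "transform_match": transform_set(cfg_a, ma["set transform-set"]) == transform_set(cfg_b, mb["set transform-set"]),
        "dh_group_match": isakmp_policy(cfg_a)["group"] == isakmp_policy(cfg_b)["group"],
        "weak_a": weak_settings(cfg_a),
        "weak_b": weak_settings(cfg_b),
    }
```

Run `check_pair(ASR1_CONFIG, ASR2_CONFIG)` to get the report; for the posted configurations the ACLs mirror, the peers and transform sets agree, the DH groups do not, and every algorithm on both sides lands in the weak list. The parser only understands the handful of IOS commands shown above; anything else (ISAKMP profiles, VRF commands, routes) is ignored, so a real audit of a VRF-aware setup still needs the routing checks done by hand.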