A question about IPsec
[image]
I am running an IPsec lab on IOU. The configuration is all done, but the LANs cannot reach each other, and #show crypto isakmp sa shows nothing. The configuration is below; please take a look, thanks.
Configuration steps
1. Configure routers R1 and R2 so that both can reach the Internet normally and can ping each other.
2. Configure the static IPsec VPN tunnel on R1
(1) Define the IPsec interesting traffic
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 // interesting traffic: source 192.168.0.0/24, destination 192.168.1.0/24
(2) Configure the ISAKMP policy
crypto isakmp keepalive 5 periodic // enable IPsec DPD (dead peer detection)
crypto isakmp policy 1 // create a new ISAKMP policy
 authentication pre-share // authenticate with a pre-shared key; use "authentication rsa-sig" for digital certificates or "authentication digital-email" for digital envelopes
 group 2 // Diffie-Hellman group 2 (1024-bit MODP)
 encryption 3des // encrypt with 3DES
(3) Configure the pre-shared key
crypto isakmp key 0 ruijie address 10.0.0.2 // pre-shared key "ruijie" for peer 10.0.0.2; the peer must be configured with the same key (not needed with certificate/envelope authentication)
(4) Configure the IPsec transform set
crypto ipsec transform-set myset esp-des esp-md5-hmac // ESP with DES encryption and MD5 HMAC integrity
(5) Configure the IPsec crypto map
crypto map mymap 5 ipsec-isakmp // create a crypto map named "mymap"
 set peer 10.0.0.2 // peer address
 set transform-set myset // use transform set "myset"
 match address 101 // interesting traffic is ACL 101
(6) Apply the crypto map to the interface
interface e0/0
 crypto map mymap
3. Configure the route on R1
ip route 192.168.1.0 255.255.255.0 10.0.0.2
4. Configure the static IPsec VPN tunnel on R2
(1) Define the IPsec interesting traffic
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 // interesting traffic: source 192.168.1.0/24, destination 192.168.0.0/24
(2) Configure the ISAKMP policy
crypto isakmp policy 1 // create a new ISAKMP policy
 authentication pre-share // authenticate with a pre-shared key; use "authentication rsa-sig" for digital certificates or "authentication digital-email" for digital envelopes
 encryption 3des // encrypt with 3DES
(3) Configure the pre-shared key
crypto isakmp key 0 ruijie address 10.0.0.1 // pre-shared key "ruijie" for peer 10.0.0.1; the peer must be configured with the same key (not needed with certificate/envelope authentication)
(4) Configure the IPsec transform set
crypto ipsec transform-set myset esp-des esp-md5-hmac // ESP with DES encryption and MD5 HMAC integrity
(5) Configure the IPsec crypto map
crypto map mymap 5 ipsec-isakmp // create a crypto map named "mymap"
 set peer 10.0.0.1 // peer address
 set transform-set myset // use transform set "myset"
 match address 101 // interesting traffic is ACL 101
(6) Apply the crypto map to the interface
interface e0/0
 crypto map mymap
5. Configure the route on R2
ip route 192.168.0.0 255.255.255.0 10.0.0.1
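An added check, not from the post or from Cisco: a Python script that applies the IOS phase 1 defaults to the two crypto isakmp policy blocks above and then runs the responder's proposal comparison over them. IOS_DEFAULTS holds the documented IOS defaults and the two config strings are the posted policies with the comments stripped; on this configuration the only difference it reports is the DH group (R1 sets group 2, R2 is left at the default, group 1), which a responder answers with NO_PROPOSAL_CHOSEN instead of MM2.

```python
import re

# Documented IOS defaults for any attribute left unset under `crypto isakmp policy`
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}

# Phase 1 policies of the two peers, copied from the post (comments removed)
R1_CONFIG = """crypto isakmp policy 1
 authentication pre-share
 group 2
 encryption 3des
"""
R2_CONFIG = """crypto isakmp policy 1
 authentication pre-share
 encryption 3des
"""

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} with the IOS defaults filled in."""
    policies, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
        elif not line:
            continue
        elif line.startswith("crypto ") or current is None:
            current = None  # any other top-level command closes the policy block
        else:
            key, _, value = line.partition(" ")
            if key in IOS_DEFAULTS:
                policies[current][key] = value
    return policies

def negotiate(initiator, responder):
    """Responder-side search over (initiator priority, responder priority) pairs:
    (matching pair, []) or (None, per-pair dict of differing attributes)."""
    diffs = []
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            bad = {k: (ipol[k], rpol[k]) for k in ("encryption", "hash", "authentication", "group")
                   if ipol[k] != rpol[k]}
            if int(ipol["lifetime"]) > int(rpol["lifetime"]):  # initiator may ask for a shorter lifetime, not a longer one
                bad["lifetime"] = (ipol["lifetime"], rpol["lifetime"])
            if not bad:
                return (ip, rp), []
            diffs.append(((ip, rp), bad))
    return None, diffs
```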
You need to ping once from the source address to the destination address, and then there will be an SA.

I did ping; it does not go through, and there is still no information. PC1 can ping 10.0.0.2 on R2 but cannot ping 192.168.1.2. Please help, thanks.

I ran a debug and found that phase 1 fails, but I cannot see where the error is.
*Mar 27 15:01:20.608: ISAKMP:(0): SA request profile is (NULL)
*Mar 27 15:01:20.608: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Mar 27 15:01:20.608: ISAKMP: New peer created peer = 0xF2932778 peer_handle = 0x80000008
*Mar 27 15:01:20.608: ISAKMP: Locking peer struct 0xF2932778, refcount 1 for isakmp_initiator
*Mar 27 15:01:20.608: ISAKMP: local port 500, remote port 500
*Mar 27 15:01:20.608: ISAKMP: set new node 0 to QM_IDLE
*Mar 27 15:01:20.608: ISAKMP:(0):insert sa successfully sa = F2931C50
*Mar 27 15:01:20.608: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 27 15:01:20.608: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 27 15:01:20.608: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 27 15:01:20.608: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 27 15:01:20.608: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 27 15:01:20.608: ISAKMP:(0): beginning Main Mode exchange
*Mar 27 15:01:20.608: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:20.608: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 27 15:01:20.610: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 27 15:01:20.610: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 27 15:01:20.610: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:state = IKE_I_MM1
*Mar 27 15:01:20.610: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 27 15:01:20.610: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
IOU1#
*Mar 27 15:01:20.610: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.2
IOU1#
*Mar 27 15:01:30.614: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:01:30.614: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 27 15:01:30.614: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:01:30.614: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:30.615: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:01:40.622: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:01:40.622: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 27 15:01:40.622: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:01:40.622: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:40.622: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:01:50.614: ISAKMP: set new node 0 to QM_IDLE
*Mar 27 15:01:50.614: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.0.0.1, remote 10.0.0.2)
*Mar 27 15:01:50.614: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 27 15:01:50.614: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 27 15:01:50.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:01:50.623: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 27 15:01:50.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
IOU1#
*Mar 27 15:01:50.623: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:50.623: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:02:00.633: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:02:00.633: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 27 15:02:00.633: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:02:00.633: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:02:00.633: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:02:10.639: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:02:10.639: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 27 15:02:10.639: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 27 15:02:10.639: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:02:10.639: ISAKMP:(0):Sending an IKE IPv4 Packet.
IOU1#
*Mar 27 15:02:20.646: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 27 15:02:20.646: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 27 15:02:20.646: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.0.0.2)
*Mar 27 15:02:20.646: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.0.0.2)
*Mar 27 15:02:20.646: ISAKMP: Unlocking peer struct 0xF2932778 for isadb_mark_sa_deleted(), count 0
*Mar 27 15:02:20.646: ISAKMP: Deleting peer node by peer_reap for 10.0.0.2: F2932778
*Mar 27 15:02:20.646: ISAKMP:(0):deleting node -240535528 error FALSE reason "IKE deleted"
IOU1#
*Mar 27 15:02:20.646: ISAKMP:(0):deleting node -259996762 error FALSE reason "IKE deleted"
*Mar 27 15:02:20.646: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 27 15:02:20.646: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
IOU1#
*Mar 27 15:03:10.651: ISAKMP:(0):purging node -240535528
*Mar 27 15:03:10.651: ISAKMP:(0):purging node -259996762
IOU1#
*Mar 27 15:03:20.653: ISAKMP:(0):purging SA., sa=F2931C50, delme=F2931C50
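Added example, not part of the thread: a Python summariser for initiator-side debug crypto isakmp output. It records the state transitions, unprotected notifies, the retransmit count and the SA deletion reason, then maps the furthest main-mode state reached to the usual cause; SAMPLE_DEBUG is a constructed excerpt of the debug above and the diagnosis strings are this example's own wording.

```python
import re

# Constructed excerpt of the initiator-side `debug crypto isakmp` output posted above
SAMPLE_DEBUG = """\
*Mar 27 15:01:20.608: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 27 15:01:20.608: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 27 15:01:20.610: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 27 15:01:20.610: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 27 15:01:20.610: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
*Mar 27 15:02:10.639: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 27 15:02:20.646: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.0.0.2)
*Mar 27 15:02:20.646: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Initiator main-mode states: MM1 proposal sent, MM2 proposal accepted, MM3/MM4 DH
# exchange, MM5/MM6 identity + auth hash; quick mode (QM) only starts after MM6.
STATE_RE = re.compile(r"Old State = (\S+?)\s*New State = (\S+)")  # tolerates glued output
RETRANS_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)".*\(peer ([\d.]+)\)')

def summarize_isakmp_debug(text):
    """Pull the facts a diagnosis needs out of one debug capture."""
    s = {"states": [], "received": 0, "unhashed_notify": 0,
         "retransmits": 0, "delete_reason": None, "peer": None}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            for st in m.groups():  # record each distinct state in order
                if not s["states"] or s["states"][-1] != st:
                    s["states"].append(st)
        if "received packet from" in line:
            s["received"] += 1
        if "Notify has no hash. Rejected." in line:
            s["unhashed_notify"] += 1
        if m := RETRANS_RE.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
        if m := DELETE_RE.search(line):
            s["delete_reason"], s["peer"] = m.groups()
    return s

def diagnose(s):
    """Map the furthest main-mode state reached to the usual cause of the failure."""
    furthest = max((st for st in s["states"] if st.startswith("IKE_I_MM")), default="")
    if furthest == "IKE_I_MM1" and s["received"] == 0:
        return "no reply to MM1: peer unreachable or UDP/500 filtered on the path"
    if furthest == "IKE_I_MM1" and s["unhashed_notify"]:
        return "MM1 rejected with an unprotected notify: no matching isakmp policy on the peer"
    if furthest in ("IKE_I_MM5", "IKE_I_MM6") and s["delete_reason"]:
        return "died after the DH exchange: pre-shared key or identity mismatch"
    return f"phase 1 reached {furthest or 'no state'}; inspect quick mode / the crypto map"
```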
I got it working, but found that only one side can ping through; the other side cannot.

Check that the whole network is reachable before configuring IPsec.

Post the plain configuration and we can still compare it for you; what you posted makes my eyes swim.