In one sentence: IPsec on Digital China (神码) routers has its own peculiarities
Lab setup: two routers connected back to back, with three subnets in total: 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24. 192.168.1.0/24 simulates the public network; the other two simulate private networks. The goal is to enable an IPsec VPN so that those two private subnets can communicate securely across the simulated public network.
The two routers' configuration files at the start were as follows.
Router R1
show running-config
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#
Router R2
show run
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2
!
gbsc group default
!
crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R2_config#
Checking with show crypto ipsec sa and show crypto isakmp sa showed that the IPsec connection could not be established, i.e. the IPsec tunnel was never activated. What was the problem? I checked the configuration and there was nothing wrong with it. So I removed NAT and tested again: show crypto ipsec sa and show crypto isakmp sa then showed the IPsec connection establishing normally. I did not understand it...
After calling the Digital China 400 support hotline, I changed the configuration as follows.
Router R1
show running-config
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
deny ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip any any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#
Router R2
show run
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2
!
gbsc group default
!
crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list extended 123
deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
permit ip any any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R2_config#
In other words, the only difference between the configuration above and the initial one is the NAT access list: the extended ACL now first denies traffic between 192.168.0.0/24 and 192.168.2.0/24 from being NATed, and then permits everything else. With this configuration the IPsec tunnel becomes ACTIVE.
Post-mortem analysis: in the internal packet flow of the Digital China router OS, NAT runs before IPsec. With the original "permit ip any" NAT list, a packet from 192.168.0.0/24 to 192.168.2.0/24 was first translated to the outside address 192.168.1.1, and the translated packet no longer matched the crypto ACL bendi. It was therefore never treated as interesting traffic: IKE was never triggered, no SA came up, and the packet left the router unencrypted. Removing NAT made the tunnel work for exactly the same reason. The deny entry exempts the LAN-to-LAN traffic from translation, so it reaches the crypto map with its original addresses and the match against bendi succeeds; Internet-bound traffic still hits the "permit ip any any" entry and is translated as before. A quick check after the change: generate traffic between the two LANs, confirm that show crypto isakmp sa now lists the peer and show crypto ipsec sa shows packets being encrypted and decrypted, and confirm that no NAT translation is created for the 192.168.0.0/24 to 192.168.2.0/24 flow.
The crypto settings themselves are lab-grade only: esp-des, MD5, IKE aggressive mode with a pre-shared key (aggressive mode sends the identity and a PSK-derived hash in the clear, so a captured exchange can be attacked offline) and a numeric PSK such as 123456789 should be replaced with AES, SHA-2, main mode and a long random key before such a tunnel is used on a real public network.
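To make the ordering concrete, here is a small Python model of R1's inside-to-outside packet path, added here as an illustration; it is not code from this post or from the router vendor. It parses the page's own ACL lines (subnet-mask syntax, "any", and the standard-list form with no destination), applies NAT in the order the post-mortem describes (translate first, then evaluate the crypto map ACL against the translated packet), and pushes one constructed LAN-to-LAN packet and one constructed packet bound for the simulated public side through both the original and the corrected NAT list. The packet addresses, the helper names and the assumption that a NAT-list match triggers PAT to the outside interface address are mine; nothing beyond that part of the data plane is emulated.

```python
"""Model of the NAT-before-IPsec packet path described on this page.

Constructed example: a minimal simulation of one router's inside-to-outside
processing, using the page's own ACL syntax (subnet masks, not wildcards).
The order NAT -> crypto map is the page's reported DCN behaviour; the packet
addresses below are made up for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one address spec: 'any', '<addr> <mask>', or nothing at all
    (a standard ACL entry such as 'permit ip any' has no destination)."""
    if not tokens:
        return ANY, tokens
    if tokens[0] == "any":
        return ANY, tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse lines like 'permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0'
    into (permit?, source network, destination network) tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append((action == "permit", src, dst))
    return entries


def acl_permits(entries, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for permit, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return permit
    return False


def forward_inside_to_outside(pkt, nat_acl, crypto_acl, outside_ip):
    """The order the page reports for the DCN OS: translate first, then
    evaluate the crypto map ACL against the (possibly translated) packet.
    Returns the packet as it leaves and whether it was marked for IPsec.
    Assumption: a NAT-list match means PAT to the outside interface address."""
    if acl_permits(nat_acl, pkt):
        pkt = Packet(outside_ip, pkt.dst)
    return pkt, acl_permits(crypto_acl, pkt)


# R1's access lists, copied from the page: crypto ACL "bendi" plus the
# NAT list 123 before and after the fix.
CRYPTO_ACL_BENDI = "permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0"
NAT_ACL_ORIGINAL = "permit ip any"
NAT_ACL_FIXED = """deny ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip any any"""
R1_OUTSIDE_IP = "192.168.1.1"


def run_r1(nat_acl_text, pkt):
    """Push one packet through R1 using the given NAT list text."""
    return forward_inside_to_outside(pkt, parse_acl(nat_acl_text),
                                     parse_acl(CRYPTO_ACL_BENDI), R1_OUTSIDE_IP)


if __name__ == "__main__":
    vpn_pkt = Packet("192.168.0.10", "192.168.2.10")    # constructed: LAN host to remote LAN
    inet_pkt = Packet("192.168.0.10", "192.168.1.100")  # constructed: LAN host to the public side
    for label, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        for pkt in (vpn_pkt, inet_pkt):
            out, ipsec = run_r1(acl, pkt)
            print(f"{label:8} {pkt.src}->{pkt.dst}: leaves as {out.src}->{out.dst}, ipsec={ipsec}")
```

With the original list the LAN-to-LAN packet leaves as 192.168.1.1 and is not marked for IPsec, which is why the tunnel never came up; with the corrected list it keeps its source address and matches bendi, while the packet bound for the public side is still translated in both cases, so ordinary NAT service is unaffected by the exemption.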