I have the following configuration,
R1:
crypto keyring KR
 pre-shared-key address 1.1.1.2 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile PROFILE
 keyring KR
 match identity address 1.1.1.2 255.255.255.255
!
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TRANSFORM_SET
 set isakmp-profile PROFILE
 match address IPSEC_ACL
!
ip access-list extended IPSEC_ACL
 permit ip host 1.1.1.1 host 1.1.1.2
!
int e0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map MAP
and R2:
crypto keyring KR
 pre-shared-key address 1.1.1.1 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile PROFILE
 keyring KR
 match identity address 1.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TRANSFORM_SET
 set isakmp-profile PROFILE
 match address IPSEC_ACL
!
ip access-list extended IPSEC_ACL
 permit ip host 1.1.1.2 host 1.1.1.1
!
int e0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map MAP
The IPsec tunnel will not come up. Any ideas why?
The match address ACL should be the IP ranges that will traverse the link, not the IPs the crypto map is applied on.
For example, if the range 192.168.1.0/24 is on R1 and 192.168.2.0/24 is on R2, and hosts on 192.168.1.0/24 want to talk to 192.168.2.0/24 through the tunnel, the ACLs need to be set up as follows.
R1
ip access-list extended IPSEC_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R2
ip access-list extended IPSEC_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
When traffic flows from 192.168.1.0/24 to 192.168.2.0/24 or from 192.168.2.0/24 to 192.168.1.0/24, the router will try to bring up the tunnel.
You can try the following to see the debug output and find where the tunnel is failing:
debug crypto isakmp
debug crypto ipsec
To disable debugging, use
undebug all
or
no debug all
If you do not see any debug output, you may need to enable terminal monitor:
terminal monitor
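As an added example, not part of the answer above or of any Cisco tooling: a small Python check for the two crypto-ACL pitfalls this thread touches on. It verifies that the crypto ACLs on the two peers are mirror images of each other (every entry on one side appears with source and destination swapped on the other), and it flags an ACL that only ever matches the tunnel endpoints themselves, which is the question's configuration. The ACL entries are the ones from this thread; the parser is an assumption of mine that handles only `permit ip` entries with `host`, `any`, or address/wildcard pairs and assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed sample input: the crypto ACL entries from the question
# (endpoint-only) and from the answer (LAN-to-LAN), one entry per list.
R1_ORIGINAL = ["permit ip host 1.1.1.1 host 1.1.1.2"]
R2_ORIGINAL = ["permit ip host 1.1.1.2 host 1.1.1.1"]
R1_FIXED = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
R2_FIXED = ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"]


def _parse_address(tokens, i):
    """Parse one IOS address spec starting at tokens[i].

    Accepts 'host A', 'any', or 'A WILDCARD'. Returns (network, next_index).
    """
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask; this
    # assumes a contiguous wildcard (0.0.0.255, not something like 0.0.255.0).
    mask_int = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    mask = ipaddress.ip_address(mask_int)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_ace(line):
    """Parse 'permit ip <src> <dst>' into a (src_network, dst_network) pair."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries are handled: {line!r}")
    src, i = _parse_address(tokens, 2)
    dst, _ = _parse_address(tokens, i)
    return src, dst


def acls_are_mirrored(local_acl, remote_acl):
    """True if every entry on one peer appears with src/dst swapped on the other.

    Crypto ACLs that are not exact mirrors are a common reason the two
    sides cannot agree on the protected traffic during IPsec negotiation.
    """
    local = {parse_ace(line) for line in local_acl}
    remote_swapped = {(dst, src) for src, dst in (parse_ace(l) for l in remote_acl)}
    return local == remote_swapped


def matches_only_endpoints(acl, local_peer, remote_peer):
    """True if the ACL only ever matches the two tunnel endpoints themselves.

    That is the configuration in the question: no LAN-to-LAN traffic is
    selected, so hosts behind the routers never trigger the tunnel.
    """
    endpoints = (ipaddress.ip_network(local_peer + "/32"),
                 ipaddress.ip_network(remote_peer + "/32"))
    return all(parse_ace(line) == endpoints for line in acl)


if __name__ == "__main__":
    print("original ACLs mirrored:", acls_are_mirrored(R1_ORIGINAL, R2_ORIGINAL))
    print("original ACL endpoint-only:",
          matches_only_endpoints(R1_ORIGINAL, "1.1.1.1", "1.1.1.2"))
    print("fixed ACLs mirrored:", acls_are_mirrored(R1_FIXED, R2_FIXED))
    print("fixed ACL endpoint-only:",
          matches_only_endpoints(R1_FIXED, "1.1.1.1", "1.1.1.2"))
```

Run it against the `permit` lines of each router's crypto ACL (lines under `ip access-list extended IPSEC_ACL`) before reaching for `debug crypto isakmp`: if `acls_are_mirrored` is false or `matches_only_endpoints` is true, the problem is in the crypto ACL and no amount of IKE debugging will show a successful tunnel.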