I have set up a point-to-point transport-mode IPsec session between a ScreenOS router (SSG-5) and a Cisco 3925. The IPsec transport itself works fine, but when I try to steer protocol 41 traffic through the transport, it does not transit correctly.
I first assumed you would need to create a tunnel for the IPsec connection and then point the ip6in4 tunnel at the IPsec tunnel via its outgoing-interface, but ScreenOS will not let you create a tunnel on top of a tunnel.
Alternatively, I tried using a policy-based VPN, but when I try to use "tunnel VPN" as the policy target it tells me unknown command? Is there a master switch for policy-based IPsec?
Below is the configuration I think is relevant, though I would be happy to provide more information as needed.
SCREENOS CONFIG:
---------------------------
set zone id 105 "mytunnel_TUNNEL"
set zone "mytunnel_TUNNEL" tcp-rst
set interface "tunnel.5" zone "mytunnel_TUNNEL"
set address "mytunnel_TUNNEL" "fdee:7e1e::/32" fdee:7e1e::/32
set ike gateway "micmplsv4" address 2.2.2.157 Main outgoing-interface "ethernet0/0" preshare "igdZeIcKNobfusol+CQcpIfvwnFwrxb5g==" sec-level compatible
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" monitor optimized rekey
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set vpn "mytunnel" proxy-id local-ip 8.8.8.10/32 remote-ip 2.2.2.157/32 "ANY"
set policy id 137 from "DMZ" to "mytunnel_TUNNEL" "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set policy id 136 from "mytunnel_TUNNEL" to "DMZ" "fdee:7e1e::/32" "fdbe:a922:a316:2::/64" "ANY" permit
set interface "tunnel.3" zone "Untrust"
set interface tunnel.3 ip unnumbered interface ethernet0/0
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set route 2.2.2.157/32 interface tunnel.3

CISCO CONFIG:
------------------------------
ip access-list extended mic2pg
 permit ip host 2.2.2.157 host 8.8.8.10
!
crypto ipsec transform-set transport-esp-3des-sha esp-3des esp-sha-hmac
 mode transport
!
crypto map vpnmap 30 ipsec-isakmp
 set peer 8.8.8.10
 set transform-set transport-esp-3des-sha
 match address mic2pg
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 2.2.2.157 255.255.255.224
 crypto map vpnmap
!
interface Tunnel3
 no ip address
 ipv6 address FDEE:7E1E:100:F002::1/64
 ipv6 enable
 tunnel source 2.2.2.157
 tunnel mode ipv6ip
 tunnel destination 8.8.8.10
!
end
I have done a lot of IPv6 on ScreenOS, both native and tunneled. I have done what you are asking (although not with Cisco on the other end). Here is what to do.
Get rid of the 6in4 stuff. Use only a single tunnel interface, and unset the proxy-id on both sides. Build the tunnel with the v4 endpoints, then route the remote v6 prefix, as well as the remote v4 prefix, to the tunnel interface.
Update: example configuration, as requested.
Notes:
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 5.6.7.8/27
set interface ethernet0/0 route
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.10.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ipv6 mode router
set interface ethernet0/2 ipv6 enable
set interface ethernet0/2 ipv6 ip fd28:e1f3:d650:1010::/64
set interface ethernet0/2 ipv6 nd nud
set interface ethernet0/2 ipv6 ra link-address
set interface ethernet0/2 ipv6 ra link-mtu
set interface ethernet0/2 ipv6 ra managed
set interface ethernet0/2 ipv6 ra other
set interface ethernet0/2 ipv6 ra preference high
set interface ethernet0/2 ipv6 ra prefix fd28:e1f3:d650:1010::/64
set interface ethernet0/2 ipv6 ra reachable-time
set interface ethernet0/2 ipv6 ra retransmit-time
set interface ethernet0/2 ipv6 ra transmit
set zone name v6remote
set interface tunnel.20 ip unnumbered interface ethernet0/0
set interface tunnel.20 zone v6remote
set interface tunnel.20 ipv6 mode host
set interface tunnel.20 ipv6 enable
set interface tunnel.20 ipv6 nd dad-count 0
set interface tunnel.20 ipv6 nd nud
set ike p1-proposal AES256-SHA preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal AES256-SHA group2 esp aes256 sha-1 second 3600
set ike gateway gateway2v6remote address 10.255.255.1 Main outgoing-interface ethernet0/0 preshare "secret-word" proposal AES256-SHA
set vpn tunnel2v6remote gateway gateway2v6remote replay tunnel idletime 0 proposal AES256-SHA
set vpn tunnel2v6remote bind interface tunnel.20
set policy from v6remote to trust v6remote v6local ANY permit log count
set policy from trust to v6remote v6local v6remote ANY permit log count
set route fd28:e1f3:d650:2000::/56 interface tunnel.20 gateway ::
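As an added example (not code from the question or from either answer), the Python script below lints ScreenOS and IOS fragments for the points the answer above raises: transport versus tunnel mode, a configured proxy-id, and whether a remote IPv6 prefix is actually routed to the VPN-bound tunnel interface. It also flags the legacy "sec-level compatible" level and 3DES transform sets, which a reviewer would reject in a new VPN build. The config strings inside are constructed copies of lines posted in this thread, trimmed to what the checks need; the regular expressions cover only the command forms seen here, and the finding codes are this script's own names.

```python
"""Lint ScreenOS / IOS VPN fragments for the pitfalls discussed in this thread.

Added example, not code from the question or the answers. Checks the items the
answer says to change (transport vs tunnel mode, proxy-id, routing the remote
IPv6 prefix into the IPsec-bound tunnel interface) and flags legacy ciphers.
"""
import re

# Constructed: the relevant lines from the question's ScreenOS config (transport mode, 6in4 attempt)
QUESTION_SCREENOS = """\
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set vpn "mytunnel" proxy-id local-ip 8.8.8.10/32 remote-ip 2.2.2.157/32 "ANY"
set route 2.2.2.157/32 interface tunnel.3
"""

# Constructed: the relevant lines from the answer's ScreenOS config (tunnel mode, no proxy-id)
ANSWER_SCREENOS = """\
set ike p2-proposal AES256-SHA group2 esp aes256 sha-1 second 3600
set vpn tunnel2v6remote gateway gateway2v6remote replay tunnel idletime 0 proposal AES256-SHA
set vpn tunnel2v6remote bind interface tunnel.20
set route fd28:e1f3:d650:2000::/56 interface tunnel.20 gateway ::
"""

# Constructed: the question's IOS crypto and tunnel lines
QUESTION_IOS = """\
crypto ipsec transform-set transport-esp-3des-sha esp-3des esp-sha-hmac
 mode transport
interface Tunnel3
 tunnel mode ipv6ip
"""

# Algorithm tokens a reviewer would reject in a new VPN build
WEAK = {"des", "3des", "md5", "null"}


def lint_screenos(config):
    """Return (code, detail) findings for a ScreenOS config fragment."""
    mode, proxy, bound, routes, weak = {}, set(), {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r'set vpn "?(\S+?)"? gateway "?\S+?"? (?:no-)?replay (transport|tunnel)\b', line)
        if m:
            vpn = m.group(1).strip('"')
            mode[vpn] = m.group(2)
            if "sec-level compatible" in line:
                # ScreenOS "compatible" level negotiates the legacy DES/3DES/MD5 proposal set
                weak.append(f"{vpn}: sec-level compatible")
        m = re.match(r'set vpn "?(\S+?)"? proxy-id\b', line)
        if m:
            proxy.add(m.group(1).strip('"'))
        m = re.match(r'set vpn "?(\S+?)"? (?:id \S+ )?bind interface (\S+)', line)
        if m:
            bound[m.group(1).strip('"')] = m.group(2)
        m = re.match(r'set route (\S+) interface (\S+)', line)
        if m:
            routes.setdefault(m.group(2), []).append(m.group(1))
        m = re.match(r'set ike p[12]-proposal \S+ (.*)', line)
        if m and WEAK & set(re.split(r"[\s-]+", m.group(1).lower())):
            weak.append(line)

    findings = []
    for vpn, vpn_mode in mode.items():
        if vpn_mode == "transport":
            findings.append(("TRANSPORT_MODE", vpn))   # answer: use tunnel mode, drop 6in4
        if vpn in proxy:
            findings.append(("PROXY_ID_SET", vpn))     # answer: unset proxy-id on both ends
        iface = bound.get(vpn)
        if iface and not any(":" in p for p in routes.get(iface, [])):
            findings.append(("NO_V6_ROUTE", iface))    # answer: route remote v6 prefix to the tunnel
    findings.extend(("WEAK_PROPOSAL", w) for w in weak)
    return findings


def lint_ios(config):
    """Return (code, detail) findings for an IOS crypto/tunnel fragment."""
    findings, transform = [], None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r'crypto ipsec transform-set (\S+) (.*)', line)
        if m:
            transform = m.group(1)
            if WEAK & set(re.split(r"[\s-]+", m.group(2).lower())):
                findings.append(("WEAK_TRANSFORM", transform))
        elif line == "mode transport" and transform:
            findings.append(("TRANSPORT_MODE", transform))
        elif line == "tunnel mode ipv6ip":
            # protocol 41 carried as payload of the IPsec SA: the setup the answer says to drop
            findings.append(("SIX_IN_FOUR", "ipv6ip tunnel over the IPsec peer addresses"))
    return findings


if __name__ == "__main__":
    for name, fn, cfg in (("question/screenos", lint_screenos, QUESTION_SCREENOS),
                          ("question/ios", lint_ios, QUESTION_IOS),
                          ("answer/screenos", lint_screenos, ANSWER_SCREENOS)):
        print(name, fn(cfg))
```

Run as-is, it reports transport mode, proxy-id, a missing IPv6 route and the legacy security level for the question's ScreenOS side, a 3DES transform set plus transport mode and the ipv6ip tunnel for the IOS side, and nothing for the answer's configuration. To lint a live device, paste the relevant lines from `get config` (ScreenOS) or `show running-config` (IOS) into the strings; lines in other forms are simply ignored rather than reported.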
I know there is an issue in ScreenOS with routing 6in4 traffic directly. What people usually do is create a loopback interface to terminate the 6in4 tunnel and then route the IPv6 traffic through it. I use a similar configuration with a 6×4 6in4 tunnel, but I think the general principle applies to your case as well. Please see this link for more information, especially the "Update 13 September 2009" section.