songjiaqi posted on 2013-6-6 22:56:24

A strange problem with a Double SVTI-based IPSec VPN

A strange problem with a Double SVTI-based IPSec VPN, please help!!!

Lab topology:

Lab steps:


a. Configure the branch site:

Configure the IPSec VPN:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#ex
R1(config)#crypto isakmp key cisco address 23.1.1.3
R1(config)#crypto isakmp key cisco address 24.1.1.4
R1(config)#crypto ipsec transform-set cisco esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#ex
R1(config)#crypto ipsec profile pro
R1(ipsec-profile)#set transform-set cisco
R1(ipsec-profile)#ex

Configure the two SVTI tunnels:
R1(config)#interface tunnel 0
R1(config-if)#ip add 13.1.1.1 255.255.255.0
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tunnel destination 23.1.1.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile pro
R1(config-if)#ex
R1(config)#interface tunnel 1
R1(config-if)#ip add 13.
R1(config-if)#ip add 14.1.1.1 255.255.255.0
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tunnel destination 24.1.1.4
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile pro
R1(config-if)#no shut
R1(config-if)#ex
R1(config)#

Configure EIGRP:
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#eigrp router-id 1.1.1.1
R1(config-router)#network 1.1.1.1 0.0.0.0
R1(config-router)#network 13.1.1.1 0.0.0.0
R1(config-router)#network 14.1.1.1 0.0.0.0
R1(config-router)#ex
R1(config)#

b. Configure the central-site Primary router:

Configure the IPSec VPN:
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#hash md5
R3(config-isakmp)#ex
R3(config)#crypto isakmp key cisco address 12.1.1.1
R3(config)#crypto ipsec transform-set cisco esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#ex
R3(config)#crypto ipsec profile pro
R3(ipsec-profile)#set transform-set cisco
R3(ipsec-profile)#ex
R3(config)#

Configure the SVTI tunnel:
R3(config)#interface tunnel 0
R3(config-if)#ip add 13.1.1.3 255.255.255.0
R3(config-if)#tunnel source 23.1.1.3
R3(config-if)#tunnel destination 12.1.1.1
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile pro
R3(config-if)#no shut
R3(config-if)#ex
R3(config)#

Configure EIGRP:
R3(config)#router eigrp 1
R3(config-router)#no auto-summary
R3(config-router)#eigrp router-id 3.3.3.3
R3(config-router)#network 192.168.34.0 0.0.0.255
R3(config-router)#network 13.1.1.3 0.0.0.0
R3(config-router)#ex
R3(config)#

c. Configure the central-site Secondary router:

Configure the IPSec VPN:
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#group 2
R4(config-isakmp)#hash md5
R4(config-isakmp)#ex
R4(config)#crypto isakmp key cisco address 12.1.1.1
R4(config)#crypto ipsec transform-set cisco esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#ex
R4(config)#crypto ipsec profile pro
R4(ipsec-profile)#set transform-set cisco
R4(ipsec-profile)#ex
R4(config)#

Configure the SVTI tunnel:
R4(config)#interface tunnel 0
R4(config-if)#ip add 14.1.1.4 255.255.255.0
R4(config-if)#tunnel source 24.1.1.4
R4(config-if)#tunnel destination 12.1.1.1
R4(config-if)#tunnel mode ipsec ipv4
R4(config-if)#tunnel protection ipsec profile pro
R4(config-if)#no shut
R4(config-if)#ex
R4(config)#

Configure EIGRP:
R4(config)#router eigrp 1
R4(config-router)#no auto-summary
R4(config-router)#eigrp router-id 4.4.4.4
R4(config-router)#network 192.168.34.0 0.0.0.255
R4(config-router)#network 14.1.1.4 0.0.0.0
R4(config-router)#ex
R4(config)#

d. Configure the Server (R5):

Configure EIGRP:
R5(config)#router eigrp 1
R5(config-router)#no auto-summary
R5(config-router)#eigrp router-id 5.5.5.5
R5(config-router)#network 5.5.5.5 0.0.0.0
R5(config-router)#network 192.168.34.0 0.0.0.255
R5(config-router)#ex
R5#

After the configuration was finished, something strange happened. R1 and R5 each have their routes, but when R1 pings R5, R5 receives the ICMP Request and then cannot send the ICMP Reply out:

R1 routing table:
R3 routing table:
R4 routing table:
R5 routing table:

R1 pings R5:

After R5 receives the ICMP packets:

R4 and R3 did not receive any ICMP packets:

Please help!!!!!!
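An offline cross-check of the three posted configurations, added here as an example and not part of the thread: it verifies that every SVTI tunnel has a mirrored source/destination on the peer, that both ends share a tunnel subnet, and that each side holds the same pre-shared key for the other's address. The `parse` and `check` helpers and the semicolon-separated transcription are assumptions of this example; a clean result rules out endpoint, subnet and PSK mismatches only and says nothing about routing or the data path.

```python
import ipaddress
import re
# Commands transcribed from the thread's configuration, prompts stripped.
CONFIGS = {
    "R1": "crypto isakmp key cisco address 23.1.1.3; crypto isakmp key cisco address 24.1.1.4; "
          "interface tunnel 0; ip add 13.1.1.1 255.255.255.0; tunnel source 12.1.1.1; "
          "tunnel destination 23.1.1.3; interface tunnel 1; ip add 14.1.1.1 255.255.255.0; "
          "tunnel source 12.1.1.1; tunnel destination 24.1.1.4",
    "R3": "crypto isakmp key cisco address 12.1.1.1; interface tunnel 0; "
          "ip add 13.1.1.3 255.255.255.0; tunnel source 23.1.1.3; tunnel destination 12.1.1.1",
    "R4": "crypto isakmp key cisco address 12.1.1.1; interface tunnel 0; "
          "ip add 14.1.1.4 255.255.255.0; tunnel source 24.1.1.4; tunnel destination 12.1.1.1",
}

def parse(text):
    """Return ({peer_address: psk}, [tunnel dicts]) for one router."""
    keys, tunnels, cur = {}, [], None
    for line in (c.strip() for c in text.split(";")):
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]
        elif re.match(r"interface tunnel \d+", line):
            cur = {"name": line.split(None, 1)[1]}
            tunnels.append(cur)
        elif cur is not None and (m := re.match(r"ip add(?:ress)? (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and (m := re.match(r"tunnel (source|destination) (\S+)", line)):
            cur[m[1]] = m[2]
    return keys, tunnels

def check(configs):
    """List mismatches between each tunnel and its mirror on the peer router."""
    parsed, issues = {r: parse(t) for r, t in configs.items()}, []
    for r, (keys, tunnels) in parsed.items():
        for t in tunnels:
            src, dst = t.get("source"), t.get("destination")
            # The mirror is any tunnel whose source/destination are swapped.
            peers = [(pk, pt) for pk, pts in parsed.values() for pt in pts
                     if pt.get("source") == dst and pt.get("destination") == src]
            if not peers:
                issues.append(f"{r} {t['name']}: no mirrored tunnel for {src} -> {dst}")
                continue
            pk, pt = peers[0]
            if t.get("net") != pt.get("net"):
                issues.append(f"{r} {t['name']}: tunnel subnet differs from peer")
            if keys.get(dst) is None or keys.get(dst) != pk.get(src):
                issues.append(f"{r} {t['name']}: pre-shared key missing or different for {dst}")
    return issues

if __name__ == "__main__":
    print(check(CONFIGS) or "endpoints, tunnel subnets and PSK peers are consistent")
```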

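victor_huang posted on 2013-6-8 11:12:42

This post was last edited by victor_huang on 2013-6-8 11:49

I took a look and tested it. The configuration is fine and the routes are all correct. My test results: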
R1#ping 5.5.5.5 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/141/256 ms


R5#
*Mar1 00:42:09.463: ICMP: echo reply sent, src 5.5.5.5, dst 1.1.1.1
*Mar1 00:42:09.775: ICMP: echo reply sent, src 5.5.5.5, dst 1.1.1.1
*Mar1 00:42:09.927: ICMP: echo reply sent, src 5.5.5.5, dst 1.1.1.1
*Mar1 00:42:10.027: ICMP: echo reply sent, src 5.5.5.5, dst 1.1.1.1
*Mar1 00:42:10.135: ICMP: echo reply sent, src 5.5.5.5, dst 1.1.1.1

songjiaqi posted on 2013-6-8 20:20:53

victor_huang posted on 2013-6-8 11:12
I took a look and tested it. The configuration is fine and the routes are all correct. My test results:
R1#ping 5.5.5.5 source 1.1.1.1

Uh... I don't know what's going on, mine just doesn't get through...