一个ipse vpn拨号到路由器的问题.补拓扑和需求!

mmght

最简单的拓扑,从互联网上用cisco vpn client拨号到路由器.不成功,开debug 看,是第一阶段认证不成功.


需求,从互联网上用cisco vpn clinet 拨号到公司出口路由器,访问公司内网资源.
公司内部网段192.168.1.0/24
分配给vpn拨号用户  192.168.2.0/24


show run 如下


hostname R2

aaa new-model
aaa authentication login tea-rz local
aaa authorization network tea-sq local
!
aaa session-id common
memory-size iomem 5   
ip cef
no ip domain lookup
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
!
crypto isakmp client configuration group cisco
key cisco
pool mypool
acl 101
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set myset
reverse-route
!
!
crypto map mymap client authentication list tea-rz
crypto map mymap isakmp authorization list tea-sq
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap
!
!         
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
ip local pool mypool 192.168.2.1 192.168.2.254
ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet1/0 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
end

Jeff.

最好把图和需求贴出来，

xzx1943

还要隐藏........

15980890429

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
好矛盾的说

tiq

当时看秦坷的视频说是，配这种REMOTE VPN需要使用Diffie-Hellman GROUP 2，如果是GROUP 1的话应该是不行的，我看你的POLICY 应该只是默认的GROUP 1