I recently set up an IPsec VPN and ran into a problem: the client gets an IP from the address pool and can reach the public Internet, but it just cannot reach the server-side internal network. Where is the problem most likely? Please advise. Here is my configuration:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ezvpn-authentication local
aaa authorization exec default local
aaa authorization network ezvpn-authorization local
!
no ip domain lookup
!
! type-0 passwords are stored in clear text; 'username <name> secret <pw>' stores a hash instead
username long privilege 15 password 0 long
username cisco password 0 cisco
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group myezvpn
key myezvpn
pool ezvpn-pool
acl 101
!
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
! no 'reverse-route' under this dynamic map: the router installs no route to the 192.168.100.0 pool,
! so return traffic depends on the default route leaving Serial1/1, the interface carrying the crypto map
crypto dynamic-map ezvpn-dynamic-map 1
set transform-set ccsp
!
!
crypto map cisco client authentication list ezvpn-authentication
crypto map cisco isakmp authorization list ezvpn-authorization
crypto map cisco client configuration address respond
crypto map cisco 1 ipsec-isakmp dynamic ezvpn-dynamic-map
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial1/1
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map cisco
!
ip local pool ezvpn-pool 192.168.100.1 192.168.100.100
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ip http server
no ip http secure-server
ip nat pool cisco 172.16.1.1 172.16.1.1 netmask 255.255.255.0
ip nat inside source list 100 pool cisco overload
!
! ACL 100 drives NAT: the deny exempts LAN -> VPN-pool traffic from translation and must precede the permit
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
! ACL 101 is the split-tunnel list pushed to clients: the LAN goes through the tunnel, everything else direct
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
jeff, I remember that when I checked at the time, the client's route details did include a route to destination 192.168.1.0, and the server side also had an injected static route to 192.168.100.0, so the problem is unlikely to be there. Afterwards I did it once more with SDM and the test passed. But that configuration file defines a virtual template and applies the static mapping to that template rather than to the outside interface. Strange? Is the server-side configuration approach not viable?
SDM configuration:
R1#show running-config
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
no ip domain lookup
!
!
username longlong privilege 15 password 0 longlong
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group test
key test
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group test
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
! the transform set referenced by this profile is not in the pasted output; SDM's usual definition for this name is assumed
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.121.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! the template carries no 'ip nat outside', so decrypted traffic to and from the pool is never translated
! and no NAT exemption ACL is needed; each connected client gets a host route via its Virtual-Access interface
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 123.1.1.1 123.1.1.100
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
!
ip http server
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 10.10.121.0 0.0.0.255
access-list 101 permit ip 10.10.121.0 0.0.0.255 any