ScreenOS ip6in4 通过传输模式 ipsec 建立隧道?

ScreenOS ip6in4 通过传输模式 ipsec 建立隧道?

我已经在 ScreenOS 路由器 (SSG-5) 和 Cisco 3925 之间建立了点对点的传输模式 IPsec 会话。IPsec 传输会话本身运行良好,但只要我尝试通过该传输会话传送协议 41(ip6in4)流量,数据包就无法正确传递。

我起初以为需要先为 IPsec 连接创建一个隧道接口,然后把 ip6in4 隧道的出接口指向该 IPsec 隧道接口,但是 ScreenOS 不允许在隧道接口之上再创建隧道。

此外,我也尝试了基于策略的 VPN,但当我在策略中以“隧道 VPN”作为目标时,它提示未知命令。基于策略的 IPsec 是否有一个总的开/关开关?

以下是我认为相关的配置,如需更多信息,我很乐意补充。

SCREENOS CONFIG:
---------------------------
set zone id 105 "mytunnel_TUNNEL"
set zone "mytunnel_TUNNEL" tcp-rst
set interface "tunnel.5" zone "mytunnel_TUNNEL"
set address "mytunnel_TUNNEL" "fdee:7e1e::/32" fdee:7e1e::/32
set ike gateway "micmplsv4" address 2.2.2.157 Main outgoing-interface "ethernet0/0" preshare "igdZeIcKNobfusol+CQcpIfvwnFwrxb5g==" sec-level compatible
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" monitor optimized rekey
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set vpn "mytunnel" proxy-id local-ip 8.8.8.10/32 remote-ip 2.2.2.157/32 "ANY"
set policy id 137 from "DMZ" to "mytunnel_TUNNEL"  "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set policy id 136 from "mytunnel_TUNNEL" to "DMZ"  "fdee:7e1e::/32" "fdbe:a922:a316:2::/64" "ANY" permit
set interface "tunnel.3" zone "Untrust"
set interface tunnel.3 ip unnumbered interface ethernet0/0
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set route 2.2.2.157/32 interface tunnel.3


CISCO CONFIG:
------------------------------
! Crypto ACL: selects all IP protocols between the two endpoints, so
! protocol-41 (6in4) packets from 2.2.2.157 to 8.8.8.10 presumably fall
! under it as well -- confirm with "show crypto ipsec sa" counters while
! generating v6 traffic.
ip access-list extended mic2pg
 permit ip host 2.2.2.157 host 8.8.8.10
!
! NOTE(review): 3DES/SHA-1 is a legacy combination; prefer AES and SHA-2
! on both ends where the ScreenOS peer (configured "sec-level compatible")
! supports it. Transport mode here must match the "transport" keyword in
! the peer's "set vpn" line.
crypto ipsec transform-set transport-esp-3des-sha esp-3des esp-sha-hmac
 mode transport
!
! NOTE(review): the peer's VPN is configured "no-replay", i.e. anti-replay
! protection is off on that side; re-enable it once the tunnel works.
! The peer's pasted config also contains its preshare value -- treat it as
! disclosed and rotate the key on both ends.
crypto map vpnmap 30 ipsec-isakmp
 set peer 8.8.8.10
 set transform-set transport-esp-3des-sha
 match address mic2pg
!
! The crypto map is applied on the sub-interface that owns 2.2.2.157, the
! same address used as the tunnel source below.
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 2.2.2.157 255.255.255.224
 crypto map vpnmap
!
! 6in4 tunnel ("ipv6ip" = IP protocol 41) between the same two v4
! endpoints the crypto ACL covers; only the v6 side carries an address.
interface Tunnel3
 no ip address
 ipv6 address FDEE:7E1E:100:F002::1/64
 ipv6 enable
 tunnel source 2.2.2.157
 tunnel mode ipv6ip
 tunnel destination 8.8.8.10
 !
end

答案1

我在 ScreenOS 上做过很多 IPv6 部署,既有原生 IPv6,也有隧道 IPv6。你问的这种场景我做过(尽管另一端不是 Cisco)。下面是具体做法。

不要再用 6in4 那一套。只使用一个隧道接口,并在两端取消代理 ID 设置。用 v4 端点建立隧道,然后把远端的 v6 前缀以及远端的 v4 前缀都路由到该隧道接口。

更新:应要求,附上示例配置。

说明:

  • 本地 v6 超网是 fd28:e1f3:d650:1000::/56
  • 远程 v6 超网是 fd28:e1f3:d650:2000::/56
  • 相关的 v4 部分已省略,因为我认为您已经清楚了。

set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 5.6.7.8/27
set interface ethernet0/0 route

set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.10.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ipv6 mode router
set interface ethernet0/2 ipv6 enable
set interface ethernet0/2 ipv6 ip fd28:e1f3:d650:1010::/64

set interface ethernet0/2 ipv6 nd nud
set interface ethernet0/2 ipv6 ra link-address
set interface ethernet0/2 ipv6 ra link-mtu
set interface ethernet0/2 ipv6 ra managed
set interface ethernet0/2 ipv6 ra other
set interface ethernet0/2 ipv6 ra preference high
set interface ethernet0/2 ipv6 ra prefix fd28:e1f3:d650:1010::/64
set interface ethernet0/2 ipv6 ra reachable-time
set interface ethernet0/2 ipv6 ra retransmit-time
set interface ethernet0/2 ipv6 ra transmit

set zone name v6remote
set interface tunnel.20 ip unnumbered interface ethernet0/0
set interface tunnel.20 zone v6remote
set interface tunnel.20 ipv6 mode host
set interface tunnel.20 ipv6 enable
set interface tunnel.20 ipv6 nd dad-count 0
set interface tunnel.20 ipv6 nd nud

set ike p1-proposal AES256-SHA preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal AES256-SHA group2 esp aes256 sha-1 second 3600

set ike gateway gateway2v6remote address 10.255.255.1 Main outgoing-interface ethernet0/0 preshare "secret-word" proposal AES256-SHA
set vpn tunnel2v6remote gateway gateway2v6remote replay tunnel idletime 0 proposal AES256-SHA 
set vpn tunnel2v6remote bind interface tunnel.20

set policy from v6remote to trust v6remote v6local ANY permit log count 
set policy from trust to v6remote v6local v6remote ANY permit log count

set route fd28:e1f3:d650:2000::/56 interface tunnel.20 gateway ::

答案2

我知道 ScreenOS 在直接路由 6in4 流量时存在问题。常见的做法是创建一个环回接口来终结 6in4 隧道,然后通过它路由 IPv6 流量。我在与 SixXS 建立的 6in4 隧道上使用过类似的配置,但我认为同样的基本原则也适用于您的情况。请参阅此链接了解更多信息,特别是“2009 年 9 月 13 日更新”部分。
