CISCO VPN site-to-site

I am having trouble connecting a CISCO 887 9 VA-WE-K VPN modem/router to a CISCO WRV210. My internal network works fine as an ADSL connection.

I can create the VPN connection between the two routers, since on the WRV210 I see the tunnel status as connected (no error messages in the log). However, they cannot communicate. When I try to ping from the 887 router to the other internal network, it does not work, and vice versa.

Here is my CISCO 887 configuration:

Building configuration...

Current configuration : 2989 bytes
!
! Last configuration change at 15:08:03 UTC Sun Nov 18 2012
! NVRAM config last updated at 00:04:33 UTC Sun Nov 18 2012
! NVRAM config last updated at 00:04:33 UTC Sun Nov 18 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LEHAVRE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXXXXX
enable password 7 XXXXXXXX
!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.103
!
ip dhcp pool DHCP_LEHAVRE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.103
 dns-server 192.168.10.103
 domain-name lehavre.local
!
!
ip domain name lehavre.local
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FCZ1644C0U0
!
!
username LeHavre privilege 15 secret 4 XXXXXXXX
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXX address 82.101.5.XXX
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 82.101.5.XXX
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 crypto map CMAP
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 no ip address
 shutdown
!
interface Vlan1
 ip address 192.168.10.103 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname fti/XXXXXXX
 ppp chap password 7 XXXXXXXX
 ppp ipcp dns request
 ppp ipcp route default
 crypto map CMAP
!
no ip forward-protocol nd
ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.101.0 0.0.0.255
!
access-list 1 permit any
!
!
!
!
snmp-server community public RO
!
line con 0
 password 7 XXXXXXX
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 password 7 XXXXXXXXX
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end 

Information:

LEHAVRE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
92.132.127.XXX   82.101.5.XXX    QM_IDLE           2013 ACTIVE

IPv6 Crypto ISAKMP SA 

A little help would be great. Thank you very much.

Answer 1

We also use the Cisco 877 with VPN.

If the ipsec tunnel is active (idle) but there is no traffic or ping between the peers, it may be because the no-NAT for the tunnel network is not configured correctly or the access lists do not match.

Your VPN-TRAFFIC acl is assigned correctly; now try the following:

ip access-list extended PERMIT-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
route-map SDM_RMAP_1 permit 1
 match ip address PERMIT-NAT
!

This should let your traffic to that network destination go through ipsec.

Try it and let us know the result.
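The answer above turns on one detail: on IOS, traffic going from inside to outside is translated by NAT before the crypto map is consulted, so a packet whose source has already been rewritten to the Dialer0 address no longer matches the VPN-TRAFFIC crypto ACL and leaves in the clear. The following Python model is an added example, not code from the question or the answer. It parses the page's own ACL entries, applies Cisco first-match semantics with the implicit deny, and compares the original `access-list 1 permit any` NAT rule (written here in extended form as `permit ip any any`, which is equivalent for this purpose) with the PERMIT-NAT exemption from the answer. Assumptions: wildcard masks are contiguous, only `ip` entries are modelled, and the public Dialer0 address is the constructed placeholder 203.0.113.10 (the page shows 92.132.127.XXX).

```python
"""Model of how a Cisco-style NAT ACL and a crypto ACL interact (added example).

Assumptions made here: entries are evaluated top to bottom, first match wins,
there is an implicit deny at the end, wildcard masks are contiguous, and for
inside-to-outside traffic NAT is applied before the crypto map is checked.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn Cisco 'address wildcard' into a prefix; wildcard 1-bits are don't-care."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # IOS accepts non-contiguous wildcards; this model deliberately does not.
    if (netmask | (netmask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefixlen = bin(netmask).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _parse_endpoint(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[pos]; return (network, next pos)."""
    tok = tokens[pos]
    if tok == "any":
        return ANY, pos + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[pos + 1]}/32"), pos + 2
    return wildcard_to_network(tok, tokens[pos + 1]), pos + 2


def parse_extended_acl(lines: List[str]) -> List[Ace]:
    """Parse entries such as 'permit ip 192.168.10.0 0.0.0.255 any' ('ip' entries only)."""
    acl = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip '!' separators and blank lines
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, pos = _parse_endpoint(tokens, 2)
        dst, _ = _parse_endpoint(tokens, pos)
        acl.append(Ace(tokens[0], src, dst))
    return acl


def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def forwarding_outcome(nat_acl: List[Ace], crypto_acl: List[Ace],
                       src: str, dst: str, outside_addr: str) -> Tuple[bool, bool]:
    """Inside->outside order modelled as NAT first, then crypto map.
    Returns (natted, encrypted)."""
    natted = acl_action(nat_acl, src, dst) == "permit"
    effective_src = outside_addr if natted else src
    encrypted = acl_action(crypto_acl, effective_src, dst) == "permit"
    return natted, encrypted


# ACL entries copied from the page; the standard 'access-list 1 permit any'
# is written in extended form since it permits every inside source.
ORIGINAL_NAT_ACL = parse_extended_acl(["permit ip any any"])
FIXED_NAT_ACL = parse_extended_acl([
    "deny   ip 192.168.10.0 0.0.0.255 192.168.101.0 0.0.0.255",
    "permit ip 192.168.10.0 0.0.0.255 any",
])
CRYPTO_ACL = parse_extended_acl([
    "permit ip 192.168.10.0 0.0.0.255 192.168.101.0 0.0.0.255",
])
OUTSIDE_ADDR = "203.0.113.10"   # constructed placeholder for the Dialer0 address


if __name__ == "__main__":
    for name, nat_acl in (("original", ORIGINAL_NAT_ACL), ("with PERMIT-NAT", FIXED_NAT_ACL)):
        for dst in ("192.168.101.20", "198.51.100.7"):
            natted, enc = forwarding_outcome(nat_acl, CRYPTO_ACL, "192.168.10.50", dst, OUTSIDE_ADDR)
            print(f"{name:16s} 192.168.10.50 -> {dst:15s} natted={natted} encrypted={enc}")
```

With the original NAT rule the packet to 192.168.101.20 is translated and then fails the crypto ACL, which is exactly the "tunnel up but no traffic" symptom in the question; with the PERMIT-NAT exemption it is left untranslated and matched for encryption, while ordinary Internet-bound traffic is still overloaded onto Dialer0.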
