一、穿越防火墙
![v2-055f62015dbd6f167c148f86c0d0fc1d_b.jpg](https://img-blog.csdnimg.cn/img_convert/b12822e511b06b24b97864596a98f7fb.png)
- Site2#ping 1.1.1.1 source 2.2.2.2
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
- Packet sent with a source address of 2.2.2.2
- .....
- Success rate is 0 percent (0/5)
- Site2#sh crypto isakmp sa de
- IPv4 Crypto ISAKMP SA
- dst src state conn-id status
- 202.100.1.1 202.100.2.1 QM_IDLE 1001 ACTIVE
- IPv6 Crypto ISAKMP SA
- Site2#sh crypto engine connections active
- Crypto Engine Connections
- ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
- 1 IPsec DES+MD5 0 0 0 202.100.2.1
- 2 IPsec DES+MD5 9 0 0 202.100.2.1
- 1001 IKE SHA+DES 0 0 0 202.100.2.1
![v2-e1a4b237f0e8c5f83e04b7f7e0fa5c5d_b.jpg](https://img-blog.csdnimg.cn/img_convert/a780aa4b069a45819d405a469ce6f92a.png)
解决方法:
- access-list out extended permit udp host 202.100.1.1 eq isakmp host 202.100.2.1
- 允许从外发发起ipsec 连接
- access-list out extended permit esp host 202.100.1.1 host 202.100.2.1
- 放行esp流量
- access-group out in interface Outside
- 中间设备需要放行流量
- 1.加密点之间的ISAKMP流量(UPD500)
- 2.加密点之间的ESP或者AH流量
二、IPSec流量放行问题
![v2-96b18be23ceb83a550433d4d38887c07_b.jpg](https://img-blog.csdnimg.cn/img_convert/721a33b391a30fcf6b3e30cfea0bd429.png)
IOS12.3之后 对与VPN 解密后的明文流量由 crypto map acl 来控制
- access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
- crypto map cisco 10 ipsec-isakmp
- set ip access-group 110 in
并且使用 crypto map acl 后 需重新建立ipsec SA 才能生效
删除 crypto map acl 不需要重新建立ipsec SA
- Inside#telnet 2.2.2.2
- Trying 2.2.2.2 ... Open
- Password required, but none set
- [Connection to 2.2.2.2 closed by foreign host]
- Inside#ping 2.2.2.2
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
- .....
- Success rate is 0 percent (0/5)
三、NAT-T穿越的问题
![v2-2bb29358ce1dc1a7e830dcb700c166f4_b.jpg](https://img-blog.csdnimg.cn/img_convert/d5fcb9ef131dfe93be2d57c5741b679c.png)
![v2-cc92b02e423dd6a68c86db2e5339336d_b.jpg](https://img-blog.csdnimg.cn/img_convert/efcfcc2452eabb391745a57ede75dfe9.png)
- 故障排除:
- show run | s crypto //查看VPN所有配置
- show ip access
- show crypto isakmpsa//查看第一阶段sa
- show cryptoipsecsa//查看第二阶段sa
- clear crypto sa//清除邻居关系
- clear crypto isakamp//清除邻居关系
- debug crypto isakmp //查看第一阶段令居建立过程
- debug crypto ipsec// 查看第一阶段令居建立过程