With some free time on my hands I set up an IPsec VPN lab. Unexpectedly, not only did it fail to work, it produced a result I had not anticipated at all, heh... That is not the point here, though; let's look at how to troubleshoot it!!!
Lab topology:
R3-R1-R5-R2-R4
Interfaces, from left to right: e0/1 e0/1 e0/0 e0/0 e0/2 e0/2 e0/1 e0/1
The basic configuration is omitted here; I trust that configuring IP addresses is not a problem for anyone.
R3 e0/1: 192.168.2.100, gateway 192.168.2.254
R1 e0/1: 192.168.2.254, e0/0: 10.1.1.1
R5 e0/0: 10.1.1.5, e0/2: 20.1.1.5
R2 e0/2: 20.1.1.2, e0/1: 10.10.2.254
R4 e0/1: 10.10.2.100, gateway: 10.10.2.254
A few points to watch in this lab: the interaction between IPsec VPN and NAT, and the interesting traffic. Everyone writes extended access lists in their labs, but the details are easy to overlook, for example writing: access-list 100 permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0 (subnet masks written where wildcard masks belong). I have seen technicians around me write it exactly this way, and then the list you see in show running-config is not the one you expected.
R1's configuration is as follows:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 20.1.1.2
!
!
crypto ipsec transform-set ssk ah-md5-hmac esp-3des
!
crypto map ssk 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set ssk
match address 101 (fault point 1)
!
!
!
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map ssk
!
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
ip route 0.0.0.0 0.0.0.0 10.1.1.5
!
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any (fault point 2)
Only the relevant configuration is shown here.
After the basic IPsec VPN configuration was done, phase 1 would not come up, so I turned on debugging and saw the following:
R2#
*Mar 1 01:25:32.659: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Mar 1 01:25:32.659: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
*Mar 1 01:25:32.659: ISAKMP: New peer created peer = 0x645C147C peer_handle = 0x80000004
*Mar 1 01:25:32.663: ISAKMP: Locking peer struct 0x645C147C, IKE refcount 1 for crypto_isakmp_process_block
*Mar 1 01:25:32.663: ISAKMP: local port 500, remote port 500
*Mar 1 01:25:32.663: insert sa successfully sa = 651B769C
*Mar 1 01:25:32.667: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:25:32.667: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 1 01:25:32.671: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 01:25:32.671: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:25:32.671: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 01:25:32.675: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 01:25:32.675: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:25:32.675: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:25:32.675: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.1.1.1
*Mar 1 01:25:32.683: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 01:25:32.683: ISAKMP : Scanning profiles for xauth ...
*Mar 1 01:25:32.683: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 01:25:32.683: ISAKMP: encryption 3DES-CBC
*Mar 1 01:25:32.683: ISAKMP: hash MD5
*Mar 1 01:25:32.687: ISAKMP: default group 2
*Mar 1 01:25:32.687: ISAKMP: auth pre-share
*Mar 1 01:25:32.687: ISAKMP: life type in seconds
*Mar 1 01:25:32.687: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 01:25:32.691: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 01:25:32.763: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:25:32.763: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 01:25:32.767: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar 1 01:25:32.767: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:25:32.767: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:25:32.767: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar 1 01:25:32.771: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:25:32.771: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
Here you only need to pay attention to fault points 1 and 2. Because NAT is in use, take special care that the NAT traffic and the IPsec interesting traffic are kept separate: the addresses matched by the crypto map must never be matched by the NAT access list. Once the two kinds of traffic were separated, the IPsec VPN came up successfully. Of course this is only one of the possible problems, and everyone runs into different ones; if you have questions, let's discuss them together. This is my first blog post, so please point out anything that is lacking. Thank you!!!
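To catch the two pitfalls described above (one ACL serving both the crypto map and NAT, and a subnet mask written where a wildcard mask belongs), here is a small checker added as an example; it is not from the original post, and the "fixed" configuration it carries is my own assumption of how the split would look, using a new ACL 100 for the interesting traffic.

```python
import re
# Constructed sample from the post's R1 config: ACL 101 is referenced by both
# the crypto map (fault point 1) and the NAT rule (fault point 2).
R1_BROKEN = """
crypto map ssk 10 ipsec-isakmp
 match address 101
ip nat inside source list 101 interface Ethernet0/0 overload
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
"""
# Constructed fix (assumption): a dedicated crypto ACL 100 carries the
# interesting traffic; ACL 101 stays with NAT and only excludes that traffic.
R1_FIXED = """
crypto map ssk 10 ipsec-isakmp
 match address 100
ip nat inside source list 101 interface Ethernet0/0 overload
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
"""

CRYPTO_RE = re.compile(r"^\s*match address (\S+)", re.M)
NAT_RE = re.compile(r"^\s*ip nat inside source list (\S+)", re.M)
ACE_RE = re.compile(r"^\s*access-list (\S+) (?:permit|deny) ip (.+)$", re.M)

def is_contiguous_wildcard(mask):
    """True for a normal IOS wildcard (zeros then ones, e.g. 0.0.0.255)."""
    bits = int.from_bytes(bytes(int(o) for o in mask.split(".")), "big")
    return bits & (bits + 1) == 0  # 255.255.255.0 is a subnet mask: False

def check_config(text):
    """Return findings for the two NAT/IPsec pitfalls described in the post."""
    findings = []
    shared = set(CRYPTO_RE.findall(text)) & set(NAT_RE.findall(text))
    for acl in sorted(shared):
        findings.append(f"ACL {acl} is shared by the crypto map and NAT: split it")
    for acl, rest in ACE_RE.findall(text):
        tokens, i, specs = rest.split(), 0, 0
        while specs < 2 and i < len(tokens):      # walk source, then destination
            if tokens[i] == "any":
                i += 1
            elif tokens[i] == "host":
                i += 2
            else:                                   # network + wildcard pair
                if i + 1 < len(tokens) and not is_contiguous_wildcard(tokens[i + 1]):
                    findings.append(f"ACL {acl}: {tokens[i + 1]} looks like a subnet mask, not a wildcard")
                i += 2
            specs += 1
    return findings
```

Running check_config on the post's R1 configuration reports the shared ACL 101, while the split configuration produces no findings.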
Reposted from: https://blog.51cto.com/ssk77/1206653