Tacacs+ over VPN not working

network-engineering vpn packet-tracer tunnel aaa tacacs
2022-03-02 15:39:23

R3 is the Tacacs+ client and Server0 is configured as an AAA server with Tacacs+, but R3 cannot authenticate.

R3 configuration:

!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
aaa new-model
!
aaa authentication login CONSOLE none 
aaa authentication login default group tacacs+ local 
aaa authentication enable default group tacacs+ local 
!
ip cef
no ipv6 cef
!
username backup password 0 cisco
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 209.165.100.1
!
crypto ipsec transform-set R3-R1 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp 
 set peer 209.165.100.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R3-R1 
 match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
 ip address 209.165.200.1 255.255.255.0
 duplex auto
 speed auto
 crypto map IPSEC-MAP
!
interface GigabitEthernet0/0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.2 
!
ip flow-export version 9
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
tacacs-server host 192.168.1.3 key cisco
!
line con 0
 login authentication CONSOLE
!
line aux 0
!
line vty 0 4
!
!
end

R1 configuration:

version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login CONSOLE none 
aaa authentication login default group tacacs+ local 
aaa authentication enable default group tacacs+ local 
!
!
ip cef
no ipv6 cef
!
username backup password 0 cisco
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 209.165.200.1
!
!
!
crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp 
 set peer 209.165.200.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R1-R3 
 match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
 ip address 209.165.100.1 255.255.255.0
 duplex auto
 speed auto
 crypto map IPSEC-MAP
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.100.2 
!
ip flow-export version 9
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
tacacs-server host 192.168.1.3 key cisco
!
line con 0
 login authentication CONSOLE
!
line aux 0
!
line vty 0 4
!
end

ISP router configuration:

Current configuration : 590 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
 ip address 209.165.100.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 ip address 209.165.200.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Note: R1 and R3 have already formed the VPN tunnel.

1 Answer

You need it to source from the inside interface so that it is included in the interesting traffic over the tunnel. If you don't specify one, it will take your default route to get there, which will be your outside interface, and it will fail. Please add the command ip tacacs source-interface GigabitEthernet0/0/1 on R3 and report back whether that resolves it.
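The mechanism behind that answer can be checked offline. The script below is an added example, not part of the question or the answer: it takes the crypto ACL and interface addresses from R3's posted configuration (the addresses are the question's own; the interface-to-address table, the default-route exit interface and the helper function names are assumptions made for the example), evaluates the crypto ACL the way IOS wildcard masks work, and reports whether a TACACS+ packet to 192.168.1.3 is "interesting traffic" when sourced from the outside address picked by the default route versus the inside address selected by ip tacacs source-interface.

```python
import ipaddress
import re

# Values copied from the R3 configuration in the question.
R3_CRYPTO_ACL = "access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"
TACACS_SERVER = "192.168.1.3"  # tacacs-server host 192.168.1.3

# Assumed interface table built from the same configuration (example data).
R3_INTERFACES = {
    "GigabitEthernet0/0/0": "209.165.200.1",  # outside interface, carries the crypto map
    "GigabitEthernet0/0/1": "192.168.3.1",    # inside LAN interface
}
# ip route 0.0.0.0 0.0.0.0 209.165.200.2 exits via G0/0/0 (assumed for the example).
R3_DEFAULT_ROUTE_EXIT = "GigabitEthernet0/0/0"

# Only the simple "permit ip <src> <wc> <dst> <wc>" form used on this page is parsed.
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_ace(line):
    """Parse one extended-ACL entry into its fields."""
    match = ACE_RE.match(line.strip())
    if not match:
        raise ValueError("unsupported ACL syntax: %r" % line)
    number, action, src, src_wc, dst, dst_wc = match.groups()
    return {"number": int(number), "action": action,
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def is_interesting(ace, src, dst):
    """True when the src/dst pair is permitted by the crypto ACL, i.e. will be encrypted."""
    return (ace["action"] == "permit"
            and wildcard_match(src, ace["src"], ace["src_wc"])
            and wildcard_match(dst, ace["dst"], ace["dst_wc"]))


def tacacs_source_address(source_interface=None):
    """Address the router writes into its own TACACS+ packets.

    Without 'ip tacacs source-interface' IOS uses the address of the interface
    the route lookup exits through; with it, the configured interface's address.
    """
    if source_interface is not None:
        return R3_INTERFACES[source_interface]
    return R3_INTERFACES[R3_DEFAULT_ROUTE_EXIT]


def tacacs_goes_through_tunnel(source_interface=None):
    """Return (source address used, whether the crypto map will encrypt it)."""
    ace = parse_ace(R3_CRYPTO_ACL)
    src = tacacs_source_address(source_interface)
    return src, is_interesting(ace, src, TACACS_SERVER)


if __name__ == "__main__":
    for cfg in (None, "GigabitEthernet0/0/1"):
        src, encrypted = tacacs_goes_through_tunnel(cfg)
        label = cfg or "default route (no source-interface)"
        print("%-40s src=%-15s matches crypto ACL: %s" % (label, src, encrypted))
```

Running it shows the failure mode the answer describes: sourced from 209.165.200.1 the TACACS+ session misses access-list 100 and leaves R3 in the clear toward the ISP, which has no route to 192.168.1.0/24; sourced from 192.168.3.1 it matches and is carried inside the IPsec SA. On the real router the same thing is visible in show crypto ipsec sa on R3, where the encaps/decaps counters should increase during a login attempt once the source interface is set.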