I am doing a lab on DMVPN and site-to-site ASA integration. The DMVPN itself works fine.
However, I am having trouble getting routing from the site-to-site ASA into the DMVPN to work.
The router on the left is the DMVPN hub, and the router on the right is one of the spokes. All internal networks (172.20.40.0/24, 172.20.1.0/4) are routed over the tunnel interfaces via EIGRP.
The address 132.87.2.2 is NATted one-to-one to the left-hand FW (172.20.4.2). The right-hand firewall establishes a point-to-point VPN to the external IP (132.87.2.2). show crypto ipsec sa shows that the VPN tunnel is established, but there is no route from the right-hand firewall into the DMVPN (172.20.30.0/24 -> 172.20.40.0/24).
The external routes (132.87.2.0/24, 65.32.147.0/24, 18.31.192.0/24) are exchanged via BGP. How do I get the firewall to learn the DMVPN routes, and vice versa?
Left ASA
! proposal header line is missing from the posted config; restored here to match the S2SPROP reference in the crypto map below
crypto ipsec ikev2 ipsec-proposal S2SPROP
protocol esp encryption des
protocol esp integrity sha-256
crypto ikev2 policy 1
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
! Define the B-END of the tunnel and configure PSK
tunnel-group 65.32.147.1 type ipsec-l2l
tunnel-group 65.32.147.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key ***
ikev2 local-authentication pre-shared-key ***
access-list S2SACL extended permit ip any 172.16.30.0 255.255.255.0
crypto map S2SCRYPTOMAP 10 match address S2SACL
crypto map S2SCRYPTOMAP 10 set peer 65.32.147.1
crypto map S2SCRYPTOMAP 10 set ikev2 ipsec-proposal S2SPROP
crypto map S2SCRYPTOMAP interface outside
Right ASA
crypto ipsec ikev2 ipsec-proposal S2SPROP
protocol esp encryption des
protocol esp integrity sha-256
!
crypto ikev2 policy 1
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 132.87.2.2 type ipsec-l2l
tunnel-group 132.87.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key ***
ikev2 local-authentication pre-shared-key ***
!
object network INTERNAL
network-object 172.16.30.0 255.255.255.0
access-list clients extended permit ip object INTERNAL any
access-list clients extended permit icmp any any
access-list S2SACL extended permit ip 172.16.30.0 255.255.255.0 any
!
access-group clients in interface inside
!
crypto map outside_map 10 match address S2SACL
crypto map outside_map 10 set peer 132.87.2.2
crypto map outside_map 10 set ikev2 ipsec-proposal S2SPROP
crypto map outside_map interface outside
!
packet-tracer input inside icmp 172.16.30.10 1 2 3 172.16.40.10
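As an added troubleshooting aid (not part of the original post), the script below parses the two crypto map ACLs quoted above, checks that they are src/dst mirrors of each other (an IKEv2 traffic-selector mismatch is a common reason a tunnel comes up but carries no traffic), and tests whether a given flow would be classified as interesting traffic on each ASA. The ACL lines are copied from the post; the test flows are the packet-tracer flow and the 172.20.30.0/24 subnet named in the question text.

```python
import ipaddress
import re

# Crypto ACLs copied from the two posted configs (left = hub-side ASA, right = spoke-side ASA).
LEFT_ACL = ["access-list S2SACL extended permit ip any 172.16.30.0 255.255.255.0"]
RIGHT_ACL = ["access-list S2SACL extended permit ip 172.16.30.0 255.255.255.0 any"]

ANY = ipaddress.ip_network("0.0.0.0/0")
ADDR = r"any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(rf"access-list\s+\S+\s+extended\s+permit\s+ip\s+({ADDR})\s+({ADDR})\s*$")

def _to_net(token):
    """Turn 'any' or 'addr netmask' (ASA ACL form) into an ip_network."""
    if token == "any":
        return ANY
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(lines):
    """Return (src_net, dst_net) proxy-ID pairs from 'permit ip' ACEs; other lines are ignored."""
    pairs = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            pairs.append((_to_net(m.group(1)), _to_net(m.group(2))))
    return pairs

def unmirrored(local_pairs, remote_pairs):
    """ACEs on one side that have no src/dst-swapped twin on the other side."""
    remote_swapped = {(d, s) for s, d in remote_pairs}
    return [p for p in local_pairs if p not in remote_swapped]

def flow_is_interesting(pairs, src_ip, dst_ip):
    """Would this flow match the crypto map ACL and therefore be sent into the tunnel?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in pairs)

if __name__ == "__main__":
    left, right = parse_crypto_acl(LEFT_ACL), parse_crypto_acl(RIGHT_ACL)
    print("unmirrored on left :", unmirrored(left, right))
    print("unmirrored on right:", unmirrored(right, left))
    # packet-tracer flow from the post, as seen by the right ASA (inside -> tunnel)
    print("right encrypts 172.16.30.10->172.16.40.10:", flow_is_interesting(right, "172.16.30.10", "172.16.40.10"))
    # the return leg, as seen by the left ASA
    print("left encrypts 172.16.40.10->172.16.30.10:", flow_is_interesting(left, "172.16.40.10", "172.16.30.10"))
    # the subnet named in the question text is covered by neither crypto ACL
    print("right encrypts 172.20.30.10->172.20.40.10:", flow_is_interesting(right, "172.20.30.10", "172.20.40.10"))
```

Both ACLs mirror each other, so the posted packet-tracer flow is interesting traffic on both sides; a flow from 172.20.30.0/24 is not, which is worth reconciling with the subnets the question text mentions.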