Cisco IPsec VPN tunnel problem

network-engineering lan vpn nat ipsec
2022-03-02 21:33:19

I have a problem with my VPN configuration. This is the topology I created:

[image: network topology diagram]

First, update the license so that the VPN features are available:

license boot module c1900 technology-package securityk9

IPsec router, network A configuration:

ip route 0.0.0.0 0.0.0.0 200.100.100.2 
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.40.0 0.0.0.255
!
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
!
crypto isakmp key VPN address 200.200.100.1
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp 
set peer 200.200.100.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set VPN
match address 100
!
interface gigabitEthernet 0/0
 crypto map VPN
!

IPsec router, network B:

ip route 0.0.0.0 0.0.0.0 200.200.100.2 
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.20.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
!
crypto isakmp key VPN address 200.100.100.1
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp 
set peer 200.200.100.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set VPN
match address 100
!
interface gigabitEthernet 0/0
 crypto map VPN
!

VLAN router, network A

interface gigabitEthernet 0/1.1
 encapsulation dot1Q 10 
 ip address 192.168.10.1 255.255.255.0 
!
interface gigabitEthernet 0/1.2
 encapsulation dot1Q 20 
 ip address 192.168.20.1 255.255.255.0
!

VLAN router, network B

interface gigabitEthernet 0/1.1
 encapsulation dot1Q 30 
 ip address 192.168.30.1 255.255.255.0 
!
interface gigabitEthernet 0/1.2
 encapsulation dot1Q 40 
 ip address 192.168.40.1 255.255.255.0
!

Switch 1

interface gigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range fastEthernet 0/1-11
 switchport access vlan 10
!
interface range fastEthernet 0/11-20
 switchport access vlan 20
!

Switch 2

interface gigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan 30,40
!
interface range fastEthernet 0/1-11
 switchport access vlan 30
!
interface range fastEthernet 0/11-20
 switchport access vlan 40
!

I want the VLANs to be able to communicate with each other, but there is a problem with the VPN tunnel.

I think I need to configure NAT but don't know how.

The output of "show crypto isakmp sa" is the same on both routers:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
!
IPv6 Crypto ISAKMP SA
!
1 Answer

There is a typo in your access lists, so no traffic is allowed into the VPN tunnel:

access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.20.0 0.0.0.255

Note 103.168.10.0 instead of 192.168.10.0.
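The mismatch the answer points out is easy to miss by eye, so here is an added checker (example code written for this page, not part of the question or the answer, using only the Python standard library). It parses the two crypto ACLs exactly as posted, verifies that every source/destination pair on router A has its mirror image on router B (the condition a site-to-site tunnel needs, since IKE is only triggered by packets that match an ACE and the peer must match the reverse direction), and flags any prefix that lies outside the four VLAN networks the topology actually has. The corrected ACLs at the bottom are an assumption derived from the answer (103.168.x.x replaced by 192.168.x.x); the empty "show crypto isakmp sa" output in the question is what you would expect when no packet ever matches the crypto ACL, because the router then never initiates IKE at all.

```python
"""Check that two Cisco crypto ACLs (the "interesting traffic" selectors of a
site-to-site IPsec tunnel) are exact mirror images and only reference LAN
prefixes that really exist. The sample ACLs are constructed from the question."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the crypto ACLs exactly as posted for router A and router B.
ROUTER_A_ACL = """
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.40.0 0.0.0.255
"""
ROUTER_B_ACL = """
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.20.0 0.0.0.255
"""
# Hypothetical corrected ACLs (assumption: 103.168.x.x was meant to be 192.168.x.x).
ROUTER_A_ACL_FIXED = ROUTER_A_ACL.replace("103.168.", "192.168.")
ROUTER_B_ACL_FIXED = ROUTER_B_ACL.replace("103.168.", "192.168.")

# LAN prefixes that exist in the topology (taken from the VLAN router sub-interfaces).
KNOWN_LANS = {ipaddress.ip_network(p) for p in
              ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24")}

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Only the "access-list N permit ip SRC WILDCARD DST WILDCARD" form is handled here.
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_crypto_acl(text: str) -> Set[Flow]:
    """Turn each ACE into a (source network, destination network) pair.
    ipaddress accepts a wildcard (host mask) after the slash, so 0.0.0.255 -> /24."""
    flows: Set[Flow] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE: {line}")
        src, src_wc, dst, dst_wc = m.groups()
        flows.add((ipaddress.ip_network(f"{src}/{src_wc}"),
                   ipaddress.ip_network(f"{dst}/{dst_wc}")))
    return flows


def mirror_mismatches(local: Set[Flow], remote: Set[Flow]) -> Dict[str, List[str]]:
    """Flows on one side whose mirror image (dst -> src) is missing on the other.
    Any entry returned here means the two peers disagree on what the tunnel
    should carry, so the SA can never be negotiated for that flow."""
    return {
        "only_on_local": sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote),
        "only_on_remote": sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local),
    }


def unexpected_prefixes(flows: Set[Flow], known: Set[ipaddress.IPv4Network]) -> List[str]:
    """Networks referenced by the ACL that lie outside every known LAN (typo detector)."""
    return sorted({str(n) for flow in flows for n in flow
                   if not any(n.subnet_of(k) for k in known)})


if __name__ == "__main__":
    a, b = parse_crypto_acl(ROUTER_A_ACL), parse_crypto_acl(ROUTER_B_ACL)
    print("mismatches as posted:", mirror_mismatches(a, b))
    print("unknown prefixes on A:", unexpected_prefixes(a, KNOWN_LANS))
    print("unknown prefixes on B:", unexpected_prefixes(b, KNOWN_LANS))
    print("mismatches after fix:",
          mirror_mismatches(parse_crypto_acl(ROUTER_A_ACL_FIXED),
                            parse_crypto_acl(ROUTER_B_ACL_FIXED)))
```

Run against the posted ACLs, all four entries on each router are reported as having no mirror on the other side and the 103.168.x.x networks are reported as unknown; with the 192.168.x.x correction applied on both routers both reports come back empty. Note that both routers, not only router B, carry the typo, so the fix has to be applied on each side.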