Traffic from route-map to crypto map

networking cisco routing vpn
2021-07-25 05:24:21

This is a spin-off of my earlier question Ipsec vpn, phase 2 cannot come up. The VPN is up and working, but now I am having trouble getting the right traffic through it.

The only thing I want to pass through it is port 80 traffic. I am looking at the Cisco document on configuring a tunnel default gateway and working through that. I removed the traffic from NAT, and that part works. I created a route-map to catch that traffic and set the next hop to the remote VPN endpoint. I can see the route-map being hit, so it sees the traffic. I must be missing something, though.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key ******** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
!
!
crypto map IOFVPN 1 ipsec-isakmp 
 description Isle Of Man
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address 154
!
!
!
!
interface FastEthernet0/0
 description Internal 192 Network
 ip address 192.168.30.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address dhcp
 ip access-group 112 in
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 ip policy route-map VPN_WEB
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map IOFVPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 174.59.28.1
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.30.200 9443 interface FastEthernet0/1 9443
ip nat inside source static tcp 192.168.30.105 5901 interface FastEthernet0/1 5901
ip nat inside source static udp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static udp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static tcp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static tcp 192.168.30.13 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static tcp 192.168.30.13 80 interface FastEthernet0/1 80
ip nat inside source route-map POLICY-NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.30.20 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.30.60 443 interface FastEthernet0/1 443
!
ip access-list extended NAT
 deny   tcp 192.168.30.0 0.0.0.255 any eq www log
 deny   ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!

access-list 112 remark Explicit accept and deny
access-list 112 deny   udp any any eq snmp
access-list 112 deny   ip host 50.17.67.227 any
access-list 112 deny   ip host 1.93.27.33 any
access-list 112 deny   tcp any any eq telnet
access-list 112 permit tcp host 37.235.50.117 any eq ftp log
access-list 112 permit tcp host 5.255.80.84 any eq ftp log
access-list 112 permit tcp host 66.228.62.226 any eq ftp log
access-list 112 permit tcp host 72.25.5.126 any eq 5901 log
access-list 112 permit tcp host 72.25.5.126 any eq 11111 log
access-list 112 permit tcp host 72.25.5.126 any eq 8000 log
access-list 112 deny   tcp any any eq ftp log
access-list 112 deny   tcp any any eq 3389 log
access-list 112 deny   tcp any any eq 5901 log
access-list 112 deny   tcp any any eq 11111
access-list 112 deny   tcp any any eq 8000
access-list 112 permit ip any any

access-list 154 permit ip 192.168.30.0 0.0.0.255 host 2.2.2.2
access-list 155 permit tcp any any eq www

snmp-server community public RO
no cdp run
!
route-map VPN_WEB permit 1
 match ip address 155
 set ip next-hop 2.2.2.2
!
route-map POLICY-NAT permit 10
 match ip address NAT

As I see it, the route-map sees the traffic and changes the next hop, and that should then trigger the crypto map, but that is not happening.

Update: I changed a few things to try to make it easier on myself. On the Linux box I added eth0:0 with 192.168.10.1 and turned on NAT. I realized that if I was going to pass traffic over there, something had to be done with it.

I read that ip next-hop falls back to the default route when there is no specific route. So I added:

reverse-route static

Now it shows a route:

S    192.168.10.0/24 [1/0] via 2.2.2.2

The access lists changed to:

access-list 154 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 155 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

I changed the route-map to point the next hop at 192.168.10.1. The web traffic still refuses to go through.

My NAT looks like this:

ip access-list extended NAT
deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any

So if the route-map is actually setting a next hop of 192.168.10.1, the traffic should not be NATed and should be pushed through the VPN. That is not happening. It goes straight out to the internet.

What am I missing here?

Update: current config. The tunnel is up. The subnets can ping each other. www traffic is still going out the local gateway. If I do not remove the NAT line for www traffic, there is no www traffic at all. (By that I mean the www traffic is not going through the VPN, because encaps stays at 0.)

version 12.4
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname Hex-2811
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T5.bin
boot-end-marker
!
no logging buffered
aaa new-model
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
!
ip cef
!
no ip bootp server
ip domain name hexhome.int
ip name-server 192.168.30.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
!
voice-card 0
 no dspfarm
!         
archive
 log config
  hidekeys
!
!
ip ssh version 2
! 
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key ******* address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address 160
!
!
interface FastEthernet0/0
 description Internal 192 Network
 ip address 192.168.30.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address dhcp
 ip access-group 112 in
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map IOFVPN
!
ip forward-protocol nd
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.30.45 3001
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.30.60 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.30.20 21 interface FastEthernet0/1 21
ip nat inside source route-map POLICY-NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.30.13 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static tcp 192.168.30.13 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static udp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static udp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static tcp 192.168.30.105 5901 interface FastEthernet0/1 5901
ip nat inside source static tcp 192.168.30.200 9443 interface FastEthernet0/1 9443
!
ip access-list extended NAT
 deny   tcp 192.168.30.0 0.0.0.255 any eq www
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
access-list 112 remark Explicit accept and deny
access-list 112 deny   udp any any eq snmp
access-list 112 deny   ip host 50.17.67.227 any
access-list 112 deny   ip host 1.93.27.33 any
access-list 112 deny   tcp any any eq telnet
access-list 112 permit tcp host 37.235.50.117 any eq ftp log
access-list 112 permit tcp host 5.255.80.84 any eq ftp log
access-list 112 permit tcp host 66.228.62.226 any eq ftp log
access-list 112 permit tcp host 72.25.5.126 any eq 5901 log
access-list 112 permit tcp host 72.25.5.126 any eq 11111 log
access-list 112 permit tcp host 72.25.5.126 any eq 8000 log
access-list 112 deny   tcp any any eq ftp log
access-list 112 deny   tcp any any eq 3389 log
access-list 112 deny   tcp any any eq 5901 log
access-list 112 deny   tcp any any eq 11111
access-list 112 deny   tcp any any eq 8000
access-list 112 permit ip any any
access-list 153 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 154 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq 443
snmp-server community public RO
no cdp run
!
route-map VPN_WEB permit 1
 match ip address 153
 set ip next-hop 192.168.10.1
!
route-map POLICY-NAT permit 10
 match ip address NAT

2 answers

I have to thank @ron for this answer.

The policy map was never going to work the way it was. @ron suggested a GRE tunnel and then protecting it with IPsec.

interface Tunnel0
ip address 10.10.10.2 255.255.255.252
ip mtu 1420
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
crypto map IOFVPN

Along with a route to the remote side's internal subnet, via the remote side's tunnel gateway:

S    192.168.10.0/24 [1/0] via 10.10.10.1

I had never used GRE before, but I will now. Setting up the tunnel on the Cisco and Linux (openswan) sides is very basic. Once it was up and running, I tested it without IPsec.

On my fa0/0 interface, my internal one, inbound:

ip policy route-map proxy-redirect

route-map proxy-redirect permit 100
 match ip address proxy-redirect
 set ip next-hop recursive 192.168.10.1

The matching ACL is:

ip access-list extended proxy-redirect
 deny   tcp host 192.168.30.13 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq 443
 permit tcp 192.168.30.0 0.0.0.255 any eq irc
 permit tcp 192.168.30.0 0.0.0.255 any eq 6667
 deny   tcp 192.168.30.0 0.0.0.255 any eq 5938
 deny   tcp any any
 deny   udp any any
 deny   ip any any

Once I added that, my traffic started passing the way I wanted. I will note here that this ACL could probably be narrowed down. I added the implicit denies because I had odd traffic crossing the link.

Once that was verified working, I just had to wrap it in IPsec. Configuring the Cisco side was easy.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key *********** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
 mode transport
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address IPSEC-GRE-IOF

ip access-list extended IPSEC-GRE-IOF
 permit gre host 1.1.1.1 host 2.2.2.2

** Transport mode must be used. That took me a little while to figure out.

Apply that crypto map to f0/1 and tun0, and you have a tunnel.

Despite all of this, the openswan side gave me trouble. Their config is a bit odd and just takes some getting used to.

At the end of the day, all the traffic I wanted is split off and routed through an IPsec-protected GRE tunnel to the remote endpoint.

Enjoy.

A few things are not very clear. First, in the "Update" section you mention some changes; please post the full current config.

Next, policy maps work on input, not on output. In other words, on your outside interface (fa0/1) you are trying to match incoming traffic, which makes no sense; the private IPs come from the internal network, so you should attach the route-map to the internal interface.

The next thing that is unclear is the purpose of the VPN: is it only for WWW traffic, or for all traffic matching ACL 154, which defines the crypto interesting traffic as all IP from 192.168.30.0/24 to 192.168.10.0/24? Decide, then configure.

To solve this I would set up a Tunnel0 VPN interface, which separates routing from interface configuration and works in this mode. Here is an example of such a configuration: http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html
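An added illustration, not code from either answer or the original poster: a minimal model of the two IOS forwarding steps that matter here (ingress policy routing, then the crypto-map ACL on the outside interface). It shows why the original route-map never encrypted web traffic, why moving it to fa0/0 alone would not have helped with ACL 154, and why the GRE design in the accepted answer matches. It assumes a constructed web flow from 192.168.30.50 to 203.0.113.10 and the tunnel addressing given in the accepted answer; deny entries of the proxy-redirect ACL are omitted.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_permits(acl, pkt):
    """ACL entries are (proto, src_net, dst_net, dport or None); permit-only, first match wins."""
    for proto, src, dst, dport in acl:
        if proto in ("ip", pkt["proto"]) and in_net(pkt["src"], src) \
                and in_net(pkt["dst"], dst) and dport in (None, pkt.get("dport")):
            return True
    return False

def forward(pkt, ingress, pbr, crypto_acl, tunnel=None):
    """pbr: {ingress_interface: (acl, next_hop)}; PBR is only consulted on the ingress interface.
    tunnel: (nets reachable via Tunnel0, outer src, outer dst) for GRE encapsulation.
    Returns 'ipsec' if the crypto map on the outside interface would encrypt the packet."""
    next_hop = None
    if ingress in pbr and acl_permits(pbr[ingress][0], pkt):
        next_hop = pbr[ingress][1]        # set ip next-hop: the IP header is NOT rewritten
    if tunnel and next_hop and any(in_net(next_hop, n) for n in tunnel[0]):
        pkt = {"proto": "gre", "src": tunnel[1], "dst": tunnel[2]}   # GRE outer header
    return "ipsec" if acl_permits(crypto_acl, pkt) else "cleartext"

# Constructed sample flow: an inside host browsing a public web server.
WEB = {"proto": "tcp", "src": "192.168.30.50", "dst": "203.0.113.10", "dport": 80}
ANY = "0.0.0.0/0"
ACL_154 = [("ip", "192.168.30.0/24", "2.2.2.2/32", None)]          # original crypto ACL
ACL_155 = [("tcp", ANY, ANY, 80)]                                  # original route-map ACL
PROXY_REDIRECT = [("tcp", "192.168.30.0/24", ANY, 80), ("tcp", "192.168.30.0/24", ANY, 443)]
IPSEC_GRE_IOF = [("gre", "1.1.1.1/32", "2.2.2.2/32", None)]        # crypto ACL from the answer
GRE_TUNNEL = (["10.10.10.0/30", "192.168.10.0/24"], "1.1.1.1", "2.2.2.2")

def original():
    # route-map VPN_WEB applied on fa0/1: inside-sourced packets enter on fa0/0, never hit it
    return forward(WEB, "fa0/0", {"fa0/1": (ACL_155, "2.2.2.2")}, ACL_154)

def pbr_moved_inside():
    # PBR on fa0/0 fires, but ACL 154 wants dst host 2.2.2.2 and PBR leaves dst unchanged
    return forward(WEB, "fa0/0", {"fa0/0": (ACL_155, "2.2.2.2")}, ACL_154)

def gre_over_ipsec():
    # accepted answer: redirect into Tunnel0; the crypto ACL matches the GRE outer header
    return forward(WEB, "fa0/0", {"fa0/0": (PROXY_REDIRECT, "192.168.10.1")},
                   IPSEC_GRE_IOF, GRE_TUNNEL)

if __name__ == "__main__":
    print(original(), pbr_moved_inside(), gre_over_ipsec())
```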