I have just configured an IPSEC tunnel between my router and an access point. I can see that the tunnel has come up and is active on both sides.
However, when I check "show crypto ipsec sa", I can see that the decaps packet counter is increasing, but the encaps packets always show 0.
I think the router is able to decrypt packets on its ingress path, but it is not encrypting outbound packets, or the packets are not being routed through the tunnel.
Can someone guide me through troubleshooting this?
Router#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: SG_LAB_MAP, local addr 10.140.134.50
protected vrf: (none)
local ident (addr/mask/prot/port): (10.140.134.50/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
current_peer 192.168.1.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 177, #pkts decrypt: 177, #pkts verify: 177
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.140.134.50, remote crypto endpt.: 192.168.1.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x290F(10511)
inbound esp sas:
spi: 0x2527(9511)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: SG_LAB_MAP
no sa timing
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x290F(10511)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: SG_LAB_MAP
no sa timing
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router configuration
Router#sh run
Building configuration...
Current configuration : 3333 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 <Intentionally Trimmed>
enable password <Intentionally Trimmed>
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool test
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 1 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
ipv6 unicast-routing
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username <Intentionally Trimmed> privilege 15 secret 5 <Intentionally Trimmed>
!
!
!
crypto ipsec transform-set MANUAL_TRANSFORM_SET01 esp-aes esp-sha-hmac
mode transport
!
crypto map SG_LAB_MAP 100 ipsec-manual
description "<Intentionally Trimmed> (APREL) MAC <Intentionally Trimmed>"
set peer 192.168.1.10 default
set session-key inbound esp 9511 cipher <Intentionally Trimmed> authenticator <Intentionally Trimmed>
set session-key outbound esp 10511 cipher <Intentionally Trimmed> authenticator <Intentionally Trimmed>
set transform-set MANUAL_TRANSFORM_SET01
match address <Intentionally Trimmed>
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel100
description "<Intentionally Trimmed>"
no ip address
ipv6 address FDC9:CCBE:10C0:A6:BF22:7825:C8F6:7257/64
ipv6 enable
tunnel source 10.140.134.50
tunnel destination 192.168.1.10
tunnel mode ipv6ip
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
speed auto
full-duplex
crypto map SG_LAB_MAP
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip tcp adjust-mss 1452
ipv6 enable
!
ip forward-protocol nd
ip route 10.140.134.0 255.255.255.0 10.140.134.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list extended AP_001350FFFE11B666_ACL
permit ip host 10.140.134.50 host 192.168.1.10
permit ip host 10.140.134.50 host 192.168.1.1
!
no cdp run
ipv6 route FDC9:CCBE:1DC7:A6::/64 Tunnel100
!
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password <Intentionally Trimmed>
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Router#
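As an added example (not part of the original post), a small Python triage helper for the symptom described above: it parses the counter and traffic-selector lines of one SA block from "show crypto ipsec sa", labels which direction has actually carried packets (here decaps is 177 while encaps stays at 0), and checks whether a given outbound flow falls inside the SA's local/remote identities, which is the first thing to rule out before looking at routing. The sample text is constructed from the output quoted above; the function names are mine.

```python
"""Triage helpers for Cisco IOS 'show crypto ipsec sa' output (added example)."""
import ipaddress
import re

# Constructed sample: selector and counter lines copied from the question above.
SAMPLE = """\
interface: FastEthernet4
local ident (addr/mask/prot/port): (10.140.134.50/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 177, #pkts decrypt: 177, #pkts verify: 177
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")


def parse_sa(text):
    """Return {'encaps': n, 'decaps': n, 'local': network, 'remote': network}."""
    sa = {}
    for m in COUNTER_RE.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    for m in IDENT_RE.finditer(text):
        # IOS prints address/dotted-mask; ipaddress accepts that form directly.
        sa[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return sa


def classify(sa):
    """Label the SA by which directions have actually carried packets."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if dec:
        return "inbound-only"   # peer's traffic is decrypted; nothing of ours is encapsulated
    if enc:
        return "outbound-only"
    return "idle"


def flow_matches(sa, src, dst):
    """True if an outbound src->dst packet falls inside the SA's local/remote idents."""
    return (ipaddress.ip_address(src) in sa["local"]
            and ipaddress.ip_address(dst) in sa["remote"])
```

For the quoted output, classify(parse_sa(SAMPLE)) returns "inbound-only", and flow_matches(..., "10.140.134.50", "192.168.1.10") returns True, so the tunnel's own source/destination pair is covered by the selectors and the search can move on to whether that traffic is actually leaving via FastEthernet4.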
