FQDN DMVPN: ISAKMP established, IPsec negotiation fails

Network Engineering  VPN  Network Security
2021-08-02 20:06:16

Trying to learn and use VPNs. A similar setup works fine in my home lab; PAT seems to be causing the problem. I know it is configuration related, I'm just not sure where. The connection goes through an ISP with dynamically assigned IPs, and this setup should allow dynamic connections regardless of whether the public IP changes, which is the goal anyway. Please take a look and let me know what you think. I am an amateur at configuring IPsec over GRE and may have made a simple mistake.

FQDN DMVPN hub configuration:

interface Tunnel2
 ip address 172.16.64.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication string
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile myprofile

crypto ipsec profile myprofile
 set transform-set set 

crypto ipsec transform-set set esp-aes 
 mode tunnel

crypto isakmp key key address 0.0.0.0 

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share

Spoke configuration:

interface Tunnel2
 ip address 172.16.64.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication string
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma fqdn.net
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile myprofile

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
crypto isakmp key key address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set esp-aes 
crypto ipsec profile myprofile
 set security-association lifetime kilobytes 102400
 set transform-set set

Below is the debug output I get. I know it is related to the proxy IPs, but I don't know how to fix it. Google hasn't been much help:

*Mar 21 23:03:36.665: IPSEC(validate_proposal_request): proposal part #1
*Mar 21 23:03:36.665: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.48.2:0, remote= 98.x.x.x:0,
    local_proxy= 174.x.x.x/255.255.255.255/47/0,
    remote_proxy= 192.168.1.43/255.255.255.255/47/0,
    protocol= ESP, transform= esp-aes  (Tunnel-UDP), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 21 23:03:36.665: map_db_find_best did not find matching map
*Mar 21 23:03:36.665: IPSEC(ipsec_process_proposal): proxy identities not supported
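An added diagnostic, not part of the question or the answer, that parses the hub's IPSEC(validate_proposal_request) debug above and explains the rejection: in tunnel mode the GRE proxy identities are the peers' pre-NAT tunnel sources, so whenever `local` differs from `local_proxy` or `remote` from `remote_proxy` there is NAT/PAT in the path and the hub cannot match a map. The sample below is constructed from the question's debug lines (public addresses kept as the poster's x.x placeholders).

```python
import re

# Constructed sample: the proposal-validation lines from the hub debug in the question.
SAMPLE_DEBUG = """\
*Mar 21 23:03:36.665: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.48.2:0, remote= 98.x.x.x:0,
    local_proxy= 174.x.x.x/255.255.255.255/47/0,
    remote_proxy= 192.168.1.43/255.255.255.255/47/0,
    protocol= ESP, transform= esp-aes  (Tunnel-UDP),
*Mar 21 23:03:36.665: map_db_find_best did not find matching map
*Mar 21 23:03:36.665: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# Matches "local= 1.2.3.4:0" and "remote_proxy= 1.2.3.4/mask/proto/port"; the
# address token stops at ':' or '/', so only the address itself is captured.
FIELD_RE = re.compile(r"(local|remote|local_proxy|remote_proxy)=\s*([0-9A-Za-z.]+)")


def parse_proposal(debug: str) -> dict:
    """Extract peer addresses, proxy identities, encapsulation mode and the
    NAT-T flag ('-UDP' suffix) from IOS IPSEC(validate_proposal_request) output."""
    fields = dict(FIELD_RE.findall(debug))
    m = re.search(r"transform=.*?\((Tunnel|Transport)(-UDP)?\)", debug)
    if m:
        fields["mode"] = m.group(1).lower()
        fields["nat_t"] = m.group(2) is not None
    fields["rejected"] = "proxy identities not supported" in debug
    return fields


def diagnose(fields: dict) -> str:
    """Explain a 'proxy identities not supported' rejection on a DMVPN hub.
    A side whose peer address differs from its proxy identity is behind NAT:
    the proxy ID carries the private tunnel source, the packet arrives from
    the translated address, so a tunnel-mode map can never match."""
    if not fields.get("rejected"):
        return "proposal accepted"
    nat_sides = [side for side in ("local", "remote")
                 if fields.get(side) != fields.get(f"{side}_proxy")]
    if fields.get("mode") == "tunnel" and nat_sides:
        return ("NAT detected on " + " and ".join(nat_sides)
                + ": tunnel-mode proxy identities are pre-NAT tunnel sources; "
                  "configure 'mode transport' in the transform set on hub and spokes")
    return "proxy mismatch for another reason; compare profile/transform on both peers"


if __name__ == "__main__":
    print(diagnose(parse_proposal(SAMPLE_DEBUG)))
```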
1 answer

This is the configuration I used to get the FQDN DMVPN setup working.

HUB

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 100 3
 ip hold-time eigrp 100 24
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set cisco esp-aes esp-sha-hmac 
 mode transport
crypto ipsec profile cisco
 set transform-set cisco

Spoke

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 100 3
 ip hold-time eigrp 100 24
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma url.net multicast
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-aes esp-sha-hmac 
crypto ipsec profile cisco
 set transform-set cisco