I am trying to set up an IPsec tunnel between a router and a bridge. I can see that the IPsec tunnel configuration is up and running, but I think I made a mistake in the ACL, because the encr and decr counters are still 0.
Can someone guide me?
SGLAB-C881K9#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 2 subnets
C 10.50.50.10 is directly connected, Loopback0
R 10.110.248.10 [120/4] via 192.168.2.10, 00:00:06, FastEthernet4
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, FastEthernet4
L 192.168.2.1/32 is directly connected, FastEthernet4
SGLAB-C881K9#
Desktop (ETH0) --> (FE3 SVI) Router (FE4 WAN) --> (ETH0) Master bridge (RF0) --> (RF0) Remote bridge (ETH0) -->> Client.
Router model: Cisco 881K9
The tunnel is between a loopback created on the router and the RF0 interface on the remote bridge.
Configuration: https://pastebin.com/hfSQGpMu
Router configuration:
SGLAB-C881K9#
SGLAB-C881K9#
SGLAB-C881K9#sh run
Building configuration...
Current configuration : 2043 bytes
!
! Last configuration change at 11:09:09 UTC Fri Nov 16 2018
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SGLAB-C881K9
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$bEYB$z5Jz9F7gED/aMzosGxRe01
enable password <Masked>
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FGL2101208A
!
!
username ssn privilege 15 secret 5 $1$2N/d$gqvkb2e6IZLUCEE5oVhG20
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
lifetime 3600
crypto isakmp key 4B0u7WnF6vFGSdy2QARJ0U09SaK1CvCW address 10.110.249.1
!
!
crypto ipsec transform-set bridge11f7d8 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map TST local-address Loopback0
crypto map TST 10 ipsec-isakmp
set peer 10.110.249.1
set transform-set bridge11f7d8
match address bridge11f7d8_ACL
!
!
!
!
!
!
interface Loopback0
ip address 10.50.50.10 255.255.255.255
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 192.168.2.1 255.255.255.0
duplex full
speed auto
crypto map TST
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
router rip
network 10.0.0.0
network 192.168.2.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended bridge11f7d8_ACL
permit icmp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3
permit tcp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3 eq 20000
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password <Masked>
login
transport input all
!
scheduler allocate 20000 1000
!
end
SGLAB-C881K9# sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: TST, local addr 10.50.50.10
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (10.110.193.0/255.255.255.252/6/20000)
current_peer 10.110.249.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.50.50.10, remote crypto endpt.: 10.110.249.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (10.110.193.0/255.255.255.252/1/0)
current_peer 10.110.249.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 10.50.50.10, remote crypto endpt.: 10.110.249.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
SGLAB-C881K9#
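One check worth running on a crypto map whose counters stay at zero is whether the router can even route the ACL's destinations and the IKE peer: interesting traffic is only matched against the crypto map after it has been routed out the interface carrying the map, and IKE/ESP packets themselves need a route to the peer. The script below is an added example, not part of the question or the poster's setup; it parses the "sh ip route" output and the crypto ACL quoted above (copied in as constructed sample text) and reports every selector destination and peer address with no covering route. It assumes the address/wildcard ACL form used in the question and treats a mask-less entry under a "/32 is subnetted" header as a host route, as in this table.

```python
import ipaddress
import re

# Constructed from the "sh ip route" output and crypto ACL quoted in the question.
ROUTE_TABLE = """\
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 2 subnets
C        10.50.50.10 is directly connected, Loopback0
R        10.110.248.10 [120/4] via 192.168.2.10, 00:00:06, FastEthernet4
C        192.168.2.0/24 is directly connected, FastEthernet4
L        192.168.2.1/32 is directly connected, FastEthernet4
"""
CRYPTO_ACL = """\
permit icmp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3
permit tcp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3 eq 20000
"""
IKE_PEER = "10.110.249.1"  # "set peer" in the crypto map

ROUTE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s")

def parse_routes(text):
    """Prefixes listed by 'sh ip route'. Header lines do not match the regex;
    an entry without a mask (assumption: '/32 is subnetted' header) is a host route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or '32'}"))
    return routes

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> network (wildcard 0.0.0.3 is a /30)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """(protocol, source, destination) per 'permit' line of an extended ACL.
    Only the address/wildcard form is handled, not the host/any keywords."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and p[0] == "permit":
            entries.append((p[1], wildcard_to_network(p[2], p[3]),
                            wildcard_to_network(p[4], p[5])))
    return entries

def covering_route(routes, target):
    """Longest-prefix match for an address or network; None if nothing covers it."""
    target = ipaddress.ip_network(target, strict=False)
    hits = [r for r in routes if target.subnet_of(r)]
    return max(hits, key=lambda r: r.prefixlen) if hits else None

def unrouted_selectors(routes, acl_entries, peer):
    """ACL destinations and the IKE peer that the routing table cannot reach."""
    problems = [f"no route to {dst} ({proto} selector)"
                for proto, _src, dst in acl_entries if covering_route(routes, dst) is None]
    if covering_route(routes, peer) is None:
        problems.append(f"no route to peer {peer}")
    return problems
```

Run against the question's own tables, it reports that neither 10.110.193.0/30 (both selectors) nor the peer 10.110.249.1 is covered by any entry, and there is no gateway of last resort to fall back on.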