关于神州数码路由器IPSEC不得不说的事-创新互联

一句话神码路由器的IPSEC很有特色

仁寿网站建设公司成都创新互联公司,仁寿网站设计制作,有大型网站制作公司丰富经验。已为仁寿千余家提供企业网站建设服务。企业网站搭建\成都外贸网站建设公司要多少钱,请找那个售后服务好的仁寿做网站的公司定做!

   实验环境:两台路由器直接相连一共3个网段192.168.0.0192.168.1.0192.168.2.0其中192.168.1.0模拟公网另外两个网段模拟私有网络通过启用IPSEC ×××实现这两个网段安全通信。

开始配置时两个路由器配置文件如下

路由器R1

show running-config
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--     ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2

!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

路由器R2

show run
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2

!
gbsc group default
!

crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--     ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list standard 123
permit ip any !

ip nat inside source list 123 interface FastEthernet0/0

!
R2_config#

通过show crypto ipsec sa和show crypto iskmp sa发现不能正常建立IPSEC连接也就是IPSEC通道没有激活啥问题检查配置没有错误啊。算了去掉NAT测试通过show crypto ipsec sa和show crypto iskmp sa发现能正常建立IPSEC连接。不理解了。。。。。。

经过拨打神码400电话后更改配置如下

路由器R1

show running-config
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--     ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2

!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
deny  ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip any any

!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

路由器R2

show run
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2

!
gbsc group default
!

crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--     ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list extended 123
deny  ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
permit ip any any
!

ip nat inside source list 123 interface FastEthernet0/0

!
R2_config#

   也就是在上面的配置和初始的配置差别在NAT的访问控制列表上面的配置中扩展的访问控制列表先拒绝192.168.0.0和192.168.2.0网段数据进行NAT然后允许所有。经过这样配置IPSEC的通道就能ACTIVE。

   事后分析神码路由的操作系统内部流程nat优先于IPSEC。

另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


分享标题:关于神州数码路由器IPSEC不得不说的事-创新互联
文章转载:http://hbruida.cn/article/dssopd.html