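The site runs an ADVPN network. Headquarters is a single MSR5660 router acting in both the hub and server roles, using local authentication; the branch is an MSR810 acting as spoke.
The key on-site configuration is as follows:
1. Headquarters configuration
#
ospf 1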
area 0.0.0.0
network 192.168.1.1 0.0.0.0
#
interface GigabitEthernet2/0/1
port link-mode route
combo enable copper
ip address x.x.x.x 255.255.255.252
nat outbound
#
interface Tunnel1 mode advpn udp
ip address 192.168.1.1 255.255.255.0
ospf network-type p2mp
source GigabitEthernet2/0/1
tunnel protection ipsec profile zongbu1
vam client hub1 compatible advpn0
#
radius scheme zongbu1
key authentication simple XXXX
key accounting simple XXXX
user-name-format without-domain
#
domain zongbu1
authentication advpn local
#
domain default enable zongbu1
#
local-user changfa class network
password simple XXXX
service-type advpn
authorization-attribute user-role network-operator
#
ipsec transform-set zongbu1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec profile zongbu1 isakmp
transform-set zongbu1
ike-profile zongbu1
#
ike profile zongbu1
keychain zongbu1
#
ike keychain zongbu1
pre-shared-key address 0.0.0.0 0.0.0.0 key simple XXXX
#
vam client name changfa
#
vam client name hub1
advpn-domain zongbu1
server primary ip-address x.x.x.x
pre-shared-key simple XXXX
user hub1 password simple XXXX
client enable
#
vam server advpn-domain zongbu1 id 1
pre-shared-key simple XXXX
authentication-method chap domain zongbu1
keepalive interval 10 retry 3
server enable
hub-group 0
hub private-address 192.168.1.1 public-address x.x.x.x
spoke private-address range 192.168.1.0 192.168.1.255
2. Branch configuration (Internet access via PPPoE dial-up)
#
ospf 1
area 0.0.0.0
network 192.168.1.2 0.0.0.0
#
interface Tunnel1 mode advpn udp
ip address 192.168.1.2 255.255.255.0
ospf network-type p2mp
source Dialer0
tunnel protection ipsec profile 1
vam client changfa
#
ipsec transform-set 1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec profile 1 isakmp
transform-set 1
ike-profile 1
#
ike profile 1
keychain 1
#
ike keychain 1
pre-shared-key address 0.0.0.0 0.0.0.0 key simple XXXX
#
vam client name changfa
advpn-domain zongbu1
server primary ip-address x.x.x.x
pre-shared-key simple XXXX
user changfa password simple XXXX
client enable
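The device configurations were checked and no problem was found. The keys on both ends were confirmed to be identical, the public network was confirmed with the site to be reachable, and branch users could dial up and access the Internet normally. Reproducing the on-site configuration with an MSR3620 showed that the ADVPN tunnel could be established normally, but in the on-site network the VAM client could not register with the server and the tunnel could not be established.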
[R1]display vam server address-map
ADVPN domain name: zongbu1
Total private address mappings: 0
[R1]display advpn session
Interface : Tunnel1
Number of sessions: 0
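Troubleshooting showed that the headquarters MSR5660 is a distributed device. When ADVPN is configured on it, the slot that processes the traffic must be specified with the service slot xx command. After the slot was specified on site, ADVPN returned to normal.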
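The following is an added example, not part of the original case and not H3C tooling: a small Python check that reads a saved configuration and reports ADVPN tunnel interfaces with no service slot line, together with the des-cbc and md5 algorithms used in the transform-sets above. It assumes that sections are separated by "#" lines and that service slot is configured under the tunnel interface; the sample text is constructed, and the missing-slot finding only matters on distributed devices such as the MSR5660.

```python
import re

# Constructed sample in the shape of the hub configuration on this page.
SAMPLE = """\
#
interface Tunnel1 mode advpn udp
 tunnel protection ipsec profile zongbu1
 vam client hub1
#
ipsec transform-set zongbu1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
#
"""

WEAK = {"des-cbc": "DES encryption", "md5": "MD5 authentication"}


def sections(config):
    """Split a Comware-style config into (header, [body lines]) per '#' block."""
    out, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            cur = None  # separator: the next command opens a new section
            continue
        if cur is None:
            cur = (line, [])
            out.append(cur)
        else:
            cur[1].append(line)
    return out


def audit(config):
    """Report ADVPN tunnels lacking 'service slot' and weak ESP algorithms."""
    findings = []
    for header, body in sections(config):
        if re.match(r"interface Tunnel\d+ mode advpn\b", header):
            # Assumption: 'service slot' sits inside the tunnel interface section.
            if not any(l.startswith("service slot ") for l in body):
                findings.append(f"{header.split()[1]}: no 'service slot' configured")
        elif header.startswith("ipsec transform-set "):
            for l in body:
                algo = l.split()[-1]
                if l.startswith("esp ") and algo in WEAK:
                    findings.append(f"{header.split()[-1]}: weak {WEAK[algo]} ({algo})")
    return findings
```

Calling audit() on the text saved from display current-configuration returns a list of findings; an empty list means neither condition was detected.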