I set up an IPsec GRE VPN between Beijing and Shanghai. Part of the traffic is encrypted and then goes through the tunnel, and part of it goes through the tunnel directly. The problem now is that the encrypted traffic cannot get through the tunnel, while the unencrypted traffic passes normally. I am really puzzled by this and would be grateful if an expert could explain it. The topology diagram and configuration commands are below. Many thanks.
BJ configuration:
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 10.1.1.1 255.255.255.0
nat outbound 3002
#
interface Tunnel1 mode gre
ip address 192.168.1.1 255.255.255.0
source 3.3.3.3
destination 6.6.6.6
ipsec apply policy IPSEC
#
interface Tunnel2 mode gre
ip address 192.168.2.1 255.255.255.0
source 10.1.1.1
destination 20.1.1.1
#
ip route-static 0.0.0.0 0 10.1.1.2
ip route-static 4.4.4.0 24 Tunnel1
ip route-static 5.5.5.0 24 Tunnel2
#
acl advanced 3001
rule 10 permit ip source 1.1.1.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
acl advanced 3002
rule 0 deny ip source 1.1.1.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
rule 5 permit ip
#
ipsec transform-set IPSEC
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
pfs dh-group2
#
ipsec policy IPSEC 1 isakmp
transform-set IPSEC
security acl 3001
local-address 192.168.1.1
remote-address 192.168.1.2
ike-profile IPSEC
#
ike profile IPSEC
keychain IPSEC
local-identity address 10.1.1.1
match remote identity address 20.1.1.1 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain IPSEC
pre-shared-key address 20.1.1.1 255.255.255.255 key simple 123456
SH configuration:
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 20.1.1.1 255.255.255.0
nat outbound 3002
#
interface Tunnel1 mode gre
ip address 192.168.1.2 255.255.255.0
source 6.6.6.6
destination 3.3.3.3
ipsec apply policy IPSEC
#
interface Tunnel2 mode gre
ip address 192.168.2.2 255.255.255.0
source 20.1.1.1
destination 10.1.1.1
#
ip route-static 0.0.0.0 0 20.1.1.2
ip route-static 1.1.1.0 24 Tunnel1
ip route-static 2.2.2.0 24 Tunnel2
#
acl advanced 3001
rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
acl advanced 3002
rule 0 deny ip source 4.4.4.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
rule 5 permit ip
#
ipsec transform-set IPSEC
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
pfs dh-group2
#
ipsec policy IPSEC 1 isakmp
transform-set IPSEC
security acl 3001
local-address 192.168.2.1
remote-address 192.168.1.1
ike-profile IPSEC
#
ike profile IPSEC
keychain IPSEC
local-identity address 20.1.1.1
match remote identity address 10.1.1.1 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain IPSEC
pre-shared-key address 10.1.1.1 255.255.255.255 key simple 123456
#
Test results are as follows:
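Added example, not part of the original post: a small Python script that parses the IPsec and IKE blocks copied from the BJ and SH configurations above (the GRE interfaces, routes, NAT, transform set and IKE proposal are left out, since the transform set and proposal are identical on both sides) and reports every value that is not mirrored between the two peers: the policy local-address against the peer's remote-address, the security ACL against the peer's ACL with source and destination swapped, and the IKE local-identity against the peer's match rule. The last check, comparing the keychain's pre-shared-key address with the policy's remote-address, rests on the assumption that the pre-shared key is selected by the IKE peer's address, and is marked as such in the code. Function names such as check_pair and side are my own.

```python
import re

# Constructed sample input: the IPsec/IKE blocks copied from the BJ and SH
# configurations in the post (GRE interfaces, routes, NAT, transform set
# and IKE proposal omitted).
BJ_CONFIG = """
acl advanced 3001
 rule 10 permit ip source 1.1.1.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec policy IPSEC 1 isakmp
 security acl 3001
 local-address 192.168.1.1
 remote-address 192.168.1.2
#
ike profile IPSEC
 local-identity address 10.1.1.1
 match remote identity address 20.1.1.1 255.255.255.255
#
ike keychain IPSEC
 pre-shared-key address 20.1.1.1 255.255.255.255 key simple 123456
"""

SH_CONFIG = """
acl advanced 3001
 rule 10 permit ip source 4.4.4.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec policy IPSEC 1 isakmp
 security acl 3001
 local-address 192.168.2.1
 remote-address 192.168.1.1
#
ike profile IPSEC
 local-identity address 20.1.1.1
 match remote identity address 10.1.1.1 255.255.255.255
#
ike keychain IPSEC
 pre-shared-key address 10.1.1.1 255.255.255.255 key simple 123456
"""

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_blocks(text):
    """Split a '#'-separated Comware-style config into {header: [sub-commands]}."""
    blocks = {}
    for chunk in text.split("#"):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks


def find(blocks, prefix):
    """Sub-commands of the first block whose header starts with prefix."""
    for header, body in blocks.items():
        if header.startswith(prefix):
            return body
    return []


def arg_after(body, keyword):
    """The token following `keyword`, e.g. 'local-address 1.2.3.4' -> '1.2.3.4'."""
    for cmd in body:
        if cmd.startswith(keyword + " "):
            return cmd.split()[len(keyword.split())]
    return None


def side(text):
    """Collect the values of one peer that the other peer must mirror."""
    blocks = parse_blocks(text)
    policy = find(blocks, "ipsec policy")
    profile = find(blocks, "ike profile")
    acl = find(blocks, "acl advanced " + (arg_after(policy, "security acl") or ""))
    return {
        "local": arg_after(policy, "local-address"),
        "remote": arg_after(policy, "remote-address"),
        "flows": {m.groups() for m in map(RULE_RE.match, acl) if m},
        "local_id": arg_after(profile, "local-identity address"),
        "match_id": arg_after(profile, "match remote identity address"),
        "psk_addr": arg_after(find(blocks, "ike keychain"), "pre-shared-key address"),
    }


def mirror_findings(a_name, a, b_name, b):
    """Findings where side A's values do not line up with side B's."""
    findings = []
    if a["local"] != b["remote"]:
        findings.append(f"{a_name} local-address {a['local']} != {b_name} remote-address {b['remote']}")
    # The protected flows must be the exact mirror image (src<->dst) of the peer's ACL.
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in b["flows"]}
    if a["flows"] != mirrored:
        findings.append(f"{a_name} security ACL is not the mirror of {b_name}'s ACL")
    if a["local_id"] != b["match_id"]:
        findings.append(f"{a_name} local-identity {a['local_id']} is not what {b_name} matches ({b['match_id']})")
    # Assumption: the pre-shared key is selected by the IKE peer's address, which for
    # a policy with explicit local-/remote-address is this side's remote-address.
    if a["psk_addr"] != a["remote"]:
        findings.append(f"{a_name} keychain address {a['psk_addr']} != its IKE peer address {a['remote']}")
    return findings


def check_pair(a_name, a_text, b_name, b_text):
    """Run the mirror checks in both directions and return all findings."""
    a, b = side(a_text), side(b_text)
    return mirror_findings(a_name, a, b_name, b) + mirror_findings(b_name, b, a_name, a)


if __name__ == "__main__":
    for line in check_pair("BJ", BJ_CONFIG, "SH", SH_CONFIG):
        print(line)
```

Run against the two configurations as posted, the script reports that SH's policy local-address 192.168.2.1 is not BJ's remote-address 192.168.1.2, and that on both sides the keychain address (20.1.1.1 and 10.1.1.1, the GigabitEthernet0/0 addresses) differs from the policy's remote-address (the Tunnel1 addresses); the ACLs and IKE identities mirror correctly. A mirror check like this is worth running before looking at IKE debug output, because an IKE negotiation that never starts produces no SA for the ACL-matched traffic while traffic outside the ACL keeps flowing, which is exactly the symptom described above.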