The SA is established successfully, but the hosts cannot ping each other
【MSR3620-1】
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 12.1.1.1 255.255.255.0
 nat outbound 3001
 ipsec apply policy map1
#
ip route-static 0.0.0.0 0 12.1.1.2
ip route-static 192.168.10.0 24 172.16.10.1
ip route-static 192.168.20.2 32 12.1.1.2
#
acl advanced 3000
 rule 0 permit ip source 192.168.10.2 0 destination 192.168.20.2 0
#
acl advanced 3001
 description natout-deny-ip
 rule 0 deny ip source 192.168.10.2 0 destination 192.168.20.2 0
 rule 10 permit ip
#
ipsec transform-set tran1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy map1 10 isakmp
 transform-set tran1
 security acl 3000
 remote-address 23.1.1.1
 ike-profile profile1
#
ike identity fqdn ike-ar1
#
ike profile profile1
 keychain keychain1
 exchange-mode aggressive
 local-identity fqdn ike-ar1
 match remote identity fqdn L13
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain keychain1
 pre-shared-key address 23.1.1.1 255.255.255.0 key cipher $c$3$GwlV5BPnQ6hPLBzvXWx80lZcNoZRKA==
#
【MSR3620-2】
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 23.1.1.1 255.255.255.0
 nat outbound 3001
 nat server protocol udp global 23.1.1.1 500 inside 172.16.20.5 500
 nat server protocol udp global 23.1.1.1 4500 inside 172.16.20.5 4500
#
ip route-static 0.0.0.0 0 23.1.1.2
ip route-static 192.168.20.0 24 172.16.20.1
#
acl advanced 3001
 rule 0 deny ip source 192.168.20.2 0 destination 192.168.10.2 0
 rule 10 permit ip
#
【MSR3620-5】
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 172.16.20.5 255.255.255.252
 ipsec apply policy user1
#
ip route-static 12.1.1.0 24 172.16.20.6
ip route-static 192.168.10.2 32 172.16.20.6
#
acl advanced 3000
 rule 0 permit ip source 192.168.20.2 0 destination 192.168.10.2 0
ipsec transform-set tran1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy user1 10 isakmp
 transform-set tran1
 security acl 3000
 remote-address 12.1.1.1
 ike-profile profile1
#
ike identity fqdn L13
#
ike profile profile1
 keychain keychain1
 exchange-mode aggressive
 local-identity fqdn L13
 match remote identity fqdn ike-ar1
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain keychain1
 pre-shared-key address 12.1.1.1 255.255.255.0 key cipher $c$3$0Ao3vIIzyyuBwO0uOu5YXGGMuhcrIA==
Best answer
Everything below is fine; just look at the VPN configuration.