本文详细阐述了在ASA和R3设备上配置IPSec L2L ***时遇到的问题,包括配置步骤、问题分析及解决方法。通过实例演示,帮助读者理解并解决类似配置错误。
拓扑:
ASA配置:
access-list NO_NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
global (outside) 100 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 100 192.168.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
crypto ipsec transform-set l2ltrans esp-des esp-md5-hmac
crypto dynamic-map dymap 100 match address NO_NAT
crypto dynamic-map dymap 100 set transform-set l2ltrans
crypto dynamic-map dymap 100 set reverse-route
crypto map stmap 10 ipsec-isakmp dynamic dymap
crypto map stmap interface outside
crypto isakmp enable outside
isakmp key cisco address 0.0.0.0 netmask 0.0.0.0
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
R3配置:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.254
!
!
crypto ipsec transform-set l2ltrans esp-des esp-md5-hmac
!
crypto map stmap 10 ipsec-isakmp
set peer 192.168.2.254
set transform-set l2ltrans
match address l2l***
ip access-list extended l2l***
permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
按照上面的配置写好后,结果发现***不通,sh crypto isakmp sa无任何信息,ASA上启用debug后,inside口下面的PC发ping包,结果无任何debug显示。在对端路由器上发ping包,在ASA上做debug,出来显示信息了:
问题分析:
在ASA上敲入isakmp key cisco address 0.0.0.0 netmask 0.0.0.0后,sh run如下:
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
RA是用于Remote IPsec ***(如Easy***)的积极模式协商,我们使用的L2L,所以导致***无法建立。
问题解决:
一 删除
tunnel-group DefaultRAGroup ipsec-attributes
二 定义一个L2L的tunnel-group,即
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
说明配置完一定要清理IPSEC SA和ISAMAP SA
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
