AR3260: the IPSec VPN is established successfully, but the devices on both sides cannot ping each other
1. Topology: one router at headquarters; the two branches each use an AR3260 as their egress device; IPSec VPNs are built between each pair of sites.
2. Headquarters has an IPSec VPN to each of the two branch AR devices, and the internal user networks of headquarters and each branch can communicate with each other.
3. The two AR3260s have an IPSec VPN established between them, but the intranet users behind them cannot reach each other.
IPSec VPN configuration on the two AR3260s
AR3260-1
acl number 3000
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 permit ip
acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip
#
ipsec proposal To_HJJT
esp encryption-algorithm 3des
ipsec proposal To_WFZ_Office
esp encryption-algorithm 3des
#
ike proposal 5
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer To_WFZ_Office v1
pre-shared-key cipher %@%@y$87PFTzz*e(*YYHRn~J]'"-%@%@
ike-proposal 5
remote-address 61.184.89.252
ike peer To_HJJT v1
pre-shared-key cipher %@%@Q~62$UwSSV75)cGWD`DW]-M2%@%@
ike-proposal 5
remote-address 61.184.80.157
#
ipsec policy WFZ 10 isakmp
security acl 3001
ike-peer To_HJJT
proposal To_HJJT
ipsec policy WFZ 20 isakmp
security acl 3002
ike-peer To_WFZ_Office
proposal To_WFZ_Office
#
interface GigabitEthernet0/0/0
ip address 58.53.160.62 255.255.255.240
ipsec policy WFZ
combo-port auto
nat outbound 3000
AR3260-2
acl number 3000
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 permit ip
acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 (local subnet) destination 10.82.0.0 0.0.255.255 (headquarters subnet)
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255 (the peer subnet that cannot be reached)
rule 15 deny ip
#
ipsec proposal To_HJJT
esp encryption-algorithm 3des
ipsec proposal To_WFZ_Office
esp encryption-algorithm 3des
#
ike proposal 5
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer To_WFZ_Office v1
pre-shared-key cipher %@%@y$87PFTzz*e(*YYHRn~J]'"-%@%@
ike-proposal 5
remote-address 61.184.89.252
ike peer To_HJJT v1
pre-shared-key cipher %@%@Q~62$UwSSV75)cGWD`DW]-M2%@%@
ike-proposal 5
remote-address 61.184.80.157
#
ipsec policy WFZ 10 isakmp
security acl 3001
ike-peer To_HJJT
proposal To_HJJT
ipsec policy WFZ 20 isakmp
security acl 3002
ike-peer To_WFZ_Office
proposal To_WFZ_Office
#
interface GigabitEthernet0/0/0
ip address 58.53.160.62 255.255.255.240
ipsec policy WFZ
combo-port auto
nat outbound 3000
1. First check the SA information on both ends. Below is the IKE and IPSec SA output from one end: all SAs have been set up normally, so the IPSec tunnel itself is established successfully.
<WFZ_DianChang_AR3260>dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
57 61.184.89.252 0 RD|ST 2
56 61.184.89.252 0 RD|ST 1
60 61.184.80.157 0 RD|ST 2
59 61.184.80.157 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
-----------------------------
IPSec policy name: "WFZ"
Sequence number : 20
Acl group : 3002
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 57
Encapsulation mode: Tunnel
Tunnel local : 58.53.160.62
Tunnel remote : 61.184.89.252
Flow source : 172.31.32.0/255.255.254.0 0/0
Flow destination : 172.31.34.0/255.255.255.0 0/0
Qos pre-classify : Disable
Qos group : -
[Outbound ESP SAs]
SPI: 960343579 (0x393dae1b)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2641
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 718339035 (0x2ad0fbdb)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2641
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
2. Check NAT: confirm whether traffic to the destination subnet is being address-translated (ACL 3000 on nat outbound should deny, i.e. exempt, the VPN traffic).
3. To rule out a firewall enabled on the internal PC as the reason the ping fails, the user was asked to ping the peer's gateway address instead; it still failed.
4. Review the configuration again: the IPSec VPNs are built with two nodes of a single IPSec policy group. Look at the security ACLs once more:
acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip
After removing rule 15 deny ip from ACL 3001, the two ends can ping each other. Because both tunnels sit in one IPSec policy group, traffic for 172.31.34.0/24 is checked against node 10 (ACL 3001) first; the explicit deny there matches it, so the packet leaves without IPSec protection and is never evaluated against node 20 (ACL 3002). Once the deny is gone, the traffic falls through to node 20 and is protected by the correct tunnel.
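The NAT check in step 2 and the ACL-ordering root cause in step 4 can be reproduced with a small model of the matching order. The following Python script is an added example written for this page, not Huawei's code or the case author's; it assumes that the nodes of an IPSec policy group are evaluated in ascending sequence order with first-match semantics and that an explicit deny ends the search, and it uses the page's own ACLs with constructed sample host addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy model (an assumption, not Huawei's implementation) of how the ACLs referenced
# by the nodes of one IPSec policy group are evaluated: nodes in ascending sequence
# order, rules in ascending rule-id order, first match wins, and a matched deny ends
# the search with the packet leaving without IPSec protection.


@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]     # None means any
    dst: Optional[ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn VRP 'address wildcard' notation into a network (assumes contiguous wildcard bits)."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, 32 - ones), strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines as shown on the page."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue                          # skip the 'acl number' header line
        src = dst = None
        if "source" in tok:
            i = tok.index("source")
            src = wildcard_to_network(tok[i + 1], tok[i + 2])
        if "destination" in tok:
            i = tok.index("destination")
            dst = wildcard_to_network(tok[i + 1], tok[i + 2])
        rules.append(Rule(int(tok[1]), tok[2], src, dst))
    return sorted(rules, key=lambda r: r.rule_id)


def match_acl(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the action of the first rule the flow matches, or None if no rule matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.action
    return None


def ipsec_decision(nodes: List[Tuple[int, List[Rule]]], src_ip: str, dst_ip: str):
    """Walk the policy nodes in sequence order; return ('protect', seq) or ('cleartext', seq_or_None)."""
    for seq, rules in sorted(nodes, key=lambda n: n[0]):
        action = match_acl(rules, src_ip, dst_ip)
        if action == "permit":
            return ("protect", seq)
        if action == "deny":                  # explicit deny: search stops, no tunnel
            return ("cleartext", seq)
    return ("cleartext", None)                # matched nothing: plain routing


# ACLs copied from the page's AR3260 configuration.
ACL_3000 = """acl number 3000
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 permit ip"""
ACL_3001_BEFORE = """acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip"""
ACL_3001_AFTER = """acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255"""
ACL_3002 = """acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip"""


def nat_exempt(src_ip: str, dst_ip: str) -> bool:
    """Step 2: a flow denied by ACL 3000 is excluded from 'nat outbound 3000'."""
    return match_acl(parse_acl(ACL_3000), src_ip, dst_ip) == "deny"


def policy_group(acl_3001: str) -> List[Tuple[int, List[Rule]]]:
    """IPSec policy WFZ: node 10 references ACL 3001, node 20 references ACL 3002."""
    return [(10, parse_acl(acl_3001)), (20, parse_acl(ACL_3002))]


if __name__ == "__main__":
    # Constructed sample hosts: one in the local /23, one in each remote subnet.
    local, hq, peer = "172.31.32.10", "10.82.1.1", "172.31.34.10"
    print("NAT exempt local->peer:", nat_exempt(local, peer))
    print("before fix, local->peer:", ipsec_decision(policy_group(ACL_3001_BEFORE), local, peer))
    print("after fix,  local->peer:", ipsec_decision(policy_group(ACL_3001_AFTER), local, peer))
    print("local->HQ:", ipsec_decision(policy_group(ACL_3001_AFTER), local, hq))
```

Running the script shows the flow to 172.31.34.0/24 ending at node 10 as cleartext with the original ACL 3001 and reaching node 20 as protected once rule 15 is removed, while traffic to headquarters is still protected by node 10 either way; the same first-match logic applied to ACL 3000 confirms the VPN flows are exempt from outbound NAT.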