With some spare time I set up an IPsec *** lab. Unexpectedly, it not only failed to work but produced a result I did not anticipate at all, heh... That is not the point, though; let's look at how to troubleshoot it!!!



Lab topology:


R3-R1-R5-R2-R4


Interfaces, from left to right, are: e0/1 e0/1, e0/0 e0/0, e0/2 e0/2, e0/1 e0/1

The basic configuration is omitted here; assigning IP addresses should not be a problem for anyone.

R3 e0/1: 192.168.2.100, gateway 192.168.2.254

R1 e0/1: 192.168.2.254, e0/0: 10.1.1.1

R5 e0/0: 10.1.1.5, e0/2: 20.1.1.5

R2 e0/2: 20.1.1.2, e0/1: 10.10.2.254

R4 e0/1: 10.10.2.100, gateway 10.10.2.254


A few things to watch in this lab: the interaction between IPsec *** and NAT, and the interesting traffic. Everyone writes extended access lists in labs, but the details are easy to overlook. For example: access-list 100 permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0. I have seen engineers around me write it exactly like this, with subnet masks where IOS expects wildcard masks, and the result is that show running-config does not show the list you intended.



R1's configuration is as follows:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 20.1.1.2
!
crypto ipsec transform-set ssk ah-md5-hmac esp-3des
!
crypto map ssk 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set ssk
match address 101   (fault point 1)
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map ssk
!
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
!
ip route 0.0.0.0 0.0.0.0 10.1.1.5
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
access-list 101 deny   ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any   (fault point 2)



Only the relevant configuration is shown here.


After the basic IPsec *** settings were in place, phase 1 would not come up, so I turned on debug and saw the following:


R2#
*Mar  1 01:25:32.659: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Mar  1 01:25:32.659: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
*Mar  1 01:25:32.659: ISAKMP: New peer created peer = 0x645C147C peer_handle = 0x80000004
*Mar  1 01:25:32.663: ISAKMP: Locking peer struct 0x645C147C, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 01:25:32.663: ISAKMP: local port 500, remote port 500
*Mar  1 01:25:32.663: insert sa successfully sa = 651B769C
*Mar  1 01:25:32.667: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:25:32.667: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  1 01:25:32.671: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 01:25:32.671: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:25:32.671: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:25:32.675: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:25:32.675: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:25:32.675: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 01:25:32.675: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar  1 01:25:32.679: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:25:32.679: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:25:32.679: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 01:25:32.679: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.1.1.1
*Mar  1 01:25:32.683: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 01:25:32.683: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:25:32.683: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 01:25:32.683: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:25:32.683: ISAKMP:      hash MD5
*Mar  1 01:25:32.687: ISAKMP:      default group 2
*Mar  1 01:25:32.687: ISAKMP:      auth pre-share
*Mar  1 01:25:32.687: ISAKMP:      life type in seconds
*Mar  1 01:25:32.687: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:25:32.691: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 01:25:32.763: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:25:32.763: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:25:32.767: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 01:25:32.767: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:25:32.767: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 01:25:32.767: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar  1 01:25:32.771: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:25:32.771: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

Here you only need to look at fault points 1 and 2. Because NAT is configured, the NAT traffic and the IPsec interesting traffic must be kept separate: the addresses matched by the crypto map must never be matched by the NAT list. In this configuration both the crypto map and NAT reference ACL 101, so its deny entry excludes the site-to-site traffic from the tunnel while permit ip any any turns everything else into interesting traffic. After splitting the traffic into separate lists, the IPsec *** came up successfully. Of course, this is just one problem; everyone runs into different ones, and I hope we can discuss whatever you encounter. This is my first blog post, so please point out anything that is lacking. Thanks!!!
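As an added illustration (not code from the original post), the following Python model evaluates R1's ACL 101 with Cisco wildcard semantics in the order IOS applies inside-to-outside NAT and then the crypto map, and compares it with a hypothetical dedicated crypto ACL 102 that keeps the interesting traffic separate from the NAT list; the Internet destination 8.8.8.8 is a constructed sample address.

```python
import ipaddress


def _n(ip):
    return int(ipaddress.IPv4Address(ip))


def normalize(addr, wildcard):
    """IOS stores an ACL address with every 'don't care' bit (wildcard bit = 1)
    cleared, which is why a subnet-mask-style entry looks wrong in show run."""
    return str(ipaddress.IPv4Address(_n(addr) & ~_n(wildcard) & 0xFFFFFFFF))


def matches(addr, wildcard, ip):
    """Cisco wildcard match: bits where the wildcard is 0 must be equal."""
    return ((_n(addr) ^ _n(ip)) & ~_n(wildcard) & 0xFFFFFFFF) == 0


def acl_action(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if matches(s, s_wc, src) and matches(d, d_wc, dst):
            return action
    return "deny"


# ACL 101 exactly as R1 uses it in the post, for both NAT and the crypto map.
ACL_101 = [
    ("deny",   "192.168.2.0", "0.0.0.255", "10.10.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# Hypothetical fix (not from the post): a separate crypto ACL that selects
# only the site-to-site traffic and leaves ACL 101 to NAT alone.
ACL_102 = [
    ("permit", "192.168.2.0", "0.0.0.255", "10.10.2.0", "0.0.0.255"),
]


def classify(src, dst, nat_acl, crypto_acl, nat_ip="10.1.1.1"):
    """Model R1's inside-to-outside order of operations: NAT overload runs
    first, then the crypto map ACL is checked against the translated source."""
    natted = acl_action(nat_acl, src, dst) == "permit"
    src_on_wire = nat_ip if natted else src
    encrypted = acl_action(crypto_acl, src_on_wire, dst) == "permit"
    return {"natted": natted, "encrypted": encrypted}


if __name__ == "__main__":
    lan, remote, internet = "192.168.2.100", "10.10.2.100", "8.8.8.8"  # constructed
    print("broken site-to-site:", classify(lan, remote, ACL_101, ACL_101))
    print("broken internet    :", classify(lan, internet, ACL_101, ACL_101))
    print("fixed  site-to-site:", classify(lan, remote, ACL_101, ACL_102))
    print("fixed  internet    :", classify(lan, internet, ACL_101, ACL_102))
    print("subnet-mask entry stored as:", normalize("192.168.2.0", "255.255.255.0"))
```

With the shared list, the site-to-site flow is neither translated nor encrypted while ordinary Internet traffic is pushed into the tunnel; with ACL 102 on the crypto map the two classes are handled correctly.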