IKE Aggressive Mode and NAT Traversal

Lab topology: (diagram not included in the extracted page)

RT1 configuration:

==================================================

<H3C>sy
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ip add 192.168.1.2 255.255.255.0
[H3C-GigabitEthernet0/1/0]un shu
[H3C-GigabitEthernet0/1/0]quit
[H3C]int s0/2/0
[H3C-Serial0/2/0]un shu
[H3C-Serial0/2/0]ip add 192.168.2.1 255.255.255.0
[H3C-Serial0/2/0]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
[H3C]rip
[H3C-rip-1]net 192.168.1.0
[H3C-rip-1]net 192.168.2.0
[H3C-rip-1]quit
[H3C]ike local-name rt1
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]ike peer peer1
[H3C-ike-peer-peer1]exchange-mode aggressive
[H3C-ike-peer-peer1]pre-shared-key abc
[H3C-ike-peer-peer1]id-type name
[H3C-ike-peer-peer1]remote-name rt2
[H3C-ike-peer-peer1]remote-address 192.168.4.2
[H3C-ike-peer-peer1]nat traversal
[H3C-ike-peer-peer1]quit
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]quit
[H3C]ipsec policy policy1 10 isakmp
[H3C-ipsec-policy-isakmp-policy1-10]ike-peer peer1
[H3C-ipsec-policy-isakmp-policy1-10]security acl 3001
[H3C-ipsec-policy-isakmp-policy1-10]proposal kalng
[H3C-ipsec-policy-isakmp-policy1-10]quit
[H3C]int s0/2/0
[H3C-Serial0/2/0]ipsec policy policy1
[H3C-Serial0/2/0]quit

 

NAT router configuration:

====================================================

<H3C>sy
[H3C]int s0/2/0
[H3C-Serial0/2/0]ip add 192.168.2.2 255.255.255.0
[H3C-Serial0/2/0]un shu
[H3C-Serial0/2/0]quit
[H3C]int s0/2/1
[H3C-Serial0/2/1]ip add 192.168.3.1 255.255.255.0
[H3C-Serial0/2/1]un shu
[H3C-Serial0/2/1]quit
[H3C]rip
[H3C-rip-1]net 192.168.2.0
[H3C-rip-1]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.3.2
[H3C]acl number 2001
[H3C-acl-basic-2001]rule permit source any
[H3C-acl-basic-2001]quit
[H3C]nat address-group 1 192.168.3.5 192.168.3.10
[H3C]int s0/2/1
[H3C-Serial0/2/1]nat outbound 2001 address-group 1
[H3C-Serial0/2/1]quit
[H3C]

 

RT2 configuration:

=====================================================

<H3C>sy
[H3C]int s0/2/0
[H3C-Serial0/2/0]ip add 192.168.4.2 255.255.255.0
[H3C-Serial0/2/0]un shu
[H3C-Serial0/2/0]quit
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ip add 192.168.5.1 255.255.255.0
[H3C-GigabitEthernet0/1/0]un shu
[H3C-GigabitEthernet0/1/0]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.4.1
[H3C]ike local-name rt2
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.5.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]ike peer peer2
[H3C-ike-peer-peer2]exchange-mode aggressive
[H3C-ike-peer-peer2]pre-shared-key abc
[H3C-ike-peer-peer2]id-type name
[H3C-ike-peer-peer2]remote-name rt1
[H3C-ike-peer-peer2]nat traversal
[H3C-ike-peer-peer2]quit
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]quit
[H3C]ipsec policy policy2 10 isakmp
[H3C-ipsec-policy-isakmp-policy2-10]ike-peer peer2
[H3C-ipsec-policy-isakmp-policy2-10]security acl 3001
[H3C-ipsec-policy-isakmp-policy2-10]proposal kalng
[H3C-ipsec-policy-isakmp-policy2-10]quit
[H3C]int s0/2/0
[H3C-Serial0/2/0]ipsec policy policy2
[H3C-Serial0/2/0]quit
[H3C]
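A check worth running once both sides have been typed in: the IKE peer, IPsec proposal and security ACL settings on RT1 and RT2 either have to agree or have to mirror each other, and a single mistyped keyword shows up only as a failed negotiation. The script below is an added Python example, not H3C code and not part of the original post; it parses the page's own RT1 and RT2 transcripts (trimmed to the IKE/IPsec lines and embedded here as constructed input) and keys on nothing but the Comware keywords that appear in them.

```python
import re

# Constructed input: the page's RT1 transcript, trimmed to the IKE/IPsec lines.
RT1_CONFIG = """
[H3C]ike local-name rt1
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]ike peer peer1
[H3C-ike-peer-peer1]exchange-mode aggressive
[H3C-ike-peer-peer1]pre-shared-key abc
[H3C-ike-peer-peer1]id-type name
[H3C-ike-peer-peer1]remote-name rt2
[H3C-ike-peer-peer1]remote-address 192.168.4.2
[H3C-ike-peer-peer1]nat traversal
[H3C-ike-peer-peer1]quit
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]quit
"""

# Constructed input: the page's RT2 transcript, trimmed the same way.
RT2_CONFIG = """
[H3C]ike local-name rt2
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.5.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]ike peer peer2
[H3C-ike-peer-peer2]exchange-mode aggressive
[H3C-ike-peer-peer2]pre-shared-key abc
[H3C-ike-peer-peer2]id-type name
[H3C-ike-peer-peer2]remote-name rt1
[H3C-ike-peer-peer2]nat traversal
[H3C-ike-peer-peer2]quit
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]quit
"""

# A Comware prompt is "[H3C]" at system view or "[H3C-<view>]" inside a view.
PROMPT = re.compile(r"^\[H3C(?:-([^\]]+))?\](.*)$")


def parse_h3c(transcript):
    """Reduce a CLI transcript to the settings the peer check needs."""
    cfg = {"local_name": None, "peer": {}, "proposal": {}, "acl": set()}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        ctx, words = (m.group(1) or ""), m.group(2).split()
        if not words or words[0] == "quit":
            continue
        if ctx == "" and words[:2] == ["ike", "local-name"]:
            cfg["local_name"] = words[2]
        elif ctx.startswith("ike-peer-"):
            # e.g. "pre-shared-key abc" -> {"pre-shared-key": "abc"},
            #      "nat traversal"      -> {"nat": "traversal"}
            cfg["peer"][words[0]] = " ".join(words[1:])
        elif ctx.startswith("ipsec-proposal-"):
            # e.g. "esp encryption-algorithm des" -> {"esp encryption-algorithm": "des"}
            cfg["proposal"][" ".join(words[:-1])] = words[-1]
        elif ctx.startswith("acl-adv-") and words[:3] == ["rule", "permit", "ip"]:
            # rule permit ip source <net> <wildcard> destination <net> <wildcard>
            cfg["acl"].add((words[4], words[7]))
    return cfg


def check_peers(a, b):
    """Return the list of mismatches between two peers; an empty list means consistent."""
    problems = []
    pa, pb = a["peer"], b["peer"]
    # Each side's remote-name must equal the other side's ike local-name.
    if pa.get("remote-name") != b["local_name"] or pb.get("remote-name") != a["local_name"]:
        problems.append("remote-name does not match the peer's ike local-name")
    for key in ("exchange-mode", "pre-shared-key", "id-type"):
        if pa.get(key) != pb.get(key):
            problems.append(f"{key} differs between peers")
    if pa.get("nat") != "traversal" or pb.get("nat") != "traversal":
        problems.append("nat traversal must be enabled on both peers")
    if a["proposal"] != b["proposal"]:
        problems.append("ipsec proposal parameters differ")
    # The security ACLs must be mirror images: A->B on one side, B->A on the other.
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:
        problems.append("security ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    print(check_peers(parse_h3c(RT1_CONFIG), parse_h3c(RT2_CONFIG)) or "peers consistent")
```

Note what the check deliberately does not demand: `remote-address` is present only on RT1. RT2 cannot know which pool address the NAT router will hand to RT1, so it is left without one and can only respond, which is also why the negotiation has to be started from RT1's side. The `des`/`md5` proposal and the pre-shared key `abc` are lab values; a policy check layered on this parser would flag both first.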

 

PS: once the configuration is complete, pinging PC1 from PC2 first fails.

Pinging PC2 from PC1 succeeds.

After that, pinging PC1 from PC2 succeeds as well.

The reason is that the NAT router has no translation entry for RT1 until traffic from RT1 has left through its outside interface. The mapping must first be created by pinging PC2 from PC1, and only then can PC2 reach PC1.
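The observation above follows directly from how an outbound NAT rule keeps state, and a small model makes the order of events explicit. The following is an added Python example, not part of the original post and not Comware code: it models `nat outbound 2001 address-group 1` on the NAT router's outside interface as a port-translating NAT that creates an entry only for packets leaving through that interface, then replays the lab's three steps. The pool and interface names are the page's; the port allocation (counting up from 1024) and the representation of packets are assumptions of the model.

```python
from dataclasses import dataclass, replace

# Lab values from the page: the NAT router's inside/outside serial interfaces
# and the pool defined by `nat address-group 1 192.168.3.5 192.168.3.10`.
INSIDE_IF, OUTSIDE_IF = "s0/2/0", "s0/2/1"
POOL = [f"192.168.3.{n}" for n in range(5, 11)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class OutboundNat:
    """Simplified model of `nat outbound 2001 address-group 1`.

    A translation entry is created only when a packet leaves via the outside
    interface; a packet arriving from outside is forwarded only if an entry
    already matches its destination address and port. Handing out the first
    pool address with ports counted up from 1024 is an assumption of this
    model, not the allocator a real Comware device uses.
    """

    def __init__(self, pool, first_port=1024):
        self.pool = list(pool)
        self.next_port = first_port
        self.out_table = {}  # (inside_ip, proto, port) -> (global_ip, port)
        self.in_table = {}   # (global_ip, proto, port) -> (inside_ip, port)

    def forward(self, pkt, ingress):
        """Return the translated packet, or None if the NAT drops it."""
        if ingress == INSIDE_IF:
            return self._outbound(pkt)
        if ingress == OUTSIDE_IF:
            return self._inbound(pkt)
        raise ValueError(f"unknown interface {ingress}")

    def _outbound(self, pkt):
        key = (pkt.src, pkt.proto, pkt.sport)
        if key not in self.out_table:  # ACL 2001 is `permit source any`, so every source qualifies
            mapped = (self.pool[0], self.next_port)
            self.next_port += 1
            self.out_table[key] = mapped
            self.in_table[(mapped[0], pkt.proto, mapped[1])] = (pkt.src, pkt.sport)
        global_ip, global_port = self.out_table[key]
        return replace(pkt, src=global_ip, sport=global_port)

    def _inbound(self, pkt):
        entry = self.in_table.get((pkt.dst, pkt.proto, pkt.dport))
        if entry is None:
            return None  # no mapping yet: dropped at the NAT router
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def lab_sequence():
    """Replay the page's observation and return the outcome of each step."""
    nat = OutboundNat(POOL)
    rt1, rt2 = "192.168.2.1", "192.168.4.2"  # RT1 s0/2/0 and RT2 s0/2/0 from the page
    results = []
    # 1. Traffic from RT2's side arrives at the outside interface before RT1 has
    #    sent anything; even a packet aimed at a pool address finds no entry.
    first = nat.forward(Packet(rt2, POOL[0], "udp", 500, 500), OUTSIDE_IF)
    results.append("dropped" if first is None else "delivered")
    # 2. RT1 initiates IKE (UDP 500) toward RT2. The entry is created and the
    #    source address/port are rewritten, which is exactly the change that the
    #    NAT-D payloads exchanged under `nat traversal` let both peers detect.
    out = nat.forward(Packet(rt1, rt2, "udp", 500, 500), INSIDE_IF)
    results.append(f"{out.src}:{out.sport}")
    # 3. RT2 answers the translated address/port; the entry maps it back to RT1.
    back = nat.forward(Packet(rt2, out.src, "udp", 500, out.sport), OUTSIDE_IF)
    results.append("dropped" if back is None else f"{back.dst}:{back.dport}")
    return results


if __name__ == "__main__":
    print(lab_sequence())
```

Running it gives the three outcomes in the order the page describes: the first inbound attempt is dropped, RT1's outbound IKE packet leaves as a pool address with a rewritten port, and RT2's reply to that address is mapped back to RT1. Once the IKE and IPsec SAs exist, PC2's traffic to PC1 rides the same entry, which is why the second ping from PC2 succeeds.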
