
Traversing an IPSec tunnel

Network Engineering user
Asked 2019-07-12 15:50:01
Answers 1, Views 2.4K, Followers 0, Votes 1

askk

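Hi. When I run a trace from host 192.168.11.0/24 to server 10.0.0.0/24, i.e. Site B, it shows Request timed out when the packet enters the public area (as shown in the figure below). I am using the IPSec protocol. Thanks...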

Network diagram

KCP 1 (Site A) Conf

Current configuration : 1284 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname KCP1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524EEWL-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key bjj address 209.165.100.1
!
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map bjjtunnel 1 ipsec-isakmp 
 set peer 209.165.100.1
 set transform-set TS 
 match address vpn-ke-bjjpusat
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 209.165.101.1 255.255.255.248
 duplex auto
 speed auto
 crypto map bjjtunnel
!
interface GigabitEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.101.2 
!
ip flow-export version 9
!
!
ip access-list extended vpn-ke-bjjpusat
 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

BJJPUSAT (Site B) Conf

Current configuration : 1290 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BJJPUSAT
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524I08N-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key bjj address 209.165.101.1
!
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map bjjtunnel 1 ipsec-isakmp 
 set peer 209.165.101.1
 set transform-set TS 
 match address vpn-ke-kcp1
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 209.165.100.1 255.255.255.248
 duplex auto
 speed auto
 crypto map bjjtunnel
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.100.2 
!
ip flow-export version 9
!
!
ip access-list extended vpn-ke-kcp1
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.11.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

1 Answer

Network Engineering user

Posted 2019-07-12 18:41:08

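BJJPUSAT, the tunnel end toward the destination, doesn't send ICMP Time Exceeded messages when the TTL runs out. It just silently drops the probe packet.

Note that the tunneled packet doesn't enter the public area itself. It is encapsulated in an outer packet that traverses that area. Therefore the tunnel decrements the TTL by only 1, and traceroute sees the tunnel as a single hop, regardless of the outer packet's hop count.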

Votes 0
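A simplified model of the behaviour this answer describes, added here as an example and not part of the original post: it traces the inner TTL across the two tunnel routers and shows that the public routers never appear in the output. The number of public routers, the initial outer TTL of 255 and the names `Router`, `Tunnel`, `probe` and `traceroute` are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    sends_time_exceeded: bool = True  # False: expired probes are dropped silently

@dataclass
class Tunnel:
    public_hops: int                  # assumed count; the diagram is not on the page
    outer_ttl: int = 255              # assumed initial TTL of the outer (ESP) header

def probe(inner_ttl, path):
    """Send one probe; return the hop name that answers, '*' on a silent
    drop, or 'destination' if the probe reaches the far-end host."""
    for hop in path:
        if isinstance(hop, Tunnel):
            # Public routers decrement only the outer header. If it expired, the
            # ICMP error would go to the encapsulating router, not the tracing host.
            if hop.outer_ttl - hop.public_hops <= 0:
                return "*"
            continue                  # inner TTL is unchanged inside the tunnel
        inner_ttl -= 1                # each router that forwards the inner packet
        if inner_ttl == 0:
            return hop.name if hop.sends_time_exceeded else "*"
    return "destination"

def traceroute(path, max_ttl=8):
    """Return what the tracing host sees for TTL = 1, 2, ... until the destination answers."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        seen.append(probe(ttl, path))
        if seen[-1] == "destination":
            break
    return seen

# Constructed path: host 192.168.11.x -> KCP1 -> public routers -> BJJPUSAT -> 10.0.0.x
PATH = [Router("KCP1 192.168.11.1"),
        Tunnel(public_hops=4),
        Router("BJJPUSAT", sends_time_exceeded=False)]

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(PATH), start=1):
        print(n, "Request timed out." if hop == "*" else hop)
```

Changing `public_hops` leaves the result at three lines, and setting `sends_time_exceeded=True` on BJJPUSAT replaces the timed-out second hop with its name.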
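The original content of this page is provided by Network Engineering. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: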

https://networkengineering.stackexchange.com/questions/60375
