VPN上的Tacacs+不起作用
VPN上的Tacacs+不起作用
提问于 2019-09-04 18:37:47
R3是一个Tacacs+客户端,Server0被配置为带有Tacacs+的AAA服务器,但是R3不能进行身份验证。
R3配置:
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
aaa new-model
!
aaa authentication login CONSOLE none
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
!
ip cef
no ipv6 cef
!
username backup password 0 cisco
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key secretkey address 209.165.100.1
!
crypto ipsec transform-set R3-R1 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer 209.165.100.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set R3-R1
match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
ip address 209.165.200.1 255.255.255.0
duplex auto
speed auto
crypto map IPSEC-MAP
!
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.2
!
ip flow-export version 9
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!!
tacacs-server host 192.168.1.3 key cisco
!
!line con 0
login authentication CONSOLE
!
line aux 0
!
line vty 0 4
!
!
endR1配置:
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login CONSOLE none
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
!
!
ip cef
no ipv6 cef
!
username backup password 0 cisco
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key secretkey address 209.165.200.1
!
!
!
crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer 209.165.200.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set R1-R3
match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
ip address 209.165.100.1 255.255.255.0
duplex auto
speed auto
crypto map IPSEC-MAP
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.100.2
!
ip flow-export version 9
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
tacacs-server host 192.168.1.3 key cisco
!
line con 0
login authentication CONSOLE
!
line aux 0
!
line vty 0 4
!
endISP路由器配置
Current configuration : 590 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
ip address 209.165.100.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
ip address 209.165.200.2 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end注意: R1和R3已经形成了VPN隧道。
回答 1
Network Engineering用户
回答已采纳
发布于 2019-09-05 13:02:22
您需要从内部接口中获取源,以便包含在隧道上有趣的流量中。如果不指定这一点,它将采用默认的路径到达那里,这将是您的外部接口,并且失败。请将命令ip tacacs source-interface GigabitEthernet0/0/1添加到R3上,如果该命令被解析,请返回报告。
页面原文内容由Network Engineering提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://networkengineering.stackexchange.com/questions/61294
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号