
Cisco tunnel problem

Network Engineering user
Asked on 2021-01-06 08:28:30
1 answer · 228 views · 0 followers · 0 votes

I have a problem with my VPN configuration. This is the topology I created:

First I updated the license so that the VPN features are available:

license boot module c1900 technology-package securityk9

IPsec router NetworkA configuration:

ip route 0.0.0.0 0.0.0.0 200.100.100.2 
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.40.0 0.0.0.255
!
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
!
crypto isakmp key VPN address 200.200.100.1
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp 
set peer 200.200.100.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set VPN
match address 100
!
interface gigabitEthernet 0/0
 crypto map VPN
!

IPsec router NetworkB:

ip route 0.0.0.0 0.0.0.0 200.200.100.2 
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.20.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
!
crypto isakmp key VPN address 200.100.100.1
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp 
set peer 200.200.100.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set VPN
match address 100
!
interface gigabitEthernet 0/0
 crypto map VPN
!

VLAN router NetworkA

interface gigabitEthernet 0/1.1
 encapsulation dot1Q 10 
 ip address 192.168.10.1 255.255.255.0 
!
interface gigabitEthernet 0/1.2
 encapsulation dot1Q 20 
 ip address 192.168.20.1 255.255.255.0
!

VLAN router NetworkB

interface gigabitEthernet 0/1.1
 encapsulation dot1Q 30 
 ip address 192.168.30.1 255.255.255.0 
!
interface gigabitEthernet 0/1.2
 encapsulation dot1Q 40 
 ip address 192.168.40.1 255.255.255.0
!

Switch1

interface gigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range fastEthernet 0/1-11
 switchport access vlan 10
!
interface range fastEthernet 0/11-20
 switchport access vlan 20
!

Switch2

interface gigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan 30,40
!
interface range fastEthernet 0/1-11
 switchport access vlan 30
!
interface range fastEthernet 0/11-20
 switchport access vlan 40
!

I want the VLANs to be able to communicate with each other, but there is a problem with the VPN tunnel.

I think I need to configure NAT, but I don't know how.

The output of "show crypto isakmp sa" is the same on both routers:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
!
IPv6 Crypto ISAKMP SA
!

1 Answer

Network Engineering user

Accepted answer

Posted on 2021-01-06 18:08:52

There is an error in the access list, which does not allow traffic into the VPN tunnel:

access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.20.0 0.0.0.255

Note 103.168.10.0 instead of 192.168.10.0.

Votes: 1
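The accepted answer spots the typo by eye. A crypto ACL only selects traffic for the tunnel if the peer's ACL is its exact mirror image (source and destination swapped), so the mismatch can also be checked mechanically. The following script is an added example, not part of the original question or answer: it parses the two crypto ACLs as posted, converts Cisco wildcard masks to networks, and reports every entry that the other side does not mirror; the corrected ACLs (constructed here by replacing 103.168 with 192.168 on both routers) are checked the same way.

```python
import ipaddress
import re

# Crypto ACLs copied from the question (router NetworkA, then NetworkB).
ACL_A = """
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 103.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 103.168.40.0 0.0.0.255
"""
ACL_B = """
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 103.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 103.168.20.0 0.0.0.255
"""
# Corrected pair, constructed for this example: the typo appears on both routers.
ACL_A_FIXED = ACL_A.replace("103.168.", "192.168.")
ACL_B_FIXED = ACL_B.replace("103.168.", "192.168.")

ACE_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address + wildcard (inverse mask) into an IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_crypto_acl(text):
    """Return the set of (src, dst) proxy-ID pairs the crypto ACL selects."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            pairs.add((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
    return pairs


def find_mismatches(acl_a, acl_b):
    """Entries on each side that the peer does not mirror (src/dst swapped)."""
    a, b = parse_crypto_acl(acl_a), parse_crypto_acl(acl_b)
    mirrored_b = {(dst, src) for src, dst in b}      # B's entries seen from A's side
    only_a = sorted(a - mirrored_b, key=str)          # A would encrypt, B would reject
    only_b = sorted(mirrored_b - a, key=str)          # B would encrypt, A would reject
    return only_a, only_b


if __name__ == "__main__":
    for label, (x, y) in {"as posted": (ACL_A, ACL_B), "corrected": (ACL_A_FIXED, ACL_B_FIXED)}.items():
        only_a, only_b = find_mismatches(x, y)
        print(f"{label}: {len(only_a)} unmirrored on A, {len(only_b)} unmirrored on B")
        for src, dst in only_a:
            print(f"  A selects {src} -> {dst}, but B has no {dst} -> {src}")
```

With the posted ACLs every entry on both routers is unmirrored, which is why no SA is ever negotiated; with the corrected pair the report is empty.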
Original content provided by Network Engineering; translation supported by Tencent Cloud's IT-domain translation engine.
Original link:

https://networkengineering.stackexchange.com/questions/71887