
ScreenOS ip6in4 tunnel over transport-mode ipsec?

Server Fault user
Asked 2011-05-09 14:27:55
Answers: 2  Views: 734  Followers: 0  Score: 5

I have set up a point-to-point transport-mode ipsec session between a ScreenOS router (SSG-5) and a Cisco 3925. The ipsec transport itself works fine, but as soon as I try to steer protocol 41 traffic through the transport, the packets don't get through.

I originally assumed you would need to create a tunnel for the ipsec connection and then target the ipsec tunnel's outgoing interface, but ScreenOS doesn't allow you to create a tunnel on a tunnel.

Also, I tried using a policy-based VPN, but when I try to use "tunnel vpn" as the policy target it tells me unknown command? Is there a master switch for policy-based ipsec?

Below is the config I think is relevant, but I'll be very happy to provide more information as needed.

SCREENOS CONFIG:
---------------------------
set zone id 105 "mytunnel_TUNNEL"
set zone "mytunnel_TUNNEL" tcp-rst
set interface "tunnel.5" zone "mytunnel_TUNNEL"
set address "mytunnel_TUNNEL" "fdee:7e1e::/32" fdee:7e1e::/32
set ike gateway "micmplsv4" address 2.2.2.157 Main outgoing-interface "ethernet0/0" preshare "igdZeIcKNobfusol+CQcpIfvwnFwrxb5g==" sec-level compatible
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" monitor optimized rekey
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set vpn "mytunnel" proxy-id local-ip 8.8.8.10/32 remote-ip 2.2.2.157/32 "ANY"
set policy id 137 from "DMZ" to "mytunnel_TUNNEL"  "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set policy id 136 from "mytunnel_TUNNEL" to "DMZ"  "fdee:7e1e::/32" "fdbe:a922:a316:2::/64" "ANY" permit
set interface "tunnel.3" zone "Untrust"
set interface tunnel.3 ip unnumbered interface ethernet0/0
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set route 2.2.2.157/32 interface tunnel.3


CISCO CONFIG:
------------------------------
ip access-list extended mic2pg
 permit ip host 2.2.2.157 host 8.8.8.10
!
crypto ipsec transform-set transport-esp-3des-sha esp-3des esp-sha-hmac
 mode transport
!
crypto map vpnmap 30 ipsec-isakmp
 set peer 8.8.8.10
 set transform-set transport-esp-3des-sha
 match address mic2pg
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 2.2.2.157 255.255.255.224
 crypto map vpnmap
!
interface Tunnel3
 no ip address
 ipv6 address FDEE:7E1E:100:F002::1/64
 ipv6 enable
 tunnel source 2.2.2.157
 tunnel mode ipv6ip
 tunnel destination 8.8.8.10
 !
end

2 answers

Server Fault user

Posted 2011-08-20 04:16:14

I do a lot of IPv6 on ScreenOS, both native and tunneled. I've done exactly what you're asking (although the other end wasn't Cisco). Here's what to do.

Throw the 6in4 stuff away. Use just a single tunnel interface and remove the proxy-id on both sides. Build the tunnel with the v4 endpoints, then route the remote v6 prefix and the remote v4 prefix to the tunnel interface.

Update: sample config, as requested.

Notes:

  • Local v6 supernet is fd28:e1f3:d650:1000::/56
  • Remote v6 supernet is fd28:e1f3:d650:2000::/56
  • A lot of the v4 parts are omitted, since I think you get the idea.

set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 5.6.7.8/27
set interface ethernet0/0 route

set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.10.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ipv6 mode router
set interface ethernet0/2 ipv6 enable
set interface ethernet0/2 ipv6 ip fd28:e1f3:d650:1010::/64

set interface ethernet0/2 ipv6 nd nud
set interface ethernet0/2 ipv6 ra link-address
set interface ethernet0/2 ipv6 ra link-mtu
set interface ethernet0/2 ipv6 ra managed
set interface ethernet0/2 ipv6 ra other
set interface ethernet0/2 ipv6 ra preference high
set interface ethernet0/2 ipv6 ra prefix fd28:e1f3:d650:1010::/64
set interface ethernet0/2 ipv6 ra reachable-time
set interface ethernet0/2 ipv6 ra retransmit-time
set interface ethernet0/2 ipv6 ra transmit

set zone name v6remote
set interface tunnel.20 ip unnumbered interface ethernet0/0
set interface tunnel.20 zone v6remote
set interface tunnel.20 ipv6 mode host
set interface tunnel.20 ipv6 enable
set interface tunnel.20 ipv6 nd dad-count 0
set interface tunnel.20 ipv6 nd nud

set ike p1-proposal AES256-SHA preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal AES256-SHA group2 esp aes256 sha-1 second 3600

set ike gateway gateway2v6remote address 10.255.255.1 Main outgoing-interface ethernet0/0 preshare "secret-word" proposal AES256-SHA
set vpn tunnel2v6remote gateway gateway2v6remote replay tunnel idletime 0 proposal AES256-SHA 
set vpn tunnel2v6remote bind interface tunnel.20

set policy from v6remote to trust v6remote v6local ANY permit log count 
set policy from trust to v6remote v6local v6remote ANY permit log count

set route fd28:e1f3:d650:2000::/56 interface tunnel.20 gateway ::
Score: 1
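Applying the checklist from the answer above (one tunnel interface, tunnel mode, no proxy-id, route the remote v6 prefix to the tunnel interface) to the asker's ScreenOS excerpt, as an added example that is not part of either post: the script below parses only the `set vpn` / `set interface` / `set route` / `set policy` forms that appear on this page and reports what has to change, plus two hardening caveats visible in the same lines (`no-replay`, `sec-level compatible`). The `parse`, `lint`, `Vpn` and `Finding` names are this example's own, both sample configs are constructed from the page's posts, the `unset vpn "..." proxy-id check` form is assumed to mirror the `set` form, and nothing here talks to a device.

```python
from dataclasses import dataclass

# Constructed input: the asker's ScreenOS excerpt, trimmed to the lines this check reads.
QUESTION_CONFIG = '''
set vpn "mytunnel" gateway "micmplsv4" no-replay transport idletime 0 sec-level compatible
set vpn "mytunnel" id 0x16 bind interface tunnel.3
set vpn "mytunnel" proxy-id check
set policy id 137 from "DMZ" to "mytunnel_TUNNEL"  "fdbe:a922:a316:2::/64" "fdee:7e1e::/32" "ANY" permit
set interface "tunnel.3" zone "Untrust"
set route 2.2.2.157/32 interface tunnel.3
'''
# Constructed input: the tunnel-related lines of the answer's config.
ANSWER_CONFIG = '''
set interface tunnel.20 zone v6remote
set interface tunnel.20 ipv6 mode host
set interface tunnel.20 ipv6 enable
set vpn tunnel2v6remote gateway gateway2v6remote replay tunnel idletime 0 proposal AES256-SHA
set vpn tunnel2v6remote bind interface tunnel.20
set policy from v6remote to trust v6remote v6local ANY permit log count
set route fd28:e1f3:d650:2000::/56 interface tunnel.20 gateway ::
'''
@dataclass
class Vpn:
    name: str
    gateway: str = ""
    mode: str = ""            # "tunnel" or "transport"
    replay: bool = True       # False when the no-replay keyword is present
    sec_level: str = ""       # compatible/standard/basic; "" when an explicit proposal is named
    proxy_check: bool = False
    bind_iface: str = ""      # only a route-based VPN has one
@dataclass
class Finding:
    level: str   # "error": IPv6 will not cross this SA; "warn": the SA is weaker than it needs to be
    text: str
    fix: str     # suggested ScreenOS command(s)

def parse(config):
    """Collect the few objects the checklist needs from the 'set ...' lines."""
    vpns, iface_zone, v6_ifaces, routes, policy_zones = {}, {}, set(), set(), set()
    for raw in config.splitlines():
        tok = raw.replace('"', "").split()
        if tok[:1] != ["set"]:
            continue
        if tok[1] == "vpn":
            v, rest = vpns.setdefault(tok[2], Vpn(tok[2])), tok[3:]
            if rest[:1] == ["gateway"]:
                v.gateway = rest[1]
                v.mode = "transport" if "transport" in rest else "tunnel"
                v.replay = "no-replay" not in rest
                if "sec-level" in rest:
                    v.sec_level = rest[rest.index("sec-level") + 1]
            elif rest[:2] == ["proxy-id", "check"]:
                v.proxy_check = True
            elif "bind" in rest:
                v.bind_iface = rest[rest.index("interface") + 1]
        elif tok[1] == "interface":
            if "zone" in tok:
                iface_zone[tok[2]] = tok[tok.index("zone") + 1]
            if tok[3:5] == ["ipv6", "enable"]:
                v6_ifaces.add(tok[2])
        elif tok[1] == "route" and "interface" in tok:
            routes.add((tok[2], tok[tok.index("interface") + 1]))
        elif tok[1] == "policy" and "from" in tok:
            policy_zones.update({tok[tok.index("from") + 1], tok[tok.index("to") + 1]})
    return vpns, iface_zone, v6_ifaces, routes, policy_zones

def lint(config, remote_v6):
    """Findings for every VPN bound to a tunnel interface; an empty list means the checklist is met."""
    vpns, iface_zone, v6_ifaces, routes, policy_zones = parse(config)
    out = []
    for v in vpns.values():
        if not v.bind_iface:
            continue   # policy-based VPN: the route-based checklist does not apply
        if v.mode == "transport":
            tail = f" sec-level {v.sec_level}" if v.sec_level else ""
            out.append(Finding("error", f"{v.name}: transport mode protects only the endpoints' own traffic; a bound tunnel interface needs tunnel mode",
                               f'set vpn "{v.name}" gateway "{v.gateway}" replay tunnel idletime 0{tail}'))
        if v.proxy_check:   # the unset form is assumed to mirror the set form shown on the page
            out.append(Finding("error", f"{v.name}: proxy-id check pins the SA to the v4 endpoints", f'unset vpn "{v.name}" proxy-id check'))
        if v.bind_iface not in v6_ifaces:
            out.append(Finding("error", f"{v.bind_iface}: IPv6 is not enabled on the tunnel interface",
                               f"set interface {v.bind_iface} ipv6 mode host\nset interface {v.bind_iface} ipv6 enable"))
        if (remote_v6, v.bind_iface) not in routes:
            out.append(Finding("error", f"no route for {remote_v6} via {v.bind_iface}", f"set route {remote_v6} interface {v.bind_iface} gateway ::"))
        zone = iface_zone.get(v.bind_iface)
        if zone and zone not in policy_zones:
            out.append(Finding("error", f"{v.bind_iface} sits in zone {zone}, which no policy references (policies use {sorted(policy_zones)})",
                               f'set interface {v.bind_iface} zone "<zone used by the policies>"'))
        if not v.replay:
            out.append(Finding("warn", f"{v.name}: no-replay disables anti-replay on the SA", "use replay instead of no-replay"))
        if v.sec_level == "compatible":
            out.append(Finding("warn", f"{v.name}: sec-level compatible also offers legacy DES/3DES and MD5 proposals",
                               "set ike p2-proposal AES256-SHA group2 esp aes256 sha-1 second 3600"))
    return out

if __name__ == "__main__":
    for f in lint(QUESTION_CONFIG, "fdee:7e1e::/32"):
        print(f"[{f.level}] {f.text}\n    fix: {f.fix}")
```

Run as-is it lists five errors and two warnings for the question's config (transport mode, proxy-id check, no IPv6 on tunnel.3, no route for fdee:7e1e::/32, and tunnel.3 sitting in Untrust while the policies reference mytunnel_TUNNEL); the answer's config comes back clean, which is the point of its shape. The two warnings are not about reachability, but a peer that negotiates `sec-level compatible` with replay detection off is weaker than the explicit AES256/SHA proposals the answer uses.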

Server Fault user

Posted 2011-08-16 17:57:26

I know there is a problem with routing 6in4 traffic directly in ScreenOS. What people usually do is create a loopback interface to terminate the end of the 6in4 tunnel, and then route the IPv6 traffic through it. I use a similar configuration for my 6in4 tunnel, but I think the general principle may apply to your situation too. Please see this link for more information, particularly the "Update 13 September 2009" section.

Score: -1
Original content provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://serverfault.com/questions/267763
