Configuring and troubleshooting an IPsec VPN (IKEv2) between an ASA and a router in a NAT-T environment
// IPsec type is point-to-point L2L; pre-shared authentication keys for both IPsec peers (set manually)
tunnel-group 202.134.122.2 type ipsec-l2l
tunnel-group 202.134.122.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
// Apply on the interface
crypto ikev2 enable outside
crypto map l2lmap interface outside
R1
ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload
// Without the following port mappings, the device on the inside of the NAT-T environment can still actively establish the IPsec VPN with the peer's edge router, but the reverse direction cannot
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable
ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable
// All traffic leaving this router is for reaching the remote intranet, so all of it is encrypted
ip access-list extended natacl
permit ip any any
R2
// Define the IPsec phase 1 IKEv2 negotiation proposal
crypto ikev2 proposal ikev2-proposal
encryption 3des
integrity sha512
group 2
// Define the IKEv2 policy
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
// Define the authentication parameters (peer name, peer public address, pre-shared key)
crypto ikev2 keyring ikev2-keyring
peer ASA2
address 202.134.121.1
pre-shared-key cisco
// Define the IKEv2 authentication profile (the remote device's real inside address, the local public address, pre-shared authentication, authentication parameters)
If this inside address is wrong, the negotiation stays in the first IKEv2 stage, SA-INIT, and the IKE-AUTH stage then keeps reporting errors.
crypto ikev2 profile IKEV2-profile
match identity remote address 10.249.190.253 255.255.255.0
identity local address 202.134.122.2
authentication remote pre-share
authentication local pre-share
keyring local ikev2-keyring
// Define the phase 2 transform set parameters
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
mode tunnel
// Define the crypto map
crypto map l2lmap 10 ipsec-isakmp
set peer 202.134.121.1
set transform-set l2ltrans
set ikev2-profile IKEV2-profile
set pfs
match address l2lacl
// Select the traffic to be encrypted (and exempt it from NAT)
ip access-list extended l2lacl
permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
ip access-list extended natacl
deny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
permit ip any any
// Apply on the interface
ip nat inside source list natacl interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.134.122.1
interface Ethernet0/0
ip address 202.134.122.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
crypto map l2lmap
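The three things this lab depends on (the static UDP 500/4500 mappings on R1 so the remote side can initiate, the NAT ACL on R2 denying exactly what the crypto ACL permits, and R2's IKEv2 profile matching the ASA's real inside address) are easy to get subtly wrong. The script below is an added example, not tooling from the post or from Cisco: it rebuilds the R1 and R2 listings above as text, parses the ACLs with Python's standard `ipaddress` module, and reports gaps. The function names and the check logic are this example's own.

```python
"""Consistency checks for the IKEv2 over NAT-T lab above.

Added example, not part of the original post. The config strings are
reconstructed from the R1 and R2 listings on the page; the check functions
are this example's own.
"""
import ipaddress
import re

# R1, the NAT device in front of the ASA (reconstructed from the post).
R1_CONFIG = """
ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip access-list extended natacl
 permit ip any any
"""

# R2, the remote IKEv2 router (reconstructed from the post).
R2_CONFIG = """
crypto ikev2 profile IKEV2-profile
 match identity remote address 10.249.190.253 255.255.255.0
 identity local address 202.134.122.2
ip access-list extended l2lacl
 permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
ip access-list extended natacl
 deny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip any any
"""

NAT_T_PORTS = {500, 4500}  # IKE and NAT-T (UDP-encapsulated ESP)


def _net(tokens, i):
    """Consume one IOS ACL address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are host masks, which ipaddress accepts after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'ip access-list extended' blocks."""
    acls, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
        elif current is not None and tokens[:2] in (["permit", "ip"], ["deny", "ip"]):
            src, i = _net(tokens, 2)
            dst, _ = _net(tokens, i)
            current.append((tokens[0], src, dst))
        elif tokens and tokens[0] not in ("permit", "deny", "remark"):
            current = None  # any other top-level command ends the ACL block
    return acls


def nat_exemption_gaps(config, crypto_acl, nat_acl):
    """Crypto-ACL permits whose first-matching NAT ACL entry is not a 'deny'.

    On IOS, inside-to-outside NAT runs before the crypto map is consulted, so
    any such traffic would be PAT-translated and never match the crypto ACL.
    """
    acls = parse_acls(config)
    gaps = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        first = next(((a, s, d) for a, s, d in acls.get(nat_acl, [])
                      if src.subnet_of(s) and dst.subnet_of(d)), None)
        if first is None or first[0] != "deny":
            gaps.append(f"{src} -> {dst}")
    return gaps


def missing_natt_ports(config, inside_host):
    """UDP ports in NAT_T_PORTS with no static inside->outside mapping for inside_host."""
    mapped = {int(m.group(3)) for m in re.finditer(
        r"ip nat inside source static udp (\S+) (\d+) \S+ (\d+)", config)
        if m.group(1) == inside_host}
    return NAT_T_PORTS - mapped


def identity_covers(config, asa_inside_addr):
    """True if 'match identity remote address' in the IKEv2 profile covers the ASA's inside address."""
    m = re.search(r"match identity remote address (\S+) (\S+)", config)
    if not m:
        return False
    allowed = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return ipaddress.ip_address(asa_inside_addr) in allowed


if __name__ == "__main__":
    print("R2 NAT exemption gaps:", nat_exemption_gaps(R2_CONFIG, "l2lacl", "natacl"))
    print("R1 missing NAT-T ports:", missing_natt_ports(R1_CONFIG, "10.249.190.253"))
    print("R2 identity covers ASA:", identity_covers(R2_CONFIG, "10.249.190.253"))
```

Run against the reconstructed lab the checks come back clean; deleting one `deny` line from R2's `natacl` or changing a port on R1's static mapping makes the corresponding check report the gap, which is the kind of mismatch that otherwise shows up only as a stuck SA-INIT or as cleartext leaving the NAT interface.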
Screenshots and descriptions of the error messages: I will write them up when I have time, to be continued...