ASA to Router dynamic site-to-site VPN

ASA configuration:

ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)#
ciscoasa(config)# crypto ipsec transform-set test esp-des esp-md5-hmac
ciscoasa(config)# crypto dynamic-map dymap 500 set transform-set test
ciscoasa(config)# crypto dynamic-map dymap 500 set reverse-route
ciscoasa(config)# crypto map mymap 500 ipsec-isakmp dynamic dymap
ciscoasa(config)# crypto map mymap interface outside
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp key cisco address 0.0.0.0 netmask 0.0.0.0

Configuration of the peer router (connected via ADSL):

R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 11.11.11.11
R1(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map mymap 1 ipsec-isakmp
R1(config-crypto-map)#set peer 11.11.11.11
R1(config-crypto-map)#set transform-set vpn
R1(config-crypto-map)#match address 102
R1(config-crypto-map)#exit
R1(config)#int f0/1
R1(config-if)#crypto map mymap
R1(config-if)#exit

After entering the configuration above, the VPN did not come up: sh crypto isakmp sa showed nothing at all, and with debug enabled on the ASA, pinging from a PC behind the inside interface produced no debug output whatsoever. Left with no other option, I pinged from the peer router instead while running debug on the ASA, and this time output appeared:

Feb 15 12:43:50 [IKEv1]: IP = 113.119.126.28, Error: Unable to remove PeerTblEntry
Feb 15 12:44:00 [IKEv1]: IP = 113.119.126.28, Removing peer from peer table failed, no match!
Feb 15 12:44:00 [IKEv1]: IP = 113.119.126.28, Error: Unable to remove PeerTblEntry
Feb 15 12:44:10 [IKEv1]: IP = 113.119.126.28, Removing peer from peer table failed, no match!
Feb 15 12:44:10 [IKEv1]: IP = 113.119.126.28, Error: Unable to remove PeerTblEntry
Feb 15 12:44:20 [IKEv1]: IP = 113.119.126.28, Removing peer from peer table failed, no match!
Feb 15 12:44:20 [IKEv1]: IP = 113.119.126.28, Error: Unable to remove PeerTblEntry
Feb 15 12:44:30 [IKEv1]: IP = 113.119.126.28, Removing peer from peer table failed, no match!
Feb 15 12:44:30 [IKEv1]: IP = 113.119.126.28, Error: Unable to remove PeerTblEntry
Feb 15 12:44:40 [IKEv1]: IP = 113.119.126.28, Removing peer from peer table failed, no match!
Feb 15 12:44:40 [IKEv1]: IP = 113.119.126.28, Error: Unable to remove PeerTblEntry

The ASA kept repeating this debug output, and I could not find a solution on Cisco's website either. Baidu turned up nothing, so I had to resort to Google, and found a hint on a foreign technical forum (written by a veteran, CCIE #1937); after searching online myself, I summarized it as follows.

After entering isakmp key cisco address 0.0.0.0 netmask 0.0.0.0 on the ASA, sh run shows the following:

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

Here, L2L is used for site-to-site IPsec VPN negotiation, while RA is used for aggressive-mode negotiation of remote-access IPsec VPN (such as EasyVPN), so we need to define an L2L tunnel-group here, namely:

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

Then define the ACL for the interesting traffic on the ASA:

ciscoasa(config)# access-list test extended permit ip 10.100.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ciscoasa(config)# crypto dynamic-map dymap 500 match address test
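The two fixes above (a pre-shared key under DefaultL2LGroup rather than DefaultRAGroup, and a match address ACL on the dynamic map) plus the usual pairing rules (mirrored crypto ACLs, matching ISAKMP policy and transform set) can all be checked before debugging on the box. The script below is an added example, not code from the original post or a Cisco tool: it embeds the ASA configuration as first written, the ASA with the additions the post ends with, and the router configuration (all constructed from what is shown above), parses both sides with simple regexes, and reports errors for the mismatches that stop the tunnel and warnings for DES, MD5 and DH group 2, which negotiate fine but are deprecated. The function names and the finding texts are this example's own assumptions.

```python
"""Consistency checks for an ASA dynamic-map / IOS crypto-map site-to-site pair.
Added example, not code from the original post; the configs below are constructed
from what the post shows, and the check names are this script's own."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]  # (source, destination) of one crypto ACL entry

# Constructed: the ASA as first configured in the post. The wildcard 'isakmp key'
# only produced a DefaultRAGroup pre-shared key in 'show run'.
ASA_BEFORE = """
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set test esp-des esp-md5-hmac
crypto dynamic-map dymap 500 set transform-set test
crypto dynamic-map dymap 500 set reverse-route
crypto map mymap 500 ipsec-isakmp dynamic dymap
crypto map mymap interface outside
isakmp enable outside
isakmp key cisco address 0.0.0.0 netmask 0.0.0.0
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""
# Constructed: the same ASA plus the three additions the post ends with.
ASA_AFTER = ASA_BEFORE + """
access-list test extended permit ip 10.100.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto dynamic-map dymap 500 match address test
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
"""
# Constructed: the ADSL-connected IOS router from the post.
IOS_CONFIG = """
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 11.11.11.11
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 11.11.11.11
 set transform-set vpn
 match address 102
"""
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_acl(config: str, prefix: str) -> Set[Flow]:
    """Entries 'PREFIX A MASK B MASK' -> {(A, B)}. Works for ASA netmasks and IOS
    wildcards alike, because ipaddress accepts a contiguous host mask as the mask
    (10.1.1.0/0.0.0.255 -> 10.1.1.0/24). 'host'/'any' forms are not handled."""
    pat = re.compile(rf"^\s*{re.escape(prefix)} (\S+) (\S+) (\S+) (\S+)", re.M)
    return {(Net(f"{a}/{am}", strict=False), Net(f"{b}/{bm}", strict=False))
            for a, am, b, bm in pat.findall(config)}


def parse_isakmp_policy(config: str) -> Dict[str, str]:
    """Attributes of the first 'crypto isakmp policy' block, e.g. {'hash': 'md5', ...}."""
    block = re.search(r"crypto isakmp policy \d+\n((?:[ \t]+\S.*\n)+)", config)
    return dict(l.split(None, 1) for l in block.group(1).split("\n") if l.strip()) if block else {}


def parse_transform_set(config: str) -> Set[str]:
    """Transforms of the first 'crypto ipsec transform-set' line."""
    m = re.search(r"crypto ipsec transform-set \S+ (.+)", config)
    return set(m.group(1).split()) if m else set()


def check_pair(asa: str, ios: str, asa_acl: str = "test", ios_acl: str = "102") -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for the two configurations."""
    errors, warnings = [], []
    # 1. Crypto ACLs must be mirror images or the phase 2 proxy identities will not match.
    asa_flows = parse_acl(asa, f"access-list {asa_acl} extended permit ip")
    mirrored = {(d, s) for s, d in parse_acl(ios, f"access-list {ios_acl} permit ip")}
    if not asa_flows:
        errors.append(f"ASA: crypto ACL '{asa_acl}' missing or empty")
    elif asa_flows != mirrored:
        errors.append(f"crypto ACLs not mirrored: ASA {sorted(f'{s}->{d}' for s, d in asa_flows)}")
    # 2. The dynamic map must reference that ACL (the post's second fix).
    if not re.search(r"^crypto dynamic-map \S+ \d+ match address \S+", asa, re.M):
        errors.append("ASA: dynamic-map has no 'match address'")
    # 3. A main-mode L2L peer uses DefaultL2LGroup, not DefaultRAGroup (the post's first fix).
    if not re.search(r"tunnel-group DefaultL2LGroup ipsec-attributes\n\s*pre-shared-key", asa):
        errors.append("ASA: no pre-shared-key under tunnel-group DefaultL2LGroup")
    # 4. Phase 1 and phase 2 proposals must agree on both sides.
    a_pol, i_pol = parse_isakmp_policy(asa), parse_isakmp_policy(ios)
    for attr in ("encryption", "hash", "authentication", "group"):
        if a_pol.get(attr) != i_pol.get(attr):
            errors.append(f"ISAKMP {attr} mismatch: ASA={a_pol.get(attr)} router={i_pol.get(attr)}")
    if parse_transform_set(asa) != parse_transform_set(ios):
        errors.append("IPsec transform sets differ")
    # 5. Deprecated algorithms still negotiate, so they are warnings rather than errors.
    for attr, weak in WEAK_ISAKMP.items():
        if a_pol.get(attr) in weak:
            warnings.append(f"ISAKMP {attr} '{a_pol[attr]}' is deprecated; prefer AES, SHA-2, DH group 14+")
    if parse_transform_set(asa) & WEAK_TRANSFORMS:
        warnings.append("transform set uses DES/MD5; prefer esp-aes with a SHA-based HMAC")
    return {"errors": errors, "warnings": warnings}
```

Running check_pair(ASA_BEFORE, IOS_CONFIG) reports exactly the three things the post had to add (the ACL, the match address, and the DefaultL2LGroup key), while check_pair(ASA_AFTER, IOS_CONFIG) returns no errors and four deprecation warnings. Note that the parser only reads the first ISAKMP policy and transform set on each side; a real device may carry several, and a static-map peer hitting an ASA dynamic map must also agree on the transform set the dynamic map names.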
