AR3260 IPSec VPN established successfully, but the devices on the two sides cannot ping each other

2015/3/3 16:53:12
Problem description

1. Topology: one router at headquarters and two branch offices, each using an AR3260 as its egress device; IPSec VPNs are established pairwise between the three sites.

2. The headquarters router has an IPSec VPN up with each of the two branch ARs, and the internal user networks behind them can communicate with each other.

3. The two AR3260s also have an IPSec VPN established between themselves, but the intranet users behind them cannot reach each other.

IPSec VPN configuration on the two AR3260s

AR3260-1

acl number 3000  
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255 
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255 
rule 15 permit ip 
acl number 3001  
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255 
rule 15 deny ip 
acl number 3002  
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255 
rule 15 deny ip                                                  

ipsec proposal To_HJJT 
esp encryption-algorithm 3des 
ipsec proposal To_WFZ_Office 
esp encryption-algorithm 3des 

ike proposal 5 
encryption-algorithm 3des-cbc 
dh group2 
authentication-algorithm md5 

ike peer To_WFZ_Office v1 
pre-shared-key cipher %@%@y$87PFTzz*e(*YYHRn~J]'"-%@%@ 
ike-proposal 5 
remote-address 61.184.89.252 
ike peer To_HJJT v1 
pre-shared-key cipher %@%@Q~62$UwSSV75)cGWD`DW]-M2%@%@ 
ike-proposal 5 
remote-address 61.184.80.157 

ipsec policy WFZ 10 isakmp 
security acl 3001 
ike-peer To_HJJT 
proposal To_HJJT                         
ipsec policy WFZ 20 isakmp 
security acl 3002 
ike-peer To_WFZ_Office 
proposal To_WFZ_Office 
#
interface GigabitEthernet0/0/0 
ip address 58.53.160.62 255.255.255.240 
ipsec policy WFZ 
combo-port auto 
nat outbound 3000

AR3260-2

acl number 3000  
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255 
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255 
rule 15 permit ip 
acl number 3001  
rule 5 permit ip source 172.31.32.0 0.0.1.255 (local subnet) destination 10.82.0.0 0.0.255.255 (headquarters subnet)
rule 15 deny ip 
acl number 3002  
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255 (the peer subnet that cannot be reached)
rule 15 deny ip
                          

ipsec proposal To_HJJT 
esp encryption-algorithm 3des 
ipsec proposal To_WFZ_Office 
esp encryption-algorithm 3des 

ike proposal 5 
encryption-algorithm 3des-cbc 
dh group2 
authentication-algorithm md5 

ike peer To_WFZ_Office v1 
pre-shared-key cipher %@%@y$87PFTzz*e(*YYHRn~J]'"-%@%@ 
ike-proposal 5 
remote-address 61.184.89.252 
ike peer To_HJJT v1 
pre-shared-key cipher %@%@Q~62$UwSSV75)cGWD`DW]-M2%@%@ 
ike-proposal 5 
remote-address 61.184.80.157 

ipsec policy WFZ 10 isakmp 
security acl 3001 
ike-peer To_HJJT 
proposal To_HJJT                         
ipsec policy WFZ 20 isakmp 
security acl 3002 
ike-peer To_WFZ_Office 
proposal To_WFZ_Office 
#

interface GigabitEthernet0/0/0 
ip address 58.53.160.62 255.255.255.240 
ipsec policy WFZ 
combo-port auto 
nat outbound 3000

 

Troubleshooting process

1. First check the SA information on both ends. Below are the IKE SAs and one IPSec SA from one end. All SAs are in the READY state, so the IPSec tunnels themselves have been negotiated successfully. Note, however, that the IPSec SA for policy entry 20 (ACL 3002, flow 172.31.32.0/23 to 172.31.34.0/24) shows Max sent sequence-number 0 and Max received sequence-number 0: the tunnel exists, but no packet has ever been encrypted into it.

<WFZ_DianChang_AR3260>dis ike sa 
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  --------------------------------------------------------------- 
       57    61.184.89.252   0     RD|ST                  2     
       56    61.184.89.252   0     RD|ST                  1     
       60    61.184.80.157   0     RD|ST                  2     
       59    61.184.80.157   0     RD|ST                  1     

  Flag Description: 
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT 
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

----------------------------- 
  IPSec policy name: "WFZ" 
  Sequence number  : 20 
  Acl group        : 3002 
  Acl rule         : 5 
  Mode             : ISAKMP 
  ----------------------------- 
    Connection ID     : 57 
    Encapsulation mode: Tunnel 
    Tunnel local      : 58.53.160.62 
    Tunnel remote     : 61.184.89.252 
    Flow source       : 172.31.32.0/255.255.254.0 0/0 
    Flow destination  : 172.31.34.0/255.255.255.0 0/0 
    Qos pre-classify  : Disable 
    Qos group         : - 

    [Outbound ESP SAs] 
      SPI: 960343579 (0x393dae1b) 
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5 
      SA remaining key duration (bytes/sec): 1887436800/2641 
      Max sent sequence-number: 0 
      UDP encapsulation used for NAT traversal: N 

    [Inbound ESP SAs] 
      SPI: 718339035 (0x2ad0fbdb) 
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5 
      SA remaining key duration (bytes/sec): 1887436800/2641 
      Max received sequence-number: 0 
      Anti-replay window size: 32 
      UDP encapsulation used for NAT traversal: N

2. Check NAT: is traffic to the destination subnet being address-translated? NAT ACL 3000, bound with nat outbound on GigabitEthernet0/0/0, denies both tunnel flows (rules 5 and 10) before its final permit, so traffic for the VPN subnets is not translated.

3. To rule out a host firewall on the internal PC as the cause of the ping failure, the user was asked to ping the peer's gateway address instead; it still failed.

4. Reviewed the configuration again. Both IPSec VPNs are built from two entries of a single IPSec policy group (WFZ 10 and WFZ 20), so the security ACLs referenced by those entries were examined once more:

acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip

After removing rule 15 deny ip from acl 3001, the two ends can ping each other.

Root cause
Because only a single IPSec policy group is used, arriving traffic is first matched against the security ACL of ipsec policy WFZ 10, which is acl 3001. Traffic to headquarters matches rule 5 of acl 3001 and is protected, so it communicates. Traffic to the other AR3260 does not match rule 5 and instead hits rule 15 deny ip of acl 3001, so it is denied and not forwarded. The explicit deny in entry 10 ends the lookup before entry 20 (acl 3002), the entry that actually describes this flow, is ever consulted.
Solution
Remove the explicit deny entries (rule 15 deny ip) from the IPSec security ACLs 3001 and 3002 on both devices, so that each entry's ACL lists only the flows it protects and a flow that does not match entry 10 falls through to entry 20. Leave the deny rules in NAT ACL 3000 in place: they are what exempts the tunnel traffic from nat outbound.
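The matching order described in the root cause and solution above, modelled as an added example (Python written for this page; it is not Huawei's implementation and not part of the original case). It assumes the behaviour the case describes: policy entries are tried in sequence-number order, ACL rules in rule-number order, the first matching rule decides, a permit selects that entry's peer, and a deny ends the lookup for that flow; a flow that matches no entry at all is assumed to be forwarded outside IPSec. The ACLs and policy group are taken from the configuration above, ACLS_FIXED is the corrected set of security ACLs, and the host addresses used as test flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL line: 'rule <number> <action> ip [source A W] [destination B W]'.
    Address specs use Huawei wildcard notation ('172.31.32.0 0.0.1.255');
    'any' stands for a rule with no source/destination, such as 'rule 15 deny ip'."""
    number: int
    action: str        # "permit" or "deny"
    src: str = "any"
    dst: str = "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_lookup(acl, src, dst):
    """First matching rule in rule-number order wins; None when nothing matches."""
    for rule in sorted(acl, key=lambda r: r.number):
        if wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst):
            return rule
    return None


def ipsec_select(policy, acls, src, dst):
    """Walk the entries of one IPSec policy group by sequence number.

    Returns ('protect', peer) on the first permit hit, ('blocked', seq, rule_no)
    when a deny rule is hit first (the lookup stops there and later entries are
    never tried, which is what the case above observes), or ('bypass',) when no
    entry matches (assumed: forwarded in plaintext outside IPSec)."""
    for seq, acl_no, peer in sorted(policy):
        hit = acl_lookup(acls[acl_no], src, dst)
        if hit is None:
            continue
        if hit.action == "permit":
            return ("protect", peer)
        return ("blocked", seq, hit.number)
    return ("bypass",)


def nat_translated(acls, src, dst):
    """'nat outbound 3000': the flow is translated only if ACL 3000 permits it."""
    hit = acl_lookup(acls[3000], src, dst)
    return hit is not None and hit.action == "permit"


# Subnets from the configuration above.
LOCAL = "172.31.32.0 0.0.1.255"   # subnet behind this AR3260
HQ = "10.82.0.0 0.0.255.255"      # headquarters subnet
OTHER = "172.31.34.0 0.0.0.255"   # subnet behind the other AR3260

# ACLs exactly as configured on the page.
ACLS_AS_CONFIGURED = {
    3000: [Rule(5, "deny", LOCAL, HQ), Rule(10, "deny", LOCAL, OTHER), Rule(15, "permit")],
    3001: [Rule(5, "permit", LOCAL, HQ), Rule(15, "deny")],
    3002: [Rule(5, "permit", LOCAL, OTHER), Rule(15, "deny")],
}

# The fix from the case: 'rule 15 deny ip' removed from the security ACLs.
# NAT ACL 3000 keeps its deny rules; they exempt tunnel traffic from nat outbound.
ACLS_FIXED = {
    3000: ACLS_AS_CONFIGURED[3000],
    3001: [Rule(5, "permit", LOCAL, HQ)],
    3002: [Rule(5, "permit", LOCAL, OTHER)],
}

# ipsec policy WFZ: (sequence number, security acl, ike-peer)
POLICY_WFZ = [(10, 3001, "To_HJJT"), (20, 3002, "To_WFZ_Office")]


if __name__ == "__main__":
    # Constructed test flows: a host in the local subnet to HQ, to the other
    # branch, and to the Internet, under the configured and the fixed ACLs.
    for label, acls in (("as configured", ACLS_AS_CONFIGURED), ("fixed", ACLS_FIXED)):
        for dst in ("10.82.1.1", "172.31.34.5", "8.8.8.8"):
            print(label, "172.31.32.10 ->", dst,
                  ipsec_select(POLICY_WFZ, acls, "172.31.32.10", dst),
                  "nat:", nat_translated(acls, "172.31.32.10", dst))
```

Running it shows the flow to 172.31.34.0/24 blocked at entry 10 by rule 15 under the configured ACLs and protected by To_WFZ_Office once the deny is removed, while the flow to headquarters is protected by To_HJJT in both cases; nat_translated confirms that ACL 3000 exempts both tunnel flows from translation and still translates ordinary Internet traffic.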