7437 views | 0 helpful | 3 replies

IPsec VPN tunnel: one end only encrypts, the other end shows no decrypted packets, and the tunnel interface addresses cannot ping each other

jia-yupeng
Level 1
Network topology is in the attachment: 113204gd9nd3cmwiiccx26.png
siteA configuration:
version 12.4
no service password-encryption
!
hostname IPV6-2821-CNBJPEK12-01
enable secret 5 $1$p3WY$E.P83ia7N/Bx.YE9J87eV/
!
no aaa new-model
clock timezone UTC 8
!
ip cef
!
no ip domain lookup
ip domain name lenovo.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
!
voice-card 0
no dspfarm
!
crypto pki token default removal timeout 0
!
username lenovo password 0 lenovo,!
!
ip ssh version 2
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel0
ip address 9.9.9.2 255.255.255.252
ip tcp adjust-mss 1300
ip ospf mtu-ignore
load-interval 30
tunnel source 10.103.2.134
tunnel destination 10.128.220.107
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
description To-COS-12804-CNBJPEK12-01-10GE3/0/10
ip address 10.103.2.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description To-Dis-12708-CNBJPEK12-01-XGE1/0/6
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 9.9.9.2 0.0.0.0 area 0
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 10.103.2.133 name Internal-mgmt
!
siteB configuration:
version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname apnewhkxscs_csr1000v-1
!
aaa session-id common
clock timezone UTC 8 0
!
ip name-server 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9F8JLPHZJYI
license accept end user agreement
license boot level security
!
username lenovo privilege 15 password 7 151E0E020B3C246869
!
redundancy
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel6
ip address 9.9.9.1 255.255.255.252
ip tcp adjust-mss 1300
ip ospf mtu-ignore
load-interval 30
tunnel source 10.128.220.107
tunnel mode ipsec ipv4
tunnel destination 10.103.2.134
tunnel protection ipsec profile P1
!
interface GigabitEthernet1
ip address 10.128.220.107 255.255.255.240
ip tcp adjust-mss 1200
negotiation auto
!
router ospf 1
router-id 10.128.220.107
network 9.9.9.1 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.128.220.147 name internet
ip route 10.0.0.0 255.0.0.0 10.128.220.110
ip route 10.103.2.134 255.255.255.255 10.128.220.110
Test:
IPV6-2821-CNBJPEK12-01#ping 10.128.220.107 source 10.103.2.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.220.107, timeout is 2 seconds:
Packet sent with a source address of 10.103.2.134
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/52 ms
isakmp sa:
IPV6-2821-CNBJPEK12-01#sh crypto isakmp sa
dst src state conn-id slot status
10.128.220.107 10.103.2.134 QM_IDLE 2 0 ACTIVE
siteA:
ipsec sa:
IPV6-2821-CNBJPEK12-01#SH CRYpto IPsec SA
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.103.2.134
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.128.220.107 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.103.2.134, remote crypto endpt.: 10.128.220.107
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x87C7164F(2277971535)
inbound esp sas:
spi: 0x83B90367(2209940327)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4585833/2350)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x91268ACF(2435222223)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4426620/2352)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0xF2142416(4061406230)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4585832/2348)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x87C7164F(2277971535)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4426604/2350)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
siteB:
apnewhkxscs_csr1000v-1#sh crypto ipsec sa peer 10.103.2.134
interface: Tunnel6
Crypto map tag: Tunnel6-head-0, local addr 10.128.220.107
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.103.2.134 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.128.220.107, remote crypto endpt.: 10.103.2.134
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x91268ACF(2435222223)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF2142416(4061406230)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2875, flow_id: CSR:875, sibling_flags FFFFFFFF80000048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2243)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x87C7164F(2277971535)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2877, flow_id: CSR:877, sibling_flags FFFFFFFF80004048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4607985/2244)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x83B90367(2209940327)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2876, flow_id: CSR:876, sibling_flags FFFFFFFF80000048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2243)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x91268ACF(2435222223)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2878, flow_id: CSR:878, sibling_flags FFFFFFFF80004048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4607988/2244)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
Problem:
Site A shows only encrypted packets, while site B shows both encrypted and decrypted packets, and the tunnel interface addresses cannot ping each other:
IPV6-2821-CNBJPEK12-01#ping 9.9.9.1 SOurce 9.9.9.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 9.9.9.2
.....
Success rate is 0 percent (0/5)
Site A has no OSPF neighbor entry:
IPV6-2821-CNBJPEK12-01#sh ip os neighbor
Site B has a neighbor entry, in INIT state:
apnewhkxscs_csr1000v-1#sh ip os neighbor
Neighbor ID Pri State Dead Time Address Interface
10.103.2.134 0 INIT/ - 00:00:31 9.9.9.2 Tunnel6
I have ruled out the IOS version: another site running the same 12.4 version as site A can form an adjacency with site B normally and learn routes.
Please help me analyze this.
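The counters in the two `show crypto ipsec sa` outputs above already locate the fault fairly precisely: both sides agree on the SPIs (siteA's inbound SPIs are siteB's outbound SPIs and vice versa), so IKE negotiated matching keys, yet siteA has 125 encaps and 0 decaps while siteB has 134 decaps. The following added example (mine, not part of the original post and not Cisco code) parses both outputs, checks SPI consistency, and reports the traffic asymmetry; the two sample strings are trimmed copies of the outputs posted in this thread.

```python
"""Compare `show crypto ipsec sa` from both IPsec peers and explain a one-way tunnel.

Added example for this thread; not part of the original post and not Cisco code.
SITE_A_SA and SITE_B_SA are trimmed copies of the siteA and siteB output above.
"""
import re
from dataclasses import dataclass

SITE_A_SA = """\
interface: Tunnel0
#pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 10.103.2.134, remote crypto endpt.: 10.128.220.107
current outbound spi: 0x87C7164F(2277971535)
inbound esp sas:
spi: 0x83B90367(2209940327)
spi: 0x91268ACF(2435222223)
outbound esp sas:
spi: 0xF2142416(4061406230)
spi: 0x87C7164F(2277971535)
"""

SITE_B_SA = """\
interface: Tunnel6
#pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
local crypto endpt.: 10.128.220.107, remote crypto endpt.: 10.103.2.134
current outbound spi: 0x91268ACF(2435222223)
inbound esp sas:
spi: 0xF2142416(4061406230)
spi: 0x87C7164F(2277971535)
outbound esp sas:
spi: 0x83B90367(2209940327)
spi: 0x91268ACF(2435222223)
"""


@dataclass
class SaSummary:
    local: str
    peer: str
    encaps: int          # packets this side encrypted and sent
    decaps: int          # packets this side received and decrypted
    inbound_spis: list   # SPIs this side accepts; must equal the peer's outbound SPIs
    outbound_spis: list  # SPIs this side sends; must equal the peer's inbound SPIs


def _counter(text, name):
    m = re.search(rf"#pkts {name}: (\d+)", text)
    return int(m.group(1)) if m else 0


def _spis(text, direction):
    # Take only the "<direction> esp sas:" section so that the
    # "current outbound spi" line above the sections is not counted.
    m = re.search(rf"{direction} esp sas:(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)",
                  text, re.S)
    if not m:
        return []
    return sorted(s.lower() for s in re.findall(r"spi: (0x[0-9A-Fa-f]+)", m.group(1)))


def parse_ipsec_sa(text):
    ends = re.search(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", text)
    return SaSummary(
        local=ends.group(1), peer=ends.group(2),
        encaps=_counter(text, "encaps"), decaps=_counter(text, "decaps"),
        inbound_spis=_spis(text, "inbound"), outbound_spis=_spis(text, "outbound"),
    )


def diagnose(a, b):
    """Return a list of (code, explanation) findings for a pair of peers."""
    findings = []
    if a.inbound_spis != b.outbound_spis:
        findings.append(("SPI_MISMATCH", f"{a.local} inbound {a.inbound_spis} != "
                         f"{b.local} outbound {b.outbound_spis}: stale or duplicate SAs"))
    if a.outbound_spis != b.inbound_spis:
        findings.append(("SPI_MISMATCH", f"{a.local} outbound {a.outbound_spis} != "
                         f"{b.local} inbound {b.inbound_spis}: stale or duplicate SAs"))
    if findings:
        return findings
    # SAs agree, so keys and policy are consistent; now look at traffic symmetry.
    if b.encaps > 0 and a.decaps == 0:
        findings.append(("ONE_WAY_TO_A", f"{b.local} encrypted {b.encaps} packets but "
                         f"{a.local} decrypted none: ESP from {b.local} is lost before "
                         f"{a.local}'s crypto engine (path or local drop), not a key problem"))
    if a.encaps > 0 and b.decaps == 0:
        findings.append(("ONE_WAY_TO_B", f"{a.local} encrypted {a.encaps} packets but "
                         f"{b.local} decrypted none: ESP from {a.local} is lost before "
                         f"{b.local}'s crypto engine"))
    return findings or [("OK", "both directions encrypt and decrypt")]


if __name__ == "__main__":
    for code, why in diagnose(parse_ipsec_sa(SITE_A_SA), parse_ipsec_sa(SITE_B_SA)):
        print(code, "-", why)
```

Run against the thread's outputs it reports only `ONE_WAY_TO_A`, which is why the next useful step is counting ESP on the wire rather than touching ISAKMP or transform-set settings: matching SPIs with a zero decaps counter means the packets are not arriving at the crypto engine, and `#recv errors 0` on siteA confirms nothing was received and rejected.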
1 accepted solution

Accepted solution

Mansur
Spotlight
The two sides run different versions; maybe some policy defaults differ, check that.
But in your case the A-to-B direction has both encryption and decryption. B encrypted the return traffic and A did not decrypt it, so A probably never received it.
Capture on the A side and see whether any ESP packets from B are arriving...


3 replies

jia-yupeng
Level 1
maguanghua2013 posted on 2018-7-12 16:34
The two sides run different versions; maybe some policy defaults differ, check that.
But in your case the A-to-B direction has both encryption and decryption. The return traffic is encr ...

Another site is also on version 12.4 and seems to run without problems.
I also did a capture test.
On the B side, the ESP packets B sends to A are matched:
10.128.220.107:
ip access-list extended test
permit esp host 10.128.220.107 host 10.103.2.134 log
permit ip any any
interface GigabitEthernet1
ip address 10.128.220.107 255.255.255.240
ip access-group test out
apnewhkxscs_csr1000v-1#sh access-lists
Extended IP access list test
10 permit esp host 10.128.220.107 host 10.103.2.134 log (5 matches)
20 permit ip any any (81632 matches)
--------
On the A side: no ESP packets from B are received,
10.103.2.134:
ip access-list extended test
permit esp host 10.128.220.107 host 10.103.2.134
permit ip any any
interface GigabitEthernet0/0
ip address 10.103.2.134 255.255.255.252
ip access-group test in
IPV6-2821-CNBJPEK12-01#sh access-lists
Extended IP access list test
10 permit esp host 10.128.220.107 host 10.103.2.134
20 permit ip any any (399 matches)
I don't know whether they are being dropped somewhere along the path or by A itself; there is no firewall on the path.
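The ACL counters posted above are a cheap way to localize a loss without a SPAN session: an egress ACE at the sender and an ingress ACE at the receiver, both matching the same ESP flow, tell you whether the packets left one box and whether they reached the other box's interface. The following added example (mine, not part of the original post and not Cisco code) parses the two `show access-lists` outputs from this reply and turns the pair of counts into a verdict; the ACL text is copied from the reply above, and the address pair is the thread's 10.128.220.107 -> 10.103.2.134.

```python
"""Localize ESP loss from the match counters of capture ACLs on both peers.

Added example for this thread; not part of the original post and not Cisco code.
SITE_B_ACL is the ACL applied outbound on siteB's GigabitEthernet1 and SITE_A_ACL
the one applied inbound on siteA's GigabitEthernet0/0, as posted in the reply above.
"""
import re

SITE_B_ACL = """\
Extended IP access list test
10 permit esp host 10.128.220.107 host 10.103.2.134 log (5 matches)
20 permit ip any any (81632 matches)
"""

SITE_A_ACL = """\
Extended IP access list test
10 permit esp host 10.128.220.107 host 10.103.2.134
20 permit ip any any (399 matches)
"""


def esp_matches(acl_text, src, dst):
    """Match count of the ACE that permits ESP from src to dst.

    IOS prints no "(n matches)" suffix for an entry that has never matched,
    so a line without the suffix counts as 0.
    """
    for line in acl_text.splitlines():
        if f"permit esp host {src} host {dst}" in line:
            m = re.search(r"\((\d+) matches\)", line)
            return int(m.group(1)) if m else 0
    raise ValueError(f"no ESP ACE for {src} -> {dst} in this ACL")


def locate_loss(sent_by_peer, seen_on_ingress):
    """Compare the sender's egress count with the receiver's ingress count."""
    if sent_by_peer == 0:
        return ("NOT_SENT", "the peer never put ESP on the wire; check its SA and "
                            "routing toward the tunnel source, not the path")
    if seen_on_ingress == 0:
        return ("LOST_BEFORE_INGRESS_ACL",
                f"{sent_by_peer} ESP packets left the peer but none reached the "
                f"receiver's inbound ACL: dropped on the path or in the receiver's "
                f"interface before ACL processing")
    if seen_on_ingress < sent_by_peer:
        return ("PARTIAL_LOSS",
                f"{seen_on_ingress}/{sent_by_peer} ESP packets arrived; look for an MTU "
                f"or rate-dependent drop on the path")
    return ("DELIVERED", "ESP arrives at the receiver; if its decaps counter stays 0 "
                         "the drop is inside the receiver (crypto engine or platform)")


def verdict_for_thread():
    sent = esp_matches(SITE_B_ACL, "10.128.220.107", "10.103.2.134")
    seen = esp_matches(SITE_A_ACL, "10.128.220.107", "10.103.2.134")
    return locate_loss(sent, seen)


if __name__ == "__main__":
    print(*verdict_for_thread(), sep=" - ")
```

Two practical notes on the capture ACL itself: keep the trailing `permit ip any any` so the test ACL never blocks production traffic, and remove it (and the `log` keyword, which punts matching packets to the CPU) once the counters have answered the question. On this thread the verdict is `LOST_BEFORE_INGRESS_ACL` with 5 sent and 0 seen, which narrows the fault to the path between the routers or to siteA's own interface handling before the ACL is evaluated.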

jia-yupeng
Level 1
maguanghua2013 posted on 2018-7-12 16:34
The two sides run different versions; maybe some policy defaults differ, check that.
But in your case the A-to-B direction has both encryption and decryption. The return traffic is encr ...

Thanks for the support. I have now swapped in an identical device at site A, upgraded to the same 12.4 version, and the tunnel to site B comes up normally and OSPF runs without problems. (PS: site A was originally using a repurposed R2821; I now suspect the device itself was the problem, dropping the packets internally or not processing them.)