datran posted on 2008-3-29 21:04:38

RouterOS IPSec: the other subnet cannot be reached, please help, thanks

RouterOS 2.9.27 and DrayTek Vigor2910

   ROS   LAN :192.168.68.0/24
         WAN :58.60.116.50

Vigor 2910 Lan:10.10.1.0/24
         Wan:202.198.128.33

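After IPSec was established, the 10.10.1.0/24 subnet can ping the 192.168.68.0/24 subnet and can use Network Neighborhood sharing. But the ROS and the PCs on the 192.168.68.0/24 network cannot ping the 10.10.1.0/24 subnet.

ROS log records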
ipsec ike info:responding phase 2 (src58.60.116.50) (dst 202.198.128.33)
ipsec ike info:received ISAKMP packet from 202.198.128.33:500,phase 2,Quick

ipsec warning:decrypted packed did not match policy


---------------------------------------
ROS IPSEC configuration
ip ipsec> export
# mar/30/2008 05:03:10 by RouterOS 2.9.27
# software id = TFSH-9LN
#
/ ip ipsec policy
add src-address=192.168.68.0/24:any dst-address=10.10.1.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=58.60.116.50 sa-dst-address=202.198.128.33 proposal=GH2 \
    manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=202.198.128.33/32:500 secret="123456" generate-policy=no \
    exchange-mode=main send-initial-contact=yes proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
    lifebytes=0 disabled=no
/ ip ipsec proposal
add name="GH2" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128 \
    lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no

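Could everyone please take a look at what is wrong with my ROS? Thanks, everyone!

smarten posted on 2008-3-30 16:11:29

It's already pretty good that you got it working at all. It should be related to address translation. Does anyone have a working example of setting up IPSEC with an Allied Telesis R750S router?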