I am setting up a VPN between RouterOS and a Cisco 2811, site-to-site. I searched online for some material and made the connection by following the article below:
Rough RouterOS configuration process:
================================
RouterOS was tested in VMware with two virtual interfaces, Ether1 and Ether2. Ether1 has the IP address 192.168.1.18/24 and Ether2 has 10.1.1.1/24.
The IPsec configuration commands are:
1) Set the IKE Phase 1 parameters:
/ip ipsec peer add address=192.168.1.28 secret="cisco123" enc-algorithm=des
2) Set the IKE Phase 2 parameters:
Mainly the encryption algorithm and the authentication method; the default auth-algorithm is sha1.
/ip ipsec proposal set default enc-algorithms=des
3) Define the traffic to be encrypted and the IPsec VPN mode (Tunnel/Transport mode, etc.):
/ip ipsec policy add src-address=10.1.1.0/24 dst-address=10.1.2.0/24 action=encrypt tunnel=yes sa-src=192.168.1.18 sa-dst=192.168.1.28
Also, to use the stronger 3DES encryption, just change the IKE Phase 1 and Phase 2 parameters on both ends, but they must match, or the IKE SA and IPsec SA will not be established.
IPsec SA information on the Cisco router:
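Both ends of the tunnel the article describes, written out with the 3DES option it mentions, as an added example that is not part of the original post or of the article it quotes. The RouterOS lines use the same commands as above with every Phase 1 and Phase 2 parameter spelled out; the Cisco IOS side is assumed (classic crypto-map style, with the transform-set name ros-set and access-list 101 chosen here), and each value that has to agree on both sides is noted in a comment.

```text
# --- RouterOS side (same command family as the quoted article) ---
# Phase 1 (IKE SA): encryption, hash, DH group and pre-shared key must equal the Cisco "crypto isakmp policy"
/ip ipsec peer add address=192.168.1.28 secret="cisco123" exchange-mode=main enc-algorithm=3des hash-algorithm=sha1 dh-group=modp1024
# Phase 2 (IPsec SA): must equal the Cisco transform-set (esp-3des esp-sha-hmac); PFS off on both sides
/ip ipsec proposal set default enc-algorithms=3des auth-algorithms=sha1 pfs-group=none
# Interesting traffic: the mirror image of Cisco access-list 101, tunnel mode between the two public addresses
/ip ipsec policy add src-address=10.1.1.0/24 dst-address=10.1.2.0/24 action=encrypt tunnel=yes sa-src-address=192.168.1.18 sa-dst-address=192.168.1.28

! --- Cisco IOS side (assumed configuration that produces the "sh crypto ipsec sa" output quoted below) ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.18
!
crypto ipsec transform-set ros-set esp-3des esp-sha-hmac
 mode tunnel
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.1.18
 set transform-set ros-set
 match address 101
!
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface FastEthernet0
 ip address 192.168.1.28 255.255.255.0
 crypto map mymap
```

Once traffic matching the policy flows, `sh crypto ipsec sa` on the Cisco and `/ip ipsec installed-sa print` on RouterOS should each list one inbound and one outbound ESP SA with the same pair of SPIs, as in the outputs quoted below; if either side shows no SA, the mismatch is in one of the commented parameter pairs.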
======================================
Cisco1721#sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: mymap, local addr. 192.168.1.28
protected vrf:
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.18:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.28, remote crypto endpt.: 192.168.1.18
path mtu 1500, media mtu 1500
current outbound spi: D2B7C901
inbound esp sas:
spi: 0x1FC07E86(532708998)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 200, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD2B7C901(3535259905)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 201, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Cisco1721#
IPsec SA information on RouterOS:
============================================
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x1FC07E86 direction=out src-address=192.168.1.18 dst-address=192.168.1.28 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="88309c224c6ed89360737f9052b8ca3465d73e4a"
enc-key="eef065a84c5ae446" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=5184
1 E spi=0xD2B7C901 direction=in src-address=192.168.1.28 dst-address=192.168.1.18 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="b8b7144e6cbeb3fc1960452c4da244726ef17dd8"
enc-key="9c8fd493ea2da1ec" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=4960
[admin@MikroTik] >
But after I set it up it never connects; all I get is
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
and no other information.
The status column under ipsec peer and ipsec proposal shows disabled.
The status column under ip policy shows no phase2.
I thought it might be the masquerade address priority and changed that as well, but it still will not connect. Could an expert please help me solve this!