[Other] Help with a ROS IPsec connection problem, experts please come in

Posted on 2007-8-17 09:37:01

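I am now connecting ROS to a Cisco 2811 over VPN in site-to-site mode. I looked up some material online and set up the connection following the article below:

Rough RouterOS configuration procedure:
================================
RouterOS was tested in VMware with two virtual interfaces, Ether1 and Ethernet2; Ether1 has IP address 192.168.1.18/24 and Ether2 has IP address 10.1.1.1/24.

The configuration commands for the IPSec part are:
1) Set the IKE Phase 1 parameters:
/ip ipsec peer add address=192.168.1.28 secret="cisco123" enc-algorithm=des

2) Set the IKE Phase 2 parameters:
This mainly covers the encryption algorithm and authentication method for the protected traffic; the default auth-algorithm is sha1
/ip ipsec proposal set default enc-algorithms=des

3) Define in detail the traffic to be encrypted and the IPSec VPN mode: Tunnel/Transport Mode, etc.
/ip ipsec policy add src-address=10.1.1.0/24 dst-address=10.1.2.0/24 action=encrypt tunnel=yes sa-src=192.168.1.18 sa-dst=192.168.1.28

In addition, to use the stronger 3DES encryption, just change the IKE Phase 1 and Phase 2 parameters on both sides, but they must match for the IKE SA and IPSec SA to be established successfully.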

IPSec SA information on the Cisco router:
======================================
Cisco1721#sh crypto ipsec sa

interface: FastEthernet0
Crypto map tag: mymap, local addr. 192.168.1.28

protected vrf:
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.18:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.1.28, remote crypto endpt.: 192.168.1.18
path mtu 1500, media mtu 1500
current outbound spi: D2B7C901

inbound esp sas:
spi: 0x1FC07E86(532708998)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 200, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD2B7C901(3535259905)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 201, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

Cisco1721#

IPSec SA information on RouterOS:
============================================
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x1FC07E86 direction=out src-address=192.168.1.18 dst-address=192.168.1.28 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="88309c224c6ed89360737f9052b8ca3465d73e4a"
enc-key="eef065a84c5ae446" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=5184

1 E spi=0xD2B7C901 direction=in src-address=192.168.1.28 dst-address=192.168.1.18 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="b8b7144e6cbeb3fc1960452c4da244726ef17dd8"
enc-key="9c8fd493ea2da1ec" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=4960
[admin@MikroTik] >


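But after I set it up it never works. All I get is
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
and no other information.

The status column under ipsec peer and ipsec proposal shows disabled
The status column under ip policy shows no phase2


I suspected the masquerade address priority was the cause and changed that too, but it still just won't connect. Experts, please help me solve this!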
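
A way to check mechanically whether the two ends negotiated matching ESP SAs, as the working dumps quoted in the post do. This is an added example, not part of the original post or of either vendor's tooling; the function names are hypothetical, the sample lines are abridged from the two dumps above, and the `sha` to `sha1` name mapping is an assumption based on those dumps.

```python
import re

# Constructed sample input: lines abridged from the two SA dumps quoted in the post.
CISCO = """inbound esp sas:
spi: 0x1FC07E86(532708998)
transform: esp-des esp-sha-hmac ,
outbound esp sas:
spi: 0xD2B7C901(3535259905)
transform: esp-des esp-sha-hmac ,"""
ROS = """0 E spi=0x1FC07E86 direction=out src-address=192.168.1.18 dst-address=192.168.1.28 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature
1 E spi=0xD2B7C901 direction=in src-address=192.168.1.28 dst-address=192.168.1.18 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature"""
AUTH = {"sha": "sha1"}  # Cisco transform name -> RouterOS auth-algorithm name (assumed)
WEAK = {"des"}          # single DES has a 56-bit key

def parse_cisco(text):
    """Return {direction: (spi, enc, auth)} for the ESP SAs in 'sh crypto ipsec sa'."""
    sas, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(in|out)bound (\w+) sas:", line):
            cur = m.group(1) if m.group(2) == "esp" else None  # skip AH/PCP sections
        elif cur and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            sas[cur] = [int(m.group(1), 16), None, None]
        elif cur in sas and (m := re.match(r"transform: esp-(\S+) esp-(\w+)-hmac", line)):
            sas[cur][1:] = [m.group(1), AUTH.get(m.group(2), m.group(2))]
    return {d: tuple(v) for d, v in sas.items()}

def parse_ros(text):
    """Return {direction: (spi, enc, auth)} from 'ip ipsec installed-sa print'."""
    sas = {}
    # Records wrap over several lines; rejoin, then split at each "<n> E spi=".
    for rec in re.split(r"\b\d+ +E +(?=spi=)", " ".join(text.split()))[1:]:
        kv = dict(re.findall(r"([\w-]+)=(\S+)", rec))
        sas[kv["direction"]] = (int(kv["spi"], 16), kv["enc-algorithm"], kv["auth-algorithm"])
    return sas

def check(cisco, ros):
    """A Cisco inbound SA must pair with the RouterOS 'out' SA, and vice versa."""
    problems = []
    for c_dir, r_dir in (("in", "out"), ("out", "in")):
        c, r = cisco.get(c_dir), ros.get(r_dir)
        if c is None or r is None:
            problems.append(f"missing SA: Cisco {c_dir}bound / RouterOS {r_dir}")
        elif c[0] != r[0]:
            problems.append(f"SPI mismatch: {c[0]:#x} vs {r[0]:#x}")
        elif c[1:] != r[1:]:
            problems.append(f"transform mismatch: {c[1:]} vs {r[1:]}")
        elif r[1] in WEAK:
            problems.append(f"weak cipher {r[1]} on SPI {r[0]:#x}")
    return problems
```

Calling `check(parse_cisco(CISCO), parse_ros(ROS))` on the sample reports only the weak-cipher findings; feeding `parse_ros` a print that contains nothing but the Flags line, as in the failing case described above, yields a missing-SA finding for each direction.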