关于神州数码路由器IPSEC不得不说的事

      一句话神码路由器的IPSEC很有特色

     实验环境:两台路由器直接相连一共3个网段192.168.0.0192.168.1.0192.168.2.0其中192.168.1.0模拟公网另外两个网段模拟私有网络通过启用IPSEC ×××实现这两个网段安全通信。

开始配置时两个路由器配置文件如下

路由器R1

show running-config
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--         ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2

!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

路由器R2

show run
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2

!
gbsc group default
!    

crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--         ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1  
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list standard 123
permit ip any !

ip nat inside source list 123 interface FastEthernet0/0

!
R2_config#

通过show crypto ipsec sa和show crypto iskmp sa发现不能正常建立IPSEC连接也就是IPSEC通道没有激活啥问题检查配置没有错误啊。算了去掉NAT测试通过show crypto ipsec sa和show crypto iskmp sa发现能正常建立IPSEC连接。不理解了。。。。。。

经过拨打神码400电话后更改配置如下

路由器R1

show running-config
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--         ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2

!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
deny   ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip any any

!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

路由器R2

show run
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2

!
gbsc group default
!    

crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
--More--         ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1  
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list extended 123
deny   ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
permit ip any any
!

ip nat inside source list 123 interface FastEthernet0/0

!
R2_config#

      也就是在上面的配置和初始的配置差别在NAT的访问控制列表上面的配置中扩展的访问控制列表先拒绝192.168.0.0和192.168.2.0网段数据进行NAT然后允许所有。经过这样配置IPSEC的通道就能ACTIVE。

     事后分析神码路由的操作系统内部流程nat优先于IPSEC。