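Preface:
Objectives
- Build the topology according to the diagram
- Assign IP addresses to the respective ports
- Configure default routes to R3 on SITE-A-ROUTER and SITE-B-ROUTER (routers 1 and 2)
- Configure static routes on router 3, which acts as the ISP NAT device
- Configure an extended ACL for the subnets that must reach each other
- Enable crypto ISAKMP
- Configure the crypto ISAKMP policy
- Configure the pre-shared key
- Configure the IPsec transform set on both sites
- Configure the IPsec security association lifetime
- Configure the crypto map
- Apply the crypto map on the interface
- Configure IP static NAT on router 3
- Configure NAT inside and outside on router 3
- Ensure that 192.168.10.1 can reach 192.168.20.1 through IPsec, with the IP translated to 100.100.100.100
Configuration:
Assign IP addresses to the respective ports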
SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#exit
SITE-A-ROUTER(config)#interface fastethernet 0/0
SITE-A-ROUTER(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#no keepalive
SITE-A-ROUTER(config-if)#exit
Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip address 192.168.1.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit
Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip address 192.168.2.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit
SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
SITE-B-ROUTER(config-if)#no shutdown
SITE-B-ROUTER(config-if)#exit
SITE-B-ROUTER(config)#interface fastethernet 0/0
SITE-B-ROUTER(config-if)#ip address 192.168.20.1 255.255.255.0
SITE-B-ROUTER(config-if)#no shutdown
SITE-B-ROUTER(config-if)#exit
Check the configured IP addresses on each device
SITE-A-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up
Serial4/0 192.168.1.1 YES manual up up
SITE-B-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.20.1 YES manual up up
Serial4/1 192.168.2.1 YES manual up up
Internet-NAT-Device#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Serial4/0 192.168.1.2 YES manual up up
Serial4/1 192.168.2.2 YES manual up up
Configure default routes to R3 on SITE-A-ROUTER and SITE-B-ROUTER (routers 1 and 2)
SITE-A-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
SITE-A-ROUTER(config)#end
SITE-B-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
SITE-B-ROUTER(config)#end
Configure static routes on router 3, which acts as the ISP NAT device
Internet-NAT-Device(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
Internet-NAT-Device(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
Internet-NAT-Device(config)#end
Configure an extended ACL for the subnets that must reach each other
SITE-A-ROUTER(config)#ip access-list extended important-traffic
SITE-A-ROUTER(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-A-ROUTER(config-ext-nacl)#exit
SITE-B-ROUTER(config)#ip access-list extended important-traffic
SITE-B-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-B-ROUTER(config-ext-nacl)#end
Check the configured ACL
SITE-A-ROUTER#show ip access-list
Extended IP access list important-traffic
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-B-ROUTER#show ip access-list
Extended IP access list important-traffic
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Enable crypto ISAKMP
SITE-A-ROUTER(config)#crypto isakmp enable
SITE-B-ROUTER(config)#crypto isakmp enable
Configure the crypto ISAKMP policy
SITE-A-ROUTER(config)#crypto isakmp policy 20
SITE-A-ROUTER(config-isakmp)#authentication pre-share
SITE-A-ROUTER(config-isakmp)#encryption aes 256
SITE-A-ROUTER(config-isakmp)#hash sha
SITE-A-ROUTER(config-isakmp)#group 5
SITE-A-ROUTER(config-isakmp)#lifetime 3600
SITE-A-ROUTER(config-isakmp)#exit
SITE-B-ROUTER(config)#crypto isakmp policy 20
SITE-B-ROUTER(config-isakmp)#authentication pre-share
SITE-B-ROUTER(config-isakmp)#encryption aes 256
SITE-B-ROUTER(config-isakmp)#hash sha
SITE-B-ROUTER(config-isakmp)#group 5
SITE-B-ROUTER(config-isakmp)#lifetime 3600
SITE-B-ROUTER(config-isakmp)#end
Check the configured ISAKMP policy
SITE-A-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
SITE-B-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
Configure the pre-shared key
SITE-A-ROUTER(config)#crypto isakmp key 0 internetworks address 192.168.2.1
SITE-A-ROUTER(config)#end
SITE-B-ROUTER(config)#crypto isakmp key 0 internetworks address 100.100.100.100
SITE-B-ROUTER(config)#end
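// In the command above, I changed the address on router 2 from 192.168.1.1 to 100.100.100.100, because router 1's IP 192.168.1.1 looks different from the other side, namely 100.100.100.100. Next, I will change the peer address in the crypto map on router 2 only, so we need to change the address to the static NAT address in order to get a working IPsec VPN.
// When configuring an IPsec VPN, it is essential that the peers on both ends identify each other's address correctly. In this scenario, router 1's internal IP address is 192.168.1.1, and after passing through the NAT device this address is translated to 100.100.100.100 on the external network. For router 2 to identify router 1 correctly and establish the VPN connection with it, we need to update the peer address in router 2's crypto map configuration to the NAT-translated static IP address 100.100.100.100.
// This way, when router 2 tries to establish the VPN tunnel with router 1, it uses the correct IP address, so the IPsec VPN connection is established successfully and runs stably. In this way, secure data transmission across networks is possible even in a NAT environment.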
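The peer-address rule described above can be checked mechanically before the tunnel is brought up. The following Python sketch is an added example, not part of the original article; the configuration snippets are constructed from the commands used in this lab, and the function names are hypothetical.

```python
import re

# Constructed sample configs, assembled from the commands used in this lab.
NAT_DEVICE_CFG = """\
ip nat inside source static 192.168.1.1 100.100.100.100
"""
SITE_B_CFG = """\
crypto isakmp key 0 internetworks address 100.100.100.100
crypto map CRYPTO-MAP 10 ipsec-isakmp
 match address important-traffic
 set peer 100.100.100.100
 set transform-set TRANSF-SET
"""
# Constructed misconfiguration: the crypto map still points at the pre-NAT address.
SITE_B_STALE_CFG = SITE_B_CFG.replace("set peer 100.100.100.100",
                                      "set peer 192.168.1.1")

def static_nat_map(cfg):
    """Return {inside_local: inside_global} from 'ip nat inside source static' lines."""
    pat = re.compile(r"^\s*ip nat inside source static (\S+) (\S+)\s*$", re.M)
    return {local: glob for local, glob in pat.findall(cfg)}

def peer_references(cfg):
    """Return (kind, address) for every ISAKMP key address and crypto-map peer."""
    refs = [("isakmp key", a) for a in
            re.findall(r"^\s*crypto isakmp key .* address (\S+)", cfg, re.M)]
    refs += [("crypto map peer", a) for a in
             re.findall(r"^\s*set peer (\S+)", cfg, re.M)]
    return refs

def audit_remote_site(remote_cfg, nat_cfg, peer_real_addr):
    """List places where the remote site does not use the peer's post-NAT address."""
    nat = static_nat_map(nat_cfg)
    expected = nat.get(peer_real_addr, peer_real_addr)  # no NAT entry: real address
    return [f"{kind} uses {addr}, expected {expected}"
            for kind, addr in peer_references(remote_cfg) if addr != expected]

if __name__ == "__main__":
    for name, cfg in (("as configured", SITE_B_CFG), ("stale peer", SITE_B_STALE_CFG)):
        print(name, audit_remote_site(cfg, NAT_DEVICE_CFG, "192.168.1.1") or "OK")
```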
Configure the IPsec transform set on both sites
SITE-A-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-A-ROUTER(cfg-crypto-trans)#end
SITE-B-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-B-ROUTER(cfg-crypto-trans)#end
Check the configured IPsec transform set
SITE-A-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-B-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
Configure the IPsec security association lifetime
SITE-A-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-A-ROUTER(config)#exit
SITE-B-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-B-ROUTER(config)#end
SITE-A-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds
SITE-B-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds
Configure the crypto map
SITE-A-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-A-ROUTER(config-crypto-map)#match address important-traffic
SITE-A-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-A-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-A-ROUTER(config-crypto-map)#exit
SITE-A-ROUTER(config)#end
SITE-B-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-B-ROUTER(config-crypto-map)#match address important-traffic
SITE-B-ROUTER(config-crypto-map)#set peer 100.100.100.100
SITE-B-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-B-ROUTER(config-crypto-map)#END
SITE-A-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
SITE-B-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
Apply the crypto map on the interface
SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-A-ROUTER(config-if)#exit
SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-B-ROUTER(config-if)#end
SITE-B-ROUTER#show crypto map interface serial 4/1
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
Serial4/1
SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/100 ms
SITE-A-ROUTER#show crypto ipsec sa
interface: Serial4/0
Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
current outbound spi: 0xFD7D51CD(4252848589)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x367632C(57107244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4546969/1781)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFD7D51CD(4252848589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4546969/1781)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 32/62/96 ms
SITE-B-ROUTER#show crypto ipsec sa
interface: Serial4/1
Crypto map tag: CRYPTO-MAP, local addr 192.168.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
current outbound spi: 0x367632C(57107244)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFD7D51CD(4252848589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4383954/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x367632C(57107244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4383954/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Configure IP static NAT and NAT inside/outside on router 3
Internet-NAT-Device(config)#ip nat inside source static 192.168.1.1 100.100.100.100
Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip nat inside
Internet-NAT-Device(config-if)#exit
Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip nat outside
Internet-NAT-Device(config-if)#exit
SITE-A-ROUTER#clear crypto isakmp
SITE-A-ROUTER#clear crypto session
SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/60/140 ms
SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 24/60/144 ms
Internet-NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 100.100.100.100:4500 192.168.1.1:4500 192.168.2.1:4500 192.168.2.1:4500
--- 100.100.100.100 192.168.1.1 --- ---
SITE-A-ROUTER#show crypto ipsec sa
interface: Serial4/0
Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2219, #pkts encrypt: 2219, #pkts digest: 2219
#pkts decaps: 2219, #pkts decrypt: 2219, #pkts verify: 2219
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
current outbound spi: 0x3BD9F3C0(1004139456)
PFS (Y/N): N, DH group: none
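The outputs above show the peer port moving from 500 to 4500 once the static NAT is in place, together with a UDP 4500 entry in the NAT table. The following Python sketch is an added example, not part of the original article, that automates this verification; the excerpts are constructed from the lab outputs and the function names are hypothetical.

```python
import re

# Constructed excerpts based on the outputs shown in this lab.
SA_AFTER_NAT = """\
 Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
 current_peer 192.168.2.1 port 4500
 #pkts encaps: 2219, #pkts encrypt: 2219, #pkts digest: 2219
 #pkts decaps: 2219, #pkts decrypt: 2219, #pkts verify: 2219
"""
SA_BEFORE_NAT = SA_AFTER_NAT.replace("port 4500", "port 500")
NAT_TABLE = """\
Pro Inside global Inside local Outside local Outside global
udp 100.100.100.100:4500 192.168.1.1:4500 192.168.2.1:4500 192.168.2.1:4500
--- 100.100.100.100 192.168.1.1 --- ---
"""

def parse_sa(text):
    """Pull local address, peer, UDP port and packet counters from one SA block."""
    m = {
        "local": re.search(r"local addr (\S+)", text),
        "peer": re.search(r"current_peer (\S+) port (\d+)", text),
        "encaps": re.search(r"#pkts encaps: (\d+)", text),
        "decaps": re.search(r"#pkts decaps: (\d+)", text),
    }
    if not all(m.values()):
        raise ValueError("not a 'show crypto ipsec sa' block")
    return {"local": m["local"].group(1), "peer": m["peer"].group(1),
            "port": int(m["peer"].group(2)),
            "encaps": int(m["encaps"].group(1)),
            "decaps": int(m["decaps"].group(1))}

def check_nat_t(sa_text, nat_text):
    """Return a list of problems found; an empty list means no check failed."""
    sa, problems = parse_sa(sa_text), []
    if sa["port"] != 4500:  # UDP 4500 means ESP is carried inside UDP (NAT-T)
        problems.append(f"peer port {sa['port']}: ESP is not UDP-encapsulated")
    if (sa["encaps"] > 0) != (sa["decaps"] > 0):
        problems.append("traffic flows in one direction only")
    # The NAT device should hold a UDP 4500 entry for the router behind it.
    want = f"{sa['local']}:4500"
    rows = [l.split() for l in nat_text.splitlines() if l.startswith("udp")]
    if not any(len(r) >= 3 and r[2] == want for r in rows):
        problems.append(f"no UDP 4500 translation for {sa['local']}")
    return problems
```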
Originally published on the WeChat official account 释然IT杂谈: The "Invisibility Cloak" of the Network World: IPsec NAT Traversal