Can someone help me figure out why the VPN won't come up?

savi_bj
Level 1
------------------------ Server side
sever-set# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname sever-set
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.100.221 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list 110 extended permit icmp any any
access-list vpn extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set cisco esp-3des esp-sha-hmac
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 192.168.100.222
crypto map cisco 10 set trustpoint cisco
crypto map cisco interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.100.222 type ipsec-l2l
tunnel-group 192.168.100.222 ipsec-attributes
ikev1 pre-shared-key csico
---------------------------------------------------- Client side
set1# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname set1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif outside
security-level 0
ip address 192.168.100.222 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 2.2.2.2 255.255.255.0
!
ftp mode passive
access-list 110 extended permit icmp any any
access-list vpn extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 192.168.100.221
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.100.221 type ipsec-l2l
tunnel-group 192.168.100.221 ipsec-attributes
pre-shared-key *****
4 replies

one-time
Level 13
Thanks for your question, someone will be along to answer it! :):handshake

Mansur
Spotlight
To troubleshoot this properly, check on each of the two ASAs whether the ISAKMP and IPsec SAs have actually been established, so you can pin down where the problem is.
I haven't used ASA versions earlier than 8.4, so I'm not sure whether your client-side configuration is correct,
but judging from the configuration you posted, the transform-set reference on the server side should be this:
crypto map cisco 10 set ikev1 transform-set cisco

savi_bj
Level 1
Let me test that.

gang liu
Level 1
This is a test environment, right? What does the topology look like? First confirm that the two public addresses can reach each other.
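As an added illustration (not code from the thread), here is a small Python checker that applies Mansur's transform-set point and gang liu's peer-address check to the two posted configurations. It parses constructed, trimmed excerpts of both "show run" dumps and flags a crypto map that binds no transform-set, a "set peer" that is not an interface address on the other ASA, and IKEv1 policies that do not agree; the function names (parse_asa, check_l2l) are my own.

```python
import re

# Constructed excerpts of the two 'show run' dumps in the post (server ASA 8.4(1), client ASA 8.2(5)).
SERVER_CFG = """\
ip address 192.168.100.221 255.255.255.0
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 192.168.100.222
crypto map cisco 10 set trustpoint cisco
crypto ikev1 policy 10
encryption 3des
hash sha
group 2
"""
CLIENT_CFG = """\
ip address 192.168.100.222 255.255.255.0
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 192.168.100.221
crypto map cisco 10 set transform-set cisco
crypto isakmp policy 10
encryption 3des
hash sha
group 2
"""

def parse_asa(cfg):
    # Interface IPs, crypto-map settings and IKEv1 policy attributes from an unindented dump.
    info, policy = {"ips": set(), "map": {}, "policy": {}}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"ip address (\S+) \S+$", line):
            info["ips"].add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set (?:ikev1 )?transform-set) (\S+)$", line):
            info["map"][m.group(1).split()[-1]] = m.group(2)  # keys: address, peer, transform-set
        elif m := re.match(r"crypto (?:isakmp|ikev1) policy (\d+)$", line):
            policy = info["policy"].setdefault(m.group(1), {})
        elif policy is not None and re.match(r"(authentication|encryption|hash|group) \S+$", line):
            policy.update([line.split()])
    return info

def check_l2l(server_cfg, client_cfg):
    # Mismatches that keep the tunnel down; an empty list means the two sides are consistent.
    s, c = parse_asa(server_cfg), parse_asa(client_cfg)
    findings = []
    for name, me, peer in (("server", s, c), ("client", c, s)):
        if "transform-set" not in me["map"]:
            findings.append(f"{name}: crypto map binds no transform-set")
        if me["map"].get("peer") not in peer["ips"]:
            findings.append(f"{name}: set peer does not match any address on the other ASA")
    if not any(p == q for p in s["policy"].values() for q in c["policy"].values()):
        findings.append("no IKEv1 policy agrees on authentication/encryption/hash/group")
    return findings
```

Run against the excerpts as posted, the only finding is the server crypto map with no transform-set; adding the "set ikev1 transform-set cisco" line Mansur suggests clears it.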