This post was last edited by zhangzhihui1 on 2017-3-7 15:57
1. The Cisco ASA 5525 has a static address (9.4)
2. The Juniper SSG140 uses PPPoE dial-up (6.2)
ASA configuration:
crypto ikev1 policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ipsec ikev1 transform-set VPNSET esp-des esp-md5-hmac
crypto dynamic-map dmap 10 match address vpn
crypto dynamic-map dmap 10 set ikev1 transform-set VPNSET
crypto dynamic-map dmap 10 set pfs group1
crypto dynamic-map dmap 10 set reverse-route
crypto map vpn 10 ipsec-isakmp dynamic dmap
access-list vpn extended permit ip 10.15.0.0 255.255.0.0 10.14.0.0 255.255.0.0
access-list vpn extended permit ip 10.15.0.0 255.255.0.0 192.168.14.0 255.255.255.0
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
object-group network Inside-vpn
network-object 10.15.0.0 255.255.0.0
object-group network NONAT
network-object 10.14.0.0 255.255.0.0
network-object 192.168.14.0 255.255.255.0
nat (inside,outside6) source static Inside-vpn Inside-vpn destination static NONAT NONAT
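The Juniper is configured in the normal way.
Problem:
Phase 1 is sometimes there and sometimes not.
There is no phase 2.
The VPN cannot be established.
Debug log:
ASA: debug crypto ikev1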
Mar 06 17:57:14 [IKEv1]Group = DefaultL2LGroup, IP = 58.49.172.82, Session is being torn down. Reason: Peer Address Changed
Mar 06 17:57:31 [IKEv1]Group = DefaultL2LGroup, IP = 58.49.172.82, Session is being torn down. Reason: Peer Address Changed
Mar 06 17:57:37 [IKEv1]Group = DefaultL2LGroup, IP = 58.49.172.82, Session is being torn down. Reason: Peer Address Changed
The Juniper log shows both phases as established: