VPN experts, come in: LAN-to-LAN VPN configuration problem

Source: Internet   Entered by: admin   Published: 2008-11-19 13:11:45

hellohjt posted on 2008-5-18 01:05

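VPN experts, come in: LAN-to-LAN VPN configuration problem

I configured a LAN-to-LAN VPN between two PIX firewalls, following material I found online. I think the configuration should be correct, but I still cannot ping the address on the other side. Yet every time I ping, the pkt counters in show crypto ipsec sa change, and they are the same on both ends, as shown below: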
vpn1# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 116.228.*.*
      access-list 100 permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 60.191.*.*
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 116.228.*.*, remote crypto endpt.: 60.191.*.*

vpn2# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 60.191.*.*
      access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
      current_peer: 116.228.*.*
      #pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 74, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 60.191.*.*, remote crypto endpt.: 116.228.*.*


Also: a PC behind VPN1 can tracert the 116.228.*.* address, but a traceroute to this address from VPN1 itself gets stuck at the last step.
What is the reason?

[This post was last edited by hellohjt on 2008-5-18 01:08]

kill204 posted on 2008-5-18 09:21

It's a software one, right? Our organization uses hardware Netgear, a 538 connected to a 114.

yonx posted on 2008-5-18 10:45

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74


#pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

The two sides are not the same. It looks like only one direction is working and the other direction is not.

out111 posted on 2008-5-20 16:12

*** Author banned or deleted; content automatically hidden ***

hellohjt posted on 2008-5-20 18:53

Heh, found the cause. The configuration was not wrong; the target PC on the other side had ping disabled.
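
The counter comparison used in this thread, as an added example that is not part of the original posts: it parses the `show crypto ipsec sa` counters from both peers and classifies each direction of the tunnel. The sample text is constructed from the counter lines quoted above; the function names and status labels are assumptions of this example.

```python
import re

# Constructed sample input: counter lines as quoted in the thread's
# `show crypto ipsec sa` output (addresses masked as on the page).
VPN1 = """\
      current_peer: 60.191.*.*
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
      #send errors: 0, #recv errors: 0
"""
VPN2 = """\
      current_peer: 116.228.*.*
      #pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Matches every "#name: N" pair, several per line.
COUNTER = re.compile(r"#([A-Za-z][A-Za-z .-]*?):\s*(\d+)")

def parse_sa(text):
    """Return {counter name: int} for one peer's SA output."""
    return {name.strip(): int(value) for name, value in COUNTER.findall(text)}

def diagnose(peers):
    """peers: {name: counters} for the two tunnel endpoints.
    Returns {"src->dst": status} for both directions (labels are hypothetical)."""
    (a, ca), (b, cb) = peers.items()
    result = {}
    for src, s, dst, d in ((a, ca, b, cb), (b, cb, a, ca)):
        sent, received = s["pkts encaps"], d["pkts decaps"]
        if sent == 0:
            status = "no-traffic-sent"   # nothing entered the tunnel at src
        elif received < sent:
            status = "lost-in-transit"   # encrypted at src, never decrypted at dst
        else:
            status = "ok"                # dst decapsulated what src encapsulated
        result[f"{src}->{dst}"] = status
    return result

if __name__ == "__main__":
    peers = {"vpn1": parse_sa(VPN1), "vpn2": parse_sa(VPN2)}
    for direction, status in diagnose(peers).items():
        print(direction, status)
```

A `no-traffic-sent` result for vpn1->vpn2 alongside `ok` for vpn2->vpn1 means the tunnel delivered the requests but no replies ever reached vpn1 for encryption, which points at the host or path behind vpn1 rather than at the IPsec configuration.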