DMVPN Configuration Analysis

2009-09-22 16:09:57 | Category: Cisco networking

Wednesday, 5 December 2007, 04:56

DMVPN is commonly used in LAN-to-LAN (L2L) designs for large networks, to simplify configuration and management. Otherwise, building and managing VPNs for hundreds of branch sites becomes awkward.

DMVPN basic topology: R1 is the hub site, R2 and R3 are spoke sites

192.168.1.0/24 -- R1 -- 192.1.1.1 -- SW or WAN -- 192.1.1.2 -- R2 -- 192.168.2.0/24
                                         |
                                         +------ 192.1.1.3 -- R3 -- 192.168.3.0/24

GRE tunnels (mGRE subnet 172.1.1.0/24):
    R1 172.1.1.1 <-> R2 172.1.1.2
    R1 172.1.1.1 <-> R3 172.1.1.3

Requirements: OSPF runs on the internal networks, and hub and spokes must learn each other's routes dynamically; hub-to-spoke and spoke-to-spoke traffic must be protected by VPN.

DMVPN hub configuration

crypto isakmp policy 10

authentication pre-share

group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

Phase 1 policy. Note the wildcard pre-shared key: the hub does not know the spokes' addresses in advance.

!

crypto ipsec transform-set cisco esp-aes esp-sha-hmac

mode transport

Sets transport mode, used for the GRE point-to-point structure.

crypto ipsec profile deng

This syntax simplifies the configuration: it allows several transform sets to be grouped together, which you need in order to match the policies of multiple spokes.

set transform-set cisco

interface Loopback0

ip address 192.168.1.1 255.255.255.0

!

interface Tunnel0

This is the core of the configuration: the tunnel commands handle the tunnel itself and the ip nhrp commands handle reachability across the network.

ip address 172.1.1.1 255.255.255.0

no ip redirects

ip nhrp authentication cisco123

Enables NHRP authentication so that the hub cannot be fooled by spoofed registrations; a common security measure at the WAN edge.

ip nhrp map multicast dynamic

Dynamically maps multicast traffic; this is how the spoke sites' routes will be learned.

ip nhrp network-id 10000

Specifies the network ID; all endpoints of the same tunnel must use the same ID and sit in one subnet.

ip nhrp holdtime 500

Timer for detecting a dead peer; the default is 2 hours.

ip nhrp cache non-authoritative

Generated by default.

ip ospf network broadcast

Enables the broadcast network type so that a DR can be elected; otherwise routing will have problems.

ip ospf priority 2

Makes the hub site the DR.

tunnel source 192.1.1.1

tunnel mode gre multipoint

Multipoint mode.

tunnel key 10000

Used to tell tunnels apart when there are several.

tunnel protection ipsec profile deng

This is very important: it plays the role of a crypto map and is what triggers the VPN engine. Once profile DENG is applied here, there is no need to apply a crypto map on the physical interface. Note also that only the transform set (set to transport mode) is referenced here: there is no peer and no crypto ACL, which means that any peer and any packet hitting the GRE tunnel triggers the VPN, including the WAN interface, because the tunnel source is defined on the WAN interface. // Correction: that is wrong. WAN traffic does not trigger the VPN; only GRE traffic does (the ACL is the default permit ip any any statement, and under the simplified ipsec-profile configuration there is no command for configuring an ACL). This is often hard to grasp: how is traffic on the VTI interface distinguished from traffic on the physical interface? Some people at Cisco are clever here. A VTI resembles a GRE tunnel but is not identical to one; its appeal is that although the traffic ultimately has to cross the physical link, only the tunnel traffic triggers the VPN.

The meaning of tunnel protection ipsec profile deng is: IPsec traffic is attached to the tunnel interface, not to a physical interface (even though the tunnel source and destination addresses always refer to traffic on the physical interface)!

All of the configuration above is required; the tunnel interface configuration should be checked carefully.

interface FastEthernet0/0

ip address 192.1.1.1 255.255.255.0

duplex half

router ospf 1

log-adjacency-changes

network 172.1.1.0 0.0.0.255 area 1

network 192.168.1.0 0.0.0.255 area 0

The idea here is to trust the stability of the backbone: the hub LAN goes into area 0, while all the spokes' connecting networks go into area 1. The benefit, of course, is easier OSPF troubleshooting.

An alternative is to put the spoke connections into area 0 as well, and only place the spoke LANs in other areas.

DMVPN spoke R2 configuration:

crypto isakmp policy 10

authentication pre-share

group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

Also a wildcard key here, because the spoke needs to communicate with other spokes as well.

!

crypto ipsec transform-set cisco esp-aes esp-sha-hmac

mode transport

!

crypto ipsec profile deng

set transform-set cisco

interface Loopback0

ip address 192.168.2.1 255.255.255.0

!

interface Tunnel0

ip address 172.1.1.2 255.255.255.0

no ip redirects

ip nhrp authentication cisco123

ip nhrp map multicast 192.1.1.1

Compare with R1's configuration: R1 has to learn the spoke routing information dynamically, because a spoke may obtain its address from a DHCP server.

The spoke must point statically at the hub's physical interface address, not at the tunnel address. Essentially this command is how the spoke obtains the other spokes' routing entries, since routing information is flooded as multicast.

ip nhrp map 172.1.1.1 192.1.1.1

Maps the physical interface to the tunnel; same principle as above.

ip nhrp network-id 10000

ip nhrp holdtime 500

ip nhrp nhs 172.1.1.1

This command sets the hub's tunnel address as the server from which the spoke obtains next-hop routes; it handles the spoke's NHRP queries.

ip nhrp cache non-authoritative

ip ospf network broadcast

ip ospf priority 0

(This is important: it rules out the spoke device becoming DR/BDR; otherwise the whole routing scheme would be a mess.)

tunnel source FastEthernet0/0

Here the source must point at the interface, because DHCP may hand out different IP addresses.

tunnel mode gre multipoint

tunnel key 10000

tunnel protection ipsec profile deng

!

interface FastEthernet0/0

ip address 192.1.1.2 255.255.255.0

duplex half

router ospf 1

log-adjacency-changes

network 172.1.1.0 0.0.0.255 area 1

network 192.168.2.0 0.0.0.255 area 1

Configuration analysis:

1. Routing reachability: no default route is needed in this lab, because once the tunnel is configured successfully, routing information is exchanged over it.

2. VPN approach:

Neither the hub nor the spokes specify a peer or a crypto ACL statically; only a transform set is configured, and the interesting traffic is sensed automatically: all of the traffic. Note that this raises another question: if there is traffic you do not want protected, you need to think about split tunnelling or a separate WAN connection.

How are routing reachability and the VPN structure fused together?

The physical interface carries the tunnel between hub and spokes to exchange routes; GRE does this well and integrates with OSPF.

But how are the spoke routes obtained, and how is the spoke-to-spoke VPN finally established?

That is NHRP's job. Note the three key commands on each spoke site:

ip nhrp map multicast hub-physical-ip_add

This command maps multicast routing traffic to the hub's physical interface; the spoke builds its own routing table on the basis of it. Remember to compare with the hub configuration, where the keyword is DYNAMIC.

ip nhrp map hub-tunnel_ip_add hub-physical-ip_add

Likewise maps the tunnel interface to the physical interface.

ip nhrp nhs hub-tunnel_ip_add

Sets the NHRP next-hop resolution server to the hub's tunnel interface.

With these commands, two core things happen: routes are exchanged between the hub and the spokes over the tunnel, but the VPN tunnels between spokes are built over the physical links between them. This is elegant: the hub does not have to handle the enormous volume of spoke-to-spoke data, only the routing information that maintains the internal network, and that traffic is not large.

A simple example follows to show how the spoke-to-spoke VPN process is handled.

R3's internal network needs to talk to R2's internal network. Below is the routing table R3 learned via GRE.

R3#sh ip rou

Gateway of last resort is not set

     172.1.0.0/24 is subnetted, 1 subnets

C       172.1.1.0 is directly connected, Tunnel0

C    192.1.1.0/24 is directly connected, FastEthernet0/0

     192.168.1.0/32 is subnetted, 1 subnets

O IA    192.168.1.1 [110/11112] via 172.1.1.1, 00:35:17, Tunnel0

     192.168.2.0/32 is subnetted, 1 subnets

O       192.168.2.1 [110/11112] via 172.1.1.2, 00:35:17, Tunnel0

(A small point to explain here: the Loopback0 interface is resolved as a host route.)

C    192.168.3.0/24 is directly connected, Loopback0

Step 1: R3 looks up the route and finds the destination reachable via tunnel address 172.1.1.2.

tunnel protection ipsec profile deng

Remember this command? The VPN session is triggered by it (this differs a bit from the earlier static GRE case, where the ACL pointed explicitly at the physical interface addresses; here it is applied on the tunnel interface). So is the VPN session built on the tunnel?

R3 and R2 only have a tunnel connection by way of R1. If the VPN were built over the tunnel, all traffic would have to pass through R1, which is absolutely not what we want. Instead, R3 and R2 have a physical link between them, and the VPN traffic should be put onto that physical link. So what happens now? Does the box become clever on its own?

Yes, and it does a fine job.

Step 2: R3's next-hop server is statically set by command to R1's address 172.1.1.1. R3 consults the table below and asks how to reach 172.1.1.2.

R3#sh ip nhrp

172.1.1.1/32 via 172.1.1.1, Tunnel0 created 00:40:45, never expire

Type: static, Flags: nat used

NBMA address: 192.1.1.1

Step 3: The NHS consults the table below and returns R2's physical interface address to R3.

R1#sh ip nhrp

172.1.1.2/32 via 172.1.1.2, Tunnel0 created 01:34:39, expire 00:07:16

Type: dynamic, Flags: unique nat registered

NBMA address: 192.1.1.2

172.1.1.3/32 via 172.1.1.3, Tunnel0 created 00:47:27, expire 00:06:32

Type: dynamic, Flags: unique nat registered

NBMA address: 192.1.1.3

Step 4: The VPN session runs over the physical link.

It is important to remember and understand these four commands.
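The resolution in steps 1 to 3 above, as an added example that is not part of the original post: a small Python model that parses `show ip nhrp` output in the format shown and resolves a destination to the NBMA (physical) address that IPsec is actually negotiated with, rather than the tunnel next hop. The cache text, the routing table and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample output in the `show ip nhrp` format shown above: the hub's cache
# holds the spokes' dynamic registrations; a spoke has only its static hub entry.
HUB_NHRP = """\
172.1.1.2/32 via 172.1.1.2, Tunnel0 created 01:34:39, expire 00:07:16
  Type: dynamic, Flags: unique nat registered
  NBMA address: 192.1.1.2
172.1.1.3/32 via 172.1.1.3, Tunnel0 created 00:47:27, expire 00:06:32
  Type: dynamic, Flags: unique nat registered
  NBMA address: 192.1.1.3
"""
SPOKE_NHRP = """\
172.1.1.1/32 via 172.1.1.1, Tunnel0 created 00:40:45, never expire
  Type: static, Flags: nat used
  NBMA address: 192.1.1.1
"""
# Constructed: R3's OSPF-learned routes, all pointing at tunnel (VPN) next hops.
SPOKE_ROUTES = {"192.168.1.0/24": "172.1.1.1", "192.168.2.0/24": "172.1.1.2"}

ENTRY_RE = re.compile(
    r"(?P<tunnel>[\d.]+)/32 via [^\n]*\n\s*Type: (?P<type>\w+)[^\n]*\n\s*NBMA address: (?P<nbma>\S+)")

def parse_nhrp(text):
    """Map tunnel address -> (NBMA address, entry type) from `show ip nhrp` output."""
    return {m["tunnel"]: (m["nbma"], m["type"]) for m in ENTRY_RE.finditer(text)}

def next_hop(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table; None if no route."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def resolve_ipsec_peer(dst, routes, spoke_cache, hub_cache, nhs="172.1.1.1"):
    """Steps 1-3 above: route -> tunnel next hop -> NHRP -> NBMA address, which is the
    peer IPsec is negotiated with. Returns (next_hop, nbma, 'local'|'nhs') or None."""
    nh = next_hop(routes, dst)
    if nh is None:
        return None
    if nh in spoke_cache:           # the hub itself: answered from the static entry
        return nh, spoke_cache[nh][0], "local"
    if nhs not in spoke_cache:      # no mapping for the NHS, so nobody to ask
        return None
    if nh in hub_cache:             # the NHS answers from the spokes' registrations
        return nh, hub_cache[nh][0], "nhs"
    return None                     # next hop never registered with the hub

if __name__ == "__main__":
    spoke, hub = parse_nhrp(SPOKE_NHRP), parse_nhrp(HUB_NHRP)
    print(resolve_ipsec_peer("192.168.2.1", SPOKE_ROUTES, spoke, hub))
```

A real spoke also installs the answer it receives as a dynamic entry in its own cache, which this model leaves out.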

Configuration check:

R1#sh ip rou

Gateway of last resort is not set

     172.1.0.0/24 is subnetted, 1 subnets

C       172.1.1.0 is directly connected, Tunnel0

C    192.1.1.0/24 is directly connected, FastEthernet0/0

C    192.168.1.0/24 is directly connected, Loopback0

     192.168.2.0/32 is subnetted, 1 subnets

O       192.168.2.1 [110/11112] via 172.1.1.2, 00:31:44, Tunnel0

     192.168.3.0/32 is subnetted, 1 subnets

O       192.168.3.1 [110/11112] via 172.1.1.3, 00:31:44, Tunnel0

R1#sh cry isa pe

Peer: 192.1.1.2 Port: 500 Local: 192.1.1.1

Phase1 id: 192.1.1.2

Peer: 192.1.1.3 Port: 500 Local: 192.1.1.1

Phase1 id: 192.1.1.3

The hub maintains VPN peering with the spokes at all times because it is the DR: the route exchange above keeps activating the VPN process. A spoke, on the other hand, ends the VPN connection when the holdtime expires if there are no packets. Detailed output below explains this process.

R1#sh cry en conn a

Crypto Engine Connections

   ID Interface Type Algorithm           Encrypt Decrypt IP-Address

    7 Fa0/0      IPsec AES+SHA                   0      204 192.1.1.1

    8 Fa0/0      IPsec AES+SHA                 199        0 192.1.1.1

    9 Fa0/0      IPsec AES+SHA                   0      152 192.1.1.1

   10 Fa0/0      IPsec AES+SHA                 154        0 192.1.1.1

1002 Fa0/0      IKE   SHA+DES                   0        0 192.1.1.1

1004 Fa0/0      IKE   SHA+DES                   0        0 192.1.1.1

R1#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.1.1.1       192.1.1.2       QM_IDLE           1002    0 ACTIVE

192.1.1.1       192.1.1.3       QM_IDLE           1004    0 ACTIVE

R1#sh cry sess

Crypto session current status

Interface: Tunnel0

Session status: UP-ACTIVE

Peer: 192.1.1.2 port 500

IKE SA: local 192.1.1.1/500 remote 192.1.1.2/500 Active

IPSEC FLOW: permit 47 host 192.1.1.1 host 192.1.1.2

        Active SAs: 2, origin: crypto map

Interface: Tunnel0

Session status: UP-ACTIVE

Peer: 192.1.1.3 port 500

IKE SA: local 192.1.1.1/500 remote 192.1.1.3/500 Active

IPSEC FLOW: permit 47 host 192.1.1.1 host 192.1.1.3

        Active SAs: 2, origin: crypto map

R1#sh cry ipsec spi

Active SPI table

     SPI Prot Local Address            M Type

3DA8E38C ESP 192.1.1.1                  IKE-based IPSec SA

9350F613 ESP 192.1.1.1                  IKE-based IPSec SA

Only the inbound SPIs are shown; SAs are unidirectional, so there are 4 SPIs in total here.

R1#sh cry ipsec tr

Transform set cisco: { esp-aes esp-sha-hmac }

   will negotiate = { Transport, },

R1#sh cry map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

        Profile name: deng

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                cisco,

        }

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp

        Map is a PROFILE INSTANCE.

        Peer = 192.1.1.2

        Extended IP access list

            access-list permit gre host 192.1.1.1 host 192.1.1.2

        Current peer: 192.1.1.2

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                cisco,

        }

Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp

        Map is a PROFILE INSTANCE.

        Peer = 192.1.1.3

        Extended IP access list

            access-list permit gre host 192.1.1.1 host 192.1.1.3

        Current peer: 192.1.1.3

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                cisco,

        }

        Interfaces using crypto map Tunnel0-head-0:

                Tunnel0

R3#sh ip nhrp multicast

I/F     NBMA address

Tunnel0    192.1.1.1       Flags: static

R1#sh ip nhrp multic

I/F     NBMA address

Tunnel0    None            Flags: dynamic

Tunnel0    None            Flags: dynamic

R3#sh cry ipsec sp

Active SPI table

     SPI Prot Local Address            M Type

2A3284A3 ESP 192.1.1.3                  IKE-based IPSec SA

4CF01F4A ESP 192.1.1.3                  IKE-based IPSec SA

R3#traceroute 192.168.2.1

Type escape sequence to abort.

Tracing the route to 192.168.2.1

1 172.1.1.2 28 msec 24 msec *

This clearly shows that the traceroute goes over the tunnel, but the VPN does not; the detailed output below shows the process.

R3#sh cry isa pe

Peer: 192.1.1.1 Port: 500 Local: 192.1.1.3

Phase1 id: 192.1.1.1

Peer: 192.1.1.2 Port: 500 Local: 192.1.1.3

Phase1 id: 192.1.1.2

At first, checking the peers gives the answer: R3 has sessions with both R1 and R2.

Let's see what happens after 500 s (the value set by the command in this example; the default is 7200 s, two hours).

Crypto ISAKMP debugging is on

*Dec 5 06:38:42.699: ISAKMP: set new node 830158012 to QM_IDLE

(Indicates that phase 2 quick mode is idle.)

*Dec 5 06:38:42.703: ISAKMP:(1006): sending packet to 192.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

(Sends this packet to R2; clearly, it is sent to the physical interface address.)

*Dec 5 06:38:42.707: ISAKMP:(1006):purging node 830158012

*Dec 5 06:38:42.707: ISAKMP:(1006):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

(The phase 2 connection is deleted.)

*Dec 5 06:38:42.707: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Dec 5 06:38:42.707: ISAKMP:(1006):peer does not do paranoid keepalives.

(Indicates that the peer does not do keepalives.)

*Dec 5 06:38:42.707: ISAKMP:(1006):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 192.1.1.2)

*Dec 5 06:38:42.707: ISAKMP:(1005):peer does not do paranoid keepalives.

*Dec 5 06:38:42.707: ISAKMP:(1005):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 192.1.1.2)

*Dec 5 06:38:42.711: ISAKMP: set new node -1284218980 to QM_IDLE

*Dec 5 06:38:42.711: ISAKMP:(1006): sending packet to 192.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE

*Dec 5 06:38:42.711: ISAKMP:(1006):purging node -1284218980

*Dec 5 06:38:42.711: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Dec 5 06:38:42.711: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Dec 5 06:38:42.711: ISAKMP: set new node 1491255910 to QM_IDLE

*Dec 5 06:38:42.715: ISAKMP:(1005): sending packet to 192.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE

*Dec 5 06:38:42.715: ISAKMP:(1005):purging node 1491255910

*Dec 5 06:38:42.715: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Dec 5 06:38:42.715: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Dec 5 06:38:42.715: ISAKMP:(1006):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 192.1.1.2)

*Dec 5 06:38:42.715: ISAKMP: Unlocking peer struct 0x65BE545C for isadb_mark_sa_deleted(), count 1

*Dec 5 06:38:42.715: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Dec 5 06:38:42.715: ISAKMP:(1006):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Dec 5 06:38:42.715: ISAKMP:(1005):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 192.1.1.2)

*Dec 5 06:38:42.715: ISAKMP: Unlocking peer struct 0x65BE545C for isadb_mark_sa_deleted(), count 0

*Dec 5 06:38:42.715: ISAKMP: Deleting peer node by peer_reap for 192.1.1.2: 65BE545C

(The peer is finally deleted.)

*Dec 5 06:38:42.715: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Dec 5 06:38:42.715: ISAKMP:(1005):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Dec 5 06:38:42.723: ISAKMP (0:1006): received packet from 192.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Dec 5 06:38:42.735: ISAKMP (0:1005): received packet from 192.1.1.2 dport 500 sport 500 Global (R) MM_NO_STATE

*Dec 5 06:39:42.715: ISAKMP:(1006):purging SA., sa=6506D7C0, delme=6506D7C0

*Dec 5 06:39:42.723: ISAKMP:(1005):purging SA., sa=65072C34, delme=65072C34

*Dec 5 06:41:43.535: ISAKMP (0:1002): received packet from 192.1.1.1 dport 500 sport 500 Global (I) QM_IDLE

(By contrast, R3 then receives a packet from R1, presumably an OSPF hello that keeps the VPN connection alive; the process follows.)

*Dec 5 06:41:43.535: ISAKMP: set new node -241508441 to QM_IDLE

*Dec 5 06:41:43.539: ISAKMP:(1002): processing HASH payload. message ID = -241508441

*Dec 5 06:41:43.539: ISAKMP:(1002): processing SA payload. message ID = -241508441

*Dec 5 06:41:43.539: ISAKMP:(1002):Checking IPSec proposal 1

*Dec 5 06:41:43.539: ISAKMP: transform 1, ESP_AES

*Dec 5 06:41:43.539: ISAKMP:   attributes in transform:

*Dec 5 06:41:43.539: ISAKMP:      encaps is 2 (Transport)

*Dec 5 06:41:43.539: ISAKMP:      SA life type in seconds

*Dec 5 06:41:43.539: ISAKMP:      SA life duration (basic) of 3600

*Dec 5 06:41:43.539: ISAKMP:      SA life type in kilobytes

*Dec 5 06:41:43.539: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Dec 5 06:41:43.539: ISAKMP:      authenticator is HMAC-SHA

*Dec 5 06:41:43.543: ISAKMP:      key length is 128

*Dec 5 06:41:43.543: ISAKMP:(1002):atts are acceptable.

*Dec 5 06:41:43.547: ISAKMP:(1002): processing NONCE payload. message ID = -241508441

*Dec 5 06:41:43.547: ISAKMP:(1002): processing ID payload. message ID = -241508441

*Dec 5 06:41:43.547: ISAKMP:(1002): processing ID payload. message ID = -241508441

*Dec 5 06:41:43.547: ISAKMP:(1002):QM Responder gets spi

*Dec 5 06:41:43.547: ISAKMP:(1002):Node -241508441, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Dec 5 06:41:43.547: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

*Dec 5 06:41:43.551: ISAKMP:(1002): Creating IPSec SAs

*Dec 5 06:41:43.551:         inbound SA from 192.1.1.1 to 192.1.1.3 (f/i) 0/ 0

        (proxy 192.1.1.1 to 192.1.1.3)

*Dec 5 06:41:43.551:         has spi 0xAC55E9F5 and conn_id 0

*Dec 5 06:41:43.551:         lifetime of 3600 seconds

*Dec 5 06:41:43.551:         lifetime of 4608000 kilobytes

*Dec 5 06:41:43.551:         outbound SA from 192.1.1.3 to 192.1.1.1 (f/i) 0/0

        (proxy 192.1.1.3 to 192.1.1.1)

*Dec 5 06:41:43.551:         has spi 0x410AF9B7 and conn_id 0

*Dec 5 06:41:43.551:         lifetime of 3600 seconds

*Dec 5 06:41:43.551:         lifetime of 4608000 kilobytes

*Dec 5 06:41:43.551: ISAKMP:(1002): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE

*Dec 5 06:41:43.551: ISAKMP:(1002):Node -241508441, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Dec 5 06:41:43.551: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2

*Dec 5 06:41:43.567: ISAKMP (0:1002): received packet from 192.1.1.1 dport 500 sport 500 Global (I) QM_IDLE

*Dec 5 06:41:43.567: ISAKMP:(1002):deleting node -241508441 error FALSE reason "QM done (await)"

*Dec 5 06:41:43.567: ISAKMP:(1002):Node -241508441, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Dec 5 06:41:43.567: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE

*Dec 5 06:42:13.567: ISAKMP: set new node -1062896646 to QM_IDLE

*Dec 5 06:42:13.567: ISAKMP:(1002): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE

*Dec 5 06:42:13.571: ISAKMP:(1002):purging node -1062896646

*Dec 5 06:42:13.571: ISAKMP:(1002):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

*Dec 5 06:42:13.571: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Dec 5 06:42:33.575: ISAKMP:(1002):purging node -241508441

R3#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.1.1.1       192.1.1.3       QM_IDLE           1002    0 ACTIVE

At this point only the VPN connection with the hub remains. The reason is simple: routing keepalive packets are being exchanged with the hub, which keeps the VPN process active; but the spokes are all DROTHERs and do not exchange routing keepalives with each other, so 500 s after the last VPN packet was handled the connection is deleted.
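To check this behaviour from the debug output above, here is an added Python example (not from the original post) that summarises `debug crypto isakmp` lines per peer: which peers had their phase 1 SA deleted and reaped, and which completed a new phase 2. The log lines are constructed after the output above, and conn-ids are tied to peer addresses through the "sending packet to" / "received packet from" lines; the function names are assumptions.

```python
import re

# Constructed sample lines, modelled on the `debug crypto isakmp` output above:
# R3 tears down its session with spoke R2, then hub R1 rekeys phase 2 with R3.
DEBUG_LOG = """\
*Dec 5 06:38:42.703: ISAKMP:(1006): sending packet to 192.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Dec 5 06:38:42.707: ISAKMP:(1006):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 192.1.1.2)
*Dec 5 06:38:42.707: ISAKMP:(1005):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 192.1.1.2)
*Dec 5 06:38:42.715: ISAKMP: Deleting peer node by peer_reap for 192.1.1.2: 65BE545C
*Dec 5 06:41:43.535: ISAKMP (0:1002): received packet from 192.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Dec 5 06:41:43.567: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Dec 5 06:42:13.571: ISAKMP:(1002):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
"""

# Both "ISAKMP:(1006): sending packet to" and "ISAKMP (0:1002): received packet from".
PACKET_RE = re.compile(r"ISAKMP[: ]\((?:0:)?(?P<conn>\d+)\): (?:sending packet to|received packet from) (?P<peer>[\d.]+)")
DELETE_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)".*\(peer (?P<peer>[\d.]+)\)')
REAP_RE = re.compile(r"Deleting peer node by peer_reap for (?P<peer>[\d.]+)")
STATE_RE = re.compile(r"ISAKMP:\((?P<conn>\d+)\):Old State = \S+ New State = (?P<state>\S+)")

def summarize(log):
    """Per-peer view: was the phase 1 SA deleted, was the peer node reaped, and how
    many phase 2 negotiations completed. State lines carry only a conn-id, so the
    conn-id -> peer mapping is learned from the packet lines seen before them."""
    conn_to_peer, peers = {}, {}

    def entry(peer):
        return peers.setdefault(peer, {"p1_deleted": False, "reaped": False,
                                       "p2_completed": 0, "reasons": []})

    for line in log.splitlines():
        if m := PACKET_RE.search(line):
            conn_to_peer[m["conn"]] = m["peer"]
            entry(m["peer"])
        elif m := DELETE_RE.search(line):
            e = entry(m["peer"])
            e["p1_deleted"] = True
            e["reasons"].append(m["reason"])
        elif m := REAP_RE.search(line):
            entry(m["peer"])["reaped"] = True
        elif (m := STATE_RE.search(line)) and m["state"] == "IKE_QM_PHASE2_COMPLETE":
            peer = conn_to_peer.get(m["conn"])
            if peer:
                entry(peer)["p2_completed"] += 1
    return peers

def surviving_peers(summary):
    """Peers whose phase 1 SA was never deleted: the sessions still up after the holdtime."""
    return sorted(p for p, e in summary.items() if not e["p1_deleted"])
```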

http://hi.baidu.com/dengyusu/blog/item/68ccf20934f975ac2eddd493.html
