x*********n Posts: 28013 | 1 A needs to be able to build tunnels with all of sites 1, 2, 3, 4, 5 and 6.
On site A's router:
crypto isakmp key 111 address location1
crypto isakmp key 111 address location2
crypto isakmp key 222 address location3
crypto isakmp key 222 address location4
crypto isakmp key 333 address location5
crypto isakmp key 333 address location6
And then?
Just crypto map vpnmap 1 ipsec-isakmp
......
Question 1:
When site A and site B build a tunnel, does the key need to be the same? If it does, why is there no key or WAN IP for site A in the config?
Question 2:
Can all the keys in the config be 111? That is, can every site use one key, or can only the two ends of a tunnel share one key? |
|
a***n Posts: 262 | 2 The key should be symmetric.
You could use crypto isakmp key KEY address 0.0.0.0 as a wildcard key. |
|
x*********n Posts: 28013 | 3 I pinged it, and it goes through.
But sh crypto isakmp sa shows nothing at all.
Can an expert explain this? |
|
|
x*********n Posts: 28013 | 7 The customer says the VPN tunnel is down; ping xxxx source xxxx doesn't work.
Then I looked at the router and found 2 tunnels; one of them had been moved away, and the second one actually works. In the end I removed the first crypto map entry and the problem was solved.
But I don't understand why one extra crypto map entry causes a problem. Doesn't the router work like an ACL, checking one entry and moving on to the next if it doesn't match?
crypto map vpnmap 6 ipsec-isakmp
 description To_Providence_new
 set peer WAN IP 1
 set transform-set vpnset
 match address To_Providence
crypto map vpnmap 7 ipsec-isakmp
 description To_Providence_new
 set peer WAN IP 2
 set transform-set vpnset
 match address To_Providence |
|
x*********n Posts: 28013 | 8 crypto isakmp key muRPHYtracTORS address 67.130.92.126
crypto map vpnmap 39 ipsec-isakmp
 description To_kansascity
 set peer 67.130.92.126
 set transform-set vpnset
 match address To_kansascity
 qos pre-classify
ip access-list extended To_kansascity
 permit ip 10.70.241.0 0.0.0.255 172.25.248.1 0.0.0.255
!
I put together this config, and a team member told me to change 2 things. I'm not sure about them, so I want to ask everyone.
Question 1: the 39 in vpnmap on the second line. He told me to change it to 1, because crypto maps have sequence numbers, and changing it to 1 gives it priority. Is that right?
Question 2: the ACL on the last line. I think it is used for building the tunnel. This 10.70.241.0 is site A's LAN IP, on fa, while 172.25.248.1 is site ... |
|
s*****g Posts: 1055 | 9 It is possible that A is behind a PAT firewall, so an ISAKMP connection request
initiated by A can be established (and so will the IPsec SA), but if there is no
traffic and the IPsec SA times out and then B tries to initiate, the ISAKMP request
will be dropped by A side's firewall. |
|
x*********n Posts: 28013 | 10 ---10.0.0.0-----R1-208.80.80.80---------------208.10.10.10--R2---10.1.1.0-
R1:
The ACL is set up.
crypto map vpnmap 3 ipsec-isakmp
 description To_Roselle
 set peer 208.10.10.10
 set transform-set vpnset
 match address ACL
Then
ip route 0.0.0.0 0.0.0.0 208.80.80.79
R2:
ACL
crypto map vpnmap 3 ipsec-isakmp
 set peer 208.80.80.80
 set transform-set vpnset
 match address ACL
Then the static route points to the firewall, so I added
ip route 208.80.80.80 255.255.255.255 208.10.10.9 so that it can reach R1.
The problem now is that this doesn't work; I also have to add a static
ip route 10.0.0.0 255.255.255.0 208.10.10... |
|
h*****h Posts: 1392 | 11 Our company is located in Sunnyvale, in Silicon Valley; it is an American company, and we are currently hiring a QA Engineer. We make home routers/modems; the company is in very good shape and the job is stable. Applicants must have sufficient networking knowledge and be diligent and dedicated. The seniority requirement is not high: 1-3 years of experience is enough. Senior people, please look elsewhere. New grads will also be considered if they are truly outstanding. The company offers Medical/Vision/Dental Insurance and sponsors H1 and green cards. Not suitable for senior people. Those who cannot accept occasional overtime on weekdays and weekends should not apply either. Depending on qualifications and knowledge, the hourly rate ranges from 20 to 25 US dollars. If interested, please contact me via the on-site mailbox or on-site message, or email hshensc@gmail.com. Thank you!
Network QA Engineer
We are looking for a self-motivated and detail-oriented Network QA Engineer.
The candidate will be responsible for testing our networking devices and
will be involved in all aspe... |
|
f****y Posts: 70 | 12 Can someone explain this:
use strict;
use warnings;
use Net::Telnet::Cisco;

# Open a Telnet session to the router and log in (no username, password only).
my $session1 = Net::Telnet::Cisco->new(Host => '111.157.143.5');
$session1->login('', 'ciscophee');
# Enter privileged EXEC mode with the enable password.
my @shver1 = $session1->enable('pheecisco');
# Tear down all IKE (phase 1) and IPsec (phase 2) security associations.
# Each cmd() call overwrites @shver1, so only the last command's output is kept.
@shver1 = $session1->cmd('clear crypto isakmp');
@shver1 = $session1->cmd('clear crypto sa');
$session1->close;
foreach my $line (@shver1) {
    print "$line";
}
Does this reboot the Cisco router?
Apart from Perl, is there another way to do this (operate a Cisco router remotely)?
For example, could jsp or asp be used... |
|
a***n Posts: 262 | 13 Did you give out the baozi (reward) last time?
crypto map vpnmap 39 ipsec-isakmp
I would use 10 as the number, so you still have headroom
for later additions.
This access-list is used to classify which traffic
will be sent thru the IPsec tunnel. It is usually
both sides' LAN IP subnets.
If 10.7[123].241.0 are your local LANs, then yes,
you may want to include them in your ACL.
One ACL is enough:
permit ip 10.70.241.0 0.3.0.255 172.25.248.0 0.0.0.255
Please read thru the Network Technologies and Solutions book :-) |
|
|
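An added example, written for this thread and not code from any poster or from Cisco, that models two points raised above: the crypto map question in post 7 (two entries with the same match address) and the wildcard mask in the ACL line suggested in post 13. It implements the documented IOS behaviour that entries of one crypto map are checked in ascending sequence-number order and the first entry whose `match address` ACL permits the packet is used (which is also why a lower sequence number, as discussed in post 8, means "checked first"). The contents of the To_Providence ACL and the sample hosts are constructed, since the thread never shows them; the peers keep post 7's `WAN IP 1` / `WAN IP 2` placeholders. Running `covered_second_octets` on the post 13 line shows exactly which second-octet values `10.70.241.0 0.3.0.255` matches: the wildcard clears the low two bits of 70, so the entry covers 10.68 through 10.71, and any LAN outside that range would need its own ACL line.

```python
"""Model of IOS crypto map entry selection and Cisco wildcard masks.

Added example for this thread, not code from any poster or from Cisco.
It models the documented IOS behaviour: entries of one crypto map are
checked in ascending sequence-number order, and the first entry whose
'match address' ACL permits the packet is used. Values marked CONSTRUCTED
are assumptions of this model, not taken from the thread.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """acl: list of (action, src_base, src_wc, dst_base, dst_wc) tuples.
    The first matching entry decides; an unmatched packet hits the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def select_crypto_map_entry(crypto_map, acls, src, dst):
    """Return (seq, peer) of the first entry whose ACL permits src->dst,
    or None when the packet is not interesting traffic for any entry."""
    for seq in sorted(crypto_map):
        entry = crypto_map[seq]
        if acl_permits(acls[entry["match_address"]], src, dst):
            return seq, entry["peer"]
    return None


def covered_second_octets(base, wildcard):
    """Second-octet values that a 'base wildcard' pair matches; for masks like
    0.3.0.255 this enumerates the x.N.y.0/24 networks the ACL line covers."""
    b2 = int(base.split(".")[1])
    w2 = int(wildcard.split(".")[1])
    return sorted(n for n in range(256) if (n & ~w2 & 0xFF) == (b2 & ~w2 & 0xFF))


# Post 7's crypto map: two entries with the same 'match address'; the peers are
# the placeholders the poster used.
POST7_MAP = {
    6: {"peer": "WAN IP 1", "match_address": "To_Providence"},
    7: {"peer": "WAN IP 2", "match_address": "To_Providence"},
}
# CONSTRUCTED: the thread never shows the To_Providence ACL, so any LAN pair
# will do for the model.
ACLS = {
    "To_Providence": [("permit", "10.70.241.0", "0.0.0.255",
                       "172.25.248.0", "0.0.0.255")],
}


def demo():
    """Worked result: while both entries exist, entry 7 is never reached,
    because entry 6 already matches every packet To_Providence permits."""
    src, dst = "10.70.241.5", "172.25.248.20"   # CONSTRUCTED sample hosts
    with_both = select_crypto_map_entry(POST7_MAP, ACLS, src, dst)
    only_seven = select_crypto_map_entry({7: POST7_MAP[7]}, ACLS, src, dst)
    not_interesting = select_crypto_map_entry(POST7_MAP, ACLS, src, "192.0.2.9")
    return with_both, only_seven, not_interesting


if __name__ == "__main__":
    print(demo())
    print(covered_second_octets("10.70.241.0", "0.3.0.255"))
```

The model explains the symptom in post 7: the lookup is first-match like an ACL, but the match is on the ACL, not on the peer, so a second entry that reuses the same ACL is dead configuration and traffic for the second peer is sent to the first peer.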
x*********n Posts: 28013 | 15 Oh... so there's nothing at all.
ping xxxx source xxxx goes through.
There should normally be a source IP, a destination IP and then a state and so on. |
|
|
n*********a Posts: 1956 | 18 I guess your IPSec is not working. Your network is connected in regular IP
without IPSec. |
|
n**********1 Posts: 70 | 19 You should see
"show crypto IPsec sa"
In theory, a phase II IPsec SA does not need a phase I IKE SA.
Until a phase II rekey happens; then it will request phase I to rekey if phase I
does not exist. |
|
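Posts 15, 18 and 19 above read an empty `sh crypto isakmp sa` differently: post 18 takes it as "no IPsec at all", post 19 points out that a phase II SA can outlive phase I until the next rekey, so `show crypto ipsec sa` is the output to check. The following is an added example, not code from any poster or from Cisco, that parses both outputs and applies that reasoning. The sample outputs are constructed to follow the usual IOS column layout; check them against your own platform's output before relying on the regular expressions.

```python
"""Decide whether a site-to-site IPsec tunnel is actually carrying traffic.

Added example for this thread (not code from any poster or from Cisco).
Both sample outputs are CONSTRUCTED in the usual IOS layout; the IKE state
table is 'show crypto isakmp sa', the counters are 'show crypto ipsec sa'.
"""
import re

# CONSTRUCTED: an empty phase 1 table, as the poster describes seeing.
ISAKMP_EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""

# CONSTRUCTED: a healthy phase 1 SA (QM_IDLE is the established state).
ISAKMP_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
67.130.92.126   208.80.80.80    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# CONSTRUCTED: a phase 2 SA whose encaps/decaps counters are moving.
IPSEC_ACTIVE = """interface: FastEthernet0/0
    Crypto map tag: vpnmap, local addr 208.80.80.80

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.70.241.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.25.248.0/255.255.255.0/0/0)
   current_peer 67.130.92.126 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

# CONSTRUCTED: same crypto map, but no packet has ever matched the ACL.
IPSEC_IDLE = IPSEC_ACTIVE.replace("120", "0").replace("118", "0")

ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)\s*$", re.M)


def parse_isakmp_sa(text):
    """One dict per phase 1 SA row; the header row never matches the pattern."""
    return [m.groupdict() for m in ISAKMP_ROW.finditer(text)]


def parse_ipsec_sa(text):
    """One dict per peer block of 'show crypto ipsec sa' with its counters."""
    peers = []
    for block in re.split(r"\n(?=\s*protected vrf:)", text):
        peer = re.search(r"current_peer (\S+)", block)
        enc = re.search(r"#pkts encaps: (\d+)", block)
        dec = re.search(r"#pkts decaps: (\d+)", block)
        if peer and enc and dec:
            peers.append({"peer": peer.group(1),
                          "encaps": int(enc.group(1)),
                          "decaps": int(dec.group(1))})
    return peers


def assess_tunnel(isakmp_text, ipsec_text, peer):
    """Classify the tunnel to one peer. The phase 2 counters are the decisive
    evidence; an empty phase 1 table on its own proves nothing."""
    phase1 = [s for s in parse_isakmp_sa(isakmp_text)
              if peer in (s["dst"], s["src"]) and s["state"] == "QM_IDLE"]
    phase2 = [s for s in parse_ipsec_sa(ipsec_text) if s["peer"] == peer]
    carrying = any(s["encaps"] > 0 or s["decaps"] > 0 for s in phase2)
    if carrying and phase1:
        return "phase1 up, phase2 carrying traffic"
    if carrying:
        return "phase2 carrying traffic, phase1 absent until the next rekey"
    if phase1:
        return "phase1 up but no traffic has matched the crypto ACL"
    return "no SA at all: a successful ping is not going through the tunnel"


if __name__ == "__main__":
    for name, ike, ipsec in [("up", ISAKMP_UP, IPSEC_ACTIVE),
                             ("poster", ISAKMP_EMPTY, IPSEC_IDLE)]:
        print(name, "->", assess_tunnel(ike, ipsec, "67.130.92.126"))
```

The last case is the one the poster describes: both tables empty while pings succeed means the packets are being forwarded by plain routing, so the crypto map binding on the interface and the ACL are the things to check, not the IKE key.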
a***t Posts: 39 | 20 Description
Interruption
I don't know exactly what happened. Could you give more details on the settings?
My guess is that it's an IPSec VPN between two Cisco routers, and there might
be some sort of time setting for IPSec, e.g. the IKE SA lifetime was set to 24
hours (it usually defaults to 86400 sec)... you can look at your IKE policy
by typing 'show crypto isakmp policy' in the Cisco router's CLI.
But the funny thing is that you had to wait 6-7 hours to reconnect... |
|
m******y Posts: 511 | 22 [The following text is forwarded from the Software board]
[Originally posted by military]
The most basic system processes (that is, these processes are the basic prerequisites for the system to run; with them the system can run normally)
smss.exe Session Manager
csrss.exe Subsystem server process
winlogon.exe Manages user logon
services.exe Contains many system services
lsass.exe Manages IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers. (System service)
Generates session keys and grants service credentials (tickets) used for interactive client/server authentication. (System service)
svchost.exe Contains many system services
svchost.exe
SPOOLSV.EXE Loads files into memory for later printing. (System service)
explorer.exe Explorer (the shell)
internat.exe The input-method (pinyin) icon in the system tray
Additional system processes (these processes are not required; you can add or remove them as needed through the Services manager)
mstask.exe Allows programs to run at specified times. (System service)
regsvc.exe Allows remote registry operations. (System service)
winm |
|