In networking we regularly run into a technique called IPsec NAT traversal (NAT-T), also known as UDP encapsulation. Its job is to make sure traffic still reaches its intended destination when a device has no public IP address: NAT-T keeps an IPsec VPN connection working while the traffic passes through a gateway. This situation typically arises when your Internet service provider (ISP) performs network address translation (NAT), or when the outside interface of your firewall is connected to a NAT-enabled device.
In our topology there is a NAT device sitting in the middle. It can break the integrity and authenticity protection of the data, and in some cases it simply cannot handle the packets at all. NAT and IPsec are fundamentally incompatible, but fortunately NAT traversal gives us a way around that.
NAT traversal (NAT-T) inserts a UDP header plus a special payload into the IPsec packet, so that to the NAT device the packet looks like an ordinary UDP flow. The NAT device can then recognize the packet and apply its address translation, and the message gets through. This is what makes secure, efficient data transfer possible in complex network environments.
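As an added illustration (not part of the original lab), the following Python classifier shows what that "UDP header plus special payload" looks like on the wire per RFC 3948: on UDP/4500 an IKE message is prefixed with a four-zero-byte Non-ESP marker, a NAT keepalive is a single 0xFF octet, and anything else is an ESP header (SPI, sequence number) directly behind the UDP header. The sample datagrams are constructed inline; the ESP SPI 0xFD7D51CD is reused from the lab's show crypto ipsec sa output, and the IKE SPI and exchange type are made-up values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"    # zero "SPI" in front of an IKE message (RFC 3948)
NAT_KEEPALIVE = b"\xff"                 # one-octet keepalive that keeps the NAT mapping alive
IKE_HEADER_LEN = 28

@dataclass
class NatTPacket:
    kind: str                           # "esp", "ike", "keepalive" or "unknown"
    spi: Optional[int] = None           # ESP SPI (kind == "esp")
    seq: Optional[int] = None           # ESP sequence number (kind == "esp")
    ike_spi_i: Optional[int] = None     # IKE initiator SPI (kind == "ike")
    ike_exchange: Optional[int] = None  # IKE exchange type (kind == "ike")

def classify_udp4500_payload(payload: bytes) -> NatTPacket:
    """Decide what a UDP/4500 datagram carries by looking only at its first bytes."""
    if payload == NAT_KEEPALIVE:
        return NatTPacket(kind="keepalive")
    if len(payload) < 8:
        return NatTPacket(kind="unknown")
    if payload[:4] == NON_ESP_MARKER:
        # ESP SPI 0 is reserved, so four zero octets can only be the Non-ESP marker;
        # an IKE header follows: SPIi(8) SPIr(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return NatTPacket(kind="unknown")
        spi_i, _spi_r, _np, _ver, exch, _fl, _mid, _ln = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        return NatTPacket(kind="ike", ike_spi_i=spi_i, ike_exchange=exch)
    # No marker: the ESP header (SPI, sequence number) follows the UDP header directly.
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTPacket(kind="esp", spi=spi, seq=seq)

def summarize(payloads):
    """Count packet kinds and collect the ESP SPIs seen on one UDP/4500 flow."""
    counts = {"esp": 0, "ike": 0, "keepalive": 0, "unknown": 0}
    spis = set()
    for p in payloads:
        pkt = classify_udp4500_payload(p)
        counts[pkt.kind] += 1
        if pkt.kind == "esp":
            spis.add(pkt.spi)
    return counts, spis

# Constructed sample datagrams; the ESP SPI is the one from the lab's show crypto ipsec sa output.
SAMPLE_ESP = struct.pack("!II", 0xFD7D51CD, 1) + bytes(16)   # ESP header + stand-in for IV/ciphertext
SAMPLE_IKE = NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
SAMPLES = [SAMPLE_IKE, NAT_KEEPALIVE, SAMPLE_ESP, SAMPLE_ESP]
```

Feeding the UDP payloads of a captured port-4500 flow to summarize() tells you whether the tunnel really floated to NAT-T and which ESP SPIs are in use, which is what the NAT translation table and show crypto ipsec sa output later in this lab confirm from the router side.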
Assign IP addresses to the respective interfaces
SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#exit
SITE-A-ROUTER(config)#interface fastethernet 0/0
SITE-A-ROUTER(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#no keepalive
SITE-A-ROUTER(config-if)#exit
Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip address 192.168.1.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit
Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip address 192.168.2.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit
SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
SITE-B-ROUTER(config-if)#no shutdown
SITE-B-ROUTER(config-if)#exit
SITE-B-ROUTER(config)#interface fastethernet 0/0
SITE-B-ROUTER(config-if)#ip address 192.168.20.1 255.255.255.0
SITE-B-ROUTER(config-if)#no shutdown
SITE-B-ROUTER(config-if)#exit
Check the configured IP addresses on each device
SITE-A-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up
Serial4/0 192.168.1.1 YES manual up up
SITE-B-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.20.1 YES manual up up
Serial4/1 192.168.2.1 YES manual up up
Internet-NAT-Device#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Serial4/0 192.168.1.2 YES manual up up
Serial4/1 192.168.2.2 YES manual up up
Configure a default route toward R3 (the Internet-NAT-Device) on routers 1 and 2 (SITE-A-ROUTER and SITE-B-ROUTER), and static routes on R3 back to the two LANs
SITE-A-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
SITE-A-ROUTER(config)#end
SITE-B-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
SITE-B-ROUTER(config)#end
Internet-NAT-Device(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
Internet-NAT-Device(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
Internet-NAT-Device(config)#end
Configure an extended ACL for the subnets that need to reach each other
SITE-A-ROUTER(config)#ip access-list extended important-traffic
SITE-A-ROUTER(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-A-ROUTER(config-ext-nacl)#exit
SITE-B-ROUTER(config)#ip access-list extended important-traffic
SITE-B-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-B-ROUTER(config-ext-nacl)#end
Check the configured ACLs
SITE-A-ROUTER#show ip access-list
Extended IP access list important-traffic
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-B-ROUTER#show ip access-list
Extended IP access list important-traffic
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Enable ISAKMP
SITE-A-ROUTER(config)#crypto isakmp enable
SITE-B-ROUTER(config)#crypto isakmp enable
Configure the ISAKMP policy
SITE-A-ROUTER(config)#crypto isakmp policy 20
SITE-A-ROUTER(config-isakmp)#authentication pre-share
SITE-A-ROUTER(config-isakmp)#encryption aes 256
SITE-A-ROUTER(config-isakmp)#hash sha
SITE-A-ROUTER(config-isakmp)#group 5
SITE-A-ROUTER(config-isakmp)#lifetime 3600
SITE-A-ROUTER(config-isakmp)#exit
SITE-B-ROUTER(config)#crypto isakmp policy 20
SITE-B-ROUTER(config-isakmp)#authentication pre-share
SITE-B-ROUTER(config-isakmp)#encryption aes 256
SITE-B-ROUTER(config-isakmp)#hash sha
SITE-B-ROUTER(config-isakmp)#group 5
SITE-B-ROUTER(config-isakmp)#lifetime 3600
SITE-B-ROUTER(config-isakmp)#end
Check the configured ISAKMP policy
SITE-A-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
SITE-B-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
Configure the pre-shared key
SITE-A-ROUTER(config)#crypto isakmp key 0 internetworks address 192.168.2.1
SITE-A-ROUTER(config)#end
SITE-B-ROUTER(config)#crypto isakmp key 0 internetworks address 100.100.100.100
SITE-B-ROUTER(config)#end
// In the command above I changed the address on router 2 from 192.168.1.1 to 100.100.100.100, because router 1's IP 192.168.1.1 looks different from the other side, namely 100.100.100.100. Next I will change only the peer address in the crypto map on router 2, so we need to set it to the static NAT address for the IPsec VPN to come up successfully.
// When configuring an IPsec VPN it is essential that each peer can correctly identify the other's address. In this scenario router 1's inside IP address is 192.168.1.1, and once it passes through the NAT device it is translated to 100.100.100.100 on the outside network. For router 2 to correctly identify router 1 and build the VPN, the peer address in router 2's crypto map must be updated to the statically NATed address 100.100.100.100.
// That way, when router 2 tries to bring up the tunnel to router 1, it uses the right IP address, so the IPsec VPN can be established and stays up. This is how secure cross-network data transfer is achieved even in a NAT environment.
Configure the IPsec transform set at both sites
SITE-A-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-A-ROUTER(cfg-crypto-trans)#end
SITE-B-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-B-ROUTER(cfg-crypto-trans)#end
Check the configured IPsec transform sets
SITE-A-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-B-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
Configure the IPsec security association lifetime
SITE-A-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-A-ROUTER(config)#exit
SITE-B-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-B-ROUTER(config)#end
Check the configured IPsec security association lifetime
SITE-A-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds
SITE-B-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds
Configure the crypto map
SITE-A-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-A-ROUTER(config-crypto-map)#match address important-traffic
SITE-A-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-A-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-A-ROUTER(config-crypto-map)#exit
SITE-A-ROUTER(config)#end
SITE-B-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-B-ROUTER(config-crypto-map)#match address important-traffic
SITE-B-ROUTER(config-crypto-map)#set peer 100.100.100.100
SITE-B-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-B-ROUTER(config-crypto-map)#end
Check the configured crypto map
SITE-A-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
SITE-B-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
Apply the crypto map to the interfaces
SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-A-ROUTER(config-if)#exit
SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-B-ROUTER(config-if)#end
Check the crypto map on the interface
SITE-B-ROUTER#show crypto map interface serial 4/1
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
Serial4/1
First, a ping test (before NAT is configured)
SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/100 ms
SITE-A-ROUTER#show crypto ipsec sa
interface: Serial4/0
Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
current outbound spi: 0xFD7D51CD(4252848589)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x367632C(57107244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4546969/1781)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFD7D51CD(4252848589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4546969/1781)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 32/62/96 ms
SITE-B-ROUTER#show crypto ipsec sa
interface: Serial4/1
Crypto map tag: CRYPTO-MAP, local addr 192.168.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
current outbound spi: 0x367632C(57107244)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFD7D51CD(4252848589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4383954/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x367632C(57107244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4383954/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Configure static NAT on R3 (the Internet-NAT-Device)
Internet-NAT-Device(config)#ip nat inside source static 192.168.1.1 100.100.100.100
Configure the NAT inside and outside interfaces on R3
Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip nat inside
Internet-NAT-Device(config-if)#exit
Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip nat outside
Internet-NAT-Device(config-if)#exit
Verify that 192.168.10.1 can still reach 192.168.20.1 over IPsec, with the IP now translated to 100.100.100.100
SITE-A-ROUTER#clear crypto isakmp
SITE-A-ROUTER#clear crypto session
SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/60/140 ms
SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 24/60/144 ms
Internet-NAT-Device#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 100.100.100.100:4500 192.168.1.1:4500 192.168.2.1:4500 192.168.2.1:4500
--- 100.100.100.100 192.168.1.1 --- ---
SITE-A-ROUTER#show crypto ipsec sa
interface: Serial4/0
Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2219, #pkts encrypt: 2219, #pkts digest: 2219
#pkts decaps: 2219, #pkts decrypt: 2219, #pkts verify: 2219
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
current outbound spi: 0x3BD9F3C0(1004139456)
PFS (Y/N): N, DH group: none