s**********y Posts: 3366 | 1 IPsec tunnel, A can bring up the tunnel, and everything works great since
then.
B cannot bring the tunnel up.
What is wrong here? |
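x*********n Posts: 28013 | 2 Your question doesn't really hold up to begin with; it is poorly asked.
IPSec only comes up once the routers on the two sides match; only then can the two sides ping each other. Otherwise the configuration will say it has to wait
until the other side has connected.
With IPSec there are 3 things to check:
whether the private IPs in the access-list match,
whether the WAN IPs in the crypto config match and whether the WAN sides can ping each other,
and only then the crypto-map.
################################################################3
Your problem is that the traffic goes through some central site; then
check the nonat section at the center. Site B also has to be nonat'ed, and then site B will work. |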
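s*****g Posts: 1055 | 3 It is possible that A is behind a PAT firewall, so ISAKMP connection request
initiated by A can be established (so will be IPsec SA), but if there is no
traffic and IPsec SA times out and then B tries to initiate, ISAKMP request
will be dropped by A side's firewall.
[Quoting x*********n's post:]
: Your question doesn't really hold up to begin with; it is poorly asked.
: IPSec only comes up once the routers on the two sides match; only then can the two sides ping each other. Otherwise the configuration will say it has to wait
: until the other side has connected.
: With IPSec there are 3 things to check:
: whether the private IPs in the access-list match,
: whether the WAN IPs in the crypto config match and whether the WAN sides can ping each other,
: and only then the crypto-map.
: ################################################################3
: Your problem is that the traffic goes through some central site; then
: check the nonat section at the center. Site B also has to be nonat'ed, and then site B will work.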
|
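The PAT behaviour described in post 3, as a toy model added here for illustration (not code from the thread or from any participant). The addresses, the 60-second idle timeout, the class and function names, and the two mitigations shown (periodic traffic from A, or a static UDP 500 forward to A) are assumptions of this example, and the model ignores source-port rewriting.

```python
# Added illustration (not from the thread): toy stateful PAT firewall in front of peer A.
# All addresses and the 60 s idle timeout are constructed values.
from dataclasses import dataclass, field

IKE_PORT = 500       # ISAKMP/IKE runs over UDP 500
IDLE_TIMEOUT = 60    # assumed idle timeout for a dynamic UDP mapping, in seconds

@dataclass
class PatFirewall:
    static_forwards: dict = field(default_factory=dict)  # port -> inside host
    table: dict = field(default_factory=dict)            # (port, remote) -> [inside, last_seen]

    def outbound(self, inside, remote, now, port=IKE_PORT):
        """Inside host sends to remote: create or refresh the dynamic mapping."""
        self.table[(port, remote)] = [inside, now]

    def inbound(self, remote, now, port=IKE_PORT):
        """Return the inside host the packet is delivered to, or None if dropped."""
        entry = self.table.get((port, remote))
        if entry and now - entry[1] <= IDLE_TIMEOUT:
            entry[1] = now                     # return traffic refreshes the mapping
            return entry[0]
        self.table.pop((port, remote), None)   # mapping expired or never existed
        return self.static_forwards.get(port)  # unsolicited traffic needs a static forward

def scenario(keepalive_every=None, static_forward=False):
    """Peer A sits behind the PAT firewall; peer B is directly reachable."""
    a, b = "10.0.0.10", "198.51.100.2"
    fw = PatFirewall({IKE_PORT: a} if static_forward else {})
    fw.outbound(a, b, now=0)                        # A initiates ISAKMP to B
    reply_ok = fw.inbound(b, now=1) == a            # B's reply matches A's mapping
    t = 1
    while keepalive_every and t + keepalive_every < 600:
        t += keepalive_every                        # A keeps sending (keepalive/DPD-style)
        fw.outbound(a, b, now=t)
    later_ok = fw.inbound(b, now=600) == a          # B initiates after a long idle period
    return {"B_reply_to_A": reply_ok, "B_initiates_later": later_ok}

if __name__ == "__main__":
    print("no mitigation :", scenario())
    print("keepalives    :", scenario(keepalive_every=20))
    print("static forward:", scenario(static_forward=True))
```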
x*********n Posts: 28013 | 4 Impressive, impressive.
Thanks a lot for the explanation.
[Quoting s*****g's post:]
: It is possible that A is behind a PAT firewall, so ISAKMP connection request
: initiated by A can be established (so will be IPsec SA), but if there is no
: traffic and IPsec SA times out and then B tries to initiate, ISAKMP request
: will be dropped by A side's firewall.
|
s**********y Posts: 3366 | 5 This is what happened in real network. |
x*********n Posts: 28013 | 6 To be honest, I still don't quite get it, but that's fine; it will make sense on its own after a while. |