Topology
192.168.10.x---1.1.1.1-----internet------2.2.2.2-----10.2.1.x
The two routers have established an IPsec tunnel, and both show the remote peer as connected, but pings do not go through.
I have also added the NAT accept rule.
Could someone help me see where the problem still is? Thanks.
Router 1
[admin@R_Shanghai] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=1.1.1.1/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="***" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@R_Shanghai] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=10.2.1.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=default
priority=0
[admin@R_Shanghai] > ip ipsec remote-peers print
0 local-address=2.2.2.2 remote-address=1.1.1.1 state=established
side=responder established=49m11s
[admin@R_Shanghai] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=10.2.1.0/24
log=no log-prefix=""
[admin@R_Shanghai] > ping 192.168.10.1 src-address=10.2.1.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.10.1 timeout
1 192.168.10.1 timeout
2 192.168.10.1 timeout
sent=3 received=0 packet-loss=100%
Router 2
[admin@R_Beijing] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=2.2.2.2/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="***" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5
[admin@R_Beijing] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=192.168.10.0/24 src-port=any dst-address=10.2.1.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=default
priority=0
[admin@R_Beijing] > ip ipsec remote-peers print
0 local-address=1.1.1.1 remote-address=2.2.2.2 state=established
side=responder established=54m23s
[admin@R_Beijing] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.2.1.0/24 dst-address=192.168.10.0/24
log=no log-prefix=""
1 X chain=srcnat action=masquerade log=no log-prefix=""
[admin@R_Beijing] > ping 10.2.1.1 src-address=192.168.10.1
SEQ HOST SIZE TTL TIME STATUS
0 10.2.1.1 timeout
1 10.2.1.1 timeout
2 10.2.1.1 timeout
sent=3 received=0 packet-loss=100%
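One thing worth checking in output like the above is whether each `chain=srcnat action=accept` rule actually matches the address pair of the IPsec policy it is meant to bypass, and whether it sits above any enabled masquerade or src-nat rule. The script below is an added example, not something from the post: it parses the `key=value` print format RouterOS emits (records start with an index and optional flag letters, continuation lines follow) and cross-checks policies against srcnat rules. `parse_print` and `check_site` are names chosen here. The first two inputs are copied from the R_Shanghai output quoted in the post; the two extra NAT tables are constructed to show a correctly ordered bypass and a wrongly ordered one.

```python
"""Cross-check RouterOS IPsec policies against srcnat bypass rules (added example)."""
import re

# Copied from the post's R_Shanghai output.
POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=10.2.1.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=default
priority=0
"""
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=10.2.1.0/24
log=no log-prefix=""
"""
# Constructed variants (not from the post): bypass above masquerade, and below it.
NAT_OK = """\
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.2.1.0/24 dst-address=192.168.10.0/24
1 chain=srcnat action=masquerade out-interface=ether1
"""
NAT_BAD_ORDER = """\
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1
1 chain=srcnat action=accept src-address=10.2.1.0/24 dst-address=192.168.10.0/24
"""

# "<index> [flag letters...] key=value ..."; continuation lines carry no index.
_RECORD_START = re.compile(r"^(\d+)\s+((?:[A-Z*]\s+)*)(\S+=.*)$")


def parse_print(text):
    """Turn RouterOS `print` output into a list of dicts with 'index' and 'flags'."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        m = _RECORD_START.match(line)
        if m:
            records.append({"index": int(m.group(1)), "flags": set(m.group(2).split())})
            body = m.group(3)
        elif records:
            body = line  # continuation of the previous record
        else:
            raise ValueError(f"continuation line before first record: {line}")
        for tok in body.split():
            key, _, value = tok.partition("=")
            records[-1][key] = value.strip('"')
    return records


def check_site(policy_text, nat_text):
    """Return findings for one router: bypass rule direction and ordering."""
    findings = []
    policies = [p for p in parse_print(policy_text)
                if not ({"T", "X"} & p["flags"]) and p.get("action") == "encrypt"]
    nat = [r for r in parse_print(nat_text)
           if r.get("chain") == "srcnat" and "X" not in r["flags"]]
    accepts = [r for r in nat if r.get("action") == "accept"]
    translating = [r for r in nat if r.get("action") in ("masquerade", "src-nat")]
    for pol in policies:
        src, dst = pol["src-address"], pol["dst-address"]
        pair = lambda r: (r.get("src-address"), r.get("dst-address"))
        exact = [r for r in accepts if pair(r) == (src, dst)]
        swapped = [r for r in accepts if pair(r) == (dst, src)]
        if exact:
            # A bypass only helps if it is evaluated before the rule that rewrites the source.
            for t in translating:
                if t["index"] < exact[0]["index"]:
                    findings.append(f"policy {pol['index']}: srcnat rule {t['index']} "
                                    f"({t['action']}) precedes accept rule {exact[0]['index']}")
        elif swapped:
            findings.append(f"policy {pol['index']}: accept rule {swapped[0]['index']} has "
                            f"src/dst reversed (expected src={src} dst={dst})")
        else:
            findings.append(f"policy {pol['index']}: no srcnat accept for src={src} dst={dst}")
        if not translating:
            findings.append(f"policy {pol['index']}: info, no enabled masquerade/src-nat rule, "
                            f"so srcnat cannot be rewriting {src} -> {dst} on this router")
    return findings


if __name__ == "__main__":
    for name, nat in (("post", NAT_PRINT), ("ok", NAT_OK), ("bad order", NAT_BAD_ORDER)):
        print(name, check_site(POLICY_PRINT, nat) or ["no findings"])
```

Run against the post's R_Shanghai output, the script reports that accept rule 0 lists `192.168.10.0/24 -> 10.2.1.0/24` while policy 1 encrypts `10.2.1.0/24 -> 192.168.10.0/24`, and also notes that no enabled masquerade rule exists there, so srcnat cannot be what rewrites the traffic on that router. The same check on the R_Beijing output would flag the same reversal; its masquerade rule is disabled, so the ordering check does not apply.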