AR3260 IPsec VPN is established successfully, but the devices on the two sides cannot ping each other
1. Topology: one router at headquarters; two branches each use an AR3260 as the egress device; IPsec VPNs are built between every pair of sites.
2. Headquarters has established IPsec VPNs with both branch ARs, and the internal user networks at those sites can communicate with each other.
3. The two AR3260s have established an IPsec VPN between themselves, but intranet users behind them cannot reach each other.
IPsec VPN configuration on the two AR3260s
AR3260-1
acl number 3000
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 permit ip
acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip
#
ipsec proposal To_HJJT
esp encryption-algorithm 3des
ipsec proposal To_WFZ_Office
esp encryption-algorithm 3des
#
ike proposal 5
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer To_WFZ_Office v1
pre-shared-key cipher %@%@y$87PFTzz*e(*YYHRn~J]'"-%@%@
ike-proposal 5
remote-address 61.184.89.252
ike peer To_HJJT v1
pre-shared-key cipher %@%@Q~62$UwSSV75)cGWD`DW]-M2%@%@
ike-proposal 5
remote-address 61.184.80.157
#
ipsec policy WFZ 10 isakmp
security acl 3001
ike-peer To_HJJT
proposal To_HJJT
ipsec policy WFZ 20 isakmp
security acl 3002
ike-peer To_WFZ_Office
proposal To_WFZ_Office
#
interface GigabitEthernet0/0/0
ip address 58.53.160.62 255.255.255.240
ipsec policy WFZ
combo-port auto
nat outbound 3000
AR3260-2
acl number 3000
rule 5 deny ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 10 deny ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 permit ip
acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 (local subnet) destination 10.82.0.0 0.0.255.255 (headquarters subnet)
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255 (the unreachable peer subnet)
rule 15 deny ip
#
ipsec proposal To_HJJT
esp encryption-algorithm 3des
ipsec proposal To_WFZ_Office
esp encryption-algorithm 3des
#
ike proposal 5
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer To_WFZ_Office v1
pre-shared-key cipher %@%@y$87PFTzz*e(*YYHRn~J]'"-%@%@
ike-proposal 5
remote-address 61.184.89.252
ike peer To_HJJT v1
pre-shared-key cipher %@%@Q~62$UwSSV75)cGWD`DW]-M2%@%@
ike-proposal 5
remote-address 61.184.80.157
#
ipsec policy WFZ 10 isakmp
security acl 3001
ike-peer To_HJJT
proposal To_HJJT
ipsec policy WFZ 20 isakmp
security acl 3002
ike-peer To_WFZ_Office
proposal To_WFZ_Office
#
interface GigabitEthernet0/0/0
ip address 58.53.160.62 255.255.255.240
ipsec policy WFZ
combo-port auto
nat outbound 3000
1. First check the SA information on both ends. Below is the IPsec SA from one end: all SAs have been established normally, so the IPsec tunnel itself is up.
<WFZ_DianChang_AR3260>dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
57 61.184.89.252 0 RD|ST 2
56 61.184.89.252 0 RD|ST 1
60 61.184.80.157 0 RD|ST 2
59 61.184.80.157 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
-----------------------------
IPSec policy name: "WFZ"
Sequence number : 20
Acl group : 3002
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 57
Encapsulation mode: Tunnel
Tunnel local : 58.53.160.62
Tunnel remote : 61.184.89.252
Flow source : 172.31.32.0/255.255.254.0 0/0
Flow destination : 172.31.34.0/255.255.255.0 0/0
Qos pre-classify : Disable
Qos group : -
[Outbound ESP SAs]
SPI: 960343579 (0x393dae1b)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2641
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 718339035 (0x2ad0fbdb)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2641
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
2. Check NAT: whether traffic to the destination subnet is being address-translated.
3. To rule out a host firewall on the internal PCs as the cause of the ping failure, the user was asked to ping the peer gateway address instead; it was still unreachable.
4. Review the configuration again: the IPsec VPNs are built with two entries (sequence numbers 10 and 20) of a single IPsec policy. Check the security ACLs again:
acl number 3001
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip
acl number 3002
rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip
Removing rule 15 deny ip from ACL 3001 allowed both sides to ping each other. Traffic from 172.31.32.0/23 to 172.31.34.0/24 is checked against the entries of policy WFZ in sequence order: it does not match rule 5 of ACL 3001 but does match its rule 15 deny ip, so entry 10 excludes it from IPsec protection before entry 20 (ACL 3002) is ever consulted.
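To make the matching order concrete, here is a small Python model (added for this write-up, not code from the case or from Huawei) of how the two entries of policy WFZ select or skip a flow, run with ACL 3001 before and after the fix. It assumes the semantics the fix implies: entries are tried by sequence number, a matching permit steers the flow into that entry's tunnel, a matching deny ends the search and the flow leaves unprotected, and no match falls through to the next entry; the host addresses 172.31.32.10 and 172.31.34.1 are constructed.

```python
import ipaddress
def wildcard_match(addr, base, wildcard):
    """Huawei/Cisco wildcard mask: bits set to 1 in the wildcard are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_acl(text):
    """'rule N permit|deny ip [source A W] [destination B W]' -> sorted (seq, action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["rule"]:
            continue
        src = dst = ("0.0.0.0", "255.255.255.255")  # omitted source/destination means any
        if "source" in tok:
            i = tok.index("source"); src = (tok[i + 1], tok[i + 2])
        if "destination" in tok:
            i = tok.index("destination"); dst = (tok[i + 1], tok[i + 2])
        rules.append((int(tok[1]), tok[2], src, dst))
    return sorted(rules)

def acl_action(rules, src, dst):
    """First matching rule wins; None when no rule matches."""
    for _, action, s, d in rules:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return None

def policy_group_lookup(entries, src, dst):
    """entries: [(seq, acl_rules, peer)] sharing one IPsec policy name. Modelled semantics
    (an assumption consistent with the case outcome): entries are tried in sequence order;
    permit selects that entry's tunnel, deny ends the search (flow goes out unprotected)."""
    for seq, rules, peer in sorted(entries, key=lambda e: e[0]):
        action = acl_action(rules, src, dst)
        if action == "permit":
            return ("ipsec", seq, peer)
        if action == "deny":
            return ("cleartext", seq, peer)
    return ("cleartext", None, None)
# Security ACLs of policy WFZ entries 10 and 20, copied from the page.
ACL_3001_BEFORE = """rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255
rule 15 deny ip"""
ACL_3001_AFTER = "rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 10.82.0.0 0.0.255.255"
ACL_3002 = """rule 5 permit ip source 172.31.32.0 0.0.1.255 destination 172.31.34.0 0.0.0.255
rule 15 deny ip"""

def branch_to_branch(acl_3001):
    """Fate of a ping from a branch-1 host to the branch-2 gateway (constructed host addresses)."""
    group = [(10, parse_acl(acl_3001), "To_HJJT"), (20, parse_acl(ACL_3002), "To_WFZ_Office")]
    return policy_group_lookup(group, "172.31.32.10", "172.31.34.1")
```

With the original ACL 3001 the lookup returns ("cleartext", 10, "To_HJJT"); with rule 15 removed it returns ("ipsec", 20, "To_WFZ_Office"). The page's own "Max sent sequence-number: 0" on the outbound SA of entry 20 is consistent with this: the SA was negotiated but no packets were ever steered into it.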