I configured a router that acts both as a site-to-site VPN endpoint and as a VPN server. The site-to-site VPN is already working, but the VPN server part has a problem. When I connect with the VPN Client I do get an IP address, but I cannot ping the LAN (I took the VPN IP pool from inside the LAN subnet). Below is my configuration; if you see anything wrong, please point it out:
Building configuration...
Current configuration : 1974 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn2611
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 password 0 cisco
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
ip ssh break-string
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 172.18.123.199 no-xauth
!
crypto isakmp client configuration group 3000client
key cisco123
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.123.199
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 172.18.124.159 255.255.255.0
serial restart-delay 0
crypto map clientmap
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
!
ip local pool ippool 10.10.10.100 10.10.10.200
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
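The symptom in the post (client gets an address but cannot reach the LAN) is the classic one for a dynamic crypto map without `reverse-route`: the router installs no route for the address it hands out, and because the pool was carved out of 10.10.10.0/24 the LAN hosts ARP for the client's address on FastEthernet0/0, where nobody answers. The following is an added example of how the remote-access part of the posted configuration would typically be reworked; it is not a reply from the thread and not the poster's own config. The pool subnet 10.10.30.0/24, the replacement password, and the assumption that LAN hosts use 10.10.10.1 as their default gateway are mine; the site-to-site entries are left exactly as posted.

```cisco
! Added example, not from the original post.
! Assumptions: LAN hosts default-gateway to 10.10.10.1; 10.10.30.0/24 is
! unused elsewhere in the network; the site-to-site map entries stay as posted.
!
! 1. Give the clients their own subnet instead of a slice of the LAN.
!    LAN hosts then send 10.10.30.x to the router (their gateway) instead of
!    ARPing for it on the wire.
no ip local pool ippool
ip local pool ippool 10.10.30.100 10.10.30.200
!
! 2. Reverse Route Injection: when a client connects, the router installs a
!    host route for the assigned address pointing at the crypto interface, so
!    return traffic is routed to Serial1/0 and encrypted. Without it nothing on
!    the router knows where 10.10.30.x lives. (If the pool is kept inside
!    10.10.10.0/24, this route is also what allows proxy ARP, on by default on
!    FastEthernet0/0, to answer for the client's address.)
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
! 3. Client group unchanged; it simply hands out the new pool.
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
! 4. Hygiene the posted config lacks: hash the local credential instead of
!    storing it as "password 0", hide other secrets in the saved config, and
!    turn off the plaintext HTTP server nobody mentioned needing.
!    (IOS refuses "secret" while a "password" is set, hence the removal first.)
no username cisco
username cisco privilege 15 secret Str0ngPassw0rd
service password-encryption
no ip http server
!
! Verification after a client connects:
!   show crypto isakmp sa     -> a QM_IDLE entry for the client's public address
!   show crypto ipsec sa      -> "#pkts encaps" and "#pkts decaps" both increase
!   show ip route static      -> a /32 route for the client's pool address (RRI)
!   from the client: ping 10.10.10.1, then ping a LAN host
```

If the `#pkts decaps` counter rises while `#pkts encaps` stays at zero, the router is receiving the client's pings but not sending replies back through the tunnel, which points at routing (the missing reverse route or a LAN host whose gateway is not 10.10.10.1) rather than at IKE or the transform set. Note that 3DES/MD5 and a shared key of `cisco123` are what the post uses and are kept here only so the example stays comparable to it; on a router that supports it, `encr aes` and `hash sha` in the ISAKMP policy and an `esp-aes esp-sha-hmac` transform set are the sensible replacements.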