access-list [outside_cryptomap] extended permit ip 192.168.1.0 255.255.255.0 object-group [DM_INLINE_NETWORK]
crypto map [outside_map 1] match address [outside_cryptomap]
With the configuration above, only one of 192.168.1.0/24 and 192.168.2.0/24 is reachable at a time. The timing at which it switches to "one or the other" is hard to pin down: it changes on reconnection, for example after the VPN is disconnected, and sometimes also when there has been no reconnection. The two are never reachable simultaneously. That said, since I never did figure out the access-list syntax and ended up configuring it through the GUI, there may be unnecessary settings in there. The VPN is IPsec only.

0027 ospf 2017/04/13 (Thu) 00:19:57.64 ID:???
>>26 Object group-based ACLs are not supported with IPsec.
First I tried the following access-lists, but it did not connect.

access-list [outside_cryptomap] extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list [outside_cryptomap] extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map [outside_map] 1 match address [vpn]
crypto map [outside_map] 1 set pfs
crypto map [outside_map] 1 set peer [RTX(1) global IP]
crypto map [outside_map] 1 set ikev1 transform-set [FirstSet]
crypto map [outside_map] 1 set reverse-route
crypto map [outside_map] interface [outside]

NAT exemption is then configured for each.
In this state, pinging server A from "LAN2, the one that does not connect" produces the following log:

402116||IPSEC: Received an ESP packet (SPI= 0x506FBD9F, sequence number= 0x45B) from [RTX(1) global IP] (user= [RTX(1) global IP]) to [ASA global IP]. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.10.10, its source as 192.168.2.10, and its protocol as icmp. The SA specifies its local proxy as 192.168.10.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.1.0/255.255.255.0/ip/0.

0033 YAMASA 2017/04/18 (Tue) 21:25:40.03 ID:???
Also, configuring it with a different seq as below gives almost the same log.

access-list [outside_cryptomap_1] extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map [outside_map] 1 match address [outside_cryptomap_1]
crypto map [outside_map] 1 set pfs
crypto map [outside_map] 1 set peer [RTX(1) global IP]
crypto map [outside_map] 1 set ikev1 transform-set [FirstSet]
crypto map [outside_map] 1 set reverse-route
crypto map [outside_map] interface [outside]
access-list [outside_cryptomap_2] extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map [outside_map] 2 match address [outside_cryptomap_2]
crypto map [outside_map] 2 set pfs
crypto map [outside_map] 2 set peer [RTX(1) global IP]
crypto map [outside_map] 2 set ikev1 transform-set [FirstSet]
crypto map [outside_map] 2 set reverse-route
crypto map [outside_map] interface [outside]
402116||IPSEC: Received an ESP packet (SPI= 0x0C398269, sequence number= 0x36) from [RTX(1) global IP] (user= [RTX(1) global IP]) to [ASA global IP]. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.10.10, its source as 192.168.2.10, and its protocol as icmp. The SA specifies its local proxy as 192.168.10.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.1.0/255.255.255.0/ip/0.
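The two 402116 events above say the same thing: an inner packet for 192.168.2.0/24 arrived inside the SA that was negotiated for the 192.168.10.0/24 to 192.168.1.0/24 proxy pair. Each ACE in an ASA crypto ACL is its own proxy-ID pair and therefore its own IPsec SA, so a flow can be permitted by the crypto ACL and still be dropped because it was sent through the wrong SA. The following Python checker is an added example, not code from the thread: it parses the crypto ACL and a 402116 line and reports whether the inner flow is permitted by a different ACE ("wrong-sa", the situation logged here) or by no ACE at all ("no-ace"). The ACL lines and the event are constructed to mirror the posted ones; the peer and ASA global IPs are documentation addresses standing in for the redacted values, and object-group ACEs are rejected rather than resolved.

```python
"""Added example, not from the thread: check an ASA 402116 "decapsulated inner
packet doesn't match the negotiated policy in the SA" event against the crypto
map ACL.  Each ACE in a crypto ACL is its own proxy-ID pair (its own IPsec SA),
so a flow can be permitted by the ACL yet still arrive inside the wrong SA.
The ACL lines and the event below are constructed to mirror the thread; the
peer/ASA global IPs are documentation addresses standing in for the redacted ones."""
import ipaddress
import re


def _addr_spec(tokens, i):
    """Parse one ACE address spec at tokens[i]; ASA uses real subnet masks, not
    IOS wildcards.  Returns (network, index of the next token)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("object", "object-group"):
        # Not resolved here: expand object/object-group ACEs to address/mask form first.
        raise ValueError(f"{tok} ACE at token {i}; expand it before analysis")
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return {acl_name: [(proto, local_net, remote_net), ...]}.
    In a crypto ACL the ACE source is the ASA's local proxy and the ACE
    destination is the remote (peer-side) proxy."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        if tokens[2:4] != ["extended", "permit"]:
            raise ValueError(f"unsupported ACE: {line}")
        local, i = _addr_spec(tokens, 5)
        remote, _ = _addr_spec(tokens, i)
        acls.setdefault(tokens[1], []).append((tokens[4], local, remote))
    return acls


_EVENT_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)\.\s+The SA specifies its local proxy as "
    r"(?P<lp>[\d.]+)/(?P<lm>[\d.]+)/\w+/\d+ and its remote_proxy as "
    r"(?P<rp>[\d.]+)/(?P<rm>[\d.]+)/\w+/\d+")


def parse_402116(line):
    """Pull the inner packet and the SA's proxy IDs out of a 402116 event line."""
    m = _EVENT_RE.search(line)
    if m is None:
        raise ValueError("not a 402116 inner-packet mismatch event")
    return {
        "src": ipaddress.ip_address(m["src"]),  # remote host, came through the tunnel
        "dst": ipaddress.ip_address(m["dst"]),  # local host behind the ASA
        "proto": m["proto"],
        "local_proxy": ipaddress.ip_network(f"{m['lp']}/{m['lm']}", strict=False),
        "remote_proxy": ipaddress.ip_network(f"{m['rp']}/{m['rm']}", strict=False),
    }


def diagnose(event, aces):
    """Return (verdict, ace).  'wrong-sa': another ACE permits the flow, so the
    peer sent it inside an SA negotiated for a different proxy pair.  'no-ace':
    nothing in the crypto ACL permits the flow at all."""
    local_host, remote_host = event["dst"], event["src"]  # inbound direction
    if local_host in event["local_proxy"] and remote_host in event["remote_proxy"]:
        return "sa-covers-flow", None  # the ASA would not log 402116 for this
    for ace in aces:
        proto, local_net, remote_net = ace
        if proto in ("ip", event["proto"]) and local_host in local_net and remote_host in remote_net:
            return "wrong-sa", ace
    return "no-ace", None


# Constructed sample input mirroring the posted config and log.
SAMPLE_ACL = """\
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
SAMPLE_EVENT = (
    "402116||IPSEC: Received an ESP packet (SPI= 0x506FBD9F, sequence number= 0x45B) "
    "from 203.0.113.1 (user= 203.0.113.1) to 198.51.100.1. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "192.168.10.10, its source as 192.168.2.10, and its protocol as icmp. The SA specifies "
    "its local proxy as 192.168.10.0/255.255.255.0/ip/0 and its remote_proxy as "
    "192.168.1.0/255.255.255.0/ip/0."
)


def check(acl_text=SAMPLE_ACL, event_line=SAMPLE_EVENT, acl_name="outside_cryptomap"):
    """Run the checker on one ACL and one event; returns (verdict, matching ace or None)."""
    event = parse_402116(event_line)
    return diagnose(event, parse_crypto_acl(acl_text)[acl_name])


if __name__ == "__main__":
    verdict, ace = check()
    print(verdict)
    if ace:
        print(f"flow is permitted by ACE {ace[0]} {ace[1]} -> {ace[2]}, "
              "but arrived inside the SA for a different proxy pair")
```

For the posted event the verdict is "wrong-sa" with the 192.168.10.0/24 to 192.168.2.0/24 ACE as the match, which points at the peer's choice of SA for that subnet rather than at the ASA's ACL; a "no-ace" verdict would instead mean the crypto ACL itself is missing the flow.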
interface GigabitEthernet0
 ip address 10.0.0.2 255.255.255.0
 no shut
--status from sh l2tp tunnel all--------------
On both the 891FJ and the 892J it shows:
Tunnel state is established, time since change **:**:**

0037 anonymous@182-166-196-234f1.hyg1.eonet.ne.jp 2017/04/19 (Wed) 00:59:26.16 ID:???
continued from >>36
■ xconnect configuration on the 891FJ's Vlan1 and the 892J's Fa8 ■■■■■■■■■■■■■■■
--891FJ----------------------------------------
l2tp-class L2TP_CLASS-TEST
pseudowire-class PW_CLASS-TEST
 encapsulation l2tpv3
 protocol l2tpv3 L2TP_CLASS-TEST
 ip local interface GigabitEthernet8
interface GigabitEthernet0
 ip address 10.0.0.2 255.255.255.0
 no shut
--status from sh l2tp tunnel all--------------
On both the 891FJ and the 892J it shows:
Tunnel state is Est-No-User, time since change **:**:**

0046 anonymous 2017/04/21 (Fri) 22:32:16.26 ID:???
Quite a difference for an editing mistake, but let's regroup and