ASA configuration:

ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto ipsec transform-set test esp-des esp-md5-hmac
ciscoasa(config)# crypto dynamic-map dymap 500 set transform-set test
ciscoasa(config)# crypto dynamic-map dymap 500 set reverse-route
ciscoasa(config)# crypto map mymap 500 ipsec-isakmp dynamic dymap
ciscoasa(config)# crypto map mymap interface outside
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp key cisco address 0.0.0.0 netmask 0.0.0.0

Configuration of the remote router (connected over ADSL):

R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 11.11.11.11
R1(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map mymap 1 ipsec-isakmp
R1(config-crypto-map)#set peer 11.11.11.11
R1(config-crypto-map)#set transform-set vpn
R1(config-crypto-map)#match address 102
R1(config-crypto-map)#exit
R1(config)#int f0/1
R1(config-if)#crypto map mymap
R1(config-if)#exit


After entering the configuration above, the VPN did not come up: sh crypto isakmp sa showed nothing, and with debug enabled on the ASA, pinging from a PC behind the inside interface produced no debug output at all. With no other option I pinged from the remote router instead, with debug running on the ASA, and this time output appeared:

Feb 15 12:43:50 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntry
Feb 15 12:44:00 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
Feb 15 12:44:00 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntry
Feb 15 12:44:10 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
Feb 15 12:44:10 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntry
Feb 15 12:44:20 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
Feb 15 12:44:20 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntry
Feb 15 12:44:30 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
Feb 15 12:44:30 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntry
Feb 15 12:44:40 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
Feb 15 12:44:40 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntr


The ASA kept repeating this debug message, and I could not find a solution on Cisco's website. Baidu turned up nothing either; Google finally led to a hint on a foreign technical forum (posted by a veteran, CCIE #1937), after which I searched further online and summarized

After entering isakmp key cisco address 0.0.0.0 netmask 0.0.0.0 on the ASA, sh run shows:

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *

Here L2L is used for site-to-site IPsec VPN negotiation, while RA is used for the aggressive-mode negotiation of remote-access IPsec VPN (such as Easy VPN), so what we need to define here is an L2L tunnel-group, namely:

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

Then the ACL for the interesting traffic was defined on the ASA and attached to the dynamic map:

ciscoasa(config)# access-list test extended permit ip 10.100.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ciscoasa(config)# crypto dynamic-map dymap 500 match address test
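As an added check that is not part of the original post: a small Python lint that reads show-run style excerpts of the two configurations above (constructed from this page, with the ASA side as it stood before the DefaultL2LGroup fix), confirms both peers propose the same phase-1 and phase-2 parameters, and flags what a reviewer would question: the DES/MD5/group 2 suite, the 0.0.0.0 wildcard pre-shared key, and the missing DefaultL2LGroup key that caused the failure described above. The weak-algorithm thresholds are my assumption.

```python
import re
# Constructed show-run style excerpts of the two configurations on this page
# (prompts removed; ASA side as it stood before the DefaultL2LGroup fix).
ASA_CFG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set test esp-des esp-md5-hmac
isakmp key cisco address 0.0.0.0 netmask 0.0.0.0
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""
ROUTER_CFG = """\
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 11.11.11.11
crypto ipsec transform-set vpn esp-des esp-md5-hmac
"""
# Assumed thresholds: DES/3DES, MD5 and DH groups below 2048 bits are flagged as weak.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def parse_isakmp_policy(cfg):
    """Attributes of the first 'crypto isakmp policy' block (its indented lines) as a dict."""
    block = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M)
    return dict(l.split(None, 1) for l in block.group(1).split("\n") if l.strip()) if block else {}
def transform_set(cfg):
    """Transforms of the first 'crypto ipsec transform-set' as a set, e.g. {'esp-des', ...}."""
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    return set(m.group(1).split()) if m else set()

def lint(asa_cfg, router_cfg):
    """Compare both peers' proposals and return the findings a reviewer would raise."""
    asa, rtr, findings = parse_isakmp_policy(asa_cfg), parse_isakmp_policy(router_cfg), []
    for k in ("encryption", "hash", "authentication", "group"):
        if asa.get(k) != rtr.get(k):
            findings.append(f"phase-1 mismatch on {k}: asa={asa.get(k)} router={rtr.get(k)}")
        if asa.get(k) in WEAK.get(k, ()):
            findings.append(f"weak phase-1 {k}: {asa[k]}")
    if transform_set(asa_cfg) != transform_set(router_cfg):
        findings.append("phase-2 transform-set mismatch")
    if re.search(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", asa_cfg, re.M):
        findings.append("wildcard PSK: any peer address may start IKE with this key")
    if "tunnel-group DefaultL2LGroup ipsec-attributes" not in asa_cfg:
        findings.append("no DefaultL2LGroup pre-shared-key: L2L main mode has no PSK to use")
    return findings
```

Running lint(ASA_CFG, ROUTER_CFG) on the page's configs reports no proposal mismatch but five findings, including the missing DefaultL2LGroup key; appending that tunnel-group to ASA_CFG clears that finding.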