• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

F1020&F100-C-G2 IPSEC VPN建立

2018-05-04提问
  • 1关注
  • 1收藏,1645浏览
粉丝:0人 关注:0人

问题描述:

F1020是IPSec VPN服务器端

F100-C-G2是IPSec VPN客户端

现在是ike阶段已ready,ipsec无法建立


组网及组网描述:

F1020(IPSec VPN服务器端  

外网口:ge1/0/16    122.119.15.241   

内网口:ge1/0/17    172.16.96.41

Lo10:172.16.97.41


F100-C-G2(IPSec VPN客户端  

外网口: ge1/0/6       59.173.61.178

内网口: ge1/0/7       172.16.132.65



最佳答案

粉丝:0人 关注:1人

acl 引流写的不对?

暂无评论

3 个回答

这个信息太少 需要debug来看

暂无评论

具体配置贴一下吧

暂无评论

粉丝:0人 关注:0人

F1020:

<HSY-3A3-F1020-VPNISD1A>disp cur # version 7.1.064, Release 9313P1901 # sysname HSY-3A3-F1020-VPNISD1A # context Admin id 1 # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # password-recovery enable # vlan 1 # object-group ip address CLINET 0 network subnet 172.16.132.0 255.255.255.0 1 network host address 59.173.61.178 # object-group ip address SERVER 0 network subnet 172.16.0.0 255.255.0.0 1 network host address 122.119.15.241 # object-group service ICMP 0 service icmp 10 service udp destination eq 500 # object-group service tcp_22 0 service tcp destination eq 22 # object-group service tcp_23 0 service tcp destination eq 23 # interface NULL0 # interface LoopBack10 ip address 172.16.97.41 255.255.255.0 # interface GigabitEthernet1/0/0 port link-mode route # interface GigabitEthernet1/0/1 port link-mode route # interface GigabitEthernet1/0/2 port link-mode route # interface GigabitEthernet1/0/3 port link-mode route # interface GigabitEthernet1/0/4 port link-mode route ip address 172.16.100.246 255.255.255.0 # interface GigabitEthernet1/0/5 port link-mode route # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/12 port link-mode route # interface GigabitEthernet1/0/13 port link-mode route # interface GigabitEthernet1/0/14 port link-mode route # interface GigabitEthernet1/0/15 port link-mode route # interface GigabitEthernet1/0/16 port link-mode route duplex full speed 1000 ip address 122.119.15.241 255.255.255.0 ipsec apply policy ipsecpolicy-test1 # interface GigabitEthernet1/0/17 port link-mode route ip address 172.16.96.41 255.255.255.0 # interface GigabitEthernet1/0/18 port link-mode route # interface GigabitEthernet1/0/19 port link-mode route # interface GigabitEthernet1/0/20 port link-mode route # interface GigabitEthernet1/0/21 port link-mode route # interface GigabitEthernet1/0/22 port link-mode route # interface GigabitEthernet1/0/23 port link-mode route # object-policy ip ICMP rule 0 pass service ICMP logging counting rule 2 pass service ipsec-esp logging counting rule 3 pass service ike # object-policy ip Local-Trust rule 0 pass service ICMP # object-policy ip Local-Untrust rule 0 pass service ICMP rule 5 pass service ike rule 10 pass service ipsec-esp rule 15 pass source-ip CLINET destination-ip SERVER # object-policy ip Trust-Local rule 0 pass service ICMP # object-policy ip Untrust-Local rule 0 pass service ICMP rule 5 pass service ike rule 10 pass service ipsec-esp rule 15 pass source-ip SERVER destination-ip CLINET # object-policy ip any-any rule 0 pass # object-policy ip cli-sev rule 0 pass source-ip CLINET destination-ip SERVER # object-policy ip sev-cli rule 0 pass source-ip SERVER destination-ip CLINET # security-zone name Local # security-zone name Trust import interface LoopBack10 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/16 # security-zone name Management import interface GigabitEthernet1/0/4 import interface GigabitEthernet1/0/17 # zone-pair security source Any destination Any object-policy apply ip any-any # zone-pair security source Local destination Trust object-policy apply ip Local-Trust # zone-pair security source Local destination Untrust object-policy apply ip Untrust-Local # zone-pair security source Trust destination Local object-policy apply ip Trust-Local # zone-pair security source Trust destination Trust object-policy apply ip any-any # zone-pair security source Trust destination Untrust object-policy apply ip sev-cli # zone-pair security source Untrust destination Local object-policy apply ip Untrust-Local # zone-pair security source Untrust destination Trust object-policy apply ip cli-sev # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 authentication-mode scheme user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.0.0 16 172.16.96.44 ip route-static 172.16.0.0 17 172.16.96.44 ip route-static 172.16.129.0 24 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.130.0 24 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.131.0 24 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.132.0 24 GigabitEthernet1/0/16 122.119.15.254 preference 10 ip route-static 172.16.133.0 24 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.134.0 24 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.135.0 24 GigabitEthernet1/0/16 122.119.15.254 ip route-static 172.16.136.0 24 GigabitEthernet1/0/16 122.119.15.254 # ssh server enable # acl advanced 3001 rule 1 permit ip source 172.16.0.0 0.0.127.255 destination 172.16.132.0 0.0.0.255 rule 2 permit ip source 172.16.97.0 0.0.0.255 destination 172.16.132.0 0.0.0.255 # acl advanced 3002 rule 0 permit ip source 172.16.0.0 0.0.255.255 rule 10 permit ip source 59.173.61.178 0 rule 15 permit ip destination 59.173.61.178 0 # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$/JQ2b/1dt6qUC3I0$Z+wlWbrYZ5Zngj/8IHyTc7NT8NGm27bAzI4yUKhWqkuWR9owqaSuQbSfE5X8Xwel2mOgSdLiHbzK4KAB7gPNmg== service-type ssh terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # ipsec transform-set ipsec-test1 esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 # ipsec policy ipsecpolicy-test1 1 isakmp transform-set ipsec-test1 security acl 3001 local-address 122.119.15.241 ike-profile ike-test1 # ike identity fqdn HSY-3A3-F1020-VPNISD1 # ike profile ike-test1 keychain keychain-test1 local-identity fqdn HSY-3A3-F1020-VPNISD1 match remote identity fqdn wuh_xa_vpn # ike keychain keychain-test1 pre-shared-key address 59.173.61.178 255.255.255.255 key cipher $c$3$E6yrOEma4Oos1LJI66KPkQmytSKiekEpq3PL0Q== # ip https enable # ips policy default # anti-virus policy default # return <HSY-3A3-F1020-VPNISD1A>ping -a 172.16.132.65 172.16.97.41 Ping 172.16.97.41 (172.16.97.41) from 172.16.132.65: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- Ping statistics for 172.16.97.41 --- 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss <HSY-3A3-F1020-VPNISD1A>disp ike sa Connection-ID Remote Flag DOI ------------------------------------------------------------------ 60 59.173.61.178 RD IPsec Flags: RD--READY RL--REPLACED FD-FADING RK-REKEY <HSY-3A3-F1020-VPNISD1A>disp ipsec sa


=====================================================

F100-C-G2: 

武汉客户端配置和排查命令: <WUH-F100C-XA1>dis cur # version 7.1.064, Release 9510P05 # sysname WUH-F100C-XA1 # context Admin id 1 # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # password-recovery enable # vlan 1 # object-group ip address CLINET 0 network subnet 172.16.132.0 255.255.255.0 1 network host address 59.173.61.178 # object-group ip address SERVER 0 network subnet 172.16.0.0 255.255.0.0 1 network host address 122.119.15.241 # object-group service ICMP 0 service icmp 10 service udp destination eq 500 # object-group service ipsec # object-group service tcp_22 0 service tcp destination eq 22 # object-group service tcp_23 0 service tcp destination eq 23 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route combo enable fiber ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route combo enable fiber # interface GigabitEthernet1/0/2 port link-mode route ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet1/0/3 port link-mode route # interface GigabitEthernet1/0/4 port link-mode route # interface GigabitEthernet1/0/5 port link-mode route # interface GigabitEthernet1/0/6 port link-mode route ip address 59.173.61.178 255.255.255.248 ipsec apply policy wuh_xa_vpn # interface GigabitEthernet1/0/7 port link-mode route ip address 172.16.132.65 255.255.255.0 # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # object-policy ip Local-Trust rule 0 pass service ICMP rule 5 pass service tcp_22 rule 10 pass service tcp_23 # object-policy ip Local-Untrust rule 0 pass service ipsec rule 5 pass service tcp_22 rule 10 pass service tcp_23 rule 15 pass service ike rule 20 pass service ipsec-esp rule 25 pass service ICMP counting rule 30 pass source-ip CLINET destination-ip SERVER # object-policy ip Trust-Local rule 0 pass service ICMP rule 5 pass service tcp_22 rule 10 pass service tcp_23 # object-policy ip Untrust-Local rule 0 pass service ICMP rule 15 pass service ike rule 20 pass service ipsec-esp rule 25 pass source-ip SERVER destination-ip CLINET # object-policy ip cli-sev rule 0 pass source-ip CLINET destination-ip SERVER # object-policy ip ipsec rule 2 pass service ike rule 2 append service ipsec-esp # object-policy ip sev-cli rule 0 pass source-ip SERVER destination-ip CLINET # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/7 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/6 # security-zone name Management import interface GigabitEthernet1/0/0 import interface GigabitEthernet1/0/2 # zone-pair security source Local destination Trust object-policy apply ip Local-Trust # zone-pair security source Local destination Untrust object-policy apply ip Local-Untrust # zone-pair security source Trust destination Local object-policy apply ip Trust-Local # zone-pair security source Trust destination Untrust object-policy apply ip cli-sev # zone-pair security source Untrust destination Local object-policy apply ip Untrust-Local # zone-pair security source Untrust destination Trust object-policy apply ip sev-cli # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 authentication-mode scheme user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 GigabitEthernet1/0/6 59.173.61.177 # ssh server enable # acl advanced 3001 rule 1 permit ip source 172.16.128.0 0.0.127.255 destination 172.16.0.0 0.0.127.255 rule 2 permit ip source 172.16.132.0 0.0.0.255 destination 172.16.0.0 0.0.255.255 # acl advanced 3002 rule 0 permit ip source 172.16.0.0 0.0.255.255 rule 5 permit ip destination 122.119.15.241 0 rule 10 permit ip source 122.119.15.241 0 rule 15 permit icmp counting rule 20 permit ip destination 172.16.0.0 0.0.255.255 # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$WKsxM6Za+wOJ73me$veauo4Vxnx43X+07cw9GgwxEqdVoFWlnMGuolLXCX/oTg656NmWiW1U+4dlQLZP9TgaeH/cnTsbefZYq7QlYhQ== service-type ssh telnet terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user ncc class manage password hash $h$6$QJL0nyotr5rmnFON$K46gX9u7FnmW/pM9sTe/CPfwp2+3Nxr5a+klRehL/XdLmkZGFzFUe4WVKR33f9Zeij+/UXtX2deZkf4TfvtNvA== service-type ssh telnet terminal authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # ipsec transform-set 1 esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 # ipsec policy wuh_xa_vpn 1 isakmp transform-set 1 security acl 3001 remote-address 122.119.15.241 ike-profile 1 # ike identity address 59.173.61.178 # ike profile 1 keychain keychain-test1 local-identity address 59.173.61.178 match remote identity address 122.119.15.241 255.255.255.255 match remote identity fqdn HSY-3A3-F1020-VPNISD1 # ike keychain keychain-test1 pre-shared-key address 122.119.15.241 255.255.255.255 key cipher $c$3$rvEAz+nLl/KG6ogIAl9Dgwbha8sOdsE7Y+zjUw== # ip https enable # return <WUH-F100C-XA1> <WUH-F100C-XA1> <WUH-F100C-XA1>ping -a 172.16.132.65 172.16.97.41 Ping 172.16.97.41 (172.16.97.41) from 172.16.132.65: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- Ping statistics for 172.16.97.41 --- 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss <WUH-F100C-XA1>dis ike sa Connection-ID Remote Flag DOI ------------------------------------------------------------------ 69 122.119.15.241 RD IPsec Flags: RD--READY RL--REPLACED FD-FADING RK-REKEY <WUH-F100C-XA1>dis ipsec sa <WUH-F100C-XA1>

暂无评论

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明