总部出口使用防火墙对接其他两个分支,两个分支使用路由器组网,使用ipsec主模式组网,使用以后发现分支1与总部通信正常,但是分支2的IKE SA和IPsec SA都建立了(dis ike sa 为 RD、dis ipsec sa 为 Active,总部侧对应分支2的出方向SA里 Max sent sequence-number 一直是0,入方向已收到报文)但是就是ping不通私网地址,检查了感兴趣流没有问题,具体配置如下,可以见附件,求大佬支招
总部配置
version 7.1.064, Release 9560P36
#
sysname FW-LYJ
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
dhcp enable
#
dns server 8.8.8.8
dns server 114.114.114.114
#
password-recovery enable
#
vlan 1
#
vlan 1000
#
dhcp server ip-pool 1000
gateway-list 10.1.1.254
network 10.1.1.0 mask 255.255.255.0
dns-list 114.114.114.114
#
ddns policy test
url oray://***.***
username donghunao
password cipher $c$3$q+VwY7pkYi9TvF0leUK/1c1rmIF+cok1j835Kem8
#
ddns policy test3
url oray://***.***
password cipher $c$3$y65ws1vMyYOumFF43DNx41ZqnVNbOj1HPzIS4sk8
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface Vlan-interface1
#
interface Vlan-interface1000
ip address 10.1.1.254 255.255.255.0
tcp mss 1280
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 220.168.150.11 255.255.255.0
nat outbound
nat server protocol tcp global 220.168.150.11 5236 inside 10.1.1.243 5236 rule ServerRule_9
nat server protocol tcp global 220.168.150.11 8066 inside 10.1.1.241 8066 rule ServerRule_5
nat server protocol tcp global 220.168.150.11 8067 inside 10.1.1.240 8067 rule ServerRule_3
nat server protocol tcp global 220.168.150.11 8068 inside 10.1.1.240 8068 rule ServerRule_2
nat server protocol tcp global 220.168.150.11 14443 inside 10.1.1.3 443 rule ServerRule_10
nat server protocol tcp global 220.168.150.11 55240 inside 10.1.1.240 22 rule ServerRule_4
nat server protocol tcp global 220.168.150.11 55241 inside 10.1.1.241 22 rule ServerRule_6
nat server protocol tcp global 220.168.150.11 55242 inside 10.1.1.242 22 rule ServerRule_7
nat server protocol tcp global 220.168.150.11 55243 inside 10.1.1.243 22 rule ServerRule_8
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
ddns apply policy test fqdn "***.*** "
ddns apply policy test3 fqdn ***.***
ipsec apply policy 1
ipsec no-nat-process enable
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 1000
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1000
import interface GigabitEthernet1/0/2 vlan 1000
import interface GigabitEthernet1/0/3 vlan 1000
import interface GigabitEthernet1/0/4 vlan 1000
import interface GigabitEthernet1/0/5 vlan 1000
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 220.168.150.254
#
performance-management
#
ssh server enable
#
arp ip-conflict log prompt
#
ntp-service enable
ntp-service source Vlan-interface1
#
acl advanced 3000
rule 6 deny ip source 10.1.1.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
rule 7 deny ip source 10.1.1.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
rule 10 permit ip
#
acl advanced name IPsec_1_IPv4_1
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
#
undo password-control blacklist all-line
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$5aT7nDkESkg7quE9$9XIQymFi3Ora4ugqkd9sIs9BXi1lKfs6t/P02yr90GSff2izns2Q0WymCzy8ezruzBhyoEUg7ienYjlo9+dMCA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set 1_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
pfs dh-group1
#
ipsec policy 1 1 isakmp
transform-set 1_IPv4_1
security acl name IPsec_1_IPv4_1
local-address 220.168.150.11
remote-address ***.***
ike-profile 1_IPv4_1
sa trigger-mode auto
#
ipsec policy 1 3 isakmp
transform-set 1_IPv4_1
security acl name IPsec_1_IPv4_1
local-address 220.168.150.11
remote-address ***.***
ike-profile 3
sa trigger-mode auto
#
ike profile 3
keychain 3
local-identity fqdn zx
match remote identity fqdn fz3
proposal 1
#
ike profile 1_IPv4_1
keychain 1_IPv4_1
local-identity fqdn zx
match remote identity fqdn fz
proposal 1
#
ike proposal 1
#
ike keychain 3
pre-shared-key address 175.4.101.172 255.255.255.255 key cipher $c$3$LWRmZ5kGwWohdbCJTHwBdL0vKmWx48czag==
#
ike keychain 1_IPv4_1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$lZDr59GfVYGEPBooEFrVa6F29mVTNqWs9A==
#
ip https port 8800
ip https enable
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
security-policy ip
rule 0 name 1
action pass
rule 2 name IPsec_donghunao_1_20240113160748_IN
action pass
destination-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
rule 1 name IPsec_donghunao_1_20240113155521_IN
action pass
destination-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return
[FW-LYJ] dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
2851 175.4.101.172/500 RD IPsec
2852 175.4.101.157/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[FW-LYJ]dis ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 1
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group1
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 220.168.150.11
remote address: 175.4.101.157
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.10.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2997064320 (0xb2a39280)
Connection ID: 61645665599491
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1465766/3489
Max received sequence-number: 344181
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2232953870 (0x85182c0e)
Connection ID: 8129844810350593
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1837287/3489
Max sent sequence-number: 87856
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 1
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group1
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 220.168.150.11
remote address: 175.4.101.157
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.10.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1559447314 (0x5cf34712)
Connection ID: 45943265165318
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 368284/3053
Max received sequence-number: 1345197
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 149360580 (0x08e70fc4)
Connection ID: 52497385259008
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1820022/3053
Max sent sequence-number: 344586
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: 1
Sequence number: 3
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group1
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 220.168.150.11
remote address: 175.4.101.172
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.30.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3509755609 (0xd1329ed9)
Connection ID: 59850369269762
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3057
Max received sequence-number: 10
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3697056526 (0xdc5c9b0e)
Connection ID: 52523155062788
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3057
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
Status: Active
分部1配置如下:
<DHN>dis ike sa
Connection-ID Local Remote Flag DOI
-------------------------------------------------------------------------
257 175.4.101.157 220.168.150.11 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<DHN>dis ips
<DHN>dis ipsec sa
-------------------------------
Interface: Dialer0
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 65535
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group1
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1420
Tunnel:
local address: 175.4.101.157
remote address: 220.168.150.11
Flow:
sour addr: 172.16.10.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3313794379 (0xc5847d4b)
Connection ID: 29003914149890
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1831690/3367
Max received sequence-number: 171286
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2473439473 (0x936db0f1)
Connection ID: 29003914149891
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1112458/3367
Max sent sequence-number: 666814
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: 1
Sequence number: 65535
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group1
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1420
Tunnel:
local address: 175.4.101.157
remote address: 220.168.150.11
Flow:
sour addr: 172.16.10.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 149360580 (0x08e70fc4)
Connection ID: 14246406520836
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1842364/3585
Max received sequence-number: 12405
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 1559447314 (0x5cf34712)
Connection ID: 14246406520837
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1787446/3585
Max sent sequence-number: 50490
UDP encapsulation used for NAT traversal: N
Status: Active
<DHN>
<DHN>
<DHN>ping -a 172.16.10.1 10.1.1.254
Ping 10.1.1.254 (10.1.1.254) from 172.16.10.1: 56 data bytes, press CTRL+C to break
56 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=7.264 ms
56 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=7.528 ms
56 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=5.594 ms
56 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=8.042 ms
56 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=6.288 ms
--- Ping statistics for 10.1.1.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.594/6.943/8.042/0.883 ms
<DHN>
<DHN>
<DHN>dis cu
#
version 7.1.064, Release 0821P18
#
sysname DHN
#
wlan global-configuration
#
telnet server enable
#
dialer-group 1 rule ip permit
#
ip load-sharing mode per-flow src-ip global
#
dhcp enable
dhcp server forbidden-ip 172.16.10.1
dhcp server always-broadcast
#
dns server 114.114.114.114
dns server 119.29.29.29
dns server 223.5.5.5
#
system-working-mode standard
password-recovery enable
#
vlan 1
#
vlan 10
#
dhcp server ip-pool 10
gateway-list 172.16.10.1
network 172.16.10.0 mask 255.255.255.0
dns-list 114.114.114.114
#
ddns policy WAN0(GE0/0)
url oray://***.***
username donghunao
password cipher $c$3$IUeaRi2w1JgJGGun860LuOSN+GZWMx5JYk2T3Ia1
interval 0 0 1
#
interface Dialer0
mtu 1492
ppp chap password cipher $c$3$gSdugs23k0pfDjTxP293O7HwHX/GWZO3Ay+7
ppp chap user 073700000821582
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 073700000821582 password cipher $c$3$agB90l6V+5ZwlfMfFDN+EBdY5wqAefO0dGb/
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1280
nat outbound 3001
ddns apply policy WAN0(GE0/0) fqdn ***.***
ipsec apply policy 1
#
interface Dialer1
#
interface Dialer2
#
interface Dialer3
#
interface Dialer4
#
interface Dialer5
#
interface Dialer6
#
interface Dialer7
#
interface Dialer8
#
interface Dialer1023
#
interface Virtual-Template0
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface10
ip address 172.16.10.1 255.255.255.0
#
interface GigabitEthernet0/0
port link-mode route
description Single_Line1
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/3
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/4
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/5
port link-mode bridge
port access vlan 10
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role level-15
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0
#
info-center loghost 127.0.0.1 port 3301
info-center source CFGLOG loghost level informational
#
performance-management
#
ssh server enable
#
acl advanced 3000
rule 10 permit ip source 172.16.10.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$eFniAKr35Glqd/3h$14W0KkRqQrs8r2IbJ91iC0x0EsksQAM6RJ+lWfg4wfBK50lcGmXHMxS1FmICbJ7sdF2TPOGSwSpBL5ZSMENALg==
service-type ssh telnet http https
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
#
ipsec transform-set 1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
pfs dh-group1
#
ipsec policy 1 65535 isakmp
transform-set 1
security acl 3000
remote-address 220.168.150.11
ike-profile 1
sa duration time-based 3600
sa duration traffic-based 1843200
#
ike identity fqdn ER
#
ike profile 1
keychain 1
local-identity fqdn fz
match remote identity fqdn zx
proposal 65535
#
ike proposal 65535
#
ike keychain 1
pre-shared-key address 220.168.150.11 255.255.255.255 key cipher $c$3$sUmavLkCam6KOqjlb2PLO4KNpM+gU3VDVA==
出问题的分部2的配置如下
<SiHuShang>dis cu
#
version 7.1.064, Release 0707P16
#
sysname SiHuShang
#
ip load-sharing mode per-flow src-ip global
#
dhcp enable
dhcp server forbidden-ip 172.16.30.1
dhcp server always-broadcast
#
dns proxy enable
dns server 114.114.114.114
dns server 119.29.29.29
dns server 223.5.5.5
#
sysid SiHuShang
#
password-recovery enable
#
vlan 1
#
vlan 30
#
dhcp server ip-pool 30
gateway-list 172.16.30.1
network 172.16.30.0 mask 255.255.255.0
dns-list 114.114.114.114
#
ddns policy WAN0(GE0/0)
url oray://***.***
username sihusan
password cipher $c$3$H+8J70wEXZ0DjurO8hXzgXYebrcWG9+iu42+XXHw
interval 0 0 1
#
interface Dialer0
mtu 1492
ppp chap password cipher $c$3$EjIY+/Et4w7jebeA005vebaTS1JwVPV2Kfue
ppp chap user 073700000814213
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 073700000814213 password cipher $c$3$/d2on7EU/ctvrNtzrxunnbkUXz2TXnRbhjYW
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1280
nat outbound 3001
ddns apply policy WAN0(GE0/0) fqdn ***.***
ipsec apply policy 1
#
interface Dialer1
#
interface Dialer2
#
interface Dialer3
#
interface Dialer4
#
interface Dialer5
#
interface Dialer6
#
interface Dialer7
#
interface Dialer8
#
interface Dialer1023
#
interface NULL0
#
interface Vlan-interface30
ip address 172.16.30.1 255.255.255.0
#
interface GigabitEthernet0/0
port link-mode route
description Single_Line1
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
port access vlan 30
#
interface GigabitEthernet0/3
port link-mode bridge
port access vlan 30
#
interface GigabitEthernet0/4
port link-mode bridge
port access vlan 30
#
interface GigabitEthernet0/5
port link-mode bridge
port access vlan 30
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role level-15
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0
#
ssh server enable
#
acl advanced 3000
rule 10 permit ip source 172.16.30.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
password-control complexity user-name check
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type ssh telnet http https
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
#
ipsec transform-set 1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
pfs dh-group1
#
ipsec policy 1 65535 isakmp
transform-set 1
security acl 3000
remote-address 220.168.150.11
ike-profile 1
sa duration time-based 3600
sa duration traffic-based 1843200
#
ike identity fqdn ER3
#
ike profile 1
keychain 1
local-identity fqdn fz3
match remote identity fqdn zx
proposal 65535
#
ike proposal 65535
#
ike keychain 1
pre-shared-key address 220.168.150.11 255.255.255.255 key cipher $c$3$/I822m46phaKpCHiHO/wPFriY2D2N7qARA==
#
检查下安全策略,配置下保持上一跳功能
安全策略是any到any,保持上一跳开了也不通
对端的安全策略
对端的安全策略