问

msr3620 配置ipsec问题

IPSec VPN

2024-11-11提问

1关注
0收藏，172浏览

zhiliao_0Csohg

zhiliao_0Csohg 零段

粉丝：0人关注：0人

问题描述：

ipsec显示建立成功，但无法ping通对方主机

组网及组网描述：

# version 7.1.064, Release 6749P2108 # sysname H3C # clock timezone Beijing add 08:00:00 clock protocol none # wlan global-configuration # telnet server enable # ip pool l2tp111 100.100.10.10 100.100.10.200 # dhcp enable dhcp server always-broadcast # dns proxy enable # system-working-mode standard password-recovery enable # vlan 1 # dhcp server ip-pool GigabitEthernet0/1 gateway-list 192.168.1.1 network 192.168.0.0 mask 255.255.252.0 address range 192.168.0.2 192.168.3.254 dns-list 114.114.114.114 # dhcp server ip-pool GigabitEthernet0/2 gateway-list 192.168.10.1 network 192.168.8.0 mask 255.255.248.0 address range 192.168.10.2 192.168.15.254 dns-list 114.114.114.114 # dhcp server ip-pool lan1 gateway-list 100.100.1.1 network 100.100.0.0 mask 255.255.254.0 address range 100.100.1.1 100.100.1.254 dns-list 114.114.114.114 # controller Cellular0/0 # interface Virtual-PPP0 ppp chap password cipher $c$3$E8fV/ADYf0GSP39U+MdMm1oMreaGevuK9RQ5 ppp chap user zongbu ip address ppp-negotiate l2tp-auto-client l2tp-group 2 # interface Virtual-Template0 # interface Virtual-Template1 ppp authentication-mode chap remote address pool l2tp111 ip address 100.100.10.2 255.255.255.0 # interface NULL0 # interface GigabitEthernet0/0 port link-mode route combo enable copper ip address 100.100.1.1 255.255.254.0 tcp mss 1280 # interface GigabitEthernet0/1 port link-mode route combo enable copper ip address 192.168.1.1 255.255.252.0 # interface GigabitEthernet0/2 port link-mode route combo enable fiber ip address 192.168.10.1 255.255.248.0 # interface GigabitEthernet0/3 port link-mode route combo enable copper # interface GigabitEthernet0/4 port link-mode route # interface GigabitEthernet0/5 port link-mode route description Multiple_Line ip address 39.170.26.42 255.255.255.252 dns server 211.140.13.188 dns server 211.140.188.188 nat outbound nat outbound 3112 nat server protocol tcp global current-interface 8000 inside 192.168.1.252 8000 ipsec apply policy 123 # scheduler logfile size 16 # line class console user-role network-admin # line class tty user-role network-operator # line class vty user-role network-operator # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-operator # ip route-static 0.0.0.0 0 GigabitEthernet0/5 39.170.26.41 ip route-static 120.199.1.218 32 39.170.26.42 ip route-static 192.168.100.0 22 39.170.26.42 # performance-management # acl advanced 3010 rule 0 permit icmp source 192.168.10.128 0 destination 192.168.100.27 0 rule 5 permit icmp source 192.168.100.27 0 destination 192.168.10.128 0 # acl advanced 3111 rule 0 permit ip source 192.168.8.0 0.0.7.255 destination 192.168.100.0 0.0.3.255 # acl advanced 3112 rule 0 deny ip source 192.168.8.0 0.0.7.255 destination 192.168.100.0 0.0.3.255 rule 5 permit ip # password-control enable undo password-control aging enable undo password-control history enable password-control length 6 password-control login-attempt 3 exceed lock-time 10 password-control update-interval 0 password-control login idle-time 0 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage service-type ftp service-type ssh telnet terminal http https authorization-attribute user-role network-admin # local-user test class network password cipher $c$3$fh42RxBzJcb1DYGkMZ80z2Mpnhnku04= access-limit 10 service-type ppp authorization-attribute user-role network-operator # local-user zengming class network password cipher $c$3$ZMDEhXRaL10DJ//g/USpU+8LpXxUYhYCIiho access-limit 10 service-type ppp authorization-attribute user-role network-operator # local-user zongbumes class network password cipher $c$3$xr6TZxsrbsUGS7y5MOSlLMRicvRV6E77tus= access-limit 100 service-type ppp authorization-attribute user-role network-operator description mes # security-enhanced level 1 # ssl version gm-tls1.1 disable undo ssl renegotiation disable undo ssl version ssl3.0 disable undo ssl version tls1.0 disable undo ssl version tls1.1 disable undo ssl version tls1.2 disable undo ssl version tls1.3 disable # ipsec transform-set 123 esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 # ipsec policy 123 65535 isakmp transform-set 123 security acl 3111 remote-address 120.199.1.218 ike-profile 123 sa duration time-based 3600 sa duration traffic-based 1843200 # l2tp-group 2 mode lac lns-ip 120.199.1.218 122.224.130.148 undo tunnel authentication tunnel name gongchang # l2tp-group 111 mode lns allow l2tp virtual-template 1 remote kehuduan undo tunnel authentication tunnel name kehu # ike profile 123 keychain 123 local-identity address 39.170.26.42 match remote identity address 120.199.1.218 255.255.255.255 proposal 65535 # ike keychain 123 pre-shared-key address 120.199.1.218 255.255.255.255 key cipher $c$3$3cQQutk35tXRN3qtUTgs4tiwnO/PwkASqGT5BKQq # ip http port 8899 ip https port 4433 ip http enable # wlan ap-group default-group priority 7 vlan 1 # return