H3C工程师,你好:我有一台H3C防火墙F1000-AK110,正在尝试配置L2TP VPN,但客户端一直拨号失败,提示错误788。L2TP拨号后分配的IP地址范围为192.168.225.100-192.168.225.200。以下是当前配置,请问应如何修改?谢谢。
#
# Global settings: software release, hostname, clock source, the "management" VPN instance,
# IRF defaults, the dial-in address pool, the NAT address group, DNS servers and VLAN 1.
version 7.1.064, Release 9510P05
#
sysname H3C
#
clock timezone Beijing add 08:00:00
clock protocol ntp context 1
#
context Admin id 1
#
# VPN instance "management"; GigabitEthernet1/0/0 and GigabitEthernet1/0/2 are bound to it below.
ip vpn-instance management
route-distinguisher 1000000000:1
vpn-target 1000000000:1 import-extcommunity
vpn-target 1000000000:1 export-extcommunity
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
# Address pool for dial-in PPP users. Virtual-Template1 references it with
# "remote address pool aaa" and holds the gateway address 192.168.225.1 itself.
ip pool aaa 192.168.225.100 192.168.225.200
ip pool aaa gateway 192.168.225.1
#
# One-address NAT group; the address is the same public address configured on GigabitEthernet1/0/3.
nat address-group 1
address 120.86.190.226 120.86.190.226
#
dns server 168.95.1.1
dns server 116.116.116.116
#
# NOTE(review): password recovery capability is left on. On Comware this generally lets a person
# with console access during boot get past the configured passwords - confirm that physical and
# console access to the unit is controlled, or disable it if policy requires.
password-recovery enable
#
vlan 1
#
# PPP template used for L2TP sessions (l2tp-group 1 carries "allow l2tp virtual-template 1").
# It is the gateway 192.168.225.1/24 for the dial-in users and assigns them addresses from pool "aaa".
# NOTE(review): CHAP authentication is directed to ISP domain "sys", but the only domain defined
# in this listing is "system" ("authentication ppp local"). Unless a domain named "sys" exists
# outside what is shown, PPP users have no matching authentication domain - confirm and make the
# two names agree.
interface Virtual-Template1
ppp authentication-mode chap domain sys
remote address pool aaa
ip address 192.168.225.1 255.255.255.0
#
# NULL0 plus the first three routed ports.
# GigabitEthernet1/0/0 (192.168.0.1/24) and GigabitEthernet1/0/2 (192.168.1.1/24) are bound to the
# "management" VPN instance and are the members of the Management security zone further down.
# GigabitEthernet1/0/1 is routed but has no address.
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable fiber
ip binding vpn-instance management
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip binding vpn-instance management
ip address 192.168.1.1 255.255.255.0
#
# Internet-facing port (member of the Untrust zone): public address 120.86.190.226/29, outbound
# NAT selected by ACL 3000, static port forwards to the internal host 192.168.222.5, and the
# IPsec policy "GE1/0/3".
# The forwards publish TCP 25, 80, 88, 110, 143, 465, 888, 995 and 8888 on the public address.
# Because the Untrust-Trust object policy is a bare "pass", nothing else limits who can reach
# them; keep the list to services that have to be public.
interface GigabitEthernet1/0/3
port link-mode route
ip address 120.86.190.226 255.255.255.248
nat outbound 3000
nat server protocol tcp global 120.86.190.226 25 inside 192.168.222.5 25
nat server protocol tcp global 120.86.190.226 80 inside 192.168.222.5 80
nat server protocol tcp global 120.86.190.226 88 inside 192.168.222.5 88
nat server protocol tcp global 120.86.190.226 110 inside 192.168.222.5 110
nat server protocol tcp global 120.86.190.226 143 inside 192.168.222.5 143
# NOTE(review): global port 465 is mapped to inside port 146, while every other entry keeps the
# port number unchanged - looks like a typo for 465; confirm.
nat server protocol tcp global 120.86.190.226 465 inside 192.168.222.5 146
nat server protocol tcp global 120.86.190.226 888 inside 192.168.222.5 888
nat server protocol tcp global 120.86.190.226 995 inside 192.168.222.5 995
nat server protocol tcp global 120.86.190.226 8888 inside 192.168.222.5 8888
# The only IPsec policy on this port is the fixed-peer entry for 211.23.27.139 defined later.
ipsec apply policy GE1/0/3
#
# Remaining ports. GigabitEthernet1/0/4 to 1/0/7 are routed with no address configured.
# GigabitEthernet1/0/11 is the inside gateway 192.168.222.1/24 with NAT hairpin enabled, which
# goes with the "nat server" entries on GigabitEthernet1/0/3 that point at 192.168.222.5.
# GigabitEthernet1/0/8 to 1/0/10 run in bridge mode and join the Trust zone in VLAN 1.
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
ip address 192.168.222.1 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/8
port link-mode bridge
#
interface GigabitEthernet1/0/9
port link-mode bridge
#
interface GigabitEthernet1/0/10
port link-mode bridge
#
# Object policies, one per zone pair defined below. Each consists of a single rule 0 "pass" with
# no source, destination or service condition, so each permits all IPv4 traffic for the zone pair
# it is applied to; "counting" only adds match statistics.
# NOTE(review): Untrust-Local and Untrust-Trust are therefore unrestricted from the Internet side,
# including access to the firewall's own SSH and HTTPS services. Replacing them with rules that
# name the required services and sources is the usual hardening step.
object-policy ip Local-Trust
rule 0 pass counting
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Trust-Local
rule 0 pass counting
#
object-policy ip Trust-Trust
rule 0 pass counting
#
object-policy ip Trust-Untrust
rule 0 pass counting
#
object-policy ip Untrust-Local
rule 0 pass counting
#
object-policy ip Untrust-Trust
rule 0 pass
#
# Security zone membership. Trust holds the inside ports, Untrust holds the Internet port and the
# L2TP virtual template, Management holds the two ports bound to the management VPN instance;
# Local and DMZ have no members listed.
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/11
import interface GigabitEthernet1/0/8 vlan 1
import interface GigabitEthernet1/0/9 vlan 1
import interface GigabitEthernet1/0/10 vlan 1
#
security-zone name DMZ
#
# NOTE(review): Virtual-Template1 shares the Untrust zone with the WAN port, so authenticated VPN
# users and arbitrary Internet hosts are governed by the same zone-pair policies. A dedicated
# zone for the virtual template would let the two be treated differently.
security-zone name Untrust
import interface GigabitEthernet1/0/3
import interface Virtual-Template1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
# Zone-pair bindings: each pair applies the object policy of the same name.
# Any -> Any and Trust -> Untrust additionally apply ACL 3000 as a packet filter.
# NOTE(review): ACL 3000 ends with "rule 1000 permit ip", so on Any -> Any it permits everything
# its four deny rules do not match. How this interacts with the more specific zone pairs depends
# on the platform's matching order - confirm on this release before relying on it.
zone-pair security source Any destination Any
packet-filter 3000
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
#
zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
packet-filter 3000
#
# The two pairs below admit traffic arriving from the Untrust zone (Internet and dial-in users)
# to the firewall itself and to the inside network; both policies are a bare "pass".
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
# Scheduler log size and the user-line settings for aux, console and VTY access.
# The VTY lines (0-63) use "authentication-mode scheme", i.e. logins are checked against the
# local-user / AAA configuration rather than a line password.
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
# NOTE(review): no authentication-mode line is shown for aux 0 or con 0, while both carry the
# network-admin role - check what the default authentication is for these lines on this release.
line aux 0
user-role network-admin
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
#
# Static routes and the SSH server switch.
# Default route: next hop 120.86.190.230, inside the /29 configured on GigabitEthernet1/0/3.
ip route-static 0.0.0.0 0 120.86.190.230 preference 100
# NOTE(review): the next two routes leave through the Internet port GigabitEthernet1/0/3 but name
# next hops in 192.168.222.0/24, which is the subnet directly connected on GigabitEthernet1/0/11.
# The second one also covers that connected subnet itself. Presumably these were meant to steer
# traffic into the IPsec tunnel - confirm they are intended.
ip route-static 192.168.1.0 24 GigabitEthernet1/0/3 192.168.222.254
ip route-static 192.168.222.0 24 GigabitEthernet1/0/3 192.168.222.3
# NOTE(review): the next hop 192.168.222.1 is this device's own address on GigabitEthernet1/0/11.
ip route-static 192.168.223.0 24 192.168.222.1
#
# SSH management is enabled; with the Untrust-Local policy set to "pass" it is not limited to
# inside sources by anything shown in this listing.
ssh server enable
#
# ACL 3000 is referenced three times in this configuration: "nat outbound 3000" on
# GigabitEthernet1/0/3 and "packet-filter 3000" on the Any -> Any and Trust -> Untrust zone pairs.
# It denies two inside hosts as source and two subnets as destination, then permits everything.
acl advanced 3000
rule 0 deny ip source 192.168.222.4 0
rule 1 deny ip source 192.168.222.99 0
rule 3 deny ip destination 192.168.223.0 0.0.0.255
rule 4 deny ip destination 192.168.32.0 0.0.0.255
rule 1000 permit ip
#
# Traffic selector for the IPsec policy on GigabitEthernet1/0/3.
# Rules 1 and 2 cover traffic between 192.168.223.0/24 and 192.168.222.0/24 in both directions.
# NOTE(review): rules 5 and 6 match any traffic from or to 192.168.222.0/24 regardless of the
# other end, which is much wider than the site-to-site pair above - confirm they are needed,
# since they select all of the inside subnet's traffic for IPsec protection.
acl advanced name IPsec_GE1/0/3_IPv4_1
rule 1 permit ip source 192.168.223.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
rule 2 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.223.0 0.0.0.255
rule 5 permit ip source 192.168.222.0 0.0.0.255
rule 6 permit ip destination 192.168.222.0 0.0.0.255
#
# ISP domain "system": PPP users are authenticated against the local user database.
# It is also the default domain ("domain default enable system").
# NOTE(review): Virtual-Template1 sends CHAP authentication to a domain called "sys", which is not
# defined anywhere in this listing; this domain is the only one with PPP authentication set up.
domain system
authentication ppp local
#
# Per-service limits on concurrent AAA sessions.
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
# Role entries level-0 through level-14. Each carries only its "Predefined level-N role"
# description; no rules are added to any of them in this listing.
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
# Local accounts.
# "admin" is a management user allowed over SSH, terminal and HTTPS with the network-admin role.
# "howard" is a network-access user limited to the PPP service - presumably the L2TP dial-in account.
# NOTE(review): this listing was published with the admin password hash and the cipher-form PPP
# password intact. Cipher-form values are stored encrypted rather than hashed, so both secrets
# should be treated as disclosed and changed, and such lines redacted before a configuration is
# shared.
user-group system
#
local-user admin class manage
password hash $h$6$JWTG5tpLQf3Um1Ex$YD2djBrihLD60wwC0a9JX3fO2scsByYWkaZcm3yITKgwh+hvGCX+rpE6A/fT1o6JZ+gyv5ubg+mecEgJjbpxGw==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user howard class network
password cipher $c$3$PP9xx8Mwhb+mNh+uwHr4IFjcCs7vdZwriIUd
service-type ppp
authorization-attribute user-role network-operator
#
# IPsec settings for the site-to-site tunnel between 120.86.190.226 and 211.23.27.139.
ipsec sa global-duration time-based 86400
#
# NOTE(review): the transform set uses DES-CBC encryption, MD5 authentication and PFS with DH
# group 1. All three are long deprecated and far weaker than the group14 / sha256 used by the IKE
# proposal in this same configuration. Moving to AES with a SHA-2 HMAC and PFS group 14 or higher
# is the expected fix, provided the remote peer is changed to match.
ipsec transform-set GE1/0/3_IPv4_1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
pfs dh-group1
#
# Policy entry 1 is tied to one fixed peer (remote-address 211.23.27.139) and to the IKE profile
# that matches only that address, so it does not cover dial-in clients arriving from other
# addresses.
ipsec policy GE1/0/3 1 isakmp
transform-set GE1/0/3_IPv4_1
security acl name IPsec_GE1/0/3_IPv4_1
local-address 120.86.190.226
remote-address 211.23.27.139
ike-profile GE1/0/3_IPv4_1
sa duration time-based 43200
sa idle-time 86400
#
# L2TP network server (LNS) group: accepts L2TP tunnels onto Virtual-Template1 under the local
# tunnel name "LNS", and turns the L2TP service on.
# NOTE(review): "undo tunnel authentication" disables L2TP tunnel authentication, so the PPP CHAP
# exchange is the only credential check on a dial-in session.
# NOTE(review): the error 788 reported by the poster is, on Windows clients, the message that the
# L2TP security layer (IPsec) could not negotiate with the remote side. Nothing in this listing
# offers IPsec to dial-in clients: the only IPsec policy and IKE profile are pinned to peer
# 211.23.27.139. L2TP by itself does not encrypt the session, so adding an IPsec policy for the
# dial-in peers is preferable to switching IPsec off on the client.
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name LNS
#
l2tp enable
#
# IKE profile, proposal and keychain for the site-to-site peer 211.23.27.139.
# The profile matches only that one remote identity (mask 255.255.255.255) on GigabitEthernet1/0/3.
ike profile GE1/0/3_IPv4_1
keychain GE1/0/3_IPv4_1
local-identity address 120.86.190.226
match remote identity address 211.23.27.139 255.255.255.255
match local address GigabitEthernet1/0/3
proposal 65535
#
# NOTE(review): the proposal sets DH group 14 and SHA-256 but shows no encryption-algorithm line,
# so the platform default applies - check it with "display ike proposal" and set a strong cipher
# explicitly if the default is a legacy one.
ike proposal 65535
dh group14
authentication-algorithm sha256
description GE1/0/3_IPv4_1
#
# NOTE(review): the pre-shared key was published in cipher (encrypted, not hashed) form; treat it
# as disclosed and replace it on both tunnel endpoints.
ike keychain GE1/0/3_IPv4_1
match local address GigabitEthernet1/0/3
pre-shared-key address 211.23.27.139 255.255.255.255 key cipher $c$3$jnPWDmAzt8adspAhf7/TtNq+YUp8/G2OxydHyw==
#
# HTTPS management service, followed by the default-named inspect parameter profiles (block-source,
# capture, logging, redirect) and the closing "return" of the listing.
# NOTE(review): no restriction on who may reach the HTTPS service is shown, and the Untrust-Local
# policy is a bare "pass" - confirm management access is limited to trusted sources.
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
return
<H3C>
需要收集哪方面的debug信息?是电脑端的,还是防火墙上的?