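I'm trying to set up a GRE VPN on F1020 firewalls, but it never comes up. Could someone please take a look and see what's wrong? Attached are the network layout and the configuration of firewall B; firewall A is configured the same way.
Public gateway 61.178.99.1
G1/0/0 g1/0/1 61.178.99.68 g1/0/7 61.178.99.48 g1/0/8
Internal address Internal address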
10.50.0.15 tunnel0 tunnel0 10.60.1.1/24
10.60.2.1/24 10.60.2.2/24
[H3C]dis cu
#
 version 7.1.064, Release 9313P11
#
 sysname H3C
#
 telnet server enable
#
 security-zone intra-zone default permit
#
nat address-group 1
 address 61.178.99.48 61.178.99.48
#
object-group ip address 10.50.0.15
 0 network subnet 10.50.0.0 255.255.248.0
#
object-group ip address 10.60.1.1
 0 network subnet 10.60.1.0 255.255.255.0
#
object-group service 47
 0 service tcp destination eq 47
#
interface NULL0
#
interface GigabitEthernet1/0/7
 port link-mode route
 ip address 61.178.99.48 255.255.255.0
 nat outbound address-group 1
#
interface GigabitEthernet1/0/8
 port link-mode route
 ip address 10.60.1.1 255.255.255.0
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface Tunnel0 mode gre
 ip address 10.60.2.2 255.255.255.0
 source 61.178.99.48
 destination 61.178.99.68
#
object-policy ip 47
 rule 0 pass service 47
#
object-policy ip local-trust
 rule 0 pass counting
#
object-policy ip local-untrust
 rule 0 pass counting
#
object-policy ip trust-local
 rule 0 pass counting
#
object-policy ip trust-untrust
 rule 0 pass counting
#
object-policy ip untrust-local
 rule 0 pass counting
#
object-policy ip untrust-trust
 rule 0 pass counting
 rule 1 pass source-ip 10.60.1.1
 rule 2 pass source-ip 10.50.0.15
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/8
 import interface Tunnel0
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/7
#
security-zone name Management
#
zone-pair security source Local destination Trust
 object-policy apply ip local-trust
#
zone-pair security source Local destination Untrust
 object-policy apply ip 47
#
zone-pair security source Trust destination Local
 object-policy apply ip trust-local
#
zone-pair security source Trust destination Untrust
 object-policy apply ip trust-untrust
#
zone-pair security source Untrust destination Local
 object-policy apply ip 47
#
zone-pair security source Untrust destination Trust
 object-policy apply ip untrust-trust
#
 scheduler logfile size 16
#
line class vty
 user-role context-operator
#
line vty 0 63
 authentication-mode scheme
 user-role context-admin
 user-role context-operator
#
 ip route-static 0.0.0.0 0 61.178.99.1
 ip route-static 10.50.0.0 21 Tunnel0
#
acl basic 2000
 rule 0 permit source 0.0.0.1 255.255.255.0
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$7kSzbkqYRyJvVtDl$L13Y21JC4ueoM/0wEYZ5d9iYwTqpo0KhiuhntIhX23eoJlfL8UWQs5zFVzOcTSRA3dUdB7seG6Ri1NT9DDN1eA==
 service-type telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role context-admin
 authorization-attribute user-role context-operator
#
return
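A small checker for the firewall policy in the configuration above, added here as an example and not part of the original post: it reports, per zone pair, whether the applied object-policy would pass GRE (IP protocol 47). It assumes the tunnel's outer packets between 61.178.99.48 and 61.178.99.68 are evaluated by the Local/Untrust zone pairs and that a protocol-level service entry is written as "gre" or "47"; the function names are hypothetical.

```python
import re

# Constructed excerpt: the GRE-relevant lines of the configuration posted above.
CONFIG = """\
object-group service 47
 0 service tcp destination eq 47
object-policy ip 47
 rule 0 pass service 47
object-policy ip local-trust
 rule 0 pass counting
zone-pair security source Local destination Trust
 object-policy apply ip local-trust
zone-pair security source Local destination Untrust
 object-policy apply ip 47
zone-pair security source Untrust destination Local
 object-policy apply ip 47
"""

def parse(config):
    """Group indented lines under their unindented section header."""
    sections, current = {}, None
    for line in (l for l in config.splitlines() if l.strip() not in ("", "#")):
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def group_matches_gre(entries):
    # Assumption: a protocol-level entry reads "service gre" or "service 47"; TCP port 47 is not GRE.
    return any(re.match(r"\d+ service (gre|47)\b", e) for e in entries)

def policy_passes_gre(sections, policy):
    """True if a pass rule has no service filter or its service group matches GRE (other criteria ignored)."""
    for rule in sections.get(f"object-policy ip {policy}", []):
        svc = re.search(r"\bservice (\S+)", rule)
        group = sections.get(f"object-group service {svc.group(1)}", []) if svc else None
        if re.match(r"rule \d+ pass\b", rule) and (svc is None or group_matches_gre(group)):
            return True
    return False

def check_zone_pairs(config):  # returns {(source zone, destination zone): GRE passed?}
    sections, result = parse(config), {}
    for header, body in sections.items():
        m = re.match(r"zone-pair security source (\S+) destination (\S+)", header)
        if m:
            applied = [b.split()[-1] for b in body if b.startswith("object-policy apply ip ")]
            result[m.groups()] = any(policy_passes_gre(sections, p) for p in applied)
    return result
```

On the excerpt, check_zone_pairs(CONFIG) returns False for both Local/Untrust pairs, because "service tcp destination eq 47" matches TCP destination port 47 rather than the GRE protocol.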