F1020 is the IPsec VPN server side.
F100-C-G2 is the IPsec VPN client side.
The IKE phase is already in the ready state, but the IPsec SA cannot be established.
F1020 (IPsec VPN server)
WAN port: ge1/0/16 122.119.15.241
LAN port: ge1/0/17 172.16.96.41
Lo10: 172.16.97.41
F100-C-G2 (IPsec VPN client)
WAN port: ge1/0/6 59.173.61.178
LAN port: ge1/0/7 172.16.132.65
Best answer
F1020:
<HSY-3A3-F1020-VPNISD1A>disp cur
#
 version 7.1.064, Release 9313P1901
#
 sysname HSY-3A3-F1020-VPNISD1A
#
context Admin id 1
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 password-recovery enable
#
vlan 1
#
object-group ip address CLINET
 0 network subnet 172.16.132.0 255.255.255.0
 1 network host address 59.173.61.178
#
object-group ip address SERVER
 0 network subnet 172.16.0.0 255.255.0.0
 1 network host address 122.119.15.241
#
object-group service ICMP
 0 service icmp
 10 service udp destination eq 500
#
object-group service tcp_22
 0 service tcp destination eq 22
#
object-group service tcp_23
 0 service tcp destination eq 23
#
interface NULL0
#
interface LoopBack10
 ip address 172.16.97.41 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-mode route
#
interface GigabitEthernet1/0/1
 port link-mode route
#
interface GigabitEthernet1/0/2
 port link-mode route
#
interface GigabitEthernet1/0/3
 port link-mode route
#
interface GigabitEthernet1/0/4
 port link-mode route
 ip address 172.16.100.246 255.255.255.0
#
interface GigabitEthernet1/0/5
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface GigabitEthernet1/0/10
 port link-mode route
#
interface GigabitEthernet1/0/11
 port link-mode route
#
interface GigabitEthernet1/0/12
 port link-mode route
#
interface GigabitEthernet1/0/13
 port link-mode route
#
interface GigabitEthernet1/0/14
 port link-mode route
#
interface GigabitEthernet1/0/15
 port link-mode route
#
interface GigabitEthernet1/0/16
 port link-mode route
 duplex full
 speed 1000
 ip address 122.119.15.241 255.255.255.0
 ipsec apply policy ipsecpolicy-test1
#
interface GigabitEthernet1/0/17
 port link-mode route
 ip address 172.16.96.41 255.255.255.0
#
interface GigabitEthernet1/0/18
 port link-mode route
#
interface GigabitEthernet1/0/19
 port link-mode route
#
interface GigabitEthernet1/0/20
 port link-mode route
#
interface GigabitEthernet1/0/21
 port link-mode route
#
interface GigabitEthernet1/0/22
 port link-mode route
#
interface GigabitEthernet1/0/23
 port link-mode route
#
object-policy ip ICMP
 rule 0 pass service ICMP logging counting
 rule 2 pass service ipsec-esp logging counting
 rule 3 pass service ike
#
object-policy ip Local-Trust
 rule 0 pass service ICMP
#
object-policy ip Local-Untrust
 rule 0 pass service ICMP
 rule 5 pass service ike
 rule 10 pass service ipsec-esp
 rule 15 pass source-ip CLINET destination-ip SERVER
#
object-policy ip Trust-Local
 rule 0 pass service ICMP
#
object-policy ip Untrust-Local
 rule 0 pass service ICMP
 rule 5 pass service ike
 rule 10 pass service ipsec-esp
 rule 15 pass source-ip SERVER destination-ip CLINET
#
object-policy ip any-any
 rule 0 pass
#
object-policy ip cli-sev
 rule 0 pass source-ip CLINET destination-ip SERVER
#
object-policy ip sev-cli
 rule 0 pass source-ip SERVER destination-ip CLINET
#
security-zone name Local
#
security-zone name Trust
 import interface LoopBack10
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/16
#
security-zone name Management
 import interface GigabitEthernet1/0/4
 import interface GigabitEthernet1/0/17
#
zone-pair security source Any destination Any
 object-policy apply ip any-any
#
zone-pair security source Local destination Trust
 object-policy apply ip Local-Trust
#
zone-pair security source Local destination Untrust
 object-policy apply ip Untrust-Local
#
zone-pair security source Trust destination Local
 object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Trust
 object-policy apply ip any-any
#
zone-pair security source Trust destination Untrust
 object-policy apply ip sev-cli
#
zone-pair security source Untrust destination Local
 object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
 object-policy apply ip cli-sev
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.0.0 16 172.16.96.44
 ip route-static 172.16.0.0 17 172.16.96.44
 ip route-static 172.16.129.0 24 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.130.0 24 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.131.0 24 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.132.0 24 GigabitEthernet1/0/16 122.119.15.254 preference 10
 ip route-static 172.16.133.0 24 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.134.0 24 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.135.0 24 GigabitEthernet1/0/16 122.119.15.254
 ip route-static 172.16.136.0 24 GigabitEthernet1/0/16 122.119.15.254
#
 ssh server enable
#
acl advanced 3001
 rule 1 permit ip source 172.16.0.0 0.0.127.255 destination 172.16.132.0 0.0.0.255
 rule 2 permit ip source 172.16.97.0 0.0.0.255 destination 172.16.132.0 0.0.0.255
#
acl advanced 3002
 rule 0 permit ip source 172.16.0.0 0.0.255.255
 rule 10 permit ip source 59.173.61.178 0
 rule 15 permit ip destination 59.173.61.178 0
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$/JQ2b/1dt6qUC3I0$Z+wlWbrYZ5Zngj/8IHyTc7NT8NGm27bAzI4yUKhWqkuWR9owqaSuQbSfE5X8Xwel2mOgSdLiHbzK4KAB7gPNmg==
 service-type ssh terminal https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
ipsec transform-set ipsec-test1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy ipsecpolicy-test1 1 isakmp
 transform-set ipsec-test1
 security acl 3001
 local-address 122.119.15.241
 ike-profile ike-test1
#
 ike identity fqdn HSY-3A3-F1020-VPNISD1
#
ike profile ike-test1
 keychain keychain-test1
 local-identity fqdn HSY-3A3-F1020-VPNISD1
 match remote identity fqdn wuh_xa_vpn
#
ike keychain keychain-test1
 pre-shared-key address 59.173.61.178 255.255.255.255 key cipher $c$3$E6yrOEma4Oos1LJI66KPkQmytSKiekEpq3PL0Q==
#
 ip https enable
#
ips policy default
#
anti-virus policy default
#
return
<HSY-3A3-F1020-VPNISD1A>ping -a 172.16.132.65 172.16.97.41
Ping 172.16.97.41 (172.16.97.41) from 172.16.132.65: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 172.16.97.41 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<HSY-3A3-F1020-VPNISD1A>disp ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    60              59.173.61.178         RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<HSY-3A3-F1020-VPNISD1A>disp ipsec sa
=====================================================
F100-C-G2:
Wuhan client configuration and troubleshooting commands:
<WUH-F100C-XA1>dis cur
#
 version 7.1.064, Release 9510P05
#
 sysname WUH-F100C-XA1
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 password-recovery enable
#
vlan 1
#
object-group ip address CLINET
 0 network subnet 172.16.132.0 255.255.255.0
 1 network host address 59.173.61.178
#
object-group ip address SERVER
 0 network subnet 172.16.0.0 255.255.0.0
 1 network host address 122.119.15.241
#
object-group service ICMP
 0 service icmp
 10 service udp destination eq 500
#
object-group service ipsec
#
object-group service tcp_22
 0 service tcp destination eq 22
#
object-group service tcp_23
 0 service tcp destination eq 23
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable fiber
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 port link-mode route
#
interface GigabitEthernet1/0/4
 port link-mode route
#
interface GigabitEthernet1/0/5
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
 ip address 59.173.61.178 255.255.255.248
 ipsec apply policy wuh_xa_vpn
#
interface GigabitEthernet1/0/7
 port link-mode route
 ip address 172.16.132.65 255.255.255.0
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface GigabitEthernet1/0/10
 port link-mode route
#
interface GigabitEthernet1/0/11
 port link-mode route
#
object-policy ip Local-Trust
 rule 0 pass service ICMP
 rule 5 pass service tcp_22
 rule 10 pass service tcp_23
#
object-policy ip Local-Untrust
 rule 0 pass service ipsec
 rule 5 pass service tcp_22
 rule 10 pass service tcp_23
 rule 15 pass service ike
 rule 20 pass service ipsec-esp
 rule 25 pass service ICMP counting
 rule 30 pass source-ip CLINET destination-ip SERVER
#
object-policy ip Trust-Local
 rule 0 pass service ICMP
 rule 5 pass service tcp_22
 rule 10 pass service tcp_23
#
object-policy ip Untrust-Local
 rule 0 pass service ICMP
 rule 15 pass service ike
 rule 20 pass service ipsec-esp
 rule 25 pass source-ip SERVER destination-ip CLINET
#
object-policy ip cli-sev
 rule 0 pass source-ip CLINET destination-ip SERVER
#
object-policy ip ipsec
 rule 2 pass service ike
 rule 2 append service ipsec-esp
#
object-policy ip sev-cli
 rule 0 pass source-ip SERVER destination-ip CLINET
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/7
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/6
#
security-zone name Management
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/2
#
zone-pair security source Local destination Trust
 object-policy apply ip Local-Trust
#
zone-pair security source Local destination Untrust
 object-policy apply ip Local-Untrust
#
zone-pair security source Trust destination Local
 object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Untrust
 object-policy apply ip cli-sev
#
zone-pair security source Untrust destination Local
 object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
 object-policy apply ip sev-cli
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 GigabitEthernet1/0/6 59.173.61.177
#
 ssh server enable
#
acl advanced 3001
 rule 1 permit ip source 172.16.128.0 0.0.127.255 destination 172.16.0.0 0.0.127.255
 rule 2 permit ip source 172.16.132.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
#
acl advanced 3002
 rule 0 permit ip source 172.16.0.0 0.0.255.255
 rule 5 permit ip destination 122.119.15.241 0
 rule 10 permit ip source 122.119.15.241 0
 rule 15 permit icmp counting
 rule 20 permit ip destination 172.16.0.0 0.0.255.255
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$WKsxM6Za+wOJ73me$veauo4Vxnx43X+07cw9GgwxEqdVoFWlnMGuolLXCX/oTg656NmWiW1U+4dlQLZP9TgaeH/cnTsbefZYq7QlYhQ==
 service-type ssh telnet terminal https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user ncc class manage
 password hash $h$6$QJL0nyotr5rmnFON$K46gX9u7FnmW/pM9sTe/CPfwp2+3Nxr5a+klRehL/XdLmkZGFzFUe4WVKR33f9Zeij+/UXtX2deZkf4TfvtNvA==
 service-type ssh telnet terminal
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy wuh_xa_vpn 1 isakmp
 transform-set 1
 security acl 3001
 remote-address 122.119.15.241
 ike-profile 1
#
 ike identity address 59.173.61.178
#
ike profile 1
 keychain keychain-test1
 local-identity address 59.173.61.178
 match remote identity address 122.119.15.241 255.255.255.255
 match remote identity fqdn HSY-3A3-F1020-VPNISD1
#
ike keychain keychain-test1
 pre-shared-key address 122.119.15.241 255.255.255.255 key cipher $c$3$rvEAz+nLl/KG6ogIAl9Dgwbha8sOdsE7Y+zjUw==
#
 ip https enable
#
return
<WUH-F100C-XA1>ping -a 172.16.132.65 172.16.97.41
Ping 172.16.97.41 (172.16.97.41) from 172.16.132.65: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 172.16.97.41 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<WUH-F100C-XA1>dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    69              122.119.15.241        RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<WUH-F100C-XA1>dis ipsec sa
<WUH-F100C-XA1>