msr56-60

msr56-60三出口，策略路由，l2tp vpn连接会中断，有没有办法可以解决。另外，当VPN连接成功时，VPN网段也无法访问内部网络，附相关配置信息，请各位帮忙查找问题的原因，谢谢。

[MSR56-60_2]dis cur

#

 version 7.1.049, Release 0106P21

#

 sysname MSR56-60_2

#

 telnet server enable

#

 bfd echo-source-ip 2.2.2.2

#

 ip pool 0 6.6.6.10 6.6.6.40

#

 ip unreachables enable

 ip ttl-expires enable

#

 lldp global enable

 lldp compliance cdp

#

 password-recovery enable

#

vlan 1

#

policy-based-route 3001 permit node 0

 if-match acl 3001

 apply next-hop 专线网关

#

policy-based-route 3001 permit node 1

 if-match acl 3002

 apply next-hop Internet出口1网关 track 4

#

policy-based-route 3001 permit node 2

 if-match acl 3003

 apply next-hop Internet出口2网关 track 3

#

policy-based-route 3001 permit node 3

#

policy-based-route pbr1 permit node 0

#

nqa entry dianxin 1

 type icmp-echo

  description ip

  destination ip

  frequency 5000

  next-hop Internet出口1网关

  probe count 3

  probe timeout 500

  reaction 2 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

  source ip Internet出口1地址

#

nqa entry liantong 1

 type icmp-echo

  description ip

  destination ip

  frequency 5000

  next-hop Internet出口2网关

  probe count 3

  probe timeout 500

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

  source ip Internet出口2地址

#

 nqa schedule dianxin 1 start-time now lifetime forever

 nqa schedule liantong 1 start-time now lifetime forever

#

controller Cellular2/0/0

#

controller Cellular2/0/1

#

interface Aux0/0/1

#

interface Virtual-Template1

 ppp authentication-mode chap

 remote address pool 0

 ip address 6.6.6.1 255.255.255.0

#

interface NULL0

#

interface GigabitEthernet2/0/0

 port link-mode route

 description Network export for dianxin

 bandwidth 1024000

 combo enable copper

 ip address 出口1地址

 nat outbound 3000

 ipsec apply policy l2tp

#

interface GigabitEthernet2/0/1

 port link-mode route

 description Lower link

 bandwidth 1024000

 combo enable copper

 ip address 内网联接口

 nat hairpin enable

 ip policy-based-route 3001

#

interface GigabitEthernet2/0/2

 port link-mode route

 description Network export for liantong

 bandwidth 1024000

 combo enable copper

 ip address 出口2地址

 vrrp vrid 2 track 1 reduced 20

 undo lldp enable

 nat outbound 3000

#

interface GigabitEthernet2/0/3

 port link-mode route

 description Network special line to liaoyang

 combo enable copper

 ip address 专线出口地址

 ip policy-based-route pbr1

#

 ip route-static 0.0.0.0 0 出口2网关  track 3

 ip route-static 0.0.0.0 0 出口1网关 track 4

 

 

 ssh server enable

#

 nqa server enable

#

acl number 3000

 rule 5 deny ip source 6.6.6.0 0.0.0.255

 rule 10 deny ip destination 6.6.6.0 0.0.0.255

 rule 100 permit ip

#

acl number 3001

 rule 425 deny ip source 6.6.6.0 0.0.0.255

 rule 430 deny ip destination 6.6.6.0 0.0.0.255

#

acl number 3002

 rule 90 deny ip source 6.6.6.0 0.0.0.255

 rule 91 deny ip destination 6.6.6.0 0.0.0.255

#

acl number 3003

 rule 3 permit ip source 6.6.6.0 0.0.0.255

 rule 4 permit ip destination 6.6.6.0 0.0.0.255

 

#

domain system

#

domain ykvpn

 authentication ppp local

#

 aaa session-limit ftp 32

 aaa session-limit telnet 32

 aaa session-limit http 32

 aaa session-limit ssh 32

 aaa session-limit https 32

 domain default enable system

 

#

local-user vpnuser class network

 password cipher $c$3$zlXBSDOelot5mu7pJsHJfiXZh6zXPgeDA5CM9cgA

 access-limit 20

 service-type ppp

 authorization-attribute user-role network-operator

#

local-user vpnuser0 class network

 service-type ppp

 authorization-attribute user-role network-operator

#

 

 ssl version ssl3.0 disable

#

 nat log enable

#

 

l2tp-group 1 mode lns

 allow l2tp virtual-template 1

 undo tunnel authentication

 tunnel name lns

#

 l2tp enable

#

 

#             

return