The HQ firewall has two uplinks, one China Mobile and one China Telecom. Policy routing is configured so that the wired user segment prefers the China Telecom uplink and the wireless user segment prefers the China Mobile uplink.
The branch firewall has a single uplink and runs an IPsec VPN to HQ.
After configuring the policy routing, the VPN went down and the branch could not ping the HQ public IP. After I changed the priority of the HQ China Mobile line's default route so that it became the backup line, everything worked again.
How should the policy routing be done?
HQ

# NAT-exempt ACL: deny = site-to-site flows that must not be NATed, permit = everything else is NATed
acl advanced 3001
 rule 0 deny ip source 192.168.231.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 deny ip source 192.168.231.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 15 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 20 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
 rule 25 deny ip source 192.168.231.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
 rule 30 permit ip
#
# China Mobile uplink
interface GigabitEthernet1/0/3
 ip address 1.1.1.2 255.255.255.0
 nat outbound 3001
#
# China Telecom uplink (the IPsec policy is bound to this interface only)
interface GigabitEthernet1/0/5
 ip address 2.2.2.2 255.255.255.252
 nat outbound 3001
 ipsec apply policy 1
#
# inside interface towards the core switch (10.0.1.3)
interface GigabitEthernet1/0/14
 ip address 10.0.1.1 255.255.255.248
#
# two default routes with the same (default) preference
ip route-static 0.0.0.0 0 1.1.1.1
ip route-static 0.0.0.0 0 2.2.2.1
# server segment
ip route-static 192.168.0.0 24 10.0.1.3
# wireless segment
ip route-static 192.168.80.0 24 10.0.1.3
# wired segment
ip route-static 192.168.12.0 24 10.0.1.3
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
# responder-side templates, one per branch
ipsec policy-template 1 1
 transform-set 1
 local-address 2.2.2.2
 ike-profile 1
#
ipsec policy-template 2 1
 transform-set 1
 local-address 2.2.2.2
 ike-profile 2
#
ipsec policy 1 1 isakmp template 1
ipsec policy 1 2 isakmp template 2
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 local-identity address 2.2.2.2
 match remote identity fqdn 123
#
ike profile 2
 keychain 2
 exchange-mode aggressive
 local-identity address 2.2.2.2
 match remote identity fqdn 124
#
ike keychain 1
 pre-shared-key hostname 123 key simple H3C
#
ike keychain 2
 pre-shared-key hostname 124 key simple 12345
Branch 1

# the PPPoE dialer is the single uplink; NAT and IPsec are both bound to it
interface Dialer0
 nat outbound 3001
 ipsec apply policy 1
#
interface GigabitEthernet1/0/3
 pppoe-client dial-bundle-number 0
#
# user segment
interface GigabitEthernet1/0/8
 ip address 192.168.4.1 255.255.255.0
#
ip route-static 0.0.0.0 0 Dialer0
#
# IPsec interesting traffic: branch users to the HQ 192.168.231.0/24 and 192.168.0.0/24 segments
acl advanced 3000
 rule 0 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.231.0 0.0.0.255
 rule 5 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
# NAT-exempt ACL: the same flows are excluded from NAT
acl advanced 3001
 rule 0 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.231.0 0.0.0.255
 rule 5 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 10 permit ip
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp
 transform-set 1
 security acl 3000
 remote-address 2.2.2.2
 ike-profile 1
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 local-identity fqdn 123
 match remote identity address 2.2.2.2 255.255.255.255
#
ike keychain 1
 pre-shared-key address 2.2.2.2 255.255.255.252 key simple H3C
Best answer
Stupid me, I forgot about the priority of policy routing. When the two default routes had the same priority and policy routing was applied, the VPN traffic was broken. I then lowered the priority of one of the default routes and applied policy routing only to some of the users, and that fixed it.
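As an added example (this is not the poster's configuration and not part of the accepted answer), here is one way to write the HQ side on Comware V7 so that both points in the answer are explicit: the China Mobile default route is demoted to a backup, and policy routing is applied only to the wireless segment while the IPsec-protected flows are kept out of it. Assumed names and values: ACL number 3010, policy name wlan-to-mobile, preference 70 for the backup route. The interfaces, next hops and user segments are the ones in the posted config (192.168.80.0/24 wireless), and the branch subnets exempted from policy routing are the destinations from the posted NAT-exempt ACL 3001 (192.168.2.0/24, 192.168.4.0/24, 192.168.9.0/24).

```text
# Added example, not from the original post. Assumed: ACL 3010, policy name
# "wlan-to-mobile", preference 70. Interfaces and addresses as in the post.

# 1. China Telecom is the primary default route, China Mobile the backup.
#    Comware static routes default to preference 60 and lower wins, so the
#    preference-70 route is only installed when the 2.2.2.1 route disappears.
ip route-static 0.0.0.0 0 2.2.2.1
ip route-static 0.0.0.0 0 1.1.1.1 preference 70
#
# 2. PBR match ACL for wireless users. A deny rule in a PBR ACL means "not a
#    match for this node", so wireless traffic to the branch subnets falls
#    through to the routing table and leaves via GE1/0/5, where ipsec policy 1
#    is bound. Anything policy-routed to 1.1.1.1 would bypass IPsec entirely.
acl advanced 3010
 rule 0 deny ip source 192.168.80.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 5 deny ip source 192.168.80.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 10 deny ip source 192.168.80.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
 rule 15 permit ip source 192.168.80.0 0.0.0.255
#
# 3. Wireless Internet traffic is pushed to the China Mobile next hop. The
#    wired segment (192.168.12.0/24) and the IPsec source segments
#    (192.168.0.0/24, 192.168.231.0/24) are not listed here, so they follow the
#    routing table and the primary Telecom default route.
policy-based-route wlan-to-mobile permit node 10
 if-match acl 3010
 apply next-hop 1.1.1.1
#
# 4. Bind the policy to the inside interface that receives the user traffic.
interface GigabitEthernet1/0/14
 ip policy-based-route wlan-to-mobile
```

After applying it, `display ip routing-table` should show only the 2.2.2.1 default route as active, and `display ike sa` / `display ipsec sa` should show the branch tunnel up with 2.2.2.2 as the local address. A static route with a higher preference value only takes over when the primary next hop is withdrawn; if the Telecom link can fail further upstream, the primary route needs NQA plus track, which is outside this example. The transform set (3des-cbc / md5), aggressive mode and `key simple` pre-shared keys are kept exactly as in the post so the example stays comparable; on a new deployment use AES and SHA-2, main mode, and keys that are not posted in a forum thread.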