I have configured IKE and IPSec on the branch firewall, but the IKE tunnel will not come up. Could the experts help me troubleshoot this?
#
 sysname Wuqiao-h3c
#
 ike local-name p_wuqiao2
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 undo insulate
#
 firewall statistic system enable
#
 ip http acl 2099
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin
 password simple admin28
 service-type telnet
 level 3
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
 ike dpd 1
#
ike dpd dpdgroup
 interval-time 5
#
ike peer p_wuqiao2
 exchange-mode aggressive
 pre-shared-key 130928
 id-type name
 remote-name cn_wuqiao
 remote-address 221.195.135.226
 nat traversal
 dpd dpdgroup
#
ipsec card-proposal cardpro
 use encrypt-card 1/0
#
ipsec proposal 1
#
ipsec policy-template branch 101
 ike-peer p_wuqiao2
 proposal 1
#
ipsec policy vpn 1 isakmp
 security acl 3100
 ike-peer p_wuqiao2
 proposal 1
#
dhcp server ip-pool 1
 network 172.16.18.0 mask 255.255.255.0
 gateway-list 172.16.18.1
 dns-list 222.222.222.222 222.222.202.202
#
acl number 2099
 rule 0 permit
#
acl number 3000
 description To-Nat
 rule 10 deny ip source 172.16.18.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
 rule 20 deny ip source 172.16.18.0 0.0.0.255 destination 10.217.91.0 0.0.0.255
 rule 100 permit ip source 172.16.18.0 0.0.0.255
acl number 3100
 rule 10 permit ip source 172.16.18.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
 rule 20 permit ip source 172.16.18.0 0.0.0.255 destination 10.217.91.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 description Local-net
 tcp mss 1024
 ip address 172.16.18.1 255.255.255.0
#
interface Ethernet0/4
 tcp mss 1024
 ip address 192.168.37.250 255.255.255.0
 nat outbound 3000
 ipsec policy vpn
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 set priority 85
#
firewall zone untrust
 add interface Ethernet0/4
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 dhcp server forbidden-ip 172.16.18.1
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.37.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
Best answer
First, I suggest you check the following:
Confirm that the remote peer address and the pre-shared key are correct.
Confirm that the IKE policy on the firewall matches the IKE policy of the remote peer.
Check whether the firewall is blocking the IPSec traffic. You can determine this by looking at the firewall logs or by running some debugging commands on the firewall.
Confirm that the IPSec policy is configured correctly and matches the IPSec policy of the remote peer.
Here are some commands that may be useful:
Use the command "display ike sa" to view the state of the IKE security associations.
Use the command "display ipsec sa" to view the state of the IPSec security associations.
Use the commands "debugging ike" and "debugging ipsec" to enable IKE and IPSec debugging.
Note that enabling debugging produces a large amount of log output and may affect the firewall's performance, so turn it on only when you need it.
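The first, second and fourth checks in the answer above (pre-shared key, IKE policy, IPSec policy and its security ACL) can be done mechanically by comparing the two sides' configurations. The script below is an added example and is not part of the original thread or of H3C's tooling: it parses the Comware views involved and reports every mismatch. BRANCH_CFG is trimmed from the config posted in the question; HQ_CFG is a constructed headquarters configuration, since the thread never shows that side, and the "broken" variant shows how a one-character typo in remote-name or a security ACL that is not a mirror image is reported.

```python
# Added example for this thread, not code from the post or from H3C: BRANCH_CFG is trimmed
# from the config posted above, HQ_CFG is constructed (the thread never shows that side).
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

@dataclass
class Side:
    local_name: str | None = None
    proposals: dict[str, dict[str, str]] = field(default_factory=lambda: defaultdict(dict))
    peer: dict[str, str] = field(default_factory=dict)
    acls: dict[str, list[tuple[str, ...]]] = field(default_factory=lambda: defaultdict(list))
    security_acl: str | None = None

def parse(config: str) -> Side:
    """Extract the IKE/IPsec views from Comware running-config text."""
    s, ctx = Side(), None  # ctx = (view kind, view name); a '#' line closes the view
    for raw in config.splitlines():
        w = raw.split()
        head = " ".join(w[:2])
        if not w or w[0] == "#":
            ctx = None
        elif head == "ike local-name":
            s.local_name = w[2]
        elif head in ("ike proposal", "ike peer", "acl number", "ipsec policy"):
            ctx = ("acl" if w[0] == "acl" else w[1], w[2])
        elif ctx and ctx[0] == "proposal":
            s.proposals[ctx[1]][w[0]] = " ".join(w[1:])
        elif ctx and ctx[0] == "peer":
            s.peer[w[0]] = " ".join(w[1:])
        elif ctx and ctx[0] == "acl" and (m := RULE.match(raw.strip())):
            s.acls[ctx[1]].append(m.groups())
        elif ctx and ctx[0] == "policy" and head == "security acl":
            s.security_acl = w[2]
    return s

def check(a: Side, b: Side, al: str = "branch", bl: str = "hq") -> list[str]:
    """Return the mismatches between two peers' configs; an empty list means they agree."""
    out = []
    if a.peer.get("pre-shared-key") != b.peer.get("pre-shared-key"):
        out.append("pre-shared-key differs")
    if a.peer.get("exchange-mode", "main") != b.peer.get("exchange-mode", "main"):
        out.append("exchange-mode differs")
    # With id-type name, each side's 'ike local-name' must equal the other side's 'remote-name'.
    for me, you, ml, yl in ((a, b, al, bl), (b, a, bl, al)):
        if you.peer.get("id-type") == "name" and you.peer.get("remote-name") != me.local_name:
            out.append(f"{yl} remote-name {you.peer.get('remote-name')!r} != {ml} local-name {me.local_name!r}")
    # Proposals agree when every parameter both sides set explicitly is equal (defaults not modelled).
    pa, pb = list(a.proposals.values()) or [{}], list(b.proposals.values()) or [{}]
    if not any(all(p[k] == q[k] for k in p.keys() & q.keys()) for p in pa for q in pb):
        out.append("no IKE proposal pair agrees on algorithms")
    # The security ACLs must mirror each other: b's rules with source/destination swapped equal a's.
    a_rules = set(a.acls.get(a.security_acl, []))
    b_mirror = {(d, dm, s, sm) for s, sm, d, dm in b.acls.get(b.security_acl, [])}
    out += [f"{al} rule '{' '.join(r)}' has no mirror in {bl} ACL" for r in sorted(a_rules - b_mirror)]
    out += [f"{bl} rule mirrors '{' '.join(r)}', which {al} ACL lacks" for r in sorted(b_mirror - a_rules)]
    return out

BRANCH_CFG = """\
 ike local-name p_wuqiao2
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike peer p_wuqiao2
 exchange-mode aggressive
 pre-shared-key 130928
 id-type name
 remote-name cn_wuqiao
ipsec policy vpn 1 isakmp
 security acl 3100
acl number 3100
 rule 10 permit ip source 172.16.18.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
 rule 20 permit ip source 172.16.18.0 0.0.0.255 destination 10.217.91.0 0.0.0.255
"""
# Constructed headquarters side that agrees with the branch on every checked item.
HQ_CFG = """\
 ike local-name cn_wuqiao
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike peer branch_wuqiao
 exchange-mode aggressive
 pre-shared-key 130928
 id-type name
 remote-name p_wuqiao2
ipsec policy hq 1 isakmp
 security acl 3100
acl number 3100
 rule 10 permit ip source 172.16.2.0 0.0.0.255 destination 172.16.18.0 0.0.0.255
 rule 20 permit ip source 10.217.91.0 0.0.0.255 destination 172.16.18.0 0.0.0.255
"""
# The same side with a typo in the peer identity and one mirror rule missing.
HQ_CFG_BROKEN = HQ_CFG.replace("remote-name p_wuqiao2", "remote-name p_wuqiao").replace(
    "\n rule 20 permit ip source 10.217.91.0 0.0.0.255 destination 172.16.18.0 0.0.0.255", "")

if __name__ == "__main__":
    for label, hq in (("consistent", HQ_CFG), ("broken", HQ_CFG_BROKEN)):
        print(label, check(parse(BRANCH_CFG), parse(hq)) or "OK")
```

Run as-is it prints "OK" for the consistent pair and two findings for the broken one. The parser handles only the views the checks need and does not model platform defaults, so a parameter set on one side only is not flagged; compare that one against the other platform's documented default by hand.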
Can this firewall version be configured for web login? There is a lot of information I would like to look up from the web interface.
All the firewalls support web login.
How do I turn off debugging ike?