Problem:
IPsec VPN negotiation succeeds; from one end the other end's internal addresses can be pinged, but not in the reverse direction.
The 192.168.100.0/22 and 192.168.200.0/24 segments can ping the 10.1.250.0/24 segment.
The reverse direction cannot ping.
One end is an H3C SecPath L1000, Comware Software, Version 5.20, Ess 7904P02
The other end is an H3C SecPath F1030, Comware Software, Version 7.1.064, Feature 9319P04
Configuration:
IPSEC-ACL
Mirror-symmetric ACL entries are configured on both ends
NAT-ACL
Denies the entries that are permitted in the IPSEC-ACL
IPsec ACL on the L1000 end
acl advanced name ipsec-acl
rule 0 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 1 permit ip source 10.4.21.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 2 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 3 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 4 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 5 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 6 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 7 permit ip source 172.16.12.0 0.0.3.255 destination 192.168.200.0 0.0.0.255
rule 8 permit ip source 10.4.21.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
IPSEC-ACL on the F1030 end
acl number 3104 name ipsec-acl
rule 0 permit ip source 192.168.102.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 2 permit ip source 192.168.102.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 3 permit ip source 192.168.100.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 4 permit ip source 192.168.101.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 5 permit ip source 192.168.200.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 6 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 7 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.12.0 0.0.3.255
rule 8 permit ip source 192.168.102.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 9 permit ip source 192.168.200.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
NAT-ACL on the L1000 end
acl advanced name nat-acl
rule 0 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 1 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 2 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 3 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 4 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 5 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 6 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 7 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 8 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 9 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 10 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 11 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 12 deny ip source 210.12.120.248 0.0.0.7
rule 13 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.203.0 0.0.0.255
rule 14 deny ip source 192.168.200.0 0.0.1.255 destination 192.168.203.0 0.0.0.255
rule 15 deny ip source 10.1.250.0 0.0.0.255 destination 10.5.21.0 0.0.0.255
rule 16 deny ip source 192.168.200.0 0.0.1.255 destination 10.5.21.0 0.0.0.255
rule 50 permit ip
NAT-ACL on the F1030 end
acl number 3105 name nat-acl
rule 0 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 2 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 3 deny ip source 192.168.102.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 4 deny ip source 192.168.200.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 6 deny ip source 192.168.101.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 7 deny ip source 192.168.102.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 8 deny ip source 192.168.200.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 9 deny ip source 192.168.100.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 10 deny ip source 192.168.101.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 11 deny ip source 192.168.102.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 50 permit ip
Routes:
Static routes with the peer's internal subnets as destination and the public-network gateway as next hop
F1030 end - IPsec routes
L1000 end - IPsec routes
ip route-static 192.168.100.0 22 GigabitEthernet1/0/1 219.234.143.49
ip route-static 192.168.200.0 24 GigabitEthernet1/0/1 219.234.143.49
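The post relies on two properties of the configuration above: the IPsec ACLs on the two ends are mirror images of each other, and the NAT ACL denies (i.e. exempts from NAT) every flow the IPsec ACL permits, before its closing `rule 50 permit ip`. The Python below is an added example, not code from the post or from H3C; it parses the four ACLs exactly as quoted and verifies both properties mechanically. The parser and the check logic are this example's own and only understand the `rule N permit|deny ip [source A W] [destination A W]` syntax that appears in the post; a Comware wildcard mask is handled as a hostmask, which Python's `ipaddress` accepts directly.

```python
# Added example (not from the post, not an H3C tool): parse the Comware ACLs quoted
# in the post and check what it relies on: the IPsec ACLs on both ends mirror each
# other, and every IPsec-permitted flow is denied (NAT-exempt) before 'rule 50 permit ip'.
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny) ip"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")

def parse_acl(text):
    """Return [(num, action, src, dst)]; an omitted source/destination means any."""
    rules = []
    for m in (RULE_RE.match(line.strip()) for line in text.splitlines()):
        if m:  # header and blank lines do not match and are skipped
            num, action, sa, sw, da, dw = m.groups()
            # Comware wildcard masks are hostmasks, which ipaddress accepts as-is
            src = ipaddress.ip_network(f"{sa}/{sw}", strict=False) if sa else ANY
            dst = ipaddress.ip_network(f"{da}/{dw}", strict=False) if da else ANY
            rules.append((int(num), action, src, dst))
    return rules

def mirror_gaps(acl_a, acl_b):
    """Permit rules of acl_a whose src/dst-swapped twin is missing from acl_b."""
    twins = {(dst, src) for _, act, src, dst in acl_b if act == "permit"}
    return [r for r in acl_a if r[1] == "permit" and (r[2], r[3]) not in twins]

def nat_exemption_gaps(ipsec_acl, nat_acl):
    """IPsec flows whose first fully matching NAT-ACL rule is not a deny."""
    gaps = []
    for flow in (r for r in ipsec_acl if r[1] == "permit"):
        # First match wins, as on the device; a deny that only partly overlaps the
        # flow is not counted, so such flows are reported too (conservative).
        first = next((nr for nr in nat_acl
                      if flow[2].subnet_of(nr[2]) and flow[3].subnet_of(nr[3])), None)
        if first is None or first[1] != "deny":
            gaps.append(flow)
    return gaps

# ACL text copied from the post (the 'acl ... name' header lines are left out)
L1000_IPSEC = """rule 0 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 1 permit ip source 10.4.21.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 2 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 3 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 4 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 5 permit ip source 10.1.250.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 6 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 7 permit ip source 172.16.12.0 0.0.3.255 destination 192.168.200.0 0.0.0.255
rule 8 permit ip source 10.4.21.0 0.0.0.255 destination 192.168.200.0 0.0.0.255"""
F1030_IPSEC = """rule 0 permit ip source 192.168.102.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 2 permit ip source 192.168.102.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 3 permit ip source 192.168.100.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 4 permit ip source 192.168.101.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 5 permit ip source 192.168.200.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 6 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 7 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.12.0 0.0.3.255
rule 8 permit ip source 192.168.102.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 9 permit ip source 192.168.200.0 0.0.0.255 destination 10.4.21.0 0.0.0.255"""
L1000_NAT = """rule 0 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 1 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 2 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 3 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 4 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 5 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 6 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 7 deny ip source 192.168.201.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 8 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 9 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 10 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 11 deny ip source 10.4.21.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 12 deny ip source 210.12.120.248 0.0.0.7
rule 13 deny ip source 10.1.250.0 0.0.0.255 destination 192.168.203.0 0.0.0.255
rule 14 deny ip source 192.168.200.0 0.0.1.255 destination 192.168.203.0 0.0.0.255
rule 15 deny ip source 10.1.250.0 0.0.0.255 destination 10.5.21.0 0.0.0.255
rule 16 deny ip source 192.168.200.0 0.0.1.255 destination 10.5.21.0 0.0.0.255
rule 50 permit ip"""
F1030_NAT = """rule 0 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 2 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 3 deny ip source 192.168.102.0 0.0.0.255 destination 192.168.201.0 0.0.0.255
rule 4 deny ip source 192.168.200.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 6 deny ip source 192.168.101.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 7 deny ip source 192.168.102.0 0.0.0.255 destination 10.1.250.0 0.0.0.255
rule 8 deny ip source 192.168.200.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 9 deny ip source 192.168.100.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 10 deny ip source 192.168.101.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 11 deny ip source 192.168.102.0 0.0.0.255 destination 10.4.21.0 0.0.0.255
rule 50 permit ip"""

def check_site(ipsec_text, peer_ipsec_text, nat_text):
    """Rule numbers on this site that fail each check; empty lists mean OK."""
    ipsec, peer, nat = (parse_acl(t) for t in (ipsec_text, peer_ipsec_text, nat_text))
    return {"unmirrored": [r[0] for r in mirror_gaps(ipsec, peer)],
            "not_nat_exempt": [r[0] for r in nat_exemption_gaps(ipsec, nat)]}

if __name__ == "__main__":
    print("L1000:", check_site(L1000_IPSEC, F1030_IPSEC, L1000_NAT))
    print("F1030:", check_site(F1030_IPSEC, L1000_IPSEC, F1030_NAT))
```

Run as a script it prints one line per site. On the ACLs quoted in the post the mirror check passes on both ends (every permit has its swapped twin), but the NAT check reports rule 7 on each side: the 172.16.12.0/22 <-> 192.168.200.0/24 flow has no matching deny in either NAT ACL and falls through to `rule 50 permit ip`, so it is not excluded from NAT the way the other IPsec flows are. Whether that has anything to do with the reported 10.1.250.0/24 symptom cannot be told from the post alone; the 10.1.250.0/24 flows themselves all hit a deny, so the next place to look is the F1030 side rather than these ACLs.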
Best answer
On the F1030, how do you debug this, and it is a production device on top of that