Could an expert please take a look? I really cannot find the cause of the problem. The two ends can ping each other and both ends have an IKE SA, but I just cannot see an IPsec SA. Pinging with a LAN source address also fails, while pinging the public addresses on their own works fine.
The public-network configuration is as follows.
Both ends are firewalls; on both, the Untrust port is 1/0/23 and the LAN port is 1/0/2.
A router was placed between the two devices, with two IPs configured on it as the gateways.
Company side: LAN 192.168.10.0/24, public IP 1.1.1.254, gateway 1.1.1.1.
Server-room (IDC) side: LAN 172.16.10.0/24, public IP 2.2.2.254, gateway 2.2.2.2.
Both ends can ping each other's public address, but pings with a LAN source address do not go through. Could someone please help take a look? I have removed some of the system default information. Many thanks!
====================== Company-side configuration file =================
#
version 7.1.064, Alpha 7164
#
sysname com
#
#
nat address-group 1
address 1.1.1.254 1.1.1.254
#
dhcp enable
#
vlan 100
#
dhcp server ip-pool pool-1
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 114.114.114.114
#
interface NULL0
#
interface Vlan-interface100
ip address 192.168.10.1 255.255.255.0
nat hairpin enable
dhcp server apply ip-pool pool-1
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 1.1.1.254 255.255.255.0
nat outbound 3000 address-group 1
ipsec apply policy compol
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 100
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface100
import interface GigabitEthernet1/0/2 vlan 100
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/23
#
security-zone name Management
#
#
ip route-static 0.0.0.0 0 1.1.1.1
ip route-static 192.168.10.0 24 192.168.10.1
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl advanced 3000
rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
rule 20 permit ip source 192.168.10.0 0.0.0.255
#
acl advanced 3001
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
#
ipsec transform-set trans1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy compol 100 isakmp
transform-set trans1
security acl 3001
local-address 1.1.1.254
remote-address 2.2.2.254
ike-profile com-pofile
#
ike profile com-profile
keychain comkey
local-identity address 1.1.1.254
match remote identity address 2.2.2.254 255.255.255.0
proposal 10
#
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain comkey
pre-shared-key address 2.2.2.254 255.255.255.0 key cipher $c$3$+prV9Od/X5TkKUKhLZijb4HWjQ4zljRGQg==
#
security-policy ip
rule 10 name lan_untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.10.0 255.255.255.0
destination-ip-subnet 0.0.0.0 0.0.0.0
rule 20 name lan_local
action pass
source-zone trust
destination-zone local
rule 30 name local_lan
action pass
source-zone local
destination-zone trust
rule 40 name untrust_lan
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 0.0.0.0 0.0.0.0
destination-ip-subnet 192.168.10.0 255.255.255.0
rule 50 name internet_internet
action pass
source-zone untrust
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 60 name trust_trust
action pass
source-zone trust
destination-zone trust
source-ip-subnet 192.168.10.0 255.255.255.0
destination-ip-subnet 172.16.10.0 255.255.255.0
rule 70 name local_internet
action pass
source-zone local
destination-zone untrust
rule 80 name internet_local
action pass
source-zone untrust
destination-zone local
rule 90 name trust_trust_in
action pass
source-zone trust
destination-zone trust
source-ip-subnet 172.16.10.0 255.255.255.0
destination-ip-subnet 192.168.10.0 255.255.255.0
rule 100 name internet_internet_in
action pass
source-zone untrust
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
#
return
============================ IDC-side configuration file ==================
#
version 7.1.064, Alpha 7164
#
sysname idc
#
nat address-group 1
address 2.2.2.254 2.2.2.254
#
dhcp enable
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
vlan 100
#
dhcp server ip-pool pool
gateway-list 172.16.10.1
network 172.16.10.0 mask 255.255.255.0
dns-list 114.114.114.114
#
dhcp server ip-pool pool1
#
interface NULL0
#
interface Vlan-interface100
ip address 172.16.10.1 255.255.255.0
nat hairpin enable
dhcp server apply ip-pool pool
#
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 2.2.2.254 255.255.255.0
nat outbound 3000 address-group 1
ipsec apply policy idcpol
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 100
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface100
import interface GigabitEthernet1/0/2 vlan 100
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/23
#
security-zone name Management
#
#
ip route-static 0.0.0.0 0 2.2.2.2
ip route-static 172.16.10.0 24 172.16.10.1
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl advanced 3000
rule 10 deny ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip source 172.16.10.0 0.0.0.255
#
acl advanced 3001
rule 10 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
#
ipsec transform-set trans1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy idcpol 100 isakmp
transform-set trans1
security acl 3001
local-address 2.2.2.254
remote-address 1.1.1.254
ike-profile idc-profile
#
ipsec policy idepol 100 isakmp
#
ike profile idc-profile
keychain idckey
local-identity address 2.2.2.254
match remote identity address 1.1.1.254 255.255.255.0
proposal 10
#
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain idckey
pre-shared-key address 1.1.1.254 255.255.255.0 key cipher $c$3$NYI8+Ea9k0ZTPqEuXU9ETHwg6e+0XRB/Qg==
#
ip http enable
ip https enable
#
security-policy ip
rule 10 name lan_untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 172.16.10.0 255.255.255.0
destination-ip-subnet 0.0.0.0 0.0.0.0
rule 20 name lan_local
action pass
source-zone trust
destination-zone local
rule 30 name local_lan
action pass
source-zone local
destination-zone trust
rule 40 name untrust_lan
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 0.0.0.0 0.0.0.0
destination-ip-subnet 172.16.10.0 255.255.255.0
rule 50 name internet_internet
action pass
source-zone untrust
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
rule 60 name trust_trust
action pass
source-zone trust
destination-zone trust
source-ip-subnet 172.16.10.0 255.255.255.0
destination-ip-subnet 192.168.10.0 255.255.255.0
rule 70 name local_internet
action pass
source-zone local
destination-zone untrust
rule 80 name internet_local
action pass
source-zone untrust
destination-zone local
rule 90 name trust_trust_in
action pass
source-zone trust
destination-zone trust
source-ip-subnet 192.168.10.0 255.255.255.0
destination-ip-subnet 172.16.10.0 255.255.255.0
rule 100 name internet_internet_in
action pass
source-zone untrust
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
#
return
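The root cause found later in this thread is a name mismatch: the ipsec policy references `ike-profile com-pofile` while the profile is defined as `ike profile com-profile`, and the configuration saved without complaint. That class of mistake can be caught by a cross-reference check on the saved configuration before anyone starts debugging SAs. The script below is an added example, not code from the post or from H3C: it splits a Comware running-config into `#`-delimited blocks, verifies that every referenced ike-profile, transform-set, keychain, proposal, ACL and ipsec policy is actually defined, and additionally flags the deprecated algorithms this config uses (3DES, MD5, DH group 2). `SAMPLE_CONFIG` is the IPsec-relevant excerpt of the posted company-side config with the pre-shared-key cipher text replaced by a placeholder; the pattern tables cover only the Comware keywords shown on this page.

```python
"""Consistency check for an H3C Comware IPsec/IKE configuration.

Added example (not from the original post or from H3C): finds names that
are referenced but never defined, and flags deprecated algorithms.
"""
import re
from typing import List, Tuple

# Definition patterns, matched against the first line of each block.
DEFINITIONS = {
    "transform-set": re.compile(r"^ipsec transform-set (\S+)$"),
    "ike-profile": re.compile(r"^ike profile (\S+)$"),
    "keychain": re.compile(r"^ike keychain (\S+)$"),
    "proposal": re.compile(r"^ike proposal (\S+)$"),
    "acl": re.compile(r"^acl (?:advanced|basic) (\S+)$"),
    "ipsec-policy": re.compile(r"^ipsec policy (\S+) \d+ isakmp$"),
}
# Reference patterns, matched against body lines; each must resolve to a kind above.
REFERENCES = [
    (re.compile(r"^transform-set (\S+)$"), "transform-set"),
    (re.compile(r"^ike-profile (\S+)$"), "ike-profile"),
    (re.compile(r"^security acl (\S+)$"), "acl"),
    (re.compile(r"^keychain (\S+)$"), "keychain"),
    (re.compile(r"^proposal (\S+)$"), "proposal"),
    (re.compile(r"^ipsec apply policy (\S+)$"), "ipsec-policy"),
]
# Algorithms that should not appear in a new tunnel design.
WEAK_ALGORITHMS = {"des-cbc", "3des-cbc", "md5", "group1", "group2"}

# Excerpt of the posted company-side config; PLACEHOLDER replaces the key cipher text.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/23
ipsec apply policy compol
#
acl advanced 3001
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec transform-set trans1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy compol 100 isakmp
transform-set trans1
security acl 3001
ike-profile com-pofile
#
ike profile com-profile
keychain comkey
proposal 10
#
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain comkey
pre-shared-key address 2.2.2.254 255.255.255.0 key cipher PLACEHOLDER
#
"""

def parse_blocks(config: str) -> List[List[str]]:
    """Split a Comware running-config into '#'-delimited blocks of stripped lines."""
    blocks: List[List[str]] = [[]]
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [block for block in blocks if block]

def find_dangling_references(config: str) -> List[Tuple[str, str, str]]:
    """Return (block header, kind, name) for every reference that has no definition."""
    blocks = parse_blocks(config)
    defined = {kind: set() for kind in DEFINITIONS}
    for block in blocks:
        for kind, pattern in DEFINITIONS.items():
            if m := pattern.match(block[0]):
                defined[kind].add(m.group(1))
    dangling = []
    for block in blocks:
        for line in block[1:]:
            for pattern, kind in REFERENCES:
                if (m := pattern.match(line)) and m.group(1) not in defined[kind]:
                    dangling.append((block[0], kind, m.group(1)))
    return dangling

def find_weak_algorithms(config: str) -> List[Tuple[str, str]]:
    """Return (block header, algorithm) for each deprecated algorithm in use."""
    return [
        (block[0], token)
        for block in parse_blocks(config)
        for line in block[1:]
        for token in line.split()
        if token in WEAK_ALGORITHMS
    ]

if __name__ == "__main__":
    for header, kind, name in find_dangling_references(SAMPLE_CONFIG):
        print(f"dangling {kind} reference '{name}' in block '{header}'")
    for header, algorithm in find_weak_algorithms(SAMPLE_CONFIG):
        print(f"deprecated algorithm {algorithm} in block '{header}'")
```

On the excerpt it reports exactly one dangling reference, the `com-pofile` profile named in `ipsec policy compol`, and the five 3DES/MD5/group2 uses. To check a real device, save the output of `display current-configuration` to a file and pass its contents to the two functions; a dangling reference is worth fixing before any `display ike sa` / `display ipsec sa` debugging, and the weak-algorithm list is a reminder to move a new tunnel to AES, SHA-2 and a larger DH group once both sides can be changed.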
Best answer
Refer to the troubleshooting manual:
https://zhiliao.h3c.com/theme/Chart
Thanks. I made a silly mistake myself: in one place I wrote "profile" as "pofile". My eyes must have glazed over.
Try permitting Any-Any and see.
Thanks for the reply. I made a silly mistake: one letter in the rule name inside the ipsec policy was misspelled.