FW1:
sysname FW1
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 10.11.0.2 255.255.255.252
manage http outbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh outbound
manage telnet outbound
ipsec apply policy 1
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.0.0.1 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet outbound
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0 10.11.0.1
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl advanced name IPsec_1_IPv4_1
rule 0 permit ip source 10.0.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#
ipsec transform-set 1_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set 1_IPv4_1
security acl name IPsec_1_IPv4_1
local-address 10.11.0.2
remote-address 10.12.0.2
ike-profile 1_IPv4_1
#
nat global-policy
rule name out
action snat easy-ip
#
ike profile 1_IPv4_1
keychain 1_IPv4_1
match remote identity address 10.12.0.2 255.255.255.255
match local address GigabitEthernet1/0/0
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha256
#
ike keychain 1_IPv4_1
match local address GigabitEthernet1/0/0
pre-shared-key address 10.12.0.2 255.255.255.255 key cipher $c$3$udDxoT70GGa3vk0p20T6cESkUx3tzym0KCAF
#
security-policy ip
rule 3 name all_to_local
action pass
counting enable
destination-zone Local
rule 0 name trust_to_untrust
action pass
counting enable
source-zone Trust
destination-zone Untrust
rule 1 name untrust_to_trust
action pass
counting enable
source-zone Untrust
destination-zone Trust
rule 2 name local_to_all
action pass
logging enable
counting enable
source-zone Local
FW2:
sysname FW2
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 10.12.0.2 255.255.255.252
manage http outbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh outbound
manage telnet outbound
ipsec apply policy 1
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 172.16.0.1 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet outbound
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0 10.12.0.1
#
acl advanced name IPsec_1_IPv4_1
rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec transform-set 1_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy 1 1 isakmp
transform-set 1_IPv4_1
security acl name IPsec_1_IPv4_1
local-address 10.12.0.2
remote-address 10.11.0.2
ike-profile 1_IPv4_1
#
nat global-policy
rule name out
action snat easy-ip
#
ike profile 1_IPv4_1
keychain 1_IPv4_1
match remote identity address 10.11.0.2 255.255.255.255
match local address GigabitEthernet1/0/0
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha256
#
ike keychain 1_IPv4_1
match local address GigabitEthernet1/0/0
pre-shared-key address 10.11.0.2 255.255.255.255 key cipher $c$3$vwwgOQSOKmZTcJvuOvEWBE8yyCLhD4KHQrcB
#
security-policy ip
rule 1 name all_to_local
action pass
counting enable
source-zone Untrust
destination-zone Local
rule 0 name local_to_all
action pass
logging enable
counting enable
source-zone Local
rule 2 name untrust_to_trust
action pass
logging enable
source-zone Untrust
destination-zone Trust
rule 3 name trust_to_untrust
action pass
logging enable
source-zone Trust
destination-zone Untrust
最佳答案
两端配置都没问题的话，用 debug 看一下吧
debug 里面一条信息都没有，我看着有点迷茫……
https://zhiliao.h3c.com/theme/details/102865
你有没有发现，他们的配置实际上直接路由也能通……（两端 nat global-policy 里只有一条 easy-ip 的 snat 规则，没有为 10.0.0.0/24 与 172.16.0.0/24 之间的流量做 NAT 豁免；出方向一般是先做 SNAT 再匹配 IPsec，源地址被转换后就不再命中 IPsec ACL，IKE 也就不会被触发，所以 debug 里什么都看不到。）