VPN tunnel not coming up

Asked 2024-07-06
  • 0 following
  • 0 favourites, 152 views

Problem description:

<zb>dis cu

#

 version 7.1.064, Release 9524P33

#

 sysname zb

#

context Admin id 1

#

 irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 1

#

 ip unreachables enable

 ip ttl-expires enable

#

 dns proxy enable

 dns server 114.114.114.114

#

 password-recovery enable

#

vlan 1

#

controller Cellular1/0/0

#              

interface NULL0

#              

interface Vlan-interface1

#              

interface GigabitEthernet1/0/0

 port link-mode route

 combo enable copper

 ip address 192.168.0.1 255.255.255.0

#              

interface GigabitEthernet1/0/1

 port link-mode route

 combo enable copper

 ip address 222.134.133.226 255.255.255.252

 nat outbound  

 nat outbound 3888

 nat server protocol tcp global 222.134.133.226 446 inside 192.168.100.100 446 rule ServerRule_6 counting

 nat server protocol tcp global 222.134.133.226 554 inside 192.168.100.100 554 rule ServerRule_8

 nat server protocol tcp global 222.134.133.226 655 inside 192.168.100.100 655 rule ServerRule_10

 nat server protocol tcp global 222.134.133.226 1433 inside 192.168.100.102 1433 rule ServerRule_61 counting

 nat server protocol tcp global 222.134.133.226 4090 inside 192.168.8.203 4090 rule ServerRule_53 counting

 nat server protocol tcp global 222.134.133.226 5060 inside 192.168.100.100 5060 rule ServerRule_42

 nat server protocol tcp global 222.134.133.226 5558 inside 192.168.100.102 5558 rule ServerRule_59 counting

 nat server protocol tcp global 222.134.133.226 5580 inside 192.168.100.102 5580 rule ServerRule_60 counting

 nat server protocol tcp global 222.134.133.226 5872 inside 192.168.8.203 5872 rule ServerRule_41 counting

 nat server protocol tcp global 222.134.133.226 6011 inside 192.168.100.100 6011 rule ServerRule_23

 nat server protocol tcp global 222.134.133.226 6021 inside 192.168.100.100 6021 rule ServerRule_26

 nat server protocol tcp global 222.134.133.226 6022 inside 192.168.100.100 6022 rule ServerRule_27

 nat server protocol tcp global 222.134.133.226 6027 inside 192.168.100.100 6027 rule ServerRule_25

 nat server protocol tcp global 222.134.133.226 6036 inside 192.168.100.100 6036 rule ServerRule_28

 nat server protocol tcp global 222.134.133.226 6037 inside 192.168.100.100 6037 rule ServerRule_33

 nat server protocol tcp global 222.134.133.226 6038 inside 192.168.100.100 6038 rule ServerRule_29

 nat server protocol tcp global 222.134.133.226 6039 inside 192.168.100.100 6039 rule ServerRule_30

 nat server protocol tcp global 222.134.133.226 6040 inside 192.168.100.100 6040 rule ServerRule_24

 nat server protocol tcp global 222.134.133.226 6041 inside 192.168.100.100 6041 rule ServerRule_22 counting

 nat server protocol tcp global 222.134.133.226 6042 inside 192.168.100.100 6042 rule ServerRule_31

 nat server protocol tcp global 222.134.133.226 6044 inside 192.168.100.100 6044 rule ServerRule_1

 nat server protocol tcp global 222.134.133.226 6045 inside 192.168.100.100 6045 rule ServerRule_3

 nat server protocol tcp global 222.134.133.226 6046 inside 192.168.100.100 6046 rule ServerRule_32

 nat server protocol tcp global 222.134.133.226 6111 inside 192.168.100.101 6111 rule ServerRule_34

 nat server protocol tcp global 222.134.133.226 6112 inside 192.168.100.100 6112 rule ServerRule_35

 nat server protocol tcp global 222.134.133.226 6113 inside 192.168.100.100 6113 rule ServerRule_36

 nat server protocol tcp global 222.134.133.226 6114 inside 192.168.100.100 6114 rule ServerRule_37

 nat server protocol tcp global 222.134.133.226 6120 inside 192.168.100.100 6120 rule ServerRule_21 counting

 nat server protocol tcp global 222.134.133.226 6201 inside 192.168.100.100 6201 rule ServerRule_39

 nat server protocol tcp global 222.134.133.226 6304 inside 192.168.100.100 6304 rule ServerRule_13

 nat server protocol tcp global 222.134.133.226 7031 inside 192.168.100.100 7031 rule ServerRule_15 counting

 nat server protocol tcp global 222.134.133.226 7033 inside 192.168.100.100 7033 rule ServerRule_16

 nat server protocol tcp global 222.134.133.226 7087 inside 192.168.100.100 7087 rule ServerRule_45

 nat server protocol tcp global 222.134.133.226 7099 inside 192.168.100.100 7099 rule ServerRule_46

 nat server protocol tcp global 222.134.133.226 7100 inside 192.168.100.100 7100 rule ServerRule_50

 nat server protocol tcp global 222.134.133.226 7110 inside 192.168.100.100 7110 rule ServerRule_44

 nat server protocol tcp global 222.134.133.226 7302 inside 192.168.100.100 7302 rule ServerRule_11

 nat server protocol tcp global 222.134.133.226 7661 inside 192.168.100.101 7661 rule ServerRule_51

 nat server protocol tcp global 222.134.133.226 8000 inside 192.168.100.50 8000 rule ServerRule_55

 nat server protocol tcp global 222.134.133.226 8001 inside 192.168.100.50 8001 rule ServerRule_52

 nat server protocol tcp global 222.134.133.226 8096 inside 192.168.100.50 8096 rule ServerRule_62

 nat server protocol tcp global 222.134.133.226 8098 inside 192.168.100.50 8098 rule ServerRule_57

 nat server protocol tcp global 222.134.133.226 8099 inside 192.168.100.50 8099 rule ServerRule_56

 nat server protocol tcp global 222.134.133.226 8376 inside 192.168.100.100 8376 rule ServerRule_20

 nat server protocol tcp global 222.134.133.226 9308 inside 192.168.100.100 9308 rule ServerRule_18

 nat server protocol tcp global 222.134.133.226 15000 16999 inside 192.168.100.100 15000 16999 rule ServerRule_4

 nat server protocol tcp global 222.134.133.226 17000 inside 192.168.100.100 17000 rule ServerRule_17

 nat server protocol tcp global 222.134.133.226 23336 inside 192.168.100.2 23336 rule ServerRule_58 counting

 nat server protocol tcp global 222.134.133.226 26100 26899 inside 192.168.100.100 26100 26899 rule ServerRule_49

 nat server protocol udp global 222.134.133.226 5060 inside 192.168.100.100 5060 rule ServerRule_40

 nat server protocol udp global 222.134.133.226 7100 inside 192.168.100.100 7100 rule ServerRule_43

 nat server protocol udp global 222.134.133.226 7660 inside 192.168.100.100 7660 rule ServerRule_12 counting

 nat server protocol udp global 222.134.133.226 8374 inside 192.168.100.100 8374 rule ServerRule_19

 nat server protocol udp global 222.134.133.226 15000 16999 inside 192.168.100.100 15000 16999 rule ServerRule_9

 nat server protocol udp global 222.134.133.226 26100 26899 inside 192.168.100.100 26100 26899 rule ServerRule_47

 nat server protocol tcp global current-interface 1600 2500 inside 192.168.100.2 1600 2500 rule ServerRule_67

 nat server protocol tcp global current-interface 5000 5059 inside 192.168.100.2 5000 5059 rule ServerRule_63

 nat server protocol tcp global current-interface 5061 5557 inside 192.168.100.2 5061 5557 rule ServerRule_2

 nat server protocol tcp global current-interface 5559 5579 inside 192.168.100.2 5559 5579 rule ServerRule_69 counting

 nat server protocol tcp global current-interface 5581 5871 inside 192.168.100.2 5581 5871 rule ServerRule_72 counting

 nat server protocol tcp global current-interface 5873 6010 inside 192.168.100.2 5873 6010 rule ServerRule_74 counting

 nat server protocol tcp global current-interface 6012 6020 inside 192.168.100.2 6012 6020 rule ServerRule_77 counting

 nat server protocol tcp global current-interface 6202 6302 inside 192.168.100.2 6202 6302 rule ServerRule_78

 nat server protocol tcp global current-interface 6303 7000 inside 192.168.100.2 6303 7000 rule ServerRule_7

 nat server protocol tcp global current-interface 8070 inside 192.168.100.2 8070 rule ServerRule_66

 nat server protocol udp global current-interface 1600 2500 inside 192.168.100.2 1600 2500 rule ServerRule_68

 nat server protocol udp global current-interface 5000 5059 inside 192.168.100.2 5000 5059 rule ServerRule_75

 nat server protocol udp global current-interface 5061 5557 inside 192.168.100.2 5061 5557 rule ServerRule_64 counting

 nat server protocol udp global current-interface 5559 5579 inside 192.168.100.2 5559 5579 rule ServerRule_70 counting

 nat server protocol udp global current-interface 5581 5871 inside 192.168.100.2 5581 5871 rule ServerRule_71 counting

 nat server protocol udp global current-interface 5873 6010 inside 192.168.100.2 5873 6010 rule ServerRule_73 counting

 nat server protocol udp global current-interface 6012 6020 inside 192.168.100.2 6012 6020 rule ServerRule_76 counting

 nat server protocol udp global current-interface 6202 6302 inside 192.168.100.2 6202 6302 rule ServerRule_79

 nat server protocol udp global current-interface 6303 7000 inside 192.168.100.2 6303 7000 rule ServerRule_65

 nat static enable

 ipsec apply policy zongbu

#              

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 192.168.100.1 255.255.255.0

 nat hairpin enable

#              

interface GigabitEthernet1/0/3

 port link-mode route

#              

interface GigabitEthernet1/0/4

 port link-mode route

#              

interface GigabitEthernet1/0/5

 port link-mode route

#              

interface GigabitEthernet1/0/6

 port link-mode route

#              

interface GigabitEthernet1/0/7

 port link-mode route

#              

interface GigabitEthernet1/0/8

 port link-mode route

#              

interface GigabitEthernet1/0/9

 port link-mode route

#              

interface GigabitEthernet1/0/10

 port link-mode route

#              

interface GigabitEthernet1/0/11

 port link-mode route

#              

security-zone name Local

#              

security-zone name Trust

 import interface GigabitEthernet1/0/2

#              

security-zone name DMZ

#              

security-zone name Untrust

#              

security-zone name Management

 import interface GigabitEthernet1/0/0

 import interface GigabitEthernet1/0/1

#              

 scheduler logfile size 16

#              

line class aux 

 user-role network-operator

#              

line class console

 authentication-mode scheme

 user-role network-admin

#              

line class usb 

 user-role network-admin

#              

line class vty 

 user-role network-operator

#              

line aux 0     

 user-role network-admin

#              

line con 0     

 user-role network-admin

#              

line vty 0 63  

 authentication-mode scheme

 user-role network-admin

#              

 ip route-static 0.0.0.0 0 222.134.133.225

 ip route-static 192.168.8.0 24 192.168.100.10

 ip route-static 192.168.20.0 24 192.168.100.10

#              

 info-center source FILTER logfile deny

#              

 ssh server enable

 ssh server port 65535

#              

acl advanced 3777

 description to-neimenggu

 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255

 rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.48.0 0.0.3.255

 rule 10 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.10.0 0.0.1.255

 rule 15 permit ip source 192.168.88.0 0.0.0.255 destination 192.168.10.0 0.0.1.255

#              

acl advanced 3887

 description to-ddsy

 rule 0 permit ip source 192.168.8.0 0.0.0.255 destination 192.168.6.0 0.0.0.255

 rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.6.0 0.0.0.255

 rule 10 permit ip source 192.168.10.0 0.0.1.255 destination 192.168.6.0 0.0.0.255

 rule 15 permit ip source 10.10.48.0 0.0.3.255 destination 192.168.6.0 0.0.0.255

#              

acl advanced 3888

 description no-nat

 rule 0 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255

 rule 2 deny ip source 192.168.100.0 0.0.0.255 destination 10.10.48.0 0.0.3.255

 rule 3 deny ip source 10.10.48.0 0.0.3.255 destination 192.168.88.0 0.0.0.255

 rule 4 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 6 deny ip source 192.168.88.0 0.0.0.255 destination 192.168.200.0 0.0.0.255

 rule 7 deny ip source 192.168.88.0 0.0.0.255 destination 10.10.48.0 0.0.3.255

 rule 8 deny ip source 192.168.88.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

 rule 9 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.6.0 0.0.0.255

 rule 10 permit ip

#              

acl advanced 3998

 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.6.0 0.0.0.255

 rule 5 permit ip source 192.168.8.0 0.0.0.255 destination 192.168.6.0 0.0.0.255

 rule 10 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 15 permit ip source 10.10.48.0 0.0.3.255 destination 192.168.88.0 0.0.0.255

 rule 20 permit ip source 192.168.10.0 0.0.1.255 destination 192.168.88.0 0.0.0.255

#              

acl advanced 3999

 description to-jinan-fenzhi1

 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 5 permit ip source 192.168.8.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 10 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.88.0 0.0.0.255

 rule 15 permit ip source 10.10.48.0 0.0.3.255 destination 192.168.88.0 0.0.0.255

 rule 20 permit ip source 192.168.10.0 0.0.1.255 destination 192.168.88.0 0.0.0.255

#              

domain system  

#              

 domain default enable system

#              

role name level-0

 description Predefined level-0 role

#              

role name level-1

 description Predefined level-1 role

#              

role name level-2

 description Predefined level-2 role

#              

role name level-3

 description Predefined level-3 role

#              

role name level-4

 description Predefined level-4 role

#              

role name level-5

 description Predefined level-5 role

#              

role name level-6

 description Predefined level-6 role

#              

role name level-7

 description Predefined level-7 role

#              

role name level-8

 description Predefined level-8 role

#              

role name level-9

 description Predefined level-9 role

#              

role name level-10

 description Predefined level-10 role

#              

role name level-11

 description Predefined level-11 role

#              

role name level-12

 description Predefined level-12 role

#              

role name level-13

 description Predefined level-13 role

#              

role name level-14

 description Predefined level-14 role

#              

user-group system

#              

local-user admin class manage

 password hash $h$6$dydcS3h3y4kNEdAI$oqPgyFF5kG5sIxhKhX2G+Lsjz8trkKNfWKbUG1AWL0twt5kVXHSehUBAIMo9AYg17QINE8bKcQ6GdSpTdYHboQ==

 service-type ssh telnet terminal http https

 authorization-attribute user-role level-15

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#              

 session synchronization enable 

 session synchronization http

#              

 ipsec logging negotiation enable

#              

ipsec transform-set 1

 esp encryption-algorithm aes-cbc-128 

 esp authentication-algorithm sha1 

#              

ipsec transform-set 2

 esp encryption-algorithm aes-cbc-128 

 esp authentication-algorithm sha1 

#              

ipsec policy-template ddsy 1

 transform-set 1 

 security acl 3887 

 local-address 222.134.133.226

 ike-profile ddsy

#              

ipsec policy-template ssdy 1

 transform-set 1 

#              

ipsec policy-template zb 1

 transform-set 1 

 security acl 3999 

 local-address 222.134.133.226

 remote-address 222.175.161.186

 ike-profile 1 

#              

ipsec policy-template zb2 1

 transform-set 2 

 security acl 3777 

 local-address 222.134.133.226

 remote-address 111.57.58.147

 ike-profile 2 

#              

ipsec policy zongbu 1 isakmp template zb

#              

ipsec policy zongbu 2 isakmp template zb2

#              

ipsec policy zongbu 3 isakmp template ddsy

#              

 ike identity fqdn zb

 ike logging negotiation enable

#              

ike profile 1  

 keychain 1    

 local-identity address 222.134.133.226

 match remote identity address 222.175.161.186 255.255.255.255

 proposal 1    

#              

ike profile 2  

 keychain 2    

 keychain 1    

 local-identity address 222.134.133.226

 match remote identity address 111.57.58.147 255.255.255.255

 proposal 1    

#              

ike profile ddsy

 keychain ddsy 

 dpd interval 10 on-demand

 exchange-mode aggressive

 local-identity fqdn zb

 match remote identity fqdn ddsy

 match remote identity address 0.0.0.0 0.0.0.0

 proposal 1    

#              

ike profile ssdy

 keychain ssdy 

 exchange-mode aggressive

 match remote identity fqdn ddsy

 proposal 1    

#              

ike proposal 1 

#              

ike proposal 2 

#              

ike keychain 1 

 pre-shared-key address 222.175.161.186 255.255.255.255 key cipher $c$3$CHWEY/7fjnpnvH62d2OOv8x2cflmM3sPKA==

#              

ike keychain 2 

 pre-shared-key address 111.57.58.147 255.255.255.255 key cipher $c$3$djPuqgUIc7M1njjPDvVka8oxWscslQ8RZA==

#              

ike keychain ssdy

 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$2n7JxWUE4JbSHUtdB5ZeTMqABvBNJH/ynmCCj0Au2Q==

 pre-shared-key hostname ddsy key cipher $c$3$2TdfPwXaI6LXHipl0lXD2iN9CgtvU84SUpjFLZ9L8g==

#              

 ip http enable

 ip https enable

#              

ips signature auto-update

 update schedule weekly sun start-time 02:00:00 tingle 120

#              

app-profile 2_IPv4

 ips apply policy default mode protect

 anti-virus apply policy default mode protect

#              

inspect logging parameter-profile av_logging_default_parameter

#              

inspect logging parameter-profile ips_logging_default_parameter

#              

 loadbalance isp file flash:/lbispinfo_v1.5.tp

#              

security-policy ip

 rule 2 name Any???2_IPv4

  action pass  

  counting enable

  profile 2_IPv4

#              

ips logging parameter-profile ips_logging_default_parameter

#              

anti-virus signature auto-update

 update schedule weekly sun start-time 02:00:00 tingle 120

#              

anti-virus logging parameter-profile av_logging_default_parameter

#              

 

2 answers
Accepted
Followers: 8  Following: 43

Try deleting the redundant nat outbound.

Still not working.

帅天智慧|田帅15853351767  Posted: 2024-07-06

Did phase 1 and phase 2 negotiation succeed?

会了我也不说  Posted: 2024-07-06
Followers: 10  Following: 7

Hello, please note:

IPsec VPN troubleshooting:
1. Check connectivity between the public addresses.
2. Check that the IPsec ACLs are configured correctly (the ACLs on the two ends must mirror each other).
3. Check that the ike keychain / ike profile negotiation parameters are correct (exchange mode, keychain, identity, local/remote tunnel address or tunnel name; NAT traversal is automatic on V7).
4. Check that the ipsec proposal (V5 platform) / ipsec transform-set (V7 platform) parameters match on both ends (encapsulation mode, security protocol, authentication algorithm, encryption algorithm).
5. Check that an ipsec policy has been created on the device and loaded with the negotiation parameters (ACL, ike profile, ipsec transform-set, peer tunnel IP).
6. Check that the ipsec policy is applied to the correct interface.

IPsec troubleshooting commands:
1. disp ipsec policy
2. disp acl
3. dis cu conf ike-profile
4. dis cu conf ike-keychain
5. display ike proposal
6. display ipsec transform-set
7. disp ike sa (verbose)
8. disp ipsec sa
9. reset ipsec sa
10. reset ike sa
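Worked example, added by the editor and not part of either answer or of the poster's configuration: a small Python checker that applies items 2, 3 and 5 of the checklist above offline to a `display current-configuration` dump. It follows each `ipsec policy` through its `policy-template` to the `transform-set`, `security acl`, `ike-profile` and `keychain` it names, and compares a crypto ACL against the peer's, treating a rule as matched only when the peer has the same rule with source and destination swapped. The configuration excerpt inside is cut down from the posted dump (identifiers unchanged, key material replaced by `...`); the peer-side ACL is constructed, because the peer's configuration is not in the post. On the posted dump the chain check reports one thing worth a look: `ike profile ddsy` names `keychain ddsy`, but the dump defines only `ike keychain 1`, `2` and `ssdy`, and the pre-shared key for hostname `ddsy` sits under keychain `ssdy`.

```python
import re

# Constructed excerpt of the posted dump: only the IPsec/IKE blocks that form the
# reference chain for the ddsy branch, key material shortened to "...".
LOCAL_CFG = """\
acl advanced 3887
 rule 0 permit ip source 192.168.8.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
#
ipsec transform-set 1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy-template ddsy 1
 transform-set 1
 security acl 3887
 ike-profile ddsy
#
ipsec policy zongbu 3 isakmp template ddsy
#
ike profile ddsy
 keychain ddsy
 match remote identity fqdn ddsy
#
ike keychain ssdy
 pre-shared-key hostname ddsy key cipher ...
#
"""
# Constructed (assumed) crypto ACL on the ddsy peer, which the post does not show:
# it mirrors rule 0 of the local ACL 3887 but has no mirror for rule 5.
PEER_CFG = """\
acl advanced 3887
 rule 0 permit ip source 192.168.6.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
#
"""
RULE = re.compile(r"rule \d+ (permit|deny) (\S+) source (\S+ \S+) destination (\S+ \S+)")

def parse_blocks(text):
    """Map each '#'-delimited block header (e.g. 'ike profile ddsy') to its indented lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            current = None
        elif not raw.startswith(" "):          # an unindented line opens a block
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def _arg(lines, key):
    # Value after 'key ' in a block's sub-lines, or None if the keyword is absent.
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)

def check_ipsec_chain(blocks):
    """Follow ipsec policy -> policy-template -> transform-set / ACL / ike profile -> keychain."""
    findings = []
    for header in blocks:
        m = re.match(r"ipsec policy (\S+) (\d+) isakmp template (\S+)$", header)
        if not m:
            continue
        policy, seq, tmpl = m.groups()
        tag = f"{policy} {seq} ({tmpl})"
        tmpl_hdr = next((h for h in blocks if h.startswith(f"ipsec policy-template {tmpl} ")), None)
        if tmpl_hdr is None:
            findings.append(f"{tag}: policy-template not defined")
            continue
        lines = blocks[tmpl_hdr]
        for kind, key in (("ipsec transform-set", "transform-set"), ("acl advanced", "security acl")):
            name = _arg(lines, key)
            if f"{kind} {name}" not in blocks:
                findings.append(f"{tag}: {kind} {name} not defined")
        prof = _arg(lines, "ike-profile")
        if f"ike profile {prof}" not in blocks:
            findings.append(f"{tag}: ike profile {prof} not defined")
            continue
        for kc in (l.split()[1] for l in blocks[f"ike profile {prof}"] if l.startswith("keychain ")):
            if f"ike keychain {kc}" not in blocks:
                findings.append(f"{tag}: ike profile {prof} references keychain {kc}, which is not defined")
    return findings

def acl_rules(blocks, number):
    """(action, proto, source, destination) tuples of 'acl advanced <number>'."""
    return [m.groups() for l in blocks.get(f"acl advanced {number}", []) if (m := RULE.match(l))]

def unmirrored(local_rules, peer_rules):
    """Local rules whose mirror (source and destination swapped) is absent on the peer."""
    peer = set(peer_rules)
    return [r for r in local_rules if (r[0], r[1], r[3], r[2]) not in peer]

def run():
    # Chain findings for the local excerpt, plus local ACL 3887 rules the peer does not mirror.
    local, peer = parse_blocks(LOCAL_CFG), parse_blocks(PEER_CFG)
    return check_ipsec_chain(local), unmirrored(acl_rules(local, "3887"), acl_rules(peer, "3887"))
```

`run()` returns the chain findings and the unmirrored rules; on the excerpt it reports the undefined keychain and that rule 5 of ACL 3887 has no mirror on the constructed peer. The checker only reads saved configuration: `disp ike sa verbose` and `disp ipsec sa` from the command list show whether phase 1 and phase 2 actually came up. One more thing visible in the dump: `ike proposal 1` and `ike proposal 2` carry no settings, so both peers have to agree on the platform defaults; `display ike proposal` shows what is actually offered.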
