折腾了很久，终于配通了，可惜是单通：IPsec 隧道已经起来，对端内网可以 ping 通本端内网，但本端内网 ping 对端内网不通，是什么问题呢？
以下是本端完整的配置
#
version 7.1.064, Release 9514P17
#
sysname H3C_FW
#
clock timezone Beijing add 08:00:00
clock protocol none
#
context Admin id 1
#
ip vpn-instance 电信
description 电信接口
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
track 1 nqa entry admin dianxin reaction 1
#
track 2 nqa entry admin yidong reaction 1
#
ip unreachables enable
ip ttl-expires enable
#
nat alg h323
nat alg sip
#
password-recovery enable
#
vlan 1
#
object-group ip address IPSec_远端内网
security-zone Untrust
0 network subnet 192.168.1.0 255.255.255.0
#
object-group ip address trust
0 network range 192.168.0.11 192.168.0.254
#
object-group ip address vlan10
0 network range 192.168.10.11 192.168.10.254
#
object-group ip address vlan11
0 network range 192.168.11.11 192.168.11.254
#
object-group ip address vlan2
0 network subnet 192.168.2.0 255.255.255.0
#
object-group ip address vlan3
0 network range 192.168.3.11 192.168.3.254
#
object-group ip address vlan4
0 network range 192.168.4.11 192.168.4.254
#
object-group ip address vlan5
0 network range 192.168.5.11 192.168.5.254
#
object-group ip address vlan6
0 network range 192.168.6.11 192.168.6.254
#
object-group ip address vlan7
0 network range 192.168.7.11 192.168.7.254
#
object-group ip address vlan8
0 network range 192.168.8.1 192.168.8.254
#
object-group ip address vlan9
security-zone Trust
0 network range 192.168.9.1 192.168.9.254
#
object-group ip address 交换机
security-zone Trust
0 network host address 10.255.255.2
#
object-group ip address 远端外网
security-zone Untrust
0 network host address 171.221.248.19
10 network host address 117.173.158.113
#
object-group service 8443
0 service tcp destination eq 8443
#
policy-based-route yidong permit node 0
if-match acl 2001
apply next-hop 222.209.201.1
#
policy-based-route yidong permit node 2
if-match acl 2010
apply next-hop 117.176.139.1
#
nqa entry admin dianxin
type icmp-echo
destination ip 61.139.2.69
frequency 3000
history-record enable
next-hop ip 222.209.201.1
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
reaction 2 checked-element probe-fail threshold-type consecutive 3 action-type trap-only
source ip 10.255.255.1
#
nqa entry admin yidong
type icmp-echo
destination ip 183.221.253.100
frequency 3000
history-record enable
next-hop ip 117.176.139.1
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
reaction 2 checked-element probe-fail threshold-type consecutive 3 action-type trap-only
source ip 10.255.255.1
#
nqa schedule admin dianxin start-time now lifetime forever
nqa schedule admin yidong start-time now lifetime forever
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
description GuideWan Interface
undo jumboframe enable
flow-interval 5
ip address 222.209.201.165 255.255.255.0
nat outbound
nat outbound 3998 vpn-instance 电信 port-preserved
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 117.176.139.73 255.255.255.0
nat outbound
nat server protocol tcp global 117.176.139.73 80 inside 10.255.255.2 80 disable
nat server protocol tcp global 117.176.139.73 443 inside 10.255.255.2 443 disable
nat server protocol tcp global 117.176.139.73 9442 inside 10.255.255.1 23 disable
nat server protocol tcp global 117.176.139.73 9446 inside 10.255.255.2 23 disable
nat server protocol tcp global 117.176.139.73 9448 inside 10.255.255.2 23 disable
#
interface GigabitEthernet1/0/4
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
description GuideLan Interface
undo jumboframe enable
ip address 10.255.255.1 255.255.255.0
nat server protocol tcp global 117.176.139.73 9444 inside 10.255.255.2 80 reversible disable
nat server protocol tcp global 117.176.139.73 9445 inside 10.255.255.2 23 reversible disable
undo dhcp select server
ip policy-based-route yidong
#
interface SSLVPN-AC1
ip address 10.10.10.1 255.255.255.0
#
security-zone name Local
attack-defense apply policy untrunst
#
security-zone name Trust
import interface GigabitEthernet1/0/9
attack-defense apply policy untrunst
#
security-zone name DMZ
attack-defense apply policy untrunst
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
attack-defense apply policy untrunst
#
security-zone name Management
import interface GigabitEthernet1/0/0
attack-defense apply policy untrunst
#
security-zone name SSLVPN
import interface SSLVPN-AC1
attack-defense apply policy untrunst
#
zone-pair security source Local destination Untrust
packet-filter 2000
#
zone-pair security source Trust destination Local
packet-filter 2000
#
zone-pair security source Untrust destination Local
packet-filter 2000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 117.176.139.1 preference 70 description 移动
ip route-static 0.0.0.0 0 222.209.201.1 description 电信
ip route-static 192.168.0.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.1.0 24 GigabitEthernet1/0/2 222.209.201.1 preference 50
ip route-static 192.168.2.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.3.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.4.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.5.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.6.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.7.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.8.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.9.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.10.0 24 GigabitEthernet1/0/9 10.255.255.2
ip route-static 192.168.11.0 24 GigabitEthernet1/0/9 10.255.255.2
#
undo info-center enable
#
snmp-agent
snmp-agent local-engineid 800063A2805CC999AD2C2400000001
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.9.9 params securityname public
snmp-agent trap enable arp
snmp-agent trap enable syslog
#
acl basic 2000
rule 0 permit
#
acl basic 2001
rule 0 permit source 192.168.9.254 0
rule 5 permit source 192.168.9.5 0
#
acl basic 2010
rule 5 permit source 192.168.5.0 0.0.0.255
rule 15 permit source 192.168.8.0 0.0.0.255
rule 20 permit source 192.168.4.0 0.0.0.255
#
acl advanced 3000
rule 5 permit tcp source-port eq 9444
rule 10 permit tcp source-port eq 9442
rule 15 permit tcp source-port eq 9445
rule 20 permit tcp source-port eq 9446
rule 25 permit tcp source-port eq 9447
rule 30 permit tcp source-port eq 9448
rule 35 permit tcp source-port eq www
#
acl advanced 3001
rule 45 permit tcp source 10.255.255.2 0 source-port eq 22
rule 50 permit tcp source 10.255.255.2 0 source-port eq telnet
rule 55 permit tcp source 10.255.255.2 0 source-port eq www
#
acl advanced 3998
description IPsec到总部专用
rule 0 deny tcp vpn-instance 电信 source 192.168.9.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 logging counting
rule 5 permit tcp vpn-instance 电信 logging counting
#
acl advanced 3999
rule 0 permit ip destination 192.168.9.0 0.0.0.255
rule 5 permit ip destination 10.255.255.0 0.0.0.255
rule 10 permit ip destination 192.168.10.0 0.0.0.255
rule 15 permit ip destination 192.168.11.0 0.0.0.255
#
acl advanced name IPsec_GE1/0/2_IPv4_60
rule 1 permit ip source 192.168.9.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl advanced name IPsec_GE1/0/2_IPv4_61
rule 1 permit ip source 192.168.9.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$PU9/yn7tNExaOBew$B1kBxnq97CR8gcsPA1K1D1e1CTf2ChoBkT/jX89SJ72/DH1GERY49avzyXqV1kNqX3WT/KSlQnc/3468BhwtCw==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user djh class network
password cipher $c$3$6HIvyTjcxxyBiUFxhtyfxN2UqmqhW0kK1oBapQ==
service-type sslvpn
authorization-attribute acl 3999
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
#
ipsec transform-set GE1/0/2_IPv4_60
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
pfs dh-group1
#
ipsec transform-set GE1/0/2_IPv4_61
encapsulation-mode transport
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
pfs dh-group24
#
ipsec policy GE1/0/2 60 isakmp
transform-set GE1/0/2_IPv4_60
security acl name IPsec_GE1/0/2_IPv4_60
local-address 222.209.201.165
remote-address 117.173.158.113
description 公司电信到总部移动
ike-profile GE1/0/2_IPv4_60
sa duration time-based 86400
sa duration traffic-based 200000000
sa idle-time 86400
#
ipsec policy GE1/0/2 61 isakmp
transform-set GE1/0/2_IPv4_61
security acl name IPsec_GE1/0/2_IPv4_61
local-address 222.209.201.165
remote-address 171.221.248.19
description 公司电信到总部电信
ike-profile GE1/0/2_IPv4_61
sa duration time-based 86400
sa duration traffic-based 200000000
sa idle-time 86400
#
nat server-group 2
inside ip 10.255.255.2 port 23
#
ike profile GE1/0/2_IPv4_60
keychain GE1/0/2_IPv4_60
local-identity address 222.209.201.165
match remote identity address 117.173.158.113 255.255.255.255
match local address GigabitEthernet1/0/2
proposal 60
#
ike profile GE1/0/2_IPv4_61
keychain GE1/0/2_IPv4_61
local-identity address 222.209.201.165
match remote identity address 171.221.248.19 255.255.255.255
match local address GigabitEthernet1/0/2
proposal 60
#
ike proposal 60
encryption-algorithm aes-cbc-128
#
ike keychain GE1/0/2_IPv4_60
match local address GigabitEthernet1/0/2
pre-shared-key address 117.173.158.113 255.255.255.255 key cipher $c$3$RJ28n5SLDMWZX+a/jxJl2HRMTOk=
#
ike keychain GE1/0/2_IPv4_61
match local address GigabitEthernet1/0/2
pre-shared-key address 171.221.248.19 255.255.255.255 key cipher $c$3$n0Zk+voqqeEoJ5mhHKD4z8lH95Y=
#
ip http enable
ip https port 9443
ip https enable
webui log enable
#
client-verify tcp protected ip 192.168.0.0
#
attack-defense policy untrunst
scan detect level medium action drop logging
syn-flood detect non-specific
syn-flood action logging
ack-flood detect non-specific
ack-flood action logging
syn-ack-flood detect non-specific
syn-ack-flood action logging
rst-flood detect non-specific
rst-flood action logging
fin-flood detect non-specific
fin-flood action logging
udp-flood detect non-specific
udp-flood action logging
icmp-flood detect non-specific
icmp-flood action logging
icmpv6-flood detect non-specific
icmpv6-flood action logging
dns-flood detect non-specific
dns-flood action logging
http-flood detect non-specific
http-flood action logging
syn-flood detect ip 192.168.0.0 threshold 1000
signature detect fragment action drop logging
signature detect impossible action drop logging
signature detect teardrop action drop logging
signature detect tiny-fragment action drop logging
signature detect ip-option-abnormal action drop logging
signature detect smurf action drop logging
signature detect traceroute action drop logging
signature detect ping-of-death action drop logging
signature detect large-icmp action drop logging
signature detect large-icmpv6 action drop logging
signature detect tcp-invalid-flags action drop logging
signature detect tcp-null-flag action drop logging
signature detect tcp-all-flags action drop logging
signature detect tcp-syn-fin action drop logging
signature detect tcp-fin-only action drop logging
signature detect land action drop logging
signature detect winnuke action drop logging
signature detect udp-bomb action drop logging
signature detect snork action drop logging
signature detect fraggle action drop logging
#
app-profile 4_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
app-profile 7_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
traffic-policy
rule name QOS
action qos profile QOS
source-address address-set trust
source-zone Trust
destination-zone Untrust
rule name vlan3-QOS
action qos profile vlan3-QOS
source-address address-set vlan3
source-zone Trust
destination-zone Untrust
rule name vlan4-QOS
action qos profile vlan4-QOS
source-address address-set vlan4
source-zone Trust
destination-zone Untrust
rule name vlan5-QOS
action qos profile vlan5-QOS
source-address address-set vlan5
source-zone Trust
destination-zone Untrust
rule name vlan6-QOS
action qos profile vlan6-QOS
source-address address-set vlan6
source-zone Trust
destination-zone Untrust
rule name vlan7-QOS
action qos profile vlan7-QOS
source-address address-set vlan7
source-zone Trust
destination-zone Untrust
rule name vlan9-QOS
action qos profile vlan9-QOS
source-address address-set vlan9
source-zone Trust
destination-zone Untrust
rule name vlan8-QOS
disable
action qos profile vlan8-QOS
source-address address-set vlan8
source-zone Trust
destination-zone Untrust
rule name vlan10-QOS
action qos profile vlan10-QOS
source-address address-set vlan10
source-zone Trust
destination-zone Untrust
rule name vlan11-QOS
action qos profile vlan11-QOS
source-address address-set vlan11
source-zone Trust
destination-zone Untrust
profile name 10
profile name QOS
bandwidth upstream maximum per-ip 4000
bandwidth downstream maximum per-ip 8000
profile name vlan10-QOS
bandwidth upstream maximum per-ip 16000
bandwidth downstream maximum per-ip 25000
profile name vlan11-QOS
bandwidth upstream maximum per-ip 16000
bandwidth downstream maximum per-ip 25000
profile name vlan3-QOS
bandwidth upstream maximum per-ip 8000
bandwidth downstream maximum per-ip 64000
profile name vlan4-QOS
bandwidth upstream maximum per-ip 16000
bandwidth downstream maximum per-ip 25000
profile name vlan5-QOS
bandwidth upstream maximum per-ip 8000
bandwidth downstream maximum per-ip 16000
profile name vlan6-QOS
bandwidth upstream maximum per-ip 8000
bandwidth downstream maximum per-ip 16000
profile name vlan7-QOS
bandwidth upstream maximum per-ip 4000
bandwidth downstream maximum per-ip 8000
profile name vlan8-QOS
bandwidth upstream maximum per-ip 100000
bandwidth downstream maximum per-ip 100000
profile name vlan9-QOS
bandwidth upstream maximum per-ip 16000
bandwidth downstream maximum per-ip 25000
#
sslvpn ip address-pool SSLPOOL 10.10.10.2 10.10.10.254
#
sslvpn gateway ssl_vpn
ip address 222.209.201.165 port 8443
#
sslvpn context ssl_vpn
gateway ssl_vpn
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLPOOL mask 255.255.255.0
logo none
ip-route-list neiwang
include 10.255.255.0 255.255.255.0
include 192.168.9.0 255.255.255.0
include 192.168.10.0 255.255.255.0
include 192.168.11.0 255.255.255.0
policy-group SSLVPNZIYUAN
filter ip-tunnel acl 3999
ip-tunnel access-route ip-route-list neiwang
#
uapp-control
#
security-policy ip
rule 17 name 总部公网访问LOCAL
action pass
logging enable
counting enable
source-zone Untrust
source-zone Local
source-zone Trust
source-zone DMZ
source-zone Management
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Untrust
destination-zone Management
destination-zone SSLVPN
source-ip 远端外网
source-ip IPSec_远端内网
rule 7 name 交换机管理
description SW telnet管理
action pass
disable
logging enable
counting enable
profile 7_IPv4
source-zone Untrust
destination-zone Trust
destination-ip 交换机
service telnet
rule 1 name GuideSecPolicy
action pass
counting enable
source-zone Trust
destination-zone Untrust
destination-zone DMZ
rule 5 name local-trunst
action pass
logging enable
counting enable
source-zone Local
destination-zone Trust
rule 3 name 管理
action pass
counting enable
source-zone Trust
destination-zone Local
rule 4 name 外网管理
description 总部远程管理
action pass
logging enable
counting enable
profile 4_IPv4
source-zone Untrust
destination-zone Local
source-ip trust
source-ip vlan10
source-ip vlan11
source-ip vlan3
source-ip vlan4
source-ip vlan5
source-ip vlan6
source-ip vlan7
source-ip vlan8
source-ip vlan9
source-ip vlan2
rule 8 name local-untrust
action pass
counting enable
source-zone Local
destination-zone Untrust
rule 2 name deny
logging enable
counting enable
#
return
单侧配置看不出啥
建议检查对端配置和目标主机配置
有条件的话临时在两端把策略放行，确认具体是在哪一端丢包还是被策略拒绝
或者抓包进一步定位
做过策略放开，应该不是策略的问题；对端做了好几个 IPsec 都没有问题，问题基本上在本端。
既然认为是本端问题，那么就在本端抓包定位（重点看本端内网发往对端内网的报文离开 GE1/0/2 时是 ESP 封装还是明文，例如是否先被该接口上的 nat outbound 转换了源地址而没有命中 IPsec 的 ACL），或者打 400 热线定位吧。