IPsec is already established, but the local (10.1.0.0) and peer (192.168.101.0) internal networks cannot reach each other. Could the experts please help analyze this?
I suspect it is related to NAT or routing.
version 7.1.064, Release 0707P21
#
sysname MSR5620
#
track 1 nqa entry admin test reaction 1
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
policy-based-route aaa permit node 0
if-match acl 2100
apply next-hop 1.1.1.1
#
policy-based-route aaa permit node 1
apply next-hop 2.2.2.145
apply next-hop 10.0.201.49
#
nqa entry admin test
type icmp-echo
destination ip 114.114.114.114
frequency 3000
next-hop ip 2.2.2.145
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
#
interface GigabitEthernet2/0/0
port link-mode route
combo enable copper
ip address 10.0.0.1 255.255.255.0
ip policy-based-route aaa
#
interface GigabitEthernet2/0/1
port link-mode route
combo enable copper
ip address 2.2.2.147 255.255.255.240
dns server 202.106.46.151
dns server 202.106.0.20
nat outbound 3002
ipsec apply policy r3
#
interface GigabitEthernet2/0/2
port link-mode route
combo enable copper
ip address 10.0.201.55 255.255.255.240
dns server 114.114.114.114
dns server 223.5.5.5
nat outbound
#
ip route-static 0.0.0.0 0 2.2.2.145 track 1
ip route-static 0.0.0.0 0 10.0.201.49 preference 80
ip route-static 10.0.3.0 24 10.0.0.254
ip route-static 10.1.0.0 23 10.0.0.254
ip route-static 10.1.2.0 23 10.0.0.254
ip route-static 10.1.4.0 23 10.0.0.254
#
undo info-center enable
#
ssh server enable
#
acl basic 2000
rule 1 permit source 10.0.0.0 0.255.255.255
rule 5 deny
#
acl basic 2100
rule 0 permit source 10.0.3.100 0
#
acl advanced 3001
rule 0 permit ip source 10.1.0.0 0.0.3.255 destination 192.168.101.0 0.0.0.255
#
acl advanced 3002
rule 0 deny ip source 10.1.0.0 0.0.3.255 destination 192.168.101.0 0.0.0.255
rule 5 permit ip
#
domain system
#
domain default enable system
#
local-user admin class manage
#
ipsec transform-set r3
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha256
#
ipsec policy r3 1 isakmp
transform-set r3
security acl 3001
remote-address 1.1.1.2
ike-profile r3
#
ike profile r3
keychain r3
local-identity address 2.2.2.147
match remote identity address 1.1.1.2 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group14
authentication-algorithm sha256
#
ike keychain r3
pre-shared-key address 1.1.1.2 255.255.255.255 key cipher $c$3$Ar/JF027FXF7tQKBfFoP69oNzeY4dcmP+Wg=
dis ipsec sa
-----------------------------
IPsec policy: r3
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1424
Tunnel:
local address: 2.2.2.147
remote address: 1.1.1.2
Flow:
sour addr: 10.1.0.0/255.255.252.0 port: 0 protocol: ip
dest addr: 192.168.101.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 879783893 (0x34706fd5)
Connection ID: 433791696898
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA256
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843186/3005
Max received sequence-number: 12469
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 189281369 (0x0b483459)
Connection ID: 433791696899
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA256
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3005
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
Status: Active
dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
33 1.1.1.2 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
If no if-match clause is configured in a node, all packets are considered to satisfy that node's match rules, and subsequent processing is carried out as in the case where "the packet satisfies all if-match clauses".
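To make the quoted if-match rule concrete against this thread's own configuration, here is an added Python model (not from the original post or from H3C) of how the posted PBR nodes and ACLs 2100/3001/3002 classify a flow; H3C wildcard-mask and first-matching-rule semantics are assumed as documented, and the sample flows are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """H3C-style wildcard: a 0 bit in the wildcard must match, a 1 bit is ignored (assumed)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACLs transcribed from the posted config: (action, src, src_wc, dst, dst_wc); None = any.
# ACL 2100 is a basic ACL, so it only inspects the source address.
ACLS = {
    2100: [("permit", "10.0.3.100", "0.0.0.0", None, None)],
    3001: [("permit", "10.1.0.0", "0.0.3.255", "192.168.101.0", "0.0.0.255")],
    3002: [("deny", "10.1.0.0", "0.0.3.255", "192.168.101.0", "0.0.0.255"),
           ("permit", None, None, None, None)],
}

def acl_action(acl_id, src, dst):
    """First matching rule wins; None means no rule matched."""
    for action, s, swc, d, dwc in ACLS[acl_id]:
        if (s is None or wildcard_match(src, s, swc)) and \
           (d is None or wildcard_match(dst, d, dwc)):
            return action
    return None

# PBR nodes as posted on GigabitEthernet2/0/0: node 0 has "if-match acl 2100",
# node 1 has no if-match clause at all (so, per the quoted rule, it matches everything).
PBR_NODES = [(0, 2100, ["1.1.1.1"]), (1, None, ["2.2.2.145", "10.0.201.49"])]

def pbr_lookup(src, dst):
    """Return (node, next_hops) for the first matching node, or None for normal routing."""
    for node, acl_id, hops in PBR_NODES:
        if acl_id is None or acl_action(acl_id, src, dst) == "permit":
            return node, hops
    return None

def classify(src, dst):
    """Summarise which PBR node a flow hits and whether the IPsec and NAT ACLs select it."""
    hit = pbr_lookup(src, dst)
    return {
        "pbr_node": None if hit is None else hit[0],
        "pbr_next_hops": [] if hit is None else hit[1],
        "ipsec_acl_3001": acl_action(3001, src, dst) == "permit",   # protected by policy r3?
        "nat_acl_3002": acl_action(3002, src, dst) == "permit",     # translated by nat outbound?
    }

if __name__ == "__main__":
    for flow in [("10.1.0.10", "192.168.101.5"), ("10.0.3.100", "8.8.8.8")]:  # constructed
        print(flow, classify(*flow))
```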