总部是 MSR3600-28(Comware V7),公网 IP 是动态的;分部是 MSR2600(V7),处于上级网络之后的内网(经上级出口访问公网)。想用 IPsec 野蛮模式(aggressive mode)把两端组网。之前用 V5 的 MSR2600 加固定公网 IP 可以正常组网,但那是 V5 的配置,见下面贴出的配置。
#
version 5.20, Release 2513P21
#
sysname zhongshan-ZB-TEMP
#
l2tp enable
#
ike local-name branch
#
domain default enable system
#
dns proxy enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
qos carl 1 destination-ip-address range 10.9.1.1 to 10.9.1.87 per-address
qos carl 2 destination-ip-address range 10.9.1.89 to 10.9.1.200 per-address
#
port-security enable
#
web idle-timeout 999
#
password-recovery enable
#
time-range tr3980 00:00 to 24:00 daily
#
acl number 2600 name SNMP
rule 10 permit source 10.251.92.128 0
acl number 2601 name http
rule 20 permit source 10.251.92.97 0
rule 30 permit source 10.9.0.1 0
#
acl number 3000
description WAN
rule 10 deny ip source 10.9.0.0 0.0.1.255 destination 10.0.0.0 0.255.255.255
rule 20 deny ip source 10.9.0.0 0.0.1.255 destination 192.168.0.0 0.0.1.255
rule 50 permit ip
acl number 3001
description beijing2_IDC
rule 10 permit ip source 10.9.0.0 0.0.1.255 destination 10.251.92.0 0.0.1.255
rule 20 permit ip source 10.9.0.0 0.0.1.255 destination 192.168.0.0 0.0.1.255
acl number 3002
description guangzhou_IDC
rule 10 permit ip source 10.9.0.0 0.0.1.255 destination 10.132.240.0 0.0.1.255
acl number 3003
rule 0 permit ip source 10.9.0.0 0.0.1.255 destination 10.9.0.0 0.0.255.255
acl number 3600 name Terminal
rule 10 permit tcp source 10.251.92.95 0 destination-port eq 22
rule 15 permit tcp source 192.168.0.99 0 destination-port eq 22
rule 20 permit tcp source 192.168.0.135 0 destination-port eq 22
rule 25 permit tcp source 10.251.92.97 0 destination-port eq 22
rule 30 permit tcp source 10.251.92.128 0 destination-port eq 22
rule 35 permit tcp source 124.250.70.97 0 destination-port eq 22
rule 40 permit tcp source 10.9.0.1 0 destination-port eq 22
rule 45 permit tcp source 10.132.241.201 0 destination-port eq 22
acl number 3980
step 1
rule 0 permit ip source 10.9.0.50 0 time-range tr3980
#
vlan 1
#
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 10.9.2.50 10.9.2.250
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
#
ike proposal 20
encryption-algorithm 3des-cbc
dh group2
#
ike dpd 1
#
ike dpd center.zs
#
ike peer center.zs
exchange-mode aggressive
proposal 1
pre-shared-key cipher $c$3$MXZYAjtQ/1PxwZSb1ubprnchVjMFvcH8EIc2Lg==
id-type name
remote-name branch.10
local-address 61.142.111.130
local-name zscenter
nat traversal
dpd 1
#
ike peer peer_center_bj
exchange-mode aggressive
proposal 10
pre-shared-key cipher $c$3$DFB5x7MB1m8SX/gBmeUmpQ2+S6kYwnpJfru31so7qll60mB9PcM=
id-type name
remote-name center
remote-address 124.124.124.124
local-name branch.10
nat traversal
dpd 1
#
ike peer peer_center_gz
exchange-mode aggressive
proposal 20
pre-shared-key cipher $c$3$DFB5x7MB1m8SX/gBmeUmpQ2+S6kYwnpJfru31so7qll60mB9PcM=
id-type name
remote-name center
remote-address 120.44.44.44
local-name branch.10
nat traversal
dpd 1
#
ipsec transform-set center.zs
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec transform-set trans_center_bj
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec transform-set trans_center_gz
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy center 1 isakmp
connection-name center.zs
security acl 3003
pfs dh-group2
ike-peer center.zs
transform-set center.zs
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy center 10 isakmp
security acl 3001
pfs dh-group2
ike-peer peer_center_bj
remote-address 124.250.70.1
transform-set trans_center_bj
#
ipsec policy center 20 isakmp
security acl 3002
pfs dh-group2
ike-peer peer_center_gz
remote-address 120.132.241.33
transform-set trans_center_gz
#
traffic classifier acl3980deny operator or
if-match acl 3980
traffic classifier acl3981deny operator or
if-match acl 3981
#
traffic behavior behaviorfordeny
filter deny
traffic behavior acldeny
filter deny
#
qos policy PolicyLimit
classifier acl3980deny behavior acldeny
#
dhcp server ip-pool zhongshan-zb-temp
network 10.9.0.0 mask 255.255.254.0
gateway-list 10.9.1.254
dns-list 120.80.88.88 221.5.88.88
#
user-group system
group-attribute allow-guest
#
local-user Netmgmt
password cipher $c$3$ZPZxYaf+Iym6teGTyjcoyYkIPf2ftqnSAkGusbPaSVBB8A==
authorization-attribute level 3
service-type ssh terminal
service-type web
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
tunnel name LNS
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
qos apply policy PolicyLimit outbound
#
interface Virtual-Template0
ppp authentication-mode chap domain system
ppp ipcp remote-address forced
remote address pool 1
ip address 10.9.2.254 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
description TO_WAN
nat outbound 3000
nat server 1 protocol tcp global current-interface 2018 inside 10.9.0.1 5900
nat server 2 protocol tcp global current-interface ftp inside 10.9.0.1 ftp
nat server 3 protocol tcp global current-interface 1080 inside 10.9.0.1 1080
nat server 4 protocol tcp global current-interface 48999 inside 10.9.1.99 4899
nat server 7 protocol tcp global current-interface 3888 inside 10.9.0.100 8000
nat server 9 protocol tcp global current-interface 5501 inside 10.9.0.1 5500
nat server 5 protocol tcp global current-interface 24 inside 10.9.0.1 445
nat server 6 protocol tcp global current-interface 37777 inside 10.9.0.99 37777
nat server 10 protocol tcp global current-interface 246 inside 10.9.0.1 246
nat server 12 protocol tcp global current-interface 59000 inside 10.9.1.188 5900
nat server 14 protocol tcp global current-interface cmd inside 10.9.0.1 cmd
nat server 11 protocol tcp global current-interface 47999 inside 10.9.0.111 4899
nat server 15 protocol tcp global current-interface 8088 inside 10.9.0.1 www
nat server 8 protocol tcp global current-interface 33899 inside 10.9.0.1 3389
nat server 16 protocol tcp global current-interface 2333 inside 10.9.0.1 19999
ip address 221.4.197.114 255.255.255.248
tcp mss 2048
qos apply policy PolicyLimit outbound
ipsec no-nat-process enable
ipsec policy center
qos car inbound carl 1 cir 31720 cbs 1982500 ebs 0 green pass red discard
qos car inbound carl 2 cir 31720 cbs 1982500 ebs 0 green pass red discard
ip flow-ordering external
#
interface GigabitEthernet0/1
port link-mode route
ip address 10.9.1.254 255.255.254.0
tcp mss 1024
qos apply policy PolicyLimit outbound
ip flow-ordering internal
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
interface GigabitEthernet0/6
port link-mode bridge
#
interface GigabitEthernet0/7
port link-mode bridge
#
interface GigabitEthernet0/8
port link-mode bridge
#
interface GigabitEthernet0/9
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 221.4.197.113
#
dhcp server forbidden-ip 10.9.98.254
dhcp server forbidden-ip 10.9.98.1 10.9.98.20
#
ssh server enable
#
arp static 10.9.0.29 408d-5c24-f569
arp static 10.9.0.132 94de-8041-2a32
arp static 10.9.0.153 0017-6f30-e9cc
#
nms primary monitor-interface GigabitEthernet0/0
#
ip flow-ordering stat-interval 5
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
acl 3600 inbound
authentication-mode scheme
protocol inbound ssh
#
return
您好,野蛮模式只要求一端地址固定或可解析,不需要两端都固定:地址动态的一端(分部)作发起方,用 id-type name 标识自己;地址固定或用 DDNS 的一端(总部)作响应方,其 ike peer 不配 remote-address,只用 remote-name 匹配对端身份——贴出的 V5 配置里 ike peer center.zs 正是这样写的。排查时注意:该 peer 配置了 local-address 61.142.111.130,而 GE0/0 的实际地址是 221.4.197.114,两者不一致可能导致 IKE 协商失败;出口地址会变化时应去掉 local-address,由接口地址决定。安全方面:野蛮模式下身份明文传输,预共享密钥的哈希可被抓包后离线破解,必须使用足够长的随机预共享密钥;配置中的 3DES/MD5/DH group2(proposal 1 未指定 DH 组,默认通常是更弱的 group1)已经过时,V7 上应改用 AES、SHA-2 和 group14 及以上;另外 GE0/0 上的 nat server 把 10.9.0.1 的 445、3389、FTP、cmd(rsh,514)、5900 等端口直接暴露到公网,与 IPsec 无关但风险很大,建议撤销映射、改为经隧道访问。
DDNS 也不行吗?我看分部上的 IPsec 信息显示的是总部解析出的 IP,因为我在分部用 remote-address 配的是总部的域名。
总部拨号后拿到的是真正的公网 IP,还是 100 开头的地址(100.64.0.0/10 运营商级 NAT 地址)?如果是后者,外网无法直接访问总部,DDNS 也就没法让总部作为响应方。
是公网 IP:外网可以通过 DDNS 域名访问总部上映射的端口,分部也能通过 remote-address 配的域名解析出总部当前的 IP 地址。
总部已经按 DDNS 方式组网了,但隧道就是协商不通。