F100和U200野蛮模式建立ipsec失败
- 0关注
- 1收藏,1467浏览
问题描述:
U200侧抓debugging信息显示:
*Oct 26 09:18:59:474 2018 u200 DPIPSEC/7/debug:IPsec_Packet: thread 0, Outbound packets should not be protected by IPsec.
*Oct 26 09:18:59:474 2018 u200 DPIPSEC/7/debug:IPsec_Packet: thread 0, Outbound packets should not be protected by IPsec.
*Oct 26 09:18:59:475 2018 u200 DPIPSEC/7/debug:IPsec_Packet: thread 0, Outbound packets should not be protected by IPsec.
*Oct 26 09:18:59:475 2018 u200 DPIPSEC/7/debug:IPsec_Packet: thread 0, Outbound packets should not be protected by IPsec.
昨天搞了一天了,大佬们能不能帮忙找下问题
组网及组网描述:
这里是两边的配置
<u200>dis cu
#
version 5.20, Release 5116P17
#
sysname u200
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
ike local-name u200
#
ip pool 1 192.168.0.2 192.168.0.254
#
domain default enable system
#
telnet server enable
#
acl number 2000
rule 0 permit
#
acl number 3000
rule 0 permit tcp source 0.0.0.2 255.255.255.252 destination 192.168.0.11 0
acl number 3001
rule 10 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3002
rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
#
vlan 1
#
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 172.16.1.2 172.16.1.254
#
pki domain default
crl check disable
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer 1
exchange-mode aggressive
pre-shared-key simple jmsx@123
remote-name f100
local-address 221.226.82.182
nat traversal
#
ipsec proposal 1
esp encryption-algorithm 3des
#
ipsec policy 1 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
user-group system
#
local-user admin
password cipher \@9>C=-:@@KQ=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
local-user user1
password cipher 0`FUW8DO]`3Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type ppp
local-user usera
password simple usera
service-type ppp
local-user works
password simple gmwork
service-type ppp
#
l2tp-group 1
mandatory-lcp
allow l2tp virtual-template 1
tunnel name LNS
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool 1
ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet0/3
port link-mode route
#
interface GigabitEthernet0/4
port link-mode route
nat outbound 3002
nat server protocol tcp global 221.226.82.182 4520 inside 192.168.0.11 4520
nat server protocol tcp global 221.226.82.182 4522 inside 192.168.0.11 4522
nat server protocol tcp global 221.226.82.182 4521 inside 192.168.0.11 4521
nat server protocol tcp global 221.226.82.182 4525 inside 192.168.0.11 4525
nat server protocol tcp global 221.226.82.182 4524 inside 192.168.0.11 4524
nat server protocol tcp global 221.226.82.182 4523 inside 192.168.0.11 4523
nat server protocol tcp global 221.226.82.182 ftp inside 192.168.0.11 ftp
nat server protocol tcp global 221.226.82.182 30000 inside 192.168.0.41 30000
nat server protocol udp global 221.226.82.182 snmp inside 192.168.0.41 snmp
nat server protocol tcp global 221.226.82.182 8001 inside 192.168.0.41 www
nat server protocol tcp global 221.226.82.182 22 inside 192.168.0.8 22
nat server protocol udp global 221.226.82.182 14000 inside 192.168.10.2 14000
nat server protocol tcp global 221.226.82.182 14000 inside 192.168.10.2 14000
nat server protocol udp global 221.226.82.182 17000 inside 192.168.10.2 17000
nat server protocol udp global 221.226.82.182 1554 inside 192.168.10.2 1554
nat server protocol tcp global 221.226.82.182 1554 inside 192.168.10.2 1554
nat server protocol tcp global 221.226.82.182 15000 inside 192.168.10.2 15000
nat server protocol udp global 221.226.82.182 15000 inside 192.168.10.2 15000
nat server protocol tcp global 221.226.82.182 17000 inside 192.168.10.2 17000
nat server protocol udp global 221.226.82.182 12000 inside 192.168.10.2 12000
nat server protocol tcp global 221.226.82.182 12000 inside 192.168.10.2 12000
ip address 221.226.82.182 255.255.255.252
ipsec policy 1
#
ip route-static 0.0.0.0 0.0.0.0 221.226.82.181
ip route-static 192.168.0.0 255.255.255.0 GigabitEthernet0/1 172.16.1.22
#
nat static 192.168.0.0 221.226.82.182
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
- 2018-10-26提问
- 举报
-
(0)
<f100>dis cu
#
version 7.1.064, Release 9510P06
#
sysname f100
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dialer-group 1 rule ip permit
#
dhcp enable
dhcp server forbidden-ip 192.168.1.1 192.168.1.99
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool 1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.1.1
forbidden-ip 192.168.1.99
#
interface Dialer1
mtu 1450
ppp chap password cipher $c$3$GUfeJHWJOvC0i1EDaZJEIuHWXv8L0Y5FOA==
ppp chap user pppoe_jiemsx804
ppp pap local-user pppoe_jiemsx804 password cipher $c$3$p/ZkZlMM71C11g/YnO2z60atYn6kpKdaPA==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
tcp mss 1024
nat outbound 3002
ipsec apply policy 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description waiwang
combo enable copper
pppoe-client dial-bundle-number 1
ipsec apply policy 1
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
import interface GigabitEthernet1/0/3 vlan 1
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer1
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source DMZ destination Local
packet-filter 3000
#
zone-pair security source DMZ destination Trust
packet-filter 3000
#
zone-pair security source DMZ destination Untrust
packet-filter 3000
#
zone-pair security source Local destination DMZ
packet-filter 3000
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Local destination Untrust
packet-filter 3000
#
zone-pair security source Trust destination DMZ
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 3000
#
zone-pair security source Untrust destination DMZ
packet-filter 3000
#
zone-pair security source Untrust destination Local
packet-filter 3000
#
zone-pair security source Untrust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer1
#
ssh server enable
#
acl advanced 3000
rule 10 permit ip
#
acl advanced 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
acl advanced 3002
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 10 permit ip
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$qlSd6v6XTza3GBaJ$WAwvyKZynjIAlckEmm3vJ481VMU2kMQHgf6MQo+OLBV6lAL8ps2PduIYwZ+NyTOvWmKP9rQoIL02bM+IchkiqA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template 1 1
transform-set 1
security acl 3001
remote-address 221.226.82.182
ike-profile 1
#
ipsec policy 1 1 isakmp template 1
#
ike identity fqdn f100
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn f100
match remote identity address 0.0.0.0 0.0.0.0
match local address Dialer1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address Dialer1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$q+ioTTx4SmUhuzn7Ge5Qt5OxMdmsVgxs836J
#
ip https enable
#
return<f100>dis cu
#
version 7.1.064, Release 9510P06
#
sysname f100
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dialer-group 1 rule ip permit
#
dhcp enable
dhcp server forbidden-ip 192.168.1.1 192.168.1.99
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool 1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.1.1
forbidden-ip 192.168.1.99
#
interface Dialer1
mtu 1450
ppp chap password cipher $c$3$GUfeJHWJOvC0i1EDaZJEIuHWXv8L0Y5FOA==
ppp chap user pppoe_jiemsx804
ppp pap local-user pppoe_jiemsx804 password cipher $c$3$p/ZkZlMM71C11g/YnO2z60atYn6kpKdaPA==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
tcp mss 1024
nat outbound 3002
ipsec apply policy 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description waiwang
combo enable copper
pppoe-client dial-bundle-number 1
ipsec apply policy 1
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
import interface GigabitEthernet1/0/3 vlan 1
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer1
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source DMZ destination Local
packet-filter 3000
#
zone-pair security source DMZ destination Trust
packet-filter 3000
#
zone-pair security source DMZ destination Untrust
packet-filter 3000
#
zone-pair security source Local destination DMZ
packet-filter 3000
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Local destination Untrust
packet-filter 3000
#
zone-pair security source Trust destination DMZ
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 3000
#
zone-pair security source Untrust destination DMZ
packet-filter 3000
#
zone-pair security source Untrust destination Local
packet-filter 3000
#
zone-pair security source Untrust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer1
#
ssh server enable
#
acl advanced 3000
rule 10 permit ip
#
acl advanced 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
acl advanced 3002
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 10 permit ip
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$qlSd6v6XTza3GBaJ$WAwvyKZynjIAlckEmm3vJ481VMU2kMQHgf6MQo+OLBV6lAL8ps2PduIYwZ+NyTOvWmKP9rQoIL02bM+IchkiqA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template 1 1
transform-set 1
security acl 3001
remote-address 221.226.82.182
ike-profile 1
#
ipsec policy 1 1 isakmp template 1
#
ike identity fqdn f100
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn f100
match remote identity address 0.0.0.0 0.0.0.0
match local address Dialer1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address Dialer1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$q+ioTTx4SmUhuzn7Ge5Qt5OxMdmsVgxs836J
#
ip https enable
#
return
- 2018-10-26回答
- 评论(0)
- 举报
-
(0)
暂无评论
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论