MSR930 IPSEC动态域名组网 VOIP电话单通
- 0关注
- 1收藏,1807浏览
问题描述:
MSR930 PPPoE动态域名IPSEC VPN组网,总部(192.168.100.0/24)和分支(192.168.2.0/24)均可ping通,网关间也可web互相访问,VOIP电话服务器放置在总部局域网内(192.168.100.0/24),通过内网访问,VOIP电话单通,即总部可以打到分支,分支却无法打通总部,请问各位高手问题出在哪里?
组网及组网描述:
[H3C]dis cur
#
version 5.20, Release 2516P19
#
sysname H3C
#
clock timezone Beijing add 08:00:00
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control password update interval 0
password-control login idle-time 0
password-control complexity user-name check
#
l2tp enable
#
undo nat alg h323
undo nat alg sip
#
domain default enable system
#
dns resolve
dns proxy enable
dns server 61.132.163.68
dns server 202.102.213.68
#
telnet server enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
ndp enable
#
ntdp enable
#
cluster enable
#
port-security enable
#
password-recovery enable
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
vlan 1
#
domain system
authentication ppp local
authorization ppp none
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 192.168.92.150 192.168.92.200
#
ike proposal 1
#
ike peer office
exchange-mode aggressive
proposal 1
pre-shared-key cipher $c$3$ZaAdHeNlsx6YiCfsGJMLgJj2xWpEaSnmHSrU
id-type name
remote-name ***.***
remote-address ***.*** dynamic
local-name ***.***
nat traversal
#
ipsec transform-set office
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy 720896 1 isakmp
connection-name office
security acl 3000
ike-peer office
transform-set office
sa duration traffic-based 1843200
sa duration time-based 3600
ddns policy xmrf
interval 0 0 5
url ***.***/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
username root
password cipher $c$3$oe2sNYpG7sJzBl/JFjMk0Kwm2AG/0+g2yr4d
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
tunnel name LNS
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
tcp mss 1024
#
interface Dialer10
nat outbound
link-protocol ppp
ppp chap user 055191715959
ppp chap password cipher $c$3$4f2IsbqJ3M3iNkoVXDhMgPdze0hb09PpIA==
ppp pap local-user 055191715959 password cipher $c$3$G1znMz0dTj1YuI6YZk85srCB65S/wkN3Vw==
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
tcp mss 1024
dialer user username
dialer-group 10
dialer bundle 10
ipsec no-nat-process enable
ipsec policy 720896
ddns apply policy xmrf fqdn ***.***
- 2018-11-27提问
- 举报
-
(0)
最佳答案
能ping通说明IPsec是好的,路由器不会去区分是什么报文,只是根据目的地址转发,所以路由器有问题的可能性也很小,首先查一下在总部服务器和分支之间有没有防火墙,通常这种单通都是因为有防火墙阻断了单向流量导致,然后就需要抓包查看,打不通的时候,报文到底丢到了那里,然后才能有针对性的排查
- 2018-11-27回答
- 评论(0)
- 举报
-
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论