HCL SecPath F1060无法建立IPsec VPN的问题
- 0关注
- 1收藏,1211浏览
问题描述:
Device A =F1060_7
Device B =F1060_12
DeviceA配置:
Advanced IPv4 ACL 3101, 1 rule,
ACL's step is 5
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ip route-static 2.2.3.0 24 2.2.2.2
ip route-static 10.1.2.0 24 GigabitEthernet1/0/23 2.2.2.3
IPsec transform set: tran1
State: complete
Encapsulation mode: tunnel
ESN: Disabled
PFS:
Transform: ESP
ESP protocol: Integrity: SHA1
Encryption: AES-CBC-128
ike keychain keychain1
pre-shared-key address 2.2.3.1 255.255.255.0 key cipher $c$3$F9hRe4mo1Urt8uxbc2nQnj2zm3wXoucv1w==
ike profile profile1
keychain keychain1
match remote identity address 2.2.3.1 255.255.255.0
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3101
local-address 2.2.2.1
remote-address 2.2.3.1
ike-profile profile1
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 2.2.2.1 255.255.255.0
ipsec apply policy map1
DeviceB 配置:
Advanced IPv4 ACL 3101, 1 rule,
ACL's step is 5
rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ip route-static 2.2.2.0 24 2.2.3.2
ip route-static 10.1.1.0 24 GigabitEthernet1/0/23 2.2.3.2
IPsec transform set: tran1
State: complete
Encapsulation mode: tunnel
ESN: Disabled
PFS:
Transform: ESP
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
ike keychain keychain1
pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $c$3$zC25VoknspgjcrOhjIlORJWkmLc/+nRxfQ==
ike profile profile1
keychain keychain1
match remote identity address 2.2.2.1 255.255.255.0
ipsec policy use1 10 isakmp
transform-set tran1
security acl 3101
local-address 2.2.3.1
remote-address 2.2.2.1
ike-profile profile1
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 2.2.3.1 255.255.255.0
ipsec apply policy use1
配置完成后,从HostA ping HostB 的10.1.2.2无法ping通。
在DeviceA上display ipsec sa,没有任何显示,ipsec VPN似乎没有建立成功。想问问是哪里配置没对吗?
组网及组网描述:
- 2019-07-16提问
- 举报
-
(0)
最佳答案
debug ike sa all看下error提醒什么
- 2019-07-16回答
- 评论(1)
- 举报
-
(0)
开启了一下debugging [F1060_7]display debugging IKE error debugging is on IKE event debugging is on IKE packet debugging is on IKE dpd debugging is on IKE keepalive debugging is on IKE nat-keepalive debugging is on 没有收到什么error输出到终端嗯?
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
开启了一下debugging [F1060_7]display debugging IKE error debugging is on IKE event debugging is on IKE packet debugging is on IKE dpd debugging is on IKE keepalive debugging is on IKE nat-keepalive debugging is on 没有收到什么error输出到终端嗯?