Both headquarters and the branch use F100-C-G2 devices.
After configuring IPsec at headquarters, the branch cannot connect. In debug mode I see the following errors:
*Aug 10 16:41:36:589 2019 H3C IPSEC/7/EVENT:
Could not find tunnel, ike profile name is .
*Aug 10 16:41:36:589 2019 H3C IPSEC/7/EVENT:
The policy's acl or ike profile does not match the flow, Name = GE1/0/1, Seqnum = 1
I added security acl 3001 under ipsec policy-template GE1/0/1 1.
The branch still cannot connect, but now there are a few more errors, like these:
*Aug 10 16:02:53:737 2019 H3C IPSEC/7/ERROR:
Inbound IPsec processing: source address=212.83.178.195, destination address= 233.233.233.233 , protocol=6. Packet was dropped according to IPsec policy GE1/0/1(sequence number: 1).
*Aug 10 16:02:53:737 2019 H3C IPSEC/7/ERROR:
The reason of dropping packet is ACL check failed.
Where else do I still need to configure something?
The headquarters public address is 233.233.233 (placeholder) and its internal subnet is 192.168.10.0/24; the branches have no public addresses, and branch 1's internal subnet is 192.168.2.0/24.
The headquarters IPsec configuration is as follows:
#
acl advanced 3001
rule 1 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ipsec transform-set GE1/0/1_IPv4_1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec policy-template GE1/0/1 1
transform-set GE1/0/1_IPv4_1
local-address 233.233.233.233
ike-profile GE1/0/1_IPv4_1
#
ipsec policy GE1/0/1 1 isakmp template GE1/0/1
#
ike profile GE1/0/1_IPv4_1
keychain GE1/0/1_IPv4_1
exchange-mode aggressive
local-identity address 233.233.233.233
match remote identity address 0.0.0.0 0.0.0.0
match local address GigabitEthernet1/0/1
proposal 65535
#
ike proposal 65535
description GE1/0/1_IPv4_1
#
ike keychain GE1/0/1_IPv4_1
match local address GigabitEthernet1/0/1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher 123456
#
=================================================
The branch IPsec configuration is as follows:
#
acl advanced 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ipsec transform-set 1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec policy v7 1 isakmp
transform-set 1
security acl 3001
remote-address 233.233.233.233
ike-profile v7
#
ike identity fqdn part1
#
ike profile v7
keychain 1
exchange-mode aggressive
local-identity fqdn part1
match remote identity address 233.233.233.233 255.255.255.192
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 233.233.233.233 255.255.255.192 key cipher 123456
#
Best answer
Solved, thanks. It was my ACL settings that were wrong.
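The accepted answer blames the ACL: on H3C IPsec peers the two security ACLs must be mirror images of each other, yet the headquarters ACL above lists the branch LAN as source and the HQ LAN as destination, the same direction as the branch ACL, which is why the inbound ACL check fails. The following Python script is an added example (not from the post or from H3C) that parses both ACLs and reports rules with no mirrored counterpart on the peer; the corrected HQ rule with source and destination swapped is an assumption.

```python
import ipaddress
import re

# Matches one "rule N permit ip source A WC destination B WC" line of an
# H3C advanced ACL (the only rule shape used in the posted configs).
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def wildcard_to_network(addr, wildcard):
    """Convert an H3C address + wildcard pair into an IPv4Network.
    In a wildcard mask the 0 bits must match, so the netmask is its bitwise inverse."""
    if wildcard == "0":            # H3C shorthand for a single host
        wildcard = "0.0.0.0"
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_rules(acl_text):
    """Return the set of (source_net, destination_net) pairs the ACL permits."""
    return {
        (wildcard_to_network(s, sw), wildcard_to_network(d, dw))
        for s, sw, d, dw in RULE_RE.findall(acl_text)
    }

def unmirrored_rules(local_acl, remote_acl):
    """Rules of local_acl whose source/destination swap is missing on the peer.
    IPsec peers must protect mirror-image flows; otherwise one side's inbound
    ACL check fails exactly as in the "ACL check failed" log line above."""
    remote = parse_rules(remote_acl)
    return {(s, d) for s, d in parse_rules(local_acl) if (d, s) not in remote}

# Constructed copies of the two ACLs from the post.
HQ_ACL_AS_POSTED = """
acl advanced 3001
rule 1 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""
BRANCH_ACL = """
acl advanced 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""
# Assumed corrected headquarters ACL: HQ's own LAN as source, the branch LAN as destination.
HQ_ACL_MIRRORED = """
acl advanced 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
"""

def check_posted_configs():
    """Return (mismatches with the posted HQ ACL, mismatches with the mirrored HQ ACL)."""
    return (unmirrored_rules(HQ_ACL_AS_POSTED, BRANCH_ACL),
            unmirrored_rules(HQ_ACL_MIRRORED, BRANCH_ACL))

if __name__ == "__main__":
    bad, good = check_posted_configs()
    for s, d in bad:
        print(f"HQ rule {s} -> {d} has no mirrored rule on the branch")
    print("mismatches after mirroring the HQ ACL:", len(good))
```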