Firewall: establishing an IPsec tunnel with a Huawei firewall as the peer

Asked 2020-05-12
  • 0 followers
  • 1 favorite, 1411 views
junjia (零段)
Followers: 0 · Following: 0

Problem description:

The IPsec tunnel negotiates successfully, but the internal networks on the two sides cannot ping each other. Please help me take a look.

Best answer

Followers: 1 · Following: 0

First, check whether the firewall's security policy permits the interesting traffic.

Then, check whether NAT is configured on the firewall's egress interface; IPsec interesting traffic must not go through the NAT process. Deny the interesting traffic in the ACL referenced by NAT.

Finally, look up the route for the interesting traffic on the firewall and check whether the session's next-hop interface matches the next-hop interface in the routing table.

Above is my configuration, please take a look. All of the configuration steps you described are in place.

junjia · Posted 2020-05-12

But it still doesn't get through.

junjia · Posted 2020-05-12

Outbound packets are normal; nothing is received inbound.

junjia · Posted 2020-05-12

Check whether the security policy is blocking the received packets.

vhuohuov · Posted 2020-05-12
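One way to mechanise the second check from the accepted answer (is the interesting traffic denied in the ACL that `nat outbound` references?) is a small config linter. The script below is an added example, not code from this thread or from H3C. It parses only the `acl`, `ipsec policy-template`, `ipsec policy` and `interface` lines present in a constructed excerpt modelled on the posted configuration (same ACL numbers and subnets), and reports, for each interface that carries both NAT and an IPsec policy, whether each interesting flow hits a `deny` before any `permit` in the NAT ACL. The function names and the wildcard-mask helpers are my own, and the verdicts assume Comware semantics in which `nat outbound <acl>` translates only packets the ACL permits.

```python
"""Lint a Comware-style firewall config for the IPsec/NAT exemption check.
Added example: handles only the keywords used below; this is not H3C code."""
import re

# Constructed excerpt modelled on the configuration posted in the thread.
CONFIG_OK = """\
acl number 3000
rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
acl number 3001
rule 5 deny ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 1000 permit ip
#
ipsec policy-template map_temp 1
security acl 3000
#
ipsec policy map1 10000 isakmp template map_temp
#
interface GigabitEthernet2/0
nat outbound 3001
ipsec policy map1
#
"""
# The same excerpt with the deny (exemption) rule missing: the interesting
# traffic then matches "rule 1000 permit ip" and is source-NATed instead.
CONFIG_BAD = CONFIG_OK.replace(
    "rule 5 deny ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255\n", "")

ANY = ("0.0.0.0", "255.255.255.255")          # (network, wildcard) meaning "any"
RULE_RE = re.compile(r"rule \d+ (permit|deny)(?: ip)?"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?")

def ip_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def overlaps(a, b):
    """True if two (network, wildcard) ranges share at least one address."""
    an, aw = map(ip_int, a)
    bn, bw = map(ip_int, b)
    fixed = ~(aw | bw) & 0xFFFFFFFF           # bits that both ranges pin down
    return (an & fixed) == (bn & fixed)

def covers(rule, flow):
    """True if every address of flow lies inside rule (both (network, wildcard))."""
    rn, rw = map(ip_int, rule)
    fn, fw = map(ip_int, flow)
    fixed = ~rw & 0xFFFFFFFF                  # bits the rule actually compares
    return (fw & fixed) == 0 and (rn & fixed) == (fn & fixed)

def parse(text):
    """Collect ACL rules, template->security ACLs, policy->template, interface settings."""
    acls, templates, policies, interfaces = {}, {}, {}, {}
    section = None                            # (kind, name) of the current block
    for line in text.splitlines():
        line = line.strip()
        if line == "#":
            section = None
        elif m := re.match(r"acl number (\d+)$", line):
            section = ("acl", int(m.group(1)))
            acls[section[1]] = []
        elif m := re.match(r"ipsec policy-template (\S+) \d+", line):
            section = ("tmpl", m.group(1))
            templates.setdefault(section[1], [])
        elif m := re.match(r"ipsec policy (\S+) \d+ isakmp template (\S+)", line):
            policies[m.group(1)] = m.group(2)
        elif m := re.match(r"interface (\S+)", line):
            section = ("if", m.group(1))
            interfaces[section[1]] = {}
        elif section is None:
            continue
        elif section[0] == "acl" and (m := RULE_RE.match(line)):
            act, sn, sw, dn, dw = m.groups()
            acls[section[1]].append((act, (sn, sw) if sn else ANY, (dn, dw) if dn else ANY))
        elif section[0] == "tmpl" and (m := re.match(r"security acl (\d+)", line)):
            templates[section[1]].append(int(m.group(1)))
        elif section[0] == "if" and (m := re.match(r"nat outbound (\d+)", line)):
            interfaces[section[1]]["nat_acl"] = int(m.group(1))
        elif section[0] == "if" and (m := re.match(r"ipsec policy (\S+)$", line)):
            interfaces[section[1]]["ipsec"] = m.group(1)
    return acls, templates, policies, interfaces

def check_nat_exemption(text):
    """For every interface with both `nat outbound` and `ipsec policy`, report what the
    NAT ACL does first with each interesting flow (the permit rules of the security ACL).
    Assumes `nat outbound <acl>` translates only packets the ACL permits."""
    acls, templates, policies, interfaces = parse(text)
    findings = []
    for ifname, cfg in interfaces.items():
        if "nat_acl" not in cfg or "ipsec" not in cfg:
            continue
        nat_rules = acls.get(cfg["nat_acl"], [])
        for sec_acl in templates.get(policies.get(cfg["ipsec"], ""), []):
            for act, src, dst in acls.get(sec_acl, []):
                if act != "permit":
                    continue                  # only permit rules define interesting traffic
                hit = next(((a, rs, rd) for a, rs, rd in nat_rules
                            if overlaps(rs, src) and overlaps(rd, dst)), None)
                if hit is None or (hit[0] == "deny" and covers(hit[1], src)
                                   and covers(hit[2], dst)):
                    verdict = "exempt"        # no match or a full-width deny: not NATed
                elif hit[0] == "deny":
                    verdict = "partially-exempt"   # deny narrower than the flow
                else:
                    verdict = "nat-applied"   # a permit is hit first: the SA never sees it
                findings.append((ifname, f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]}", verdict))
    return findings

if __name__ == "__main__":
    for name, cfg in (("CONFIG_OK", CONFIG_OK), ("CONFIG_BAD", CONFIG_BAD)):
        for ifname, flow, verdict in check_nat_exemption(cfg):
            print(f"{name}: {ifname} {flow}: {verdict}")
```

Run against `CONFIG_OK` the single interesting flow reports `exempt`, because ACL 3001's rule 5 denies it before rule 1000's blanket permit; against `CONFIG_BAD` the same flow reports `nat-applied`, which is the misconfiguration the answer warns about. A linter like this only covers the NAT step; the security-policy and routing checks in the answer still have to be verified on the device.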
2 answers
junjia (知了小白)
Followers: 0 · Following: 0

[FW] dis
[FW]display cu
[FW]display current-configuration
#
version 5.20, Release 3181P11
#
sysname FW
#
clock timezone Beijing add 08:00:00
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
ike local-name humblit_bj
#
interzone policy default by-priority
#
nat address-group 1
#
domain default enable system
#
dns server 202.106.196.115
dns server 202.106.0.20
#
telnet server enable
#
web https-authorization mode auto
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
time-range worktime 00:00 to 24:00 daily
#
acl number 2000
rule 0 permit
acl number 2001
rule 0 permit
#
acl number 3000
rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
acl number 3001
rule 5 deny ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 1000 permit ip
#
acl accelerate number 3000
acl accelerate number 3001
#
vlan 1
#
domain humblit
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 192.16.2.2 192.16.2.254
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
ike proposal 1
encryption-algorithm aes-cbc 128
dh group5
authentication-algorithm md5
#
ike peer 1
#
ike peer humblit
proposal 1
pre-shared-key cipher $c$3$+RZzNwm7MMyfhiD3o6lWFKkkZzU1RZgCivry
remote-name humblit_cs
local-address 114.253.31.66
#
ipsec transform-set 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy-template map_temp 1
security acl 3000
ike-peer humblit
transform-set 1
sa duration traffic-based 1843200
sa duration time-based 3600
reverse-route
#
ipsec policy map1 10000 isakmp template map_temp
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$0E+9Sq5V9utrwUvQunhVrK65kHCFDnld
authorization-attribute level 3
service-type telnet
service-type web
local-user changsha
password cipher $c$3$ogMNU6D39Ib0ku7WsfnFySZuwy6nrBRrQuH0
authorization-attribute level 2
service-type ppp
local-user itadmin
password cipher $c$3$ch72DSurzQBWtvXHcu9XWwutuG7VNiSX+r3X
authorization-attribute level 2
service-type ppp
local-user lijixiang
password cipher $c$3$2IslouZCaBVLkVhnjeU0hO4HxMxCGXUiHbGx
authorization-attribute level 2
service-type ppp
local-user lixueduo
password cipher $c$3$E3SPmc3shwv+B3I9CWoY0+AlZLlWs64W9MkN
authorization-attribute level 2
service-type ssh telnet terminal
service-type ppp
service-type dvpn
service-type web
local-user pengkun
password cipher $c$3$W9rLtirUfIvok/FE2jCoJSJTNpTHWvIlY6RO
authorization-attribute level 2
service-type ppp
local-user wenjunjia
password cipher $c$3$/penegJit7xmOkTk763Z29YI/RB4pW/gD4Ht
authorization-attribute level 2
service-type ssh telnet terminal
service-type ftp
service-type ppp
service-type dvpn
service-type web
local-user wutianxi
password cipher $c$3$efIsisWaWFn7hGp7nicyfVPxSIMoJsWnoG1b
authorization-attribute level 2
service-type ssh telnet terminal
service-type ftp
service-type ppp
service-type dvpn
service-type web
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Virtual-Template1
ppp authentication-mode chap domain humblit
remote address pool 1
ip address 192.16.2.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface GigabitEthernet0/3
port link-mode route
#
interface GigabitEthernet2/0
port link-mode route
nat outbound 3001
ip address 114.253.31.66 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet2/1
port link-mode route
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet2/2
port link-mode route
#
interface GigabitEthernet2/3
port link-mode route
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet2/1
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface GigabitEthernet2/0
import interface Virtual-Template1
switchto vd Root
object network subnet 10.0.0.0/0.0.255.255
subnet 10.0.0.0 0.0.255.255
object network subnet 10.1.1.0/0.0.0.255
subnet 10.1.1.0 0.0.0.255
object network subnet 10.1.1.1/0.0.0.255
subnet 10.1.1.0 0.0.0.255
object network subnet 10.10.10.0/0.0.0.255
subnet 10.10.10.0 0.0.0.255
object network subnet 114.253.31.66/0.0.0.255
subnet 114.253.31.66 0.0.0.255
object network subnet 172.16.0.0/0.0.255.255
subnet 172.16.0.0 0.0.255.255
object network subnet 172.16.11.0/0.0.0.255
subnet 172.16.11.0 0.0.0.255
object network subnet humblit_bj
subnet 10.10.10.0 0.0.0.255
object network subnet humblit_bj01
subnet 10.0.0.0 0.0.255.255
object network subnet humblit_cs
subnet 10.1.1.0 0.0.0.255
object network subnet humblit_cs01
subnet 172.16.0.0 0.0.255.255
object network subnet humblit_cs02
subnet 10.100.0.0 0.0.255.255
object network host untrust
host address 114.253.31.66
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
interzone source Management destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule accelerate
interzone source Local destination Trust
rule 0 permit logging
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Local destination Untrust
rule 0 permit logging
source-ip any_address
destination-ip any_address
service any_service
rule enable
rule 1 permit
source-ip 10.0.0.0/0.0.255.255
destination-ip 172.16.0.0/0.0.255.255
service any_service
rule enable
interzone source Trust destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
rule accelerate
interzone source Trust destination Untrust
rule 1 permit
source-ip any_address
destination-ip humblit_cs
destination-ip humblit_cs01
destination-ip humblit_cs02
service any_service
rule accelerate
interzone source Untrust destination Local
rule 0 permit logging
source-ip 172.16.0.0/0.0.255.255
destination-ip 10.0.0.0/0.0.255.255
service any_service
rule enable
interzone source Untrust destination Trust
rule 0 permit logging
source-ip 172.16.0.0/0.0.255.255
destination-ip 10.0.0.0/0.0.255.255
service any_service
rule enable
rule accelerate
#
ip route-static 0.0.0.0 0.0.0.0 114.253.31.65
ip route-static 10.0.1.0 255.255.255.0 10.10.10.2
ip route-static 10.0.2.0 255.255.255.0 10.10.10.2
ip route-static 10.0.3.0 255.255.255.0 10.10.10.2
ip route-static 10.0.4.0 255.255.255.0 10.10.10.2
ip route-static 10.0.5.0 255.255.255.0 10.10.10.2
ip route-static 10.0.6.0 255.255.255.0 10.10.10.2
ip route-static 10.0.7.0 255.255.255.0 10.10.10.2
ip route-static 10.0.8.0 255.255.255.0 10.10.10.2
ip route-static 10.0.9.0 255.255.255.0 10.10.10.2
ip route-static 10.0.10.0 255.255.255.0 10.10.10.2
ip route-static 10.0.11.0 255.255.255.0 10.10.10.2
ip route-static 10.0.12.0 255.255.255.0 10.10.10.2
ip route-static 10.0.13.0 255.255.255.0 10.10.10.2
ip route-static 10.0.14.0 255.255.255.0 10.10.10.2
ip route-static 172.16.0.0 255.255.0.0 114.253.31.65
ip route-static 176.16.6.0 255.255.255.0 10.10.10.2
#
ssh server enable
#
nat static 10.10.10.1 114.253.31.66
#
ip https enable
#
load xml-configuration
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return

Followers: 113 · Following: 1

Is the interesting traffic actually being matched? Has the peer configured the specific routes?

The specific routes are configured, and reverse route injection is also in place. No effect.

junjia · Posted 2020-05-12
