• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

在线等,急,分部到总部建立IPSEC VPN 第二阶段建立不起来

2020-05-12提问
  • 0关注
  • 1收藏,1719浏览
zhiliao1111
zhiliao1111 二段
粉丝:0人 关注:1人

问题描述:

第二阶段一直建立不起来,第一阶段没有问题。


最佳答案

已采纳
风干工程师肉干要不要
风干工程师肉干要不要 九段
粉丝:160人 关注:5人

查一下ipsec transfrom策略中2段的认证和加密算法一不一样,再核对下2段的acl感兴趣流,是否为对称配置

2 个回答
按时间 按赞数
漓离原上谱
漓离原上谱 九段
粉丝:111人 关注:1人

两端设备配置发一下

看下两边的ipsec transform-set 1 esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 这部分的配置是否一样

漓离原上谱 发表时间:2020-05-12
zhiliao1111
zhiliao1111 二段
粉丝:0人 关注:1人

<F100-c-g3>dis cu

#
version 7.1.064, Release 9524P22
#
sysname F100-c-g3
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
dhcp enable
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool bangong
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
#
controller Cellular1/0/0
#
interface Dialer0
mtu 1492
ppp chap password cipher $c$3$i8FLSuOTs/2drBwDluWEe5OOKygAs1F8epl+
ppp chap user 075501632063@163.gd
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 075501632063@163.gd password cipher $c$3$EK/cE+rHr3z4lu1braPe3naxczhzKFqxxt9z
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1024
nat outbound 3001
ipsec apply policy 2
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
mtu 1492
tcp mss 1492
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer0
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
zone-pair security source Any destination Any
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer0
#
ssh server enable
#
acl advanced 3001
rule 0 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip
#
acl advanced 3005
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session statistics enable
#
ipsec logging negotiation enable
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ipsec policy 2 1 isakmp
transform-set 1
security acl 3005
remote-address 210.21.233.162
ike-profile 3
#
ike identity fqdn 3
ike logging negotiation enable
#
ike profile 3
keychain 11
exchange-mode aggressive
local-identity fqdn 3
match remote identity fqdn 1
#
ike keychain 11
match local address Dialer0
pre-shared-key address 210.21.233.162 255.255.255.255 key cipher $c$3$aJjcjWkDJ+COm43Nadt5nYIniijpS0rv
#
ip https enable
webui log enable
#
security-policy ip
rule 0 name celou
action pass
#
return


这个是分支的

<H3C SecPath F1030>dis cu # version 7.1.064, Release 9333P22 # sysname H3C SecPath F1030 # context Admin id 1 # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # dialer-group 1 rule ip permit # dhcp enable # password-recovery enable # vlan 1 # policy-based-route aaa deny node 0 if-match acl 3002 # policy-based-route aaa permit node 2 if-match acl 3003 apply output-interface Dialer0 # policy-based-route aaa permit node 5 if-match acl 3001 apply next-hop 210.21.233.162 # interface Dialer0 mtu 1492 ppp chap password cipher $c$3$r7T4P2ndXyQRliczyyMygEJpqapr8lFp+vjo ppp chap user 075507397790@163.gd ppp ipcp dns admit-any ppp ipcp dns request ppp pap local-user 075507397790@163.gd password cipher $c$3$yescaBcgD1rDSFLx4jW1Sltyhd+kCAaADQ/q dialer bundle enable dialer-group 1 dialer timer idle 0 dialer timer autodial 5 ip address ppp-negotiate tcp mss 1400 nat outbound 3003 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route mtu 1492 undo jumboframe enable ip address 210.21.233.162 255.255.255.252 ipsec apply policy 总部 gateway 210.21.233.161 # interface GigabitEthernet1/0/2 port link-mode route ip address 192.168.10.1 255.255.255.0 ip policy-based-route aaa # interface GigabitEthernet1/0/3 port link-mode route mtu 1492 tcp mss 1024 nat outbound 3003 pppoe-client dial-bundle-number 0 # interface GigabitEthernet1/0/4 port link-mode route # interface GigabitEthernet1/0/5 port link-mode route # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/12 port link-mode route # interface GigabitEthernet1/0/13 port link-mode route # interface GigabitEthernet1/0/14 port link-mode route # interface GigabitEthernet1/0/15 port link-mode route # interface GigabitEthernet1/0/16 port link-mode route # interface GigabitEthernet1/0/17 port link-mode route # interface GigabitEthernet1/0/18 port link-mode route # interface GigabitEthernet1/0/19 port link-mode route # interface GigabitEthernet1/0/20 port link-mode route # interface GigabitEthernet1/0/21 port link-mode route # interface GigabitEthernet1/0/22 port link-mode route # interface GigabitEthernet1/0/23 port link-mode route # interface SSLVPN-AC11 ip address 192.168.100.1 255.255.255.0 # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/2 # security-zone name DMZ # security-zone name Untrust import interface Dialer0 import interface GigabitEthernet1/0/1 import interface GigabitEthernet1/0/3 import interface SSLVPN-AC11 # security-zone name Management import interface GigabitEthernet1/0/0 # zone-pair security source Any destination Any packet-filter 3003 # scheduler logfile size 16 # line class aux user-role network-operator # line class console authentication-mode scheme user-role network-admin # line class usb user-role network-operator # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 192.168.2.0 24 192.168.10.2 ip route-static 192.168.3.0 24 192.168.10.2 # ssh server enable # acl advanced 3000 step 10 rule 0 permit ip # acl advanced 3001 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 20 deny ip # acl advanced 3002 rule 0 permit ip destination 192.168.100.0 0.0.0.255 rule 5 permit ip source 192.168.100.0 0.0.0.255 rule 10 permit ip source 192.168.30.0 0.0.0.255 rule 15 permit ip destination 192.168.30.0 0.0.0.255 rule 20 permit ip source 192.168.20.0 0.0.0.255 rule 25 permit ip destination 192.168.20.0 0.0.0.255 # acl advanced 3003 rule 0 deny ip source 192.168.100.0 0.0.0.255 rule 5 deny ip source 192.168.30.0 0.0.0.255 rule 10 deny ip source 192.168.20.0 0.0.0.255 rule 15 deny ip destination 192.168.100.0 0.0.0.255 rule 20 deny ip destination 192.168.30.0 0.0.0.255 rule 25 deny ip destination 192.168.20.0 0.0.0.255 rule 30 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 45 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 50 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 55 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 60 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 65 permit ip source 192.168.2.0 0.0.0.255 rule 70 permit ip source 192.168.3.0 0.0.0.255 rule 75 permit ip source 192.168.10.0 0.0.0.255 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user 123 class manage authorization-attribute user-role network-operator # local-user admin class manage password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ== service-type ssh telnet terminal https authorization-attribute user-role level-3 authorization-attribute user-role level-15 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user admin class network password cipher $c$3$rjDlrz3Mb/lxlcMbyZCiolgBAHX/5bltUlZwXw== access-limit 600 service-type sslvpn authorization-attribute user-role network-operator authorization-attribute sslvpn-policy-group ziyuan # session statistics enable # ipsec transform-set 总部_IPv4_1 esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 # ipsec policy-template 总部 1 transform-set 总部_IPv4_1 local-address 210.21.233.162 description 总 ike-profile 总部_IPv4_1 # ipsec policy 总部 1 isakmp template 总部 # ike identity fqdn 1 ike logging negotiation enable # ike profile 总部_IPv4_1 keychain 总部_IPv4_1 exchange-mode aggressive local-identity fqdn 1 match remote identity fqdn 2 match remote identity fqdn 3 match local address GigabitEthernet1/0/1 # ike keychain 总部_IPv4_1 match local address GigabitEthernet1/0/1 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$3aeSh00Ux74JmvzhICn6VyC75tI41W2D # ip https enable webui log enable # sslvpn ip address-pool ippool 192.168.100.2 192.168.100.254 # sslvpn gateway wangguan ip address 210.21.233.162 port 1025 service enable # sslvpn context test gateway wangguan ip-tunnel interface SSLVPN-AC11 ip-tunnel address-pool ippool mask 255.255.255.0 ip-route-list test include 192.168.2.0 255.255.255.0 include 192.168.3.0 255.255.255.0 include 192.168.4.0 255.255.255.0 include 192.168.5.0 255.255.255.0 policy-group ziyuan filter ip-tunnel acl 3000 ip-tunnel access-route ip-route-list test ip-tunnel address-pool ippool mask 255.255.255.0 max-users 600 log user-login enable log resource-access enable session-connections 600 max-onlines 600 service enable # security-policy ip rule 0 name 放通所有策略 action pass # return 这个是总部的,总部的另一个分支是正常,只有这个分支,之前是好好的

zhiliao1111 发表时间:2020-05-12

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +
网站相关
关于我们
服务条款
帮助中心
经验与权限
积分规则
联系我们
联系我们
建议反馈
常用链接
标杆的神器下载
关注我们
H3C官网
新华三服务公众号
安仔远程运维服务
新华三商城
内容许可
除特别说明外,用户内容均可采用知识共享署名-相同方式共享3.0中国大陆许可协议进行许可

Copyright©2024新华三集团保留一切权利 当前呈现版本 NO.1

本图标版权归新华三集团所有,仅限本社区使用,切勿用做商业目的,违者必究

浙ICP备09064986号-1   浙公网安备 33010802004416号

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明