问
msr830 6EI ipsec不成功
2020-05-18提问
- 0关注
- 1收藏,619浏览
问题描述:
dis ike sa 啥都没用,感觉就没有发起,以前msr830 v5设置都没有问题,现在是V7不晓得啥子情况了,烦请大神看看啊。
分支:192.168.110.0段,总部:192.168.1.0段,总部固定IP,分支自动获取
- #
- version 7.1.064, Release 0615P15
- #
- sysname H3C
- #
- clock timezone Beijing add 08:00:00
- clock protocol ntp
- #
- telnet server enable
- #
- ip load-sharing mode per-flow src-ip global
- #
- dhcp enable
- dhcp server always-broadcast
- #
- dns proxy enable
- #
- password-recovery enable
- #
- vlan 1
- #
- dhcp server ip-pool lan1
- gateway-list 192.168.110.1
- network 192.168.110.0 mask 255.255.254.0
- address range 192.168.110.2 192.168.110.254
- dns-list 192.168.110.1
- #
- interface Dialer0
- #
- interface Dialer1
- #
- interface Dialer2
- #
- interface Dialer3
- #
- interface Dialer4
- #
- interface Dialer5
- #
- interface Dialer6
- #
- interface Dialer7
- #
- interface Dialer8
- #
- interface Dialer1023
- #
- interface Virtual-Template0
- #
- interface NULL0
- #
- interface Vlan-interface1
- ip address 192.168.110.1 255.255.254.0
- tcp mss 1280
- #
- interface GigabitEthernet0/0
- port link-mode route
- description Single_Line1
- ip address dhcp-alloc
- packet-filter name GigabitEthernet0/0 inbound
- nat outbound
- ipsec apply policy tochengdu
- #
- interface GigabitEthernet0/1
- port link-mode route
- #
- interface GigabitEthernet0/2
- port link-mode bridge
- #
- interface GigabitEthernet0/3
- port link-mode bridge
- #
- interface GigabitEthernet0/4
- port link-mode bridge
- #
- interface GigabitEthernet0/5
- port link-mode bridge
- #
- security-zone name Local
- #
- security-zone name Trust
- #
- security-zone name DMZ
- #
- security-zone name Untrust
- #
- security-zone name Management
- #
- scheduler logfile size 16
- #
- line class console
- user-role network-admin
- #
- line class tty
- user-role network-operator
- #
- line class vty
- user-role network-operator
- #
- line con 0
- user-role network-admin
- #
- line vty 0 63
- authentication-mode scheme
- user-role network-operator
- #
- ip route-static 0.0.0.0 0 GigabitEthernet0/0 192.168.10.1
- ip route-static 192.168.1.0 24 GigabitEthernet0/0 192.168.10.1
- #
- ntp-service enable
- ntp-service unicast-server 202.118.1.130
- #
- acl advanced 3000
- rule 0 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
- #
- acl advanced name GigabitEthernet0/0
- rule 0 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
- #
- password-control enable
- undo password-control aging enable
- undo password-control history enable
- password-control length 6
- password-control login-attempt 3 exceed lock-time 10
- password-control update-interval 0
- password-control login idle-time 0
- password-control complexity user-name check
- #
- domain system
- #
- domain default enable system
- #
- role name level-0
- description Predefined level-0 role
- #
- role name level-1
- description Predefined level-1 role
- #
- role name level-2
- description Predefined level-2 role
- #
- role name level-3
- description Predefined level-3 role
- #
- role name level-4
- description Predefined level-4 role
- #
- role name level-5
- description Predefined level-5 role
- #
- role name level-6
- description Predefined level-6 role
- #
- role name level-7
- description Predefined level-7 role
- #
- role name level-8
- description Predefined level-8 role
- #
- role name level-9
- description Predefined level-9 role
- #
- role name level-10
- description Predefined level-10 role
- #
- role name level-11
- description Predefined level-11 role
- #
- role name level-12
- description Predefined level-12 role
- #
- role name level-13
- description Predefined level-13 role
- #
- role name level-14
- description Predefined level-14 role
- #
- user-group system
- #
- local-user admin class manage
- service-type telnet http
- authorization-attribute user-role network-admin
- #
- ipsec transform-set tochengdu
- protocol ah-esp
- esp encryption-algorithm des-cbc
- esp authentication-algorithm md5
- ah authentication-algorithm sha1
- #
- ipsec policy tochengdu 65535 isakmp
- transform-set tochengdu
- security acl 3000
- remote-address 125.71.215.174
- ike-profile tochengdu
- sa duration time-based 3600
- sa duration traffic-based 1843200
- #
- ike profile tochengdu
- keychain tochengdu
- dpd interval 10 on-demand
- exchange-mode aggressive
- match remote identity address 125.71.215.174 255.255.255.255
- proposal 65535
- #
- ike proposal 65535
- #
- ike keychain tochengdu
- pre-shared-key address 125.71.215.174 255.255.255.255 key cipher $c$3$DLuSHY4BTdXto6+u4cM1ajoQ+28+KybmJxLPuzM=
- #
- ip http enable
- #
- wlan global-configuration
- nas-id cm-0-824821-219801A13FM18600002X
- #
- wlan ap-group default-group
- #
- cloud-management server domain oasis.h3c.com
- #
- return
- 2020-05-18提问
- 举报
-
(0)
最佳答案
已采纳
我是一只没有感情的柚子
九段
acl advanced 3001
rule 0 deny ip source 192.168.110.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0
undo nat outbound
nat outbound 3001
你nat outbound里面要把感兴趣流deny掉
- 2020-05-18回答
- 评论(1)
- 举报
-
(0)
➤
✖
亲~登录后才可以操作哦!
确定
✖
✖
你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
✖
举报
×
侵犯我的权益
>
对根叔社区有害的内容
>
辱骂、歧视、挑衅等(不友善)
侵犯我的权益
×
侵犯了我企业的权益
>
抄袭了我的内容
>
诽谤我
>
辱骂、歧视、挑衅等(不友善)
骚扰我
侵犯了我企业的权益
×
您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
抄袭了我的内容
×
原文链接或出处
诽谤我
×
您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
对根叔社区有害的内容
×
垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载
>
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票
不规范转载
×
举报说明
搞定,还要加个rule 1 permit ip