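区里最靓的仔, F1030 firewall IPsec question
Is the number of IPsec reply packets judged by the interesting traffic?
If the packet counts for the interesting traffic match, does that mean IPsec has returned all the replies, or do I still need to look at the public-network session?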
Slot 1:
Initiator:
Source IP/port: 35.17.135.42/3
Destination IP/port: 172.18.12.254/2
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP
Inbound interface: GigabitEthernet1/
Source security zone: Untrust
Responder:
Source IP/port: 172.18.12.254/3
Destination IP/port: 35.17.135.42/
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP
Inbound interface: Route-Aggregation1
Source security zone: Trust
State: ICMP_REPLY
Application: ICMP
Start time: 2
Initiator->Responder: 35 packets 294
Responder->Initiator: 35 packets 294
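It is judged by the interesting traffic. The IPsec SA also shows the range of the protected flow, which is the ACL range you configured; traffic that does not match it will not go through IPsec.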
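
The check described in the answer, as an added example that is not part of the original posts: it parses a session entry in the format pasted in the question, compares the packet counters in each direction, and tests whether the flow falls inside a protected-flow range. The `PROTECTED` range and the function names are assumptions made for this example; the real range is the one shown in the IPsec SA.

```python
import ipaddress
import re

# Session entry in the format pasted in the question (truncated fields kept as posted).
SAMPLE = """\
Initiator:
  Source IP/port: 35.17.135.42/3
  Destination IP/port: 172.18.12.254/2
  Protocol: ICMP
Responder:
  Source IP/port: 172.18.12.254/3
  Destination IP/port: 35.17.135.42/
  Protocol: ICMP
State: ICMP_REPLY
Initiator->Responder: 35 packets 294
Responder->Initiator: 35 packets 294
"""

# Assumed protected-flow range, constructed for this example. In practice it is
# the flow shown in the IPsec SA, i.e. the configured ACL range.
PROTECTED = [(ipaddress.ip_network("35.17.135.0/24"),
              ipaddress.ip_network("172.18.12.0/24"))]

def parse_session(text):
    """Return the initiator's src/dst addresses and per-direction packet counts."""
    out, side = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Initiator:", "Responder:"):
            side = line[:-1].lower()
        elif side == "initiator" and (m := re.match(r"(Source|Destination) IP/port:\s*([\d.]+)/", line)):
            out[m.group(1).lower()] = ipaddress.ip_address(m.group(2))
        elif m := re.match(r"(Initiator->Responder|Responder->Initiator):\s*(\d+) packets", line):
            out["fwd" if m.group(1).startswith("Init") else "rev"] = int(m.group(2))
    return out

def in_protected_flow(s, flows=PROTECTED):
    """True if the flow matches a protected range in either direction."""
    a, b = s["source"], s["destination"]
    return any((a in x and b in y) or (a in y and b in x) for x, y in flows)

def check(text, flows=PROTECTED):
    """Summarise one session: is it IPsec-protected, and how many replies are missing."""
    s = parse_session(text)
    return {"protected": in_protected_flow(s, flows),
            "missing_replies": s["fwd"] - s["rev"]}

if __name__ == "__main__":
    print(check(SAMPLE))
```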