SecPath F1000-AK135 VPN one-way connectivity
Problem description:
HQ uses a SecPath F1000-AK135 firewall and the branch uses a TP-Link router. Currently the branch can ping HQ, but HQ cannot ping the branch. Could someone please advise?
Network topology and description:
object-group ip address 192.168.1.0
security-zone Trust
0 network subnet 192.168.1.0 255.255.255.0
#
object-group ip address 192.168.3.0
security-zone Untrust
0 network subnet 192.168.3.0 255.255.255.0
#
object-group ip address ipsec-local
security-zone Local
0 network host address 公网ip
#
object-group ip address ipsec-remote
security-zone Untrust
0 network host address 对端公网ip
#
object-group ip address thg
0 network host address 192.168.1.149
#
dhcp server ip-pool 10
gateway-list 172.16.0.254
network 172.16.0.0 mask 255.255.0.0
dns-list
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 公网ip 255.255.255.240
tcp mss 1300
nat outbound disable
nat outbound 3999
gateway 61.54.4.30
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
nat hairpin enable
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name un
#
zone-pair security source Any destination Any
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
packet-filter 3000
#
zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust
packet-filter 3000
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
packet-filter 3000
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
packet-filter 3000
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
packet-filter 3000
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
packet-filter 3000
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
packet-filter 3000
#
ip route-static 0.0.0.0 0 61.54.4.30
#
info-center source FILTER logfile deny
#
ssh server enable
ssh server acl
#
acl basic
description 设备访问限制
rule 0 permit source 192.168.1.0 0.0.0.255
#
acl advanced 3000
rule 0 permit ip
#
acl advanced 3999
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 permit ip
#
acl advanced name IPsec_piaoliu_IPv4_1
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
user-group system
#
local-user admin class manage
password hash 8767g==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user thdxg class manage
service-type telnet
authorization-attribute user-role network-operator
#
session statistics enable
session synchronization enable
session synchronization http
#
ipsec logging negotiation enable
#
ipsec transform-set piaoliu_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec smart-link policy piaoliu_1
smart-link enable
link 1 interface GigabitEthernet1/0/1 local 公网ip nexthop 61.54.4.30 remote 对端公网ip
#
ipsec policy piaoliu 1 isakmp
transform-set piaoliu_IPv4_1
security acl name IPsec_piaoliu_IPv4_1
ike-profile piaoliu_IPv4_1
smart-link policy piaoliu_1
#
ike logging negotiation enable
#
ike profile piaoliu_IPv4_1
keychain piaoliu_IPv4_1
local-identity address 公网ip
match remote identity address 对端公网ip 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-128
#
ike keychain piaoliu_IPv4_1
pre-shared-key address 对端公网ip 255.255.255.255 key cipher $c$3$KO7q3vXyJcYbdGQ6NOuZsNH2DSHuNtq
#
ip http acl
ip https acl
ip http enable
ip https enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
security-policy ip
rule 0 name vpn-local-remote
action pass
counting enable
source-zone Local
destination-zone Untrust
source-ip ipsec-local
destination-ip ipsec-remote
rule 1 name vpn-remote-local
action pass
counting enable
source-zone Untrust
destination-zone Local
source-ip ipsec-remote
destination-ip ipsec-local
rule 2 name vpn-1-3
action pass
counting enable
source-zone Trust
destination-zone Untrust
source-ip 192.168.1.0
destination-ip 192.168.3.0
rule 3 name vpn-3-1
action pass
counting enable
source-zone Untrust
destination-zone Trust
source-ip 192.168.3.0
destination-ip 192.168.1.0
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return
Asked 3 hours ago
Collect some debug information and take a look.
For one-way VPN traffic, check the interesting traffic and the security policies on both sides.
Answered 2 hours ago
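A quick consistency check for the two items the answer above names, added here as an example and not part of the original thread: it parses H3C-style ACL rules, verifies that the branch's interesting-traffic ACL is the exact mirror of the HQ ACL from the post, and verifies that NAT ACL 3999 denies the tunnel traffic before its catch-all permit so it is not NATed on the way out. BRANCH_ACL is an assumed mirror written in H3C syntax, since the TP-Link configuration is not shown.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed samples: HQ_ACL and NAT_ACL are from the post; BRANCH_ACL is an assumed mirror (TP-Link side not shown).
HQ_ACL = """acl advanced name IPsec_piaoliu_IPv4_1
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255"""
BRANCH_ACL = """acl advanced name branch_side
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"""
NAT_ACL = """acl advanced 3999
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 permit ip"""

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip"
                     r"(?:\s+source\s+(\S+)\s+(\S+))?(?:\s+destination\s+(\S+)\s+(\S+))?")

def wildcard_to_net(addr, wild):
    """H3C 'address wildcard' -> ip_network; an absent pair means any."""
    if not addr:
        return ip_network("0.0.0.0/0")
    w = int(ip_address(wild))
    if w & (w + 1):  # wildcard bits must be contiguous low bits for a plain subnet
        raise ValueError(f"non-contiguous wildcard {wild}")
    return ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_acl(text):
    """Return [(rule_id, action, src_net, dst_net)] in configured order."""
    return [(int(rid), act, wildcard_to_net(sa, sw), wildcard_to_net(da, dw))
            for rid, act, sa, sw, da, dw in RULE_RE.findall(text)]

def check_mirror(local, remote):
    """Each permit on one side needs the src/dst-swapped permit on the other."""
    issues = []
    for side, here, there in (("local", local, remote), ("remote", remote, local)):
        for rid, act, src, dst in here:
            if act == "permit" and not any(
                    a == "permit" and s == dst and d == src for _, a, s, d in there):
                issues.append(f"{side} rule {rid} {src}->{dst} has no mirror on the other side")
    return issues

def check_nat_exempt(nat_acl, vpn_acl):
    """Tunnel traffic must hit a deny in the NAT ACL first, or it gets NATed."""
    issues = []
    for rid, act, src, dst in vpn_acl:
        if act != "permit":
            continue
        first = next((a for _, a, s, d in nat_acl
                      if src.subnet_of(s) and dst.subnet_of(d)), None)
        if first != "deny":
            issues.append(f"VPN rule {rid} {src}->{dst} is not exempt from NAT (first match: {first})")
    return issues
```

Both checks return an empty list for the configuration in the post, so with this HQ side a one-way result points at the branch's own interesting-traffic definition or policy rather than at ACL 3999.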