版块 安全类 SSL VPN/EMM IPsec vpn-总部深信服 SSL M7.5设备旁挂对接分布华三防 ...
IPsec vpn-总部深信服 SSL M7.5设备旁挂对接分布华三防火墙

新手031191 2024-6-18 09:091117

{{ttag.title}}
大佬们,IPsec vpn-总部深信服 SSL M7.5设备旁挂核心对接分部出口华三防火墙(野蛮模式),对接不上。可以帮忙看看吗?
  1. 华三侧配置
  2. <yanglao>
  3. <yanglao>
  4. <yanglao>
  5. <yanglao>
  6. <yanglao>
  7. <yanglao>dis cu
  8. #
  9. version 7.1.064, Ess 8394P05
  10. #
  11. sysname yanglao
  12. #
  13. clock protocol none
  14. #
  15. telnet server enable
  16. #
  17. irf mac-address persistent timer
  18. irf auto-update enable
  19. undo irf link-delay
  20. irf member 1 priority 1
  21. #
  22. dialer-group 1 rule ip permit
  23. dialer-group 3 rule ip permit
  24. #
  25. dns server 8.8.8.8
  26. dns server 114.114.114.114
  27. #
  28. lldp global enable
  29. #
  30. password-recovery enable
  31. #              
  32. vlan 1
  33. #
  34. policy-based-route 1 permit node 0
  35. if-match acl 3200
  36. #
  37. policy-based-route 1 permit node 5
  38. if-match acl 3100
  39. apply default-output-interface Dialer1
  40. #
  41. policy-based-route 1 permit node 10
  42. if-match acl 3300
  43. apply default-output-interface Dialer3
  44. #
  45. interface Dialer1
  46. ppp chap password cipher $c$3$f5lGKV3pD7sM/fTgDl4iWy00Fy61xpZPoDzL
  47. ppp chap user 075508273848@163.com
  48. ppp ipcp dns admit-any
  49. ppp ipcp dns request
  50. ppp pap local-user 075508273848@163.com password cipher $c$3$esMeHJvVLXIxt+ET6dxptux19c9klCv4pr1I
  51. dialer bundle enable
  52. dialer-group 1
  53. dialer timer idle 0
  54. dialer timer autodial 5
  55. dialer number 1 autodial
  56. ip address ppp-negotiate
  57. tcp mss 1024
  58. nat outbound 3000
  59. #
  60. interface Dialer3
  61. ppp chap password cipher $c$3$YXPROvJK5Xv6k0jOJgrycWJL3lwVplyF8NQn
  62. ppp chap user 075507670267@163.com
  63. ppp ipcp dns admit-any
  64. ppp ipcp dns request
  65. ppp pap local-user 075507670267@163.com password cipher $c$3$3+0FuM6/zEwPIDKWJugJQcTtaOSZaJ5JIIbM
  66. dialer bundle enable
  67. dialer-group 3
  68. dialer timer idle 0
  69. dialer timer autodial 5
  70. dialer number 3 autodial
  71. ip address ppp-negotiate
  72. tcp mss 1024
  73. nat outbound 3501
  74. ipsec apply policy yanglao
  75. #
  76. interface NULL0
  77. #              
  78. interface GigabitEthernet1/0/0
  79. port link-mode route
  80. ip address 192.168.0.1 255.255.255.0
  81. #
  82. interface GigabitEthernet1/0/1
  83. port link-mode route
  84. pppoe-client dial-bundle-number 1
  85. #
  86. interface GigabitEthernet1/0/2
  87. port link-mode route
  88. #
  89. interface GigabitEthernet1/0/3
  90. port link-mode route
  91. pppoe-client dial-bundle-number 3
  92. #
  93. interface GigabitEthernet1/0/4
  94. port link-mode route
  95. #
  96. interface GigabitEthernet1/0/5
  97. port link-mode route
  98. #
  99. interface GigabitEthernet1/0/6
  100. port link-mode route
  101. #
  102. interface GigabitEthernet1/0/7
  103. port link-mode route
  104. ip address 10.10.10.1 255.255.255.0
  105. ip policy-based-route 1
  106. #
  107. interface GigabitEthernet1/0/8
  108. port link-mode route
  109. #
  110. interface GigabitEthernet1/0/9
  111. port link-mode route
  112. #
  113. interface Ten-GigabitEthernet1/0/10
  114. port link-mode route
  115. #
  116. interface Ten-GigabitEthernet1/0/11
  117. port link-mode route
  118. #
  119. security-zone name Local
  120. #
  121. security-zone name Trust
  122. import interface GigabitEthernet1/0/7
  123. #              
  124. security-zone name DMZ
  125. #
  126. security-zone name Untrust
  127. import interface Dialer1
  128. import interface Dialer3
  129. import interface GigabitEthernet1/0/1
  130. import interface GigabitEthernet1/0/3
  131. #
  132. security-zone name Management
  133. import interface GigabitEthernet1/0/0
  134. #
  135. scheduler logfile size 16
  136. #
  137. line class aux
  138. user-role network-operator
  139. #
  140. line class console
  141. authentication-mode scheme
  142. user-role network-admin
  143. #
  144. line class vty
  145. user-role network-operator
  146. #              
  147. line aux 0
  148. authentication-mode none
  149. user-role network-admin
  150. #
  151. line con 0
  152. user-role network-admin
  153. #
  154. line vty 0 63
  155. authentication-mode scheme
  156. user-role network-admin
  157. #
  158. ip route-static 0.0.0.0 0 Dialer1
  159. ip route-static 0.0.0.0 0 Dialer3
  160. ip route-static 172.16.0.0 16 10.10.10.2
  161. #
  162. info-center loghost 106.3.96.73
  163. #
  164. customlog format attack-defense
  165. customlog format dpi url-filter
  166. customlog format dpi ips
  167. customlog format dpi anti-virus
  168. customlog format dpi reputation
  169. customlog host 106.3.96.73 export dpi ips anti-virus reputation
  170. #
  171. ssh server enable
  172. #
  173. acl advanced 3000
  174. rule 10 permit ip
  175. #
  176. acl advanced 3100
  177. description WAN1
  178. rule 0 permit ip source 192.168.253.0 0.0.0.255
  179. #
  180. acl advanced 3200
  181. rule 0 permit ip source 192.168.252.0 0.0.1.255 destination 192.168.0.0 0.0.255.255
  182. rule 5 permit ip source 192.168.252.0 0.0.1.255 destination 172.16.0.0 0.0.255.255
  183. #
  184. acl advanced 3300
  185. description WAN3
  186. rule 0 permit ip source 192.168.252.0 0.0.0.255
  187. #
  188. acl advanced 3500
  189. rule 1 permit ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
  190. rule 2 permit ip source 172.16.110.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
  191. #
  192. acl advanced 3501
  193. rule 1 deny ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
  194. rule 2 deny ip source 172.16.110.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
  195. rule 10 permit ip
  196. #
  197. acl advanced 3510
  198. #
  199. acl advanced name IPsec_66_IPv4_1
  200. rule 0 permit ip source 172.16.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
  201. #
  202. domain system
  203. #
  204. domain default enable system
  205. #
  206. role name level-0
  207. description Predefined level-0 role
  208. #
  209. role name level-1
  210. description Predefined level-1 role
  211. #
  212. role name level-2
  213. description Predefined level-2 role
  214. #
  215. role name level-3
  216. description Predefined level-3 role
  217. #
  218. role name level-4
  219. description Predefined level-4 role
  220. #
  221. role name level-5
  222. description Predefined level-5 role
  223. #
  224. role name level-6
  225. description Predefined level-6 role
  226. #
  227. role name level-7
  228. description Predefined level-7 role
  229. #
  230. role name level-8
  231. description Predefined level-8 role
  232. #
  233. role name level-9
  234. description Predefined level-9 role
  235. #
  236. role name level-10
  237. description Predefined level-10 role
  238. #              
  239. role name level-11
  240. description Predefined level-11 role
  241. #
  242. role name level-12
  243. description Predefined level-12 role
  244. #
  245. role name level-13
  246. description Predefined level-13 role
  247. #
  248. role name level-14
  249. description Predefined level-14 role
  250. #
  251. user-group system
  252. #
  253. local-user admin class manage
  254. password hash $h$6$PGC1EoWDRam/cqA1$kdbCs5c2P3ccDfn1IGnbsqtA/Vb3dqJ/OA2DcpDblawo7g3f3/m6MP6LqxEu22hGw/oEW/p3n0r2OeeK6WY0Rw==
  255. service-type ssh telnet terminal http https
  256. authorization-attribute user-role level-3
  257. authorization-attribute user-role level-15
  258. authorization-attribute user-role network-admin
  259. authorization-attribute user-role network-operator
  260. #
  261. local-user admins class manage
  262. password hash $h$6$D6Q3ur/sAyDpYyYS$CMn+fJvdgrbgwzgVvUf//oSd5mGHZjg2B9E4XsHFzTYgsXmxAU0ymUmA25nOo6gWGOk2TfF5NZfvNeOLpk+4SA==
  263. service-type ssh telnet http https
  264. authorization-attribute work-directory slot1#flash:
  265. authorization-attribute user-role network-admin
  266. #
  267. ssl renegotiation disable
  268. ssl version ssl3.0 disable
  269. ssl version tls1.0 disable
  270. undo ssl version tls1.1 disable
  271. #
  272. ipsec logging packet enable
  273. #
  274. ipsec transform-set yanglao
  275. esp encryption-algorithm 3des-cbc
  276. esp authentication-algorithm md5
  277. #
  278. ipsec policy yanglao 1 isakmp
  279. transform-set yanglao
  280. security acl 3500
  281. remote-address 113.98.196.77
  282. ike-profile 1
  283. #
  284. ike profile 1  
  285. keychain 1
  286. exchange-mode aggressive
  287. local-identity fqdn yanglao
  288. match remote identity fqdn zongbu
  289. match remote identity address 113.98.196.77 255.255.255.255
  290. proposal 1
  291. #
  292. ike proposal 1
  293. encryption-algorithm 3des-cbc
  294. dh group2
  295. authentication-algorithm md5
  296. #
  297. ike keychain 1
  298. pre-shared-key address 113.98.196.77 255.255.255.255 key cipher $c$3$3w3GiMxVJw0C6gJRSiJLrNXR9Pg0CMJlEZBxwBE=
  299. #
  300. ip https enable
  301. #
  302. blacklist global enable
  303. #
  304. ips signature auto-update
  305. update schedule daily start-time 02:00:00 tingle 120
  306. #
  307. app-profile 0_IPv4
  308. ips apply policy default mode protect
  309. #
  310. inspect logging parameter-profile av_logging_default_parameter
  311. #
  312. inspect logging parameter-profile ips_logging_default_parameter
  313. log language chinese
  314. #
  315. inspect logging parameter-profile url_logging_default_parameter
  316. #
  317. loadbalance isp file flash:/lbispinfo_v1.5.tp
  318. #
  319. security-policy ip
  320. rule 0 name 1
  321.   action pass
  322.   counting enable
  323.   profile 0_IPv4
  324. #
  325. dac log-collect service attack-defense blacklist enable
  326. dac log-collect service attack-defense flood enable
  327. dac log-collect service attack-defense scan enable
  328. dac log-collect service attack-defense signature enable
  329. dac log-collect service dpi traffic enable
  330. dac traffic-statistic user enable
  331. dac traffic-statistic application enable
  332. #
  333. ips logging parameter-profile ips_logging_default_parameter
  334. #
  335. anti-virus logging parameter-profile av_logging_default_parameter
  336. #
  337. return
  338. <yanglao>                           
  339. <yanglao>
  340. <yanglao>
  341. <yanglao>dis ike sa
  342. Flags:
  343. RD--READY RL--REPLACED FD-FADING RK-REKEY
  344. ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
  345. --------------------------------------------------------------------------------
  346. 13       1         113.98.196.77        RD       FQDN           zongbu        
  347. <yanglao>disp ipsec policy
  348. -------------------------------------------
  349. IPsec Policy: yanglao
  350. Interface: Virtual-Access0,
  351.            Dialer3
  352. -------------------------------------------

  354.   -----------------------------
  355.   Sequence number: 1
  356.   Alias: yanglao-1
  357.   Mode: ISAKMP
  358.   -----------------------------
  359.   Traffic Flow Confidentiality: Disabled
  360.   Security data flow: 3500
  361.   Selector mode: standard
  362.   Local address:
  363.   Remote address: 113.98.196.77
  364.   Remote address switchback mode: Disabled
  365.   Transform set:  yanglao
  366.   IKE profile: 1
  367.   IKEv2 profile:
  368.   smart-link policy:
  369.   SA trigger mode: Traffic-based
  370.   SA duration(time based): 3600 seconds
  371.   SA duration(traffic based): 1843200 kilobytes
  372.   SA soft-duration buffer(time based): --
  373.   SA soft-duration buffer(traffic based): --
  374.   SA idle time: --
  375.   SA df-bit:
  376.   Responder only: Disabled
  377. <yanglao>   
  378. <yanglao>
  379. <yanglao>
  380. <yanglao>disp acl
  381.                   ^
  382. % Incomplete command found at '^' position.
  383. <yanglao>
  384. <yanglao>
  385. <yanglao>disp acl all
  386. Advanced IPv4 ACL 3000, 1 rule,
  387. ACL's step is 5
  388. rule 10 permit ip (1771900185 times matched)

  390. Advanced IPv4 ACL 3100, 1 rule,
  391. WAN1
  392. ACL's step is 5
  393. rule 0 permit ip source 192.168.253.0 0.0.0.255 (374677136 times matched)

  395. Advanced IPv4 ACL 3200, 2 rules,
  396. ACL's step is 5
  397. rule 0 permit ip source 192.168.252.0 0.0.1.255 destination 192.168.0.0 0.0.255.255 (3599255 times matched)
  398. rule 5 permit ip source 192.168.252.0 0.0.1.255 destination 172.16.0.0 0.0.255.255 (24751 times matched)

  400. Advanced IPv4 ACL 3300, 1 rule,
  401. WAN3
  402. ACL's step is 5
  403. rule 0 permit ip source 192.168.252.0 0.0.0.255 (1379575019 times matched)

  405. Advanced IPv4 ACL 3500, 2 rules,
  406. ACL's step is 5
  407. rule 1 permit ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
  408. rule 2 permit ip source 172.16.110.0 0.0.0.254 destination 192.168.0.0 0.0.255.255 (149 times matched)
  409.                
  410. Advanced IPv4 ACL 3501, 3 rules,
  411. ACL's step is 5
  412. rule 1 deny ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
  413. rule 2 deny ip source 172.16.110.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 (172 times matched)
  414. rule 10 permit ip (140168 times matched)

  416. Advanced IPv4 ACL 3510, 0 rule,
  417. ACL's step is 5

  419. Advanced IPv4 ACL named IPsec_66_IPv4_1, 1 rule,
  420. ACL's step is 5
  421. rule 0 permit ip source 172.16.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255

  423. <yanglao>      
  424. <yanglao>
  425. <yanglao>
  426. <yanglao>
  427. <yanglao>
  428. <yanglao>dis cu conf ike-profile
  429. #
  430. ike profile 1
  431. keychain 1
  432. exchange-mode aggressive
  433. local-identity fqdn yanglao
  434. match remote identity fqdn zongbu
  435. match remote identity address 113.98.196.77 255.255.255.255
  436. proposal 1
  437. #
  438. return
  439. <yanglao>
  440. <yanglao>            
  441. <yanglao>
  442. <yanglao>dis cu conf ike-keychain
  443. #
  444. ike keychain 1
  445. pre-shared-key address 113.98.196.77 255.255.255.255 key cipher $c$3$3w3GiMxVJw0C6gJRSiJLrNXR9Pg0CMJlEZBxwBE=
  446. #
  447. return
  448. <yanglao>
  449. <yanglao>
  450. <yanglao>
  451. <yanglao>
  452. <yanglao>
  453. <yanglao>display  ike proposal
  454. Priority Authentication Authentication Encryption  Diffie-Hellman Duration
  455.               method       algorithm    algorithm       group      (seconds)
  456. ----------------------------------------------------------------------------
  457. 1        PRE-SHARED-KEY     MD5        3DES-CBC    Group 2        86400   
  458. default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400   
  459. <yanglao>
  460. <yanglao>
  461. <yanglao>
  462. <yanglao>
  463. <yanglao>  display  ipsec  transform-set
  464. IPsec transform set: yanglao
  465.   State: complete
  466.   Encapsulation mode: tunnel
  467.   ESN: Disabled
  468.   PFS:
  469.   Transform: ESP
  470.   ESP protocol:
  471.     Integrity: MD5
  472.     Encryption: 3DES-CBC

  474. <yanglao>
  475. <yanglao>
  476. <yanglao>
  477. <yanglao>
  478. <yanglao>disp ike sa
  479. Flags:
  480. RD--READY RL--REPLACED FD-FADING RK-REKEY
  481. ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
  482. --------------------------------------------------------------------------------
  483. 13       1         113.98.196.77        RD       FQDN           zongbu        
  484. <yanglao>disp ike sa  ve
  485. <yanglao>disp ike sa  verbose
  486.    -----------------------------------------------
  487.    Connection ID: 13
  488.    Outside VPN:
  489.    Inside VPN:
  490.    Profile: 1
  491.    Transmitting entity: Initiator
  492.    Initiator cookie: ea454cb18fc5725e
  493.    Responder cookie: 1525d959f8439335
  494.    Output interface name:
  495.    -----------------------------------------------
  496.    Local IP/port: 100.64.20.190/4500
  497.    Local ID type: FQDN
  498.    Local ID: yanglao

  500.    Remote IP/port: 113.98.196.77/4500
  501.    Remote ID type: FQDN
  502.    Remote ID: zongbu

  504.    Authentication-method: PRE-SHARED-KEY
  505.    Authentication-algorithm: MD5
  506.    Encryption-algorithm: 3DES-CBC

  508.    Life duration(sec): 86400
  509.    Remaining key duration(sec): 86011
  510.    Exchange-mode: Aggressive
  511.    Diffie-Hellman group: Group 2
  512.    NAT traversal: Detected

  514.    Extend authentication: Disabled
  515.    Assigned IP address:
  516.    Vendor ID index:0xffffffff
  517.    Vendor ID sequence number:0x0
  518. <yanglao>     
  519. <yanglao>
  520. <yanglao>disp ipsec sa
  521. <yanglao>
  522. <yanglao>
  523. <yanglao>
  524. <yanglao>
  525. <yanglao>sa f
  526. Validating file. Please wait...
  527. Saved the current configuration to mainboard device successfully.
  528. <yanglao>
  529. <yanglao>
复制代码

帮忙看看吗?

22.jpg (509.75 KB, 下载次数: 64)

深信服配置1

深信服配置1

23.jpg (619.45 KB, 下载次数: 62)

深信服配置2

深信服配置2

24.jpg (651.45 KB, 下载次数: 59)

深信服配置3

深信服配置3

解决该疑问,预计可以帮助到 16627 人!

回帖即可获得
2S豆
,被楼主采纳即奖励20S豆+10分钟内回帖奖励10S豆 [已过期] ,了解更多S豆奖励信息

完善手机号和公司名称,让服务更省心更便捷!立即完善
新手310521 发表于 2024-6-19 12:12
  
等大佬解答学习1111
sangfor0 发表于 2024-6-20 09:38
  
这不把防火墙的故障日志发出来嘛,看下是第几阶段协商不成功,针对性排查,看了下交换机配置,那个存活时间好像不一致Life duration(sec): 86400,防火墙是3600
屁屁我很忙 发表于 2024-6-21 10:03
  
技术知识本乏味,互动交流应有味,文理综合为了让大家收获更多知识与欢乐
新手370587 发表于 2024-6-25 10:44
  
技术知识本乏味,互动交流应有味,文理综合为了让大家收获更多知识与欢乐
花开荼靡_ 发表于 2024-6-29 09:35
  
技术知识本乏味,互动交流应有味,文理综合为了让大家收获更多知识与欢乐
发表新帖 收藏 回复本帖
分享

等我来答:

换一批

发表新帖
热门标签
全部标签>
安全效果
每日一问
西北区每日一问
技术盲盒
【 社区to talk】
技术笔记
干货满满
产品连连看
新版本体验
技术咨询
标准化排查
信服课堂视频
每周精选
功能体验
自助服务平台操作指引
排障那些事
GIF动图学习
技术晨报
安装部署配置
运维工具
解决方案
2023技术争霸赛专题
秒懂零信任
故障笔记
技术圆桌
云计算知识
用户认证
技术顾问
资源访问
存储
技术争霸赛
「智能机器人」
以战代练
社区新周刊
畅聊IT
答题自测
专家问答
在线直播
MVP
网络基础知识
升级
安全攻防
上网策略
测试报告
日志审计
问题分析处理
流量管理
每日一记
原创分享
sangfor周刊
VPN 对接
项目案例
SANGFOR资讯
专家分享
信服故事
SDP百科
功能咨询
终端接入
授权
设备维护
地址转换
虚拟机
迁移
加速技术
排障笔记本
产品预警公告
玩转零信任
信服圈儿
S豆商城资讯
追光者计划
深信服技术支持平台
社区帮助指南
答题榜单公布
纪元平台
通用技术
卧龙计划
华北区拉练
天逸直播
山东区技术晨报
文档捉虫活动
齐鲁TV
华北区交付直播
2024年技术争霸赛
北京区每日一练
场景专题
高手请过招
升级&主动服务
高频问题集锦
POC测试案例
全能先锋系列
云化安全能力
转盘
任务
商城
勋章
成长计划

本版版主

新手274938
3
0
3

发帖

粉丝

关注

天一蓝去看海
27
77
84

发帖

粉丝

关注

2018元旦 2017万圣节勋章

本版热帖

本版达人

新手24268...

本周建议达人

阿凯

本周分享达人

新手39341...

本周提问达人