IPsec vpn-总部深信服 SSL M7.5设备旁挂对接分布华三防火墙

大佬们，IPsec vpn-总部深信服 SSL M7.5设备旁挂核心对接分部出口华三防火墙（野蛮模式），对接不上。可以帮忙看看吗？

1. 华三侧配置
   
2. <yanglao>
   
3. <yanglao>
   
4. <yanglao>
   
5. <yanglao>
   
6. <yanglao>
   
7. <yanglao>dis cu
   
8. #
   
9. version 7.1.064, Ess 8394P05
   
10. #
    
11. sysname yanglao
    
12. #
    
13. clock protocol none
    
14. #
    
15. telnet server enable
    
16. #
    
17. irf mac-address persistent timer
    
18. irf auto-update enable
    
19. undo irf link-delay
    
20. irf member 1 priority 1
    
21. #
    
22. dialer-group 1 rule ip permit
    
23. dialer-group 3 rule ip permit
    
24. #
    
25. dns server 8.8.8.8
    
26. dns server 114.114.114.114
    
27. #
    
28. lldp global enable
    
29. #
    
30. password-recovery enable
    
31. #              
    
32. vlan 1
    
33. #
    
34. policy-based-route 1 permit node 0
    
35. if-match acl 3200
    
36. #
    
37. policy-based-route 1 permit node 5
    
38. if-match acl 3100
    
39. apply default-output-interface Dialer1
    
40. #
    
41. policy-based-route 1 permit node 10
    
42. if-match acl 3300
    
43. apply default-output-interface Dialer3
    
44. #
    
45. interface Dialer1
    
46. ppp chap password cipher $c$3$f5lGKV3pD7sM/fTgDl4iWy00Fy61xpZPoDzL
    
47. ppp chap user 075508273848@163.com
    
48. ppp ipcp dns admit-any
    
49. ppp ipcp dns request
    
50. ppp pap local-user 075508273848@163.com password cipher $c$3$esMeHJvVLXIxt+ET6dxptux19c9klCv4pr1I
    
51. dialer bundle enable
    
52. dialer-group 1
    
53. dialer timer idle 0
    
54. dialer timer autodial 5
    
55. dialer number 1 autodial
    
56. ip address ppp-negotiate
    
57. tcp mss 1024
    
58. nat outbound 3000
    
59. #
    
60. interface Dialer3
    
61. ppp chap password cipher $c$3$YXPROvJK5Xv6k0jOJgrycWJL3lwVplyF8NQn
    
62. ppp chap user 075507670267@163.com
    
63. ppp ipcp dns admit-any
    
64. ppp ipcp dns request
    
65. ppp pap local-user 075507670267@163.com password cipher $c$3$3+0FuM6/zEwPIDKWJugJQcTtaOSZaJ5JIIbM
    
66. dialer bundle enable
    
67. dialer-group 3
    
68. dialer timer idle 0
    
69. dialer timer autodial 5
    
70. dialer number 3 autodial
    
71. ip address ppp-negotiate
    
72. tcp mss 1024
    
73. nat outbound 3501
    
74. ipsec apply policy yanglao
    
75. #
    
76. interface NULL0
    
77. #              
    
78. interface GigabitEthernet1/0/0
    
79. port link-mode route
    
80. ip address 192.168.0.1 255.255.255.0
    
81. #
    
82. interface GigabitEthernet1/0/1
    
83. port link-mode route
    
84. pppoe-client dial-bundle-number 1
    
85. #
    
86. interface GigabitEthernet1/0/2
    
87. port link-mode route
    
88. #
    
89. interface GigabitEthernet1/0/3
    
90. port link-mode route
    
91. pppoe-client dial-bundle-number 3
    
92. #
    
93. interface GigabitEthernet1/0/4
    
94. port link-mode route
    
95. #
    
96. interface GigabitEthernet1/0/5
    
97. port link-mode route
    
98. #
    
99. interface GigabitEthernet1/0/6
    
100. port link-mode route
     
101. #
     
102. interface GigabitEthernet1/0/7
     
103. port link-mode route
     
104. ip address 10.10.10.1 255.255.255.0
     
105. ip policy-based-route 1
     
106. #
     
107. interface GigabitEthernet1/0/8
     
108. port link-mode route
     
109. #
     
110. interface GigabitEthernet1/0/9
     
111. port link-mode route
     
112. #
     
113. interface Ten-GigabitEthernet1/0/10
     
114. port link-mode route
     
115. #
     
116. interface Ten-GigabitEthernet1/0/11
     
117. port link-mode route
     
118. #
     
119. security-zone name Local
     
120. #
     
121. security-zone name Trust
     
122. import interface GigabitEthernet1/0/7
     
123. #              
     
124. security-zone name DMZ
     
125. #
     
126. security-zone name Untrust
     
127. import interface Dialer1
     
128. import interface Dialer3
     
129. import interface GigabitEthernet1/0/1
     
130. import interface GigabitEthernet1/0/3
     
131. #
     
132. security-zone name Management
     
133. import interface GigabitEthernet1/0/0
     
134. #
     
135. scheduler logfile size 16
     
136. #
     
137. line class aux
     
138. user-role network-operator
     
139. #
     
140. line class console
     
141. authentication-mode scheme
     
142. user-role network-admin
     
143. #
     
144. line class vty
     
145. user-role network-operator
     
146. #              
     
147. line aux 0
     
148. authentication-mode none
     
149. user-role network-admin
     
150. #
     
151. line con 0
     
152. user-role network-admin
     
153. #
     
154. line vty 0 63
     
155. authentication-mode scheme
     
156. user-role network-admin
     
157. #
     
158. ip route-static 0.0.0.0 0 Dialer1
     
159. ip route-static 0.0.0.0 0 Dialer3
     
160. ip route-static 172.16.0.0 16 10.10.10.2
     
161. #
     
162. info-center loghost 106.3.96.73
     
163. #
     
164. customlog format attack-defense
     
165. customlog format dpi url-filter
     
166. customlog format dpi ips
     
167. customlog format dpi anti-virus
     
168. customlog format dpi reputation
     
169. customlog host 106.3.96.73 export dpi ips anti-virus reputation
     
170. #
     
171. ssh server enable
     
172. #
     
173. acl advanced 3000
     
174. rule 10 permit ip
     
175. #
     
176. acl advanced 3100
     
177. description WAN1
     
178. rule 0 permit ip source 192.168.253.0 0.0.0.255
     
179. #
     
180. acl advanced 3200
     
181. rule 0 permit ip source 192.168.252.0 0.0.1.255 destination 192.168.0.0 0.0.255.255
     
182. rule 5 permit ip source 192.168.252.0 0.0.1.255 destination 172.16.0.0 0.0.255.255
     
183. #
     
184. acl advanced 3300
     
185. description WAN3
     
186. rule 0 permit ip source 192.168.252.0 0.0.0.255
     
187. #
     
188. acl advanced 3500
     
189. rule 1 permit ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
     
190. rule 2 permit ip source 172.16.110.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
     
191. #
     
192. acl advanced 3501
     
193. rule 1 deny ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
     
194. rule 2 deny ip source 172.16.110.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
     
195. rule 10 permit ip
     
196. #
     
197. acl advanced 3510
     
198. #
     
199. acl advanced name IPsec_66_IPv4_1
     
200. rule 0 permit ip source 172.16.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
     
201. #
     
202. domain system
     
203. #
     
204. domain default enable system
     
205. #
     
206. role name level-0
     
207. description Predefined level-0 role
     
208. #
     
209. role name level-1
     
210. description Predefined level-1 role
     
211. #
     
212. role name level-2
     
213. description Predefined level-2 role
     
214. #
     
215. role name level-3
     
216. description Predefined level-3 role
     
217. #
     
218. role name level-4
     
219. description Predefined level-4 role
     
220. #
     
221. role name level-5
     
222. description Predefined level-5 role
     
223. #
     
224. role name level-6
     
225. description Predefined level-6 role
     
226. #
     
227. role name level-7
     
228. description Predefined level-7 role
     
229. #
     
230. role name level-8
     
231. description Predefined level-8 role
     
232. #
     
233. role name level-9
     
234. description Predefined level-9 role
     
235. #
     
236. role name level-10
     
237. description Predefined level-10 role
     
238. #              
     
239. role name level-11
     
240. description Predefined level-11 role
     
241. #
     
242. role name level-12
     
243. description Predefined level-12 role
     
244. #
     
245. role name level-13
     
246. description Predefined level-13 role
     
247. #
     
248. role name level-14
     
249. description Predefined level-14 role
     
250. #
     
251. user-group system
     
252. #
     
253. local-user admin class manage
     
254. password hash $h$6$PGC1EoWDRam/cqA1$kdbCs5c2P3ccDfn1IGnbsqtA/Vb3dqJ/OA2DcpDblawo7g3f3/m6MP6LqxEu22hGw/oEW/p3n0r2OeeK6WY0Rw==
     
255. service-type ssh telnet terminal http https
     
256. authorization-attribute user-role level-3
     
257. authorization-attribute user-role level-15
     
258. authorization-attribute user-role network-admin
     
259. authorization-attribute user-role network-operator
     
260. #
     
261. local-user admins class manage
     
262. password hash $h$6$D6Q3ur/sAyDpYyYS$CMn+fJvdgrbgwzgVvUf//oSd5mGHZjg2B9E4XsHFzTYgsXmxAU0ymUmA25nOo6gWGOk2TfF5NZfvNeOLpk+4SA==
     
263. service-type ssh telnet http https
     
264. authorization-attribute work-directory slot1#flash:
     
265. authorization-attribute user-role network-admin
     
266. #
     
267. ssl renegotiation disable
     
268. ssl version ssl3.0 disable
     
269. ssl version tls1.0 disable
     
270. undo ssl version tls1.1 disable
     
271. #
     
272. ipsec logging packet enable
     
273. #
     
274. ipsec transform-set yanglao
     
275. esp encryption-algorithm 3des-cbc
     
276. esp authentication-algorithm md5
     
277. #
     
278. ipsec policy yanglao 1 isakmp
     
279. transform-set yanglao
     
280. security acl 3500
     
281. remote-address 113.98.196.77
     
282. ike-profile 1
     
283. #
     
284. ike profile 1  
     
285. keychain 1
     
286. exchange-mode aggressive
     
287. local-identity fqdn yanglao
     
288. match remote identity fqdn zongbu
     
289. match remote identity address 113.98.196.77 255.255.255.255
     
290. proposal 1
     
291. #
     
292. ike proposal 1
     
293. encryption-algorithm 3des-cbc
     
294. dh group2
     
295. authentication-algorithm md5
     
296. #
     
297. ike keychain 1
     
298. pre-shared-key address 113.98.196.77 255.255.255.255 key cipher $c$3$3w3GiMxVJw0C6gJRSiJLrNXR9Pg0CMJlEZBxwBE=
     
299. #
     
300. ip https enable
     
301. #
     
302. blacklist global enable
     
303. #
     
304. ips signature auto-update
     
305. update schedule daily start-time 02:00:00 tingle 120
     
306. #
     
307. app-profile 0_IPv4
     
308. ips apply policy default mode protect
     
309. #
     
310. inspect logging parameter-profile av_logging_default_parameter
     
311. #
     
312. inspect logging parameter-profile ips_logging_default_parameter
     
313. log language chinese
     
314. #
     
315. inspect logging parameter-profile url_logging_default_parameter
     
316. #
     
317. loadbalance isp file flash:/lbispinfo_v1.5.tp
     
318. #
     
319. security-policy ip
     
320. rule 0 name 1
     
321.   action pass
     
322.   counting enable
     
323.   profile 0_IPv4
     
324. #
     
325. dac log-collect service attack-defense blacklist enable
     
326. dac log-collect service attack-defense flood enable
     
327. dac log-collect service attack-defense scan enable
     
328. dac log-collect service attack-defense signature enable
     
329. dac log-collect service dpi traffic enable
     
330. dac traffic-statistic user enable
     
331. dac traffic-statistic application enable
     
332. #
     
333. ips logging parameter-profile ips_logging_default_parameter
     
334. #
     
335. anti-virus logging parameter-profile av_logging_default_parameter
     
336. #
     
337. return
     
338. <yanglao>                           
     
339. <yanglao>
     
340. <yanglao>
     
341. <yanglao>dis ike sa
     
342. Flags:
     
343. RD--READY RL--REPLACED FD-FADING RK-REKEY
     
344. ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
     
345. --------------------------------------------------------------------------------
     
346. 13       1         113.98.196.77        RD       FQDN           zongbu        
     
347. <yanglao>disp ipsec policy
     
348. -------------------------------------------
     
349. IPsec Policy: yanglao
     
350. Interface: Virtual-Access0,
     
351.            Dialer3
     
352. -------------------------------------------
     
353. 
     
354.   -----------------------------
     
355.   Sequence number: 1
     
356.   Alias: yanglao-1
     
357.   Mode: ISAKMP
     
358.   -----------------------------
     
359.   Traffic Flow Confidentiality: Disabled
     
360.   Security data flow: 3500
     
361.   Selector mode: standard
     
362.   Local address:
     
363.   Remote address: 113.98.196.77
     
364.   Remote address switchback mode: Disabled
     
365.   Transform set:  yanglao
     
366.   IKE profile: 1
     
367.   IKEv2 profile:
     
368.   smart-link policy:
     
369.   SA trigger mode: Traffic-based
     
370.   SA duration(time based): 3600 seconds
     
371.   SA duration(traffic based): 1843200 kilobytes
     
372.   SA soft-duration buffer(time based): --
     
373.   SA soft-duration buffer(traffic based): --
     
374.   SA idle time: --
     
375.   SA df-bit:
     
376.   Responder only: Disabled
     
377. <yanglao>   
     
378. <yanglao>
     
379. <yanglao>
     
380. <yanglao>disp acl
     
381.                   ^
     
382. % Incomplete command found at '^' position.
     
383. <yanglao>
     
384. <yanglao>
     
385. <yanglao>disp acl all
     
386. Advanced IPv4 ACL 3000, 1 rule,
     
387. ACL's step is 5
     
388. rule 10 permit ip (1771900185 times matched)
     
389. 
     
390. Advanced IPv4 ACL 3100, 1 rule,
     
391. WAN1
     
392. ACL's step is 5
     
393. rule 0 permit ip source 192.168.253.0 0.0.0.255 (374677136 times matched)
     
394. 
     
395. Advanced IPv4 ACL 3200, 2 rules,
     
396. ACL's step is 5
     
397. rule 0 permit ip source 192.168.252.0 0.0.1.255 destination 192.168.0.0 0.0.255.255 (3599255 times matched)
     
398. rule 5 permit ip source 192.168.252.0 0.0.1.255 destination 172.16.0.0 0.0.255.255 (24751 times matched)
     
399. 
     
400. Advanced IPv4 ACL 3300, 1 rule,
     
401. WAN3
     
402. ACL's step is 5
     
403. rule 0 permit ip source 192.168.252.0 0.0.0.255 (1379575019 times matched)
     
404. 
     
405. Advanced IPv4 ACL 3500, 2 rules,
     
406. ACL's step is 5
     
407. rule 1 permit ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
     
408. rule 2 permit ip source 172.16.110.0 0.0.0.254 destination 192.168.0.0 0.0.255.255 (149 times matched)
     
409.                
     
410. Advanced IPv4 ACL 3501, 3 rules,
     
411. ACL's step is 5
     
412. rule 1 deny ip source 172.16.100.0 0.0.0.254 destination 192.168.0.0 0.0.255.255
     
413. rule 2 deny ip source 172.16.110.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 (172 times matched)
     
414. rule 10 permit ip (140168 times matched)
     
415. 
     
416. Advanced IPv4 ACL 3510, 0 rule,
     
417. ACL's step is 5
     
418. 
     
419. Advanced IPv4 ACL named IPsec_66_IPv4_1, 1 rule,
     
420. ACL's step is 5
     
421. rule 0 permit ip source 172.16.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
     
422. 
     
423. <yanglao>      
     
424. <yanglao>
     
425. <yanglao>
     
426. <yanglao>
     
427. <yanglao>
     
428. <yanglao>dis cu conf ike-profile
     
429. #
     
430. ike profile 1
     
431. keychain 1
     
432. exchange-mode aggressive
     
433. local-identity fqdn yanglao
     
434. match remote identity fqdn zongbu
     
435. match remote identity address 113.98.196.77 255.255.255.255
     
436. proposal 1
     
437. #
     
438. return
     
439. <yanglao>
     
440. <yanglao>            
     
441. <yanglao>
     
442. <yanglao>dis cu conf ike-keychain
     
443. #
     
444. ike keychain 1
     
445. pre-shared-key address 113.98.196.77 255.255.255.255 key cipher $c$3$3w3GiMxVJw0C6gJRSiJLrNXR9Pg0CMJlEZBxwBE=
     
446. #
     
447. return
     
448. <yanglao>
     
449. <yanglao>
     
450. <yanglao>
     
451. <yanglao>
     
452. <yanglao>
     
453. <yanglao>display  ike proposal
     
454. Priority Authentication Authentication Encryption  Diffie-Hellman Duration
     
455.               method       algorithm    algorithm       group      (seconds)
     
456. ----------------------------------------------------------------------------
     
457. 1        PRE-SHARED-KEY     MD5        3DES-CBC    Group 2        86400   
     
458. default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400   
     
459. <yanglao>
     
460. <yanglao>
     
461. <yanglao>
     
462. <yanglao>
     
463. <yanglao>  display  ipsec  transform-set
     
464. IPsec transform set: yanglao
     
465.   State: complete
     
466.   Encapsulation mode: tunnel
     
467.   ESN: Disabled
     
468.   PFS:
     
469.   Transform: ESP
     
470.   ESP protocol:
     
471.     Integrity: MD5
     
472.     Encryption: 3DES-CBC
     
473. 
     
474. <yanglao>
     
475. <yanglao>
     
476. <yanglao>
     
477. <yanglao>
     
478. <yanglao>disp ike sa
     
479. Flags:
     
480. RD--READY RL--REPLACED FD-FADING RK-REKEY
     
481. ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
     
482. --------------------------------------------------------------------------------
     
483. 13       1         113.98.196.77        RD       FQDN           zongbu        
     
484. <yanglao>disp ike sa  ve
     
485. <yanglao>disp ike sa  verbose
     
486.    -----------------------------------------------
     
487.    Connection ID: 13
     
488.    Outside VPN:
     
489.    Inside VPN:
     
490.    Profile: 1
     
491.    Transmitting entity: Initiator
     
492.    Initiator cookie: ea454cb18fc5725e
     
493.    Responder cookie: 1525d959f8439335
     
494.    Output interface name:
     
495.    -----------------------------------------------
     
496.    Local IP/port: 100.64.20.190/4500
     
497.    Local ID type: FQDN
     
498.    Local ID: yanglao
     
499. 
     
500.    Remote IP/port: 113.98.196.77/4500
     
501.    Remote ID type: FQDN
     
502.    Remote ID: zongbu
     
503. 
     
504.    Authentication-method: PRE-SHARED-KEY
     
505.    Authentication-algorithm: MD5
     
506.    Encryption-algorithm: 3DES-CBC
     
507. 
     
508.    Life duration(sec): 86400
     
509.    Remaining key duration(sec): 86011
     
510.    Exchange-mode: Aggressive
     
511.    Diffie-Hellman group: Group 2
     
512.    NAT traversal: Detected
     
513. 
     
514.    Extend authentication: Disabled
     
515.    Assigned IP address:
     
516.    Vendor ID index:0xffffffff
     
517.    Vendor ID sequence number:0x0
     
518. <yanglao>     
     
519. <yanglao>
     
520. <yanglao>disp ipsec sa
     
521. <yanglao>
     
522. <yanglao>
     
523. <yanglao>
     
524. <yanglao>
     
525. <yanglao>sa f
     
526. Validating file. Please wait...
     
527. Saved the current configuration to mainboard device successfully.
     
528. <yanglao>
     
529. <yanglao>
     

复制代码

帮忙看看吗？

等大佬解答学习1111

这不把防火墙的故障日志发出来嘛，看下是第几阶段协商不成功，针对性排查，看了下交换机配置，那个存活时间好像不一致Life duration(sec): 86400，防火墙是3600

技术知识本乏味，互动交流应有味，文理综合为了让大家收获更多知识与欢乐

技术知识本乏味，互动交流应有味，文理综合为了让大家收获更多知识与欢乐

技术知识本乏味，互动交流应有味，文理综合为了让大家收获更多知识与欢乐