USG防火墙ipsec穿越nat的示例分析,相信很多没有经验的人对此束手无策,为此本文总结了问题出现的原因和解决方法,通过这篇文章希望你能解决这个问题。AR1:acl number 3001rule 1 deny ip source 10.1.2.0 0.0.0.255destination 10.1.1.0 0.0.0.255rule 2 permit ip source 10.1.2.0 0.0.0.255rule 3 permit ip source 172.16.1.0 0.0.0.255interfaceGigabitEthernet0/0/0ip address 202.100.1.2 255.255.255.0nat outbound 3001#interfaceGigabitEthernet0/0/1ip address 172.16.1.2 255.255.255.0#ip route-static10.1.2.0 255.255.255.0 172.16.1.1################################################################FW1:acl number 3001rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255ike proposal 1#ike peer 1pre-shared-key %$%$Kvy%6e6}DWp&azElXM;@VMD;%$%$ike-proposal 1 nat traversal#ipsec proposal 1#ipsec policy-template temp 1security acl 3001ike-peer 1proposal 1#ipsec policy l2l 1 isakmp template temp#interface GigabitEthernet0/0/1ip address 10.1.1.1 255.255.255.0 #interface GigabitEthernet0/0/2ip address 202.100.1.1 255.255.255.0ipsec policy l2l#firewall zone trustset priority 85add interface GigabitEthernet0/0/1#firewall zone untrustset priority 5add interface GigabitEthernet0/0/2ip route-static 0.0.0.0 0.0.0.0 202.100.1.2#ip service-set natt type objectservice 1 protocol udp destination-port 4500#ip service-set ike type objectservice 0 protocol udp destination-port 500#policy interzone local untrust inboundpolicy 0action permitpolicy service service-set ikepolicy service service-set esppolicy service service-set nattpolicy service service-set icmp#policy interzone trust untrust inboundpolicy 0action permitpolicy source 10.1.2.0 mask 24policy destination 10.1.1.0 mask 24# policy interzone trust untrust outboundpolicy 0action permitpolicy source 10.1.1.0 mask 24###########################################FW2:acl number 3001rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255#ike proposal 1#ike peer 1pre-shared-key %$%$a6XbSSW~L%o`:;YS:d}~V|sj%$%$ike-proposal 1remote-address 202.100.1.1 nat traversal#ipsec proposal 1#ipsec policy l2l 1 isakmpsecurity acl 3001ike-peer 1proposal 1#interface GigabitEthernet0/0/1ip address 10.1.2.1 255.255.255.0# interface GigabitEthernet0/0/2ip address 172.16.1.1 255.255.255.0ipsec policy l2lfirewall zone trust set priority 85add interface GigabitEthernet0/0/1#firewall zone untrustset priority 5add interface GigabitEthernet0/0/2#ip route-static 0.0.0.0 0.0.0.0 172.16.1.2ip service-set natt type objectservice 1 protocol udp destination-port 4500#ip service-set ike type objectservice 0 protocol udp destination-port 500#policy interzone local untrust inboundpolicy 0action permitpolicy service service-set ikepolicy service service-set esppolicy service service-set nattpolicy service service-set icmp#policy interzone trust untrust inboundpolicy 0action permitpolicy source 10.1.1.0 mask 24policy destination 10.1.2.0 mask 24#policy interzone trust untrust outboundpolicy 0action permit policy source 10.1.2.0 mask 24################################################################[FW1]dis ike sa15:49:392014/08/01current ike sa number: 2—————————————————————————–conn-id peer flag phase ***—————————————————————————–40001 202.100.1.2:10244 RD v2:2public2 202.100.1.2:10244 RD v2:1public[FW1]dis ipsec sa brief15:49:432014/08/01current ipsec sa number: 2current ipsec tunnel number: 1——————————————————————————Src Address Dst Address SPI ProtocolAlgorithm——————————————————————————202.100.1.2 202.100.1.1 268723444ESP EES;A:HMAC-MD5-96;202.100.1.1 202.100.1.2 3352737410 ESP EES;A:HMAC-MD5-96;[FW1]display ipsec sa15:51:442014/08/01===============================Interface: GigabitEthernet0/0/2 path MTU: 1500===============================—————————–IPsec policy name: “l2l”sequence number: 1mode: template***: public—————————– connection id: 40001 rule number: 4294967295 encapsulation mode: tunnel holding time: 0d 0h 20m 26s tunnel local : 202.100.1.1 tunnel remote: 202.100.1.2 flow source: 10.1.1.0-10.1.1.255 0-65535 0 flow destination: 10.1.2.0-10.1.2.255 0-65535 0 [inbound ESP SAs] spi: 268723444 (0x100464f4) ***: publicsaid: 0cpuid: 0x0000 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436260/2374 max received sequence-number: 9 udp encapsulation used for nat traversal: Y [outbound ESP SAs] spi: 3352737410 (0xc7d6b682) ***: publicsaid: 1cpuid: 0x0000 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436260/2374 max sent sequence-number: 10 udp encapsulation used for nat traversal: Y################################################[FW1]display ipsec statistics15:53:572014/08/01the security packet statistics: input/output security packets: 76/9 input/output security bytes: 540/540 input/output dropped security packets: 67/0 the encrypt packet statistics send sae:9, recv sae:9, send err:0 local cpu:9, other cpu:0, recv other cpu:0 intact packet:9, first slice:0, after slice:0 the decrypt packet statistics send sae:9, recv sae:9, send err:0 local cpu:9, other cpu:0, recv other cpu:0 reassfirst slice:0, after slice:0, len err:0 dropped security免费云主机域名 packet detail: no enough memory: 0, too long: 0 can’t find SA: 67, wrong SA: 0 authentication: 0, replay: 0 front recheck: 0, after recheck: 0 exceed byte limit: 0, exceed packet limit: 0 change cpu enc: 0, dec change cpu: 0 change datachan: 0, fib search: 0 rcv enc(dec) form sae said err: 0, 0 port number error: 0 send port: 0, output l3: 0, l2tp input: 0negotiate about packet statistics: IP packetok:0, err:0, drop:0 IP rcv other cpu to ike:0, drop:0 IKE packet inbound ok:3, err:0 IKE packet outboundok:3, err:0 SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0 ModpCnt: 4, SaeSucc: 0, SoftwareSucc: 4看完上述内容,你们掌握USG防火墙ipsec穿越nat的示例分析的方法了吗?如果还想学到更多技能或想了解更多相关内容,欢迎关注云编程开发博客行业资讯频道,感谢各位的阅读!
Javascript和CSS文件我相信很多人对其都不陌生了,网站大量的特性都会用到Javascript和CSS文件,如果网站做大了,这些文件也会越来越多,这些文件一多了,就要影响到网站打开得速度,怎么解决这个问题呢?减少Javascript和CSS文件的大…
免责声明:本站发布的图片视频文字,以转载和分享为主,文章观点不代表本站立场,本站不承担相关法律责任;如果涉及侵权请联系邮箱:360163164@qq.com举报,并提供相关证据,经查实将立刻删除涉嫌侵权内容。