H3C VPN问题

来源：互联网发布：淘宝的二手市场在哪里编辑：程序博客网时间：2024/05/14 12:31

简述：

总部通过一台AR46-40作VPN接入服务器与8个分点进行连接，其中总部是光纤接入具有固定的IP地址，分部是ADSL接入无固定IP。而用不论总部还是分部，内网的所有用户具要可以同时上网，又要可以同时使用VPN网。
问题：
1、分部可以PING通总部的AR46-40的内网接口地址，但是PING不到内网任何客户机的IP地址(内网计算机设置正确)；
2、现在只要总部内网用户使用互联网，分部这边就PING不到AR46-40的内网接口地址了，反之当AR46-40重启后分部先PING入可以看到建立VPN通道，但此时总部用户又不可以使用互联网了。
请各位朋友帮忙看下我的配置，如有不正确的地方请您指正，我在此先谢过了。

原配置：

sysname center
#
FTP server enable
#
l2tp domain suffix-separator @
#
ike local-name center
#
radius scheme system
#
domain system
#
local-user admin
password cipher 3(:F<#W#[PCQ=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<<"TX$_S#6.
N
service-type telnet terminal
level 3
service-type ftp
#
ike peer 1
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name jx
nat traversal
#
ike peer 2
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name md
nat traversal
#
ike peer 3
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name ms
nat traversal
#
ike peer 4
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name sj
nat traversal
#
ike peer 5
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name gm
nat traversal
#
ike peer 6
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name hq
nat traversal
#
ike peer 7
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name ns
nat traversal
#
ike peer 8
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name xx
nat traversal
#
ipsec proposal 1
#
ipsec policy-template temp 1
ike-peer 1
proposal 1
#
ipsec policy-template temp 2
ike-peer 2
proposal 1
#
ipsec policy-template temp 3
ike-peer 3
proposal 1
#
ipsec policy-template temp 4
ike-peer 4
proposal 1
#
ipsec policy-template temp 5
ike-peer 5
proposal 1
#
ipsec policy-template temp 6
ike-peer 6
proposal 1
#
ipsec policy-template temp 7
ike-peer 7
proposal 1
#
ipsec policy-template temp 8
ike-peer 8
proposal 1
#

ipsec policy center 1 isakmp template temp
#
interface Aux0
async mode flow
#
interface Ethernet0/0/0
ip address x.x.x.x 255.255.255.128
nat outbound 3001
ipsec policy center
#
interface Ethernet0/0/1
ip address 10.53.1.1 255.255.255.0
#
interface NULL0
#
acl number 3001
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.2.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.3.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.4.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.5.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.6.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.7.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.8.0 0.0.0.255
rule deny ip source 10.53.1.0 0.0.0.255 destination 10.53.9.0 0.0.0.255
rule permit ip source 10.53.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 x.x.x.x preference 60

[branch1]dis cu
#
sysname Quidway
#
FTP server enable
#
l2tp domain suffix-separator @
#
ike local-name jx
#
dns server dns
#
radius scheme system
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<<"TX$_S#6.N
service-type telnet terminal
level 3
service-type ftp
#
ike peer 1
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name center
remote-address x.x.x.x
nat traversal
#
ipsec proposal 1
#
ipsec policy jx 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
interface Aux0
async mode flow
#
interface Dialer0
link-protocol ppp
ppp chap user username
ppp chap password cipher password
mtu 1450
tcp mss 1024
ip address ppp-negotiate
dialer user username
dialer-group 1
dialer bundle 1
ipsec policy jx
nat outbound 3001
#
interface Ethernet0/0
pppoe-client dial-bundle-number 1
ip address dhcp-alloc
#
interface Ethernet0/1
ip address 10.53.2.1 255.255.255.0
#
interface Serial0/0
clock DTECLK1
link-protocol ppp
ip address ppp-negotiate
#
interface NULL0
#
acl number 3000
rule 0 permit ip source 10.53.2.0 0.0.0.255 destination 10.53.1.0 0.0.0.255
rule 1 deny ip
#
acl number 3001
rule 0 deny ip source 10.53.2.0 0.0.0.255 destination 10.53.1.0 0.0.0.255
rule 1 permit ip source 10.53.2.0 0.0.0.255
rule 2 deny ip
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return

修改后配置：

[center]dis cu
#
sysname center
#
#
FTP server enable
#
l2tp domain suffix-separator @
#
ike local-name center
#
radius scheme system
#
domain system
#
local-user admin
password simple xxxxxxxxxxxxxxxx
service-type telnet terminal
level 3
service-type ftp
#
ike proposal 1
#
ike peer 1
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name jx
nat traversal
#
ike peer 2
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name md
nat traversal
#
ike peer 3
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name ms
nat traversal
#
ike peer 4
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name sj
nat traversal
#
ike peer 5
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name gm
nat traversal
#
ike peer 6
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name hq
nat traversal
#
ike peer 7
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name ns
nat traversal
#
ike peer 8
exchange-mode aggressive
pre-shared-key huawei
id-type name
remote-name my
nat traversal
#
ipsec proposal 1
#
ipsec policy-template temp 1
security acl 3001
ike-peer 1
proposal 1
#
ipsec policy-template temp 2
security acl 3002
ike-peer 2
proposal 1
#
ipsec policy-template temp 3
security acl 3003
ike-peer 3
proposal 1
#
ipsec policy-template temp 4
security acl 3004
ike-peer 4
proposal 1
#
ipsec policy-template temp 5
security acl 3005
ike-peer 5
proposal 1
#
ipsec policy-template temp 6
security acl 3006
ike-peer 6
proposal 1
#
ipsec policy-template temp 7
security acl 3007
ike-peer 7
proposal 1
#
ipsec policy-template temp 8
security acl 3008
ike-peer 8
proposal 1
#
ipsec policy center 1 isakmp template temp
#
interface Aux0
async mode flow
#
interface Ethernet0/0/0
ip address x.x.x.x x.x.x.x
nat outbound 3000
ipsec policy center
#
interface Ethernet0/0/1
ip address 10.53.1.1 255.255.255.0
#
interface NULL0
#
acl number 3000
rule 0 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.2.0 0.0.0.255
rule 1 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.3.0 0.0.0.255
rule 2 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.4.0 0.0.0.255
rule 3 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.5.0 0.0.0.255
rule 4 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.6.0 0.0.0.255
rule 5 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.7.0 0.0.0.255
rule 6 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.8.0 0.0.0.255
rule 7 deny ip source 10.53.1.0 0.0.0.255 destination 10.53.9.0 0.0.0.255
rule 8 permit ip source 10.53.0.0 0.0.255.255
rule 9 deny ip
acl number 3001
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.2.0 0.0.0.255
rule 1 deny ip
acl number 3002
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.3.0 0.0.0.255
rule 1 deny ip
acl number 3003
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.4.0 0.0.0.255
rule 1 deny ip
acl number 3004
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.5.0 0.0.0.255
rule 1 deny ip
acl number 3005
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.6.0 0.0.0.255
rule 1 deny ip
acl number 3006
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.7.0 0.0.0.255
rule 1 deny ip
acl number 3007
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.8.0 0.0.0.255
rule 1 deny ip
acl number 3008
rule 0 permit ip source 10.53.1.0 0.0.0.255 destination 10.53.9.0 0.0.0.255
rule 1 deny ip
#
dhcp server forbidden-ip 10.53.1.1 10.53.1.150
#
ip route-static 0.0.0.0 0.0.0.0 x.x.x.x preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[center]