华为ipsec怎么确认是配置成功的

梦幻天崖

华为ipsec怎么确认是配置成功的，ping通即可吗，还有这个ping 1.1.1.1 source 2.2.2.2不能用啊，这个正确命令是神马，求大神

ackca

我试过了，没问题，
还有不要用主动模式

ackca

有路由吗？如果IPSec确认没问题，那就是路由的问题

梦幻天崖

ackca 发表于 2017-9-9 22:27
有路由吗？如果IPSec确认没问题，那就是路由的问题

ping通问题已解决，请问ipsec怎么验证的

ackca

梦幻天崖 发表于 2017-9-10 13:51
ping通问题已解决，请问ipsec怎么验证的

通了基本上就差不多了，确认的话再看看display ike sa、display ipsec sa brief

梦幻天崖

ackca 发表于 2017-9-10 14:32
通了基本上就差不多了，确认的话再看看display ike sa、display ipsec sa brief

只能看到display ike sa的内容，display ipsec sa brief没有内容显示，这算成功吗

ackca

梦幻天崖 发表于 2017-9-10 14:56
只能看到display ike sa的内容，display ipsec sa brief没有内容显示，这算成功吗

当然不成功

梦幻天崖

ackca 发表于 2017-9-10 16:33
当然不成功

ipsec proposal 1
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm md5

ike proposal
authentication-algorithm md5
authentication-method pre-share
encryption-algorithm des-cbc

ike peer 1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#

remote-name jie
remote-address 12.1.1.1

ipsec policy mao 1 isakmp
security acl 3000
ike-peer 1
proposal 1

interface Serial0/0/1
link-protocol ppp
ip address 12.1.1.2 255.255.255.0
ipsec policy mao
大哥请看下我的配置，这有什么错吗

ackca

梦幻天崖 发表于 2017-9-10 16:52
ipsec proposal 1
encapsulation-mode tunnel
transform esp

你发全了好吧，两个设备，感兴趣流量，路由，关键的地方都没有。。。。。

梦幻天崖

ackca 发表于 2017-9-10 20:14
你发全了好吧，两个设备，感兴趣流量，路由，关键的地方都没有。。。。。

R1
sysname r1
#
ike local-name mao
#
acl number 3000
rule 0 permit ip source 11.1.1.0 0.0.0.255 destination 13.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name jie
remote-address 12.1.1.2
#
ipsec policy mao 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ip address 12.1.1.1 255.255.255.0
#
interface Serial0/0/1
link-protocol ppp
ipsec policy mao
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]dis       
[r1]dis ips       
[r1]dis ipsec sa
No Security Associations established.
[r1]
[r1]dis cu
#
sysname r1
#
ike local-name mao
#
acl number 3000
rule 0 permit ip source 11.1.1.0 0.0.0.255 destination 13.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name jie
remote-address 12.1.1.2
#
ipsec policy mao 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ip address 12.1.1.1 255.255.255.0
#
interface Serial0/0/1
link-protocol ppp
ipsec policy mao
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

R2
sysname r2
#
ike local-name jie
#
acl number 3000
rule 0 permit ip source 13.1.1.0 0.0.0.255 destination 11.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name mao
remote-address 12.1.1.1
#
ipsec policy jie 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ipsec policy jie
#
interface Serial0/0/1
link-protocol ppp
ip address 12.1.1.2 255.255.255.0
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 13.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
请过目

梦幻天崖

ackca 发表于 2017-9-10 20:14
你发全了好吧，两个设备，感兴趣流量，路由，关键的地方都没有。。。。。

R1
sysname r1
#
ike local-name mao
#
acl number 3000
rule 0 permit ip source 11.1.1.0 0.0.0.255 destination 13.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name jie
remote-address 12.1.1.2
#
ipsec policy mao 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ip address 12.1.1.1 255.255.255.0
#
interface Serial0/0/1
link-protocol ppp
ipsec policy mao
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]
[r1]dis       
[r1]dis ips       
[r1]dis ipsec sa
No Security Associations established.
[r1]
[r1]dis cu
#
sysname r1
#
ike local-name mao
#
acl number 3000
rule 0 permit ip source 11.1.1.0 0.0.0.255 destination 13.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name jie
remote-address 12.1.1.2
#
ipsec policy mao 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ip address 12.1.1.1 255.255.255.0
#
interface Serial0/0/1
link-protocol ppp
ipsec policy mao
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

R2
sysname r2
#
ike local-name jie
#
acl number 3000
rule 0 permit ip source 13.1.1.0 0.0.0.255 destination 11.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name mao
remote-address 12.1.1.1
#
ipsec policy jie 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ipsec policy jie
#
interface Serial0/0/1
link-protocol ppp
ip address 12.1.1.2 255.255.255.0
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 13.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
请过目

梦幻天崖

ackca 发表于 2017-9-10 20:14
你发全了好吧，两个设备，感兴趣流量，路由，关键的地方都没有。。。。。

请过目
R1
sysname r1
#
ike local-name mao
#
acl number 3000
rule 0 permit ip source 11.1.1.0 0.0.0.255 destination 13.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name jie
remote-address 12.1.1.2
#
ipsec policy mao 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ip address 12.1.1.1 255.255.255.0
#
interface Serial0/0/1
link-protocol ppp
ipsec policy mao
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return


R2sysname r2
#
ike local-name jie
#
acl number 3000
rule 0 permit ip source 13.1.1.0 0.0.0.255 destination 11.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha1
#
ike proposal 1
authentication-algorithm md5
#
ike peer 1 v1
exchange-mode aggressive
pre-shared-key cipher gg^dP=F.[>=H)H2[EInB~.2#
remote-name mao
remote-address 12.1.1.1
#
ipsec policy jie 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
link-protocol ppp
ipsec policy jie
#
interface Serial0/0/1
link-protocol ppp
ip address 12.1.1.2 255.255.255.0
#
interface Serial0/0/2
link-protocol ppp
#
interface Serial0/0/3
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 13.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
wlan
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

梦幻天崖

ackca 发表于 2017-9-10 20:14
你发全了好吧，两个设备，感兴趣流量，路由，关键的地方都没有。。。。。

接口都已配上ipsec policy ，还是显示不出ipsec sa

梦幻天崖

ackca 发表于 2017-9-10 20:14
你发全了好吧，两个设备，感兴趣流量，路由，关键的地方都没有。。。。。

接口都已配上ipsec policy ，还是显示不出ipsec sa

梦幻天崖

梦幻天崖 发表于 2017-9-11 09:11
接口都已配上ipsec policy ，还是显示不出ipsec sa

大神，方便加一下你的QQ或者微信吗