<USG2100>dis cu
16:26:33  2010/12/30
#
# Hostname of the device.
 sysname USG2100
#
# L2TP is switched on globally; an l2tp-group and Virtual-Template1 are
# defined further down in this configuration.
 l2tp enable
#
# Default packet-filter action per zone pair and direction. All six lines are
# "permit", including the inbound direction for local/untrust and trust/untrust
# (on this platform "inbound" is lower-priority zone -> higher-priority zone,
# i.e. untrust -> local and untrust -> trust).
# No interzone packet-filter policy appears anywhere in this listing, so these
# defaults are the only filtering decision shown: traffic arriving on the
# untrust side (Dialer0 / Ethernet0/0/0) is allowed to the device itself and
# to the LAN unless something outside this listing blocks it.
# NOTE(review): set the defaults that involve untrust to "deny" and add
# explicit permits for what must be reachable (IKE/ESP from the IPSec peer,
# L2TP if dial-in is really required). Stage the change from the console,
# because the IPSec and L2TP services below currently rely on these permits.
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
# Dialer group 1 (used by interface Dialer0) takes its match condition from
# ACL 2000, which permits sources in address-set "intranet".
 dialer-rule 1 acl 2000
#
# Creates VLAN 1; Vlanif1 below is its layer-3 interface.
 vlan batch 1
#
# Session link-state checking is enabled.
 firewall session link-state check
#
#
# The device acts as a DNS proxy.
 dns proxy enable
#
# Web management interface is enabled; local user "admin" has service-type web.
# NOTE(review): with the default permit for untrust -> local shown earlier,
# the management UI is presumably reachable from the Internet-facing side.
# Limit management access to the trust zone, and check whether this software
# version offers the HTTPS variant (web-manager security enable) so that the
# admin password is not sent over plain HTTP - confirm on the device.
 web-manager enable
#
# Presumably layer-2 fast forwarding for the switch ports - confirm in the
# product documentation.
 l2fwdfast enable                        
#
# ACL 2000: permits sources in address-set "intranet" (10.134.0.0 mask 23,
# defined near the end of this listing). Referenced by dialer-rule 1.
acl number 2000
 rule 5 permit source address-set intranet
#
# ACL 3000: traffic selector for the IPSec policy "beijing" (security acl 3000).
# Rules 5/10 match local 10.134.0.0/24 and 10.134.1.0/24 -> remote 10.1.230.0/24;
# rules 15/20 match the reverse direction.
# NOTE(review): rules 15 and 20 use the remote subnet as source. Confirm they
# are required on this side and that the peer's selector mirrors rules 5/10;
# mismatched selectors are a common cause of SA negotiation failures.
acl number 3000
 rule 5 permit ip source 10.134.0.0 0.0.0.255 destination 10.1.230.0 0.0.0.255
 rule 10 permit ip source 10.134.1.0 0.0.0.255 destination 10.1.230.0 0.0.0.255
 rule 15 permit ip source 10.1.230.0 0.0.0.255 destination 10.134.0.0 0.0.0.255
 rule 20 permit ip source 10.1.230.0 0.0.0.255 destination 10.134.1.0 0.0.0.255
#
# IKE proposal 1: AES-CBC encryption, Diffie-Hellman group 2, MD5 as the
# authentication (hash) algorithm, SA and re-authentication lifetime 3600
# (presumably seconds).
# NOTE(review): MD5 and DH group 2 (1024-bit) are deprecated for IKE. Move to
# a SHA-2 hash and a larger DH group if both ends support them; the AES key
# length is not shown here, so confirm it as well.
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
 authentication-algorithm md5
 sa duration 3600
 sa reauth duration 3600
#
# IKE peer "beijing": IKEv1 only (undo version 2), aggressive mode,
# pre-shared-key authentication, fixed remote address.
# NOTE(review): aggressive mode with a pre-shared key exposes a hash derived
# from the key during the exchange, so the key's strength is the only
# protection against offline guessing. The key configured here is short,
# digits only, and displayed in clear text in this output - rotate it to a
# long random value on both peers. Prefer main mode or IKEv2 where the
# addressing allows; aggressive mode was presumably chosen because Dialer0
# obtains its address by PPP negotiation - confirm.
ike peer beijing
 exchange-mode aggressive
 pre-shared-key 58382000
 ike-proposal 1
 undo version 2
 remote-address 219.141.230.212          
#
# IPSec proposal: ESP with AES encryption. No ESP authentication algorithm
# line is displayed, so the platform default applies.
# NOTE(review): check the effective integrity algorithm (display ipsec
# proposal) and set a SHA-2 family algorithm explicitly if the software
# version offers one.
ipsec proposal prop21121332815
 esp encryption-algorithm aes
#
# IPSec policy "beijing", sequence 10, negotiated through IKE (isakmp):
# protects traffic matched by ACL 3000, uses IKE peer "beijing" and the
# proposal above, with a fixed local address. SA lifetime is 1843200
# traffic-based (presumably kilobytes) or 3600 time-based (presumably seconds).
# NOTE(review): no pfs line is shown; consider enabling perfect forward
# secrecy so that a compromised IKE key does not expose earlier IPSec SAs.
# NOTE(review): local-address is static while Dialer0 negotiates its address
# over PPP - confirm the ISP really assigns this fixed address.
ipsec policy beijing 10 isakmp
 security acl 3000
 ike-peer beijing
 proposal prop21121332815
 local-address 124.234.239.182
 sa duration traffic-based 1843200
 sa duration time-based 3600
#
# Dialer0: PPPoE WAN interface (dialer user pppoe, bundle 1 is bound to
# Ethernet0/0/0 by its pppoe-client line). Address comes from PPP negotiation,
# the interface belongs to dialer-group 1, and IPSec policy "beijing" is
# applied here.
# NOTE(review): the ISP account is authenticated with PAP and its password is
# stored with the "simple" keyword, i.e. readable in any configuration dump
# such as this one. Store it with "cipher", change the password with the ISP
# because it has been displayed, and use CHAP if the provider supports it
# (PAP sends the password unprotected on the access link).
interface Dialer0
 link-protocol ppp
 ppp pap local-user n0431zzf30312345 password simple 123456
 ip address ppp-negotiate
 dialer user pppoe
 dialer-group 1
 dialer bundle 1
 ipsec policy beijing
#
# Vlanif1: LAN gateway 10.134.0.1/24 with the interface-based DHCP server.
# DHCP clients are handed 10.1.230.1 as DNS server, an address inside the
# remote subnet that ACL 3000 sends through the IPSec tunnel.
# NOTE(review): LAN name resolution therefore depends on the tunnel being up -
# confirm this is intended, or add a fallback resolver.
interface Vlanif1
 ip address 10.134.0.1 255.255.255.0     
 dhcp select interface
 dhcp server dns-list 10.1.230.1
#
# Cellular interface with PPP encapsulation only; it has no address and is
# not added to any firewall zone in this listing.
interface Cellular5/0/0
 link-protocol ppp
#
# WAN port: PPPoE client bound to dialer bundle 1 (interface Dialer0).
interface Ethernet0/0/0
 pppoe-client dial-bundle-number 1
#
# Ethernet1/0/0 through Ethernet1/0/7: eight layer-2 switch ports in access
# mode. No per-port VLAN assignment is displayed, so they presumably sit in
# the default VLAN (VLAN 1 / Vlanif1) - confirm on the device.
# NOTE(review): shut down ports that are not in use so an unattended socket
# does not give direct access to the trust zone.
interface Ethernet1/0/0
 portswitch
 port link-type access
#
interface Ethernet1/0/1
 portswitch
 port link-type access
#
interface Ethernet1/0/2
 portswitch
 port link-type access
#
interface Ethernet1/0/3
 portswitch                              
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
# Virtual-Template1: template for L2TP dial-in sessions (l2tp-group 1 allows
# it). Dial-in users are authenticated with PAP and get addresses from
# ip pool 1; the interface itself is 10.134.1.1/24.
# NOTE(review): PAP carries the user password in clear text inside the L2TP
# session, and the l2tp-group below has tunnel authentication disabled, so
# nothing in this listing protects those credentials in transit. Use CHAP
# (ppp authentication-mode chap) and run L2TP over IPSec.
# NOTE(review): ip pool 1 starts at 10.134.1.1, the same address as this
# interface - confirm the pool cannot hand out the gateway address.
interface Virtual-Template1
 ppp authentication-mode pap
 ip address 10.134.1.1 255.255.255.0
 remote address pool 1
#                                        
interface NULL0
#
# Security zones and their priorities: local 100, trust 85, dmz 50, untrust 5.
# trust   : Vlanif1 (LAN) and Virtual-Template1 (L2TP dial-in users)
# untrust : Ethernet0/0/0 and Dialer0 (PPPoE WAN)
# dmz     : no interfaces assigned
# NOTE(review): remote L2TP users land in the same zone as the LAN, so they
# get LAN-level trust. A separate zone for Virtual-Template1 would allow
# dial-in traffic to be filtered independently.
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif1
 add interface Virtual-Template1
#
firewall zone untrust
 set priority 5
 add interface Ethernet0/0/0
 add interface Dialer0
#
firewall zone dmz
 set priority 50
#
# L2TP group 1: accepts incoming L2TP tunnels on Virtual-Template1. No remote
# tunnel name is given on the "allow l2tp" line, and tunnel authentication is
# explicitly turned off.
# NOTE(review): together with the default permit for untrust -> local, any
# host that reaches the WAN address can presumably open a tunnel and go
# straight to PPP user authentication. Re-enable tunnel authentication with a
# strong tunnel password, restrict which peers may connect, or remove the
# L2TP service if it is not used.
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
# Local accounts and the L2TP address pool.
# root  : service-type ppp, i.e. a PPP/L2TP dial-in account. Its password is
#         stored with "simple" (clear text) and follows a name@digits pattern.
# admin : web, terminal and telnet access at level 3; password stored with
#         "cipher".
# ip pool 1 : 10.134.1.1 - 10.134.1.100, used by Virtual-Template1.
# The default authentication/authorization/accounting schemes and the domains
# "default" and "dot1x" carry no further settings in this listing.
# NOTE(review): both passwords have been displayed and should be changed. Give
# the dial-in account a long random password stored with "cipher". The cipher
# format on this device generation is presumably reversible rather than a
# one-way hash - confirm, and treat configuration dumps as secret either way.
# NOTE(review): drop "telnet" from admin's service types in favour of SSH, and
# check whether level 3 is more privilege than day-to-day operation needs.
aaa                                      
 local-user root password simple root@123
 local-user root service-type ppp
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type web terminal telnet
 local-user admin level 3
 ip pool 1 10.134.1.1 10.134.1.100
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 domain dot1x
 #
#
nqa-jitter tag-version 1

#
# Static routes:
#   default route             -> Dialer0 (PPPoE WAN)
#   10.1.230.0/24 (remote)    -> Dialer0, where IPSec policy "beijing" is applied
#   10.134.1.0/24 (L2TP pool) -> Virtual-Template1
 ip route-static 0.0.0.0 0.0.0.0 Dialer0
 ip route-static 10.1.230.0 255.255.255.0 Dialer0
 ip route-static 10.134.1.0 255.255.255.0 Virtual-Template1
#
# Login banner display is enabled; no banner text appears in this listing.
 banner enable
#
# Management lines.
# con 0   : no authentication line is displayed, so the platform default applies.
# tty 2   : authentication-mode none with "modem both" - the modem line accepts
#           calls and opens a CLI session without asking for credentials.
# vty 0-4 : authenticated through AAA (local user "admin"); no inbound protocol
#           restriction or source ACL is displayed.
# NOTE(review): set tty 2 to authentication-mode aaa, or remove the modem
# settings if no out-of-band modem is attached. On the vty lines allow only
# SSH (protocol inbound ssh) and bind an ACL limiting source addresses to the
# management network; set an explicit authentication mode on con 0 too.
user-interface con 0
user-interface tty 2
 authentication-mode none
 modem both
user-interface vty 0 4
 authentication-mode aaa
#
# Address-set "intranet": 10.134.0.0/23, covering the LAN (10.134.0.0/24) and
# the L2TP range (10.134.1.0/24).
ip address-set intranet type object
 address 0 10.134.0.0 mask 23
#
# Address-set "internet": 1.0.0.1-9.255.255.255 and 11.0.0.1-223.255.255.255,
# i.e. unicast space with 10.0.0.0/8 left out. Because the nat-policy uses
# this set as its destination, traffic to 10.1.230.0/24 is not source-NATed
# and can still match the IPSec selector in ACL 3000.
# NOTE(review): the ranges still contain other non-routable blocks
# (127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16); exclude them
# if such destinations must never be NATed out of the WAN interface.
ip address-set internet type object
 address 0 range 1.0.0.1 9.255.255.255
 address 1 range 11.0.0.1 223.255.255.255
#
# Section headers with no settings in this listing: server load balancing
# (slb), CWMP and the right-manager server group.
# NOTE(review): CWMP is the TR-069 remote-management protocol. No parameters
# are shown here, so confirm on the device whether the agent is active and
# which management server it would contact; disable it if it is not used.
 slb
#
cwmp
#
right-manager server-group
#                                        
# Source NAT for trust -> untrust: traffic from address-set "intranet" to
# address-set "internet" is translated to the address of Dialer0 (easy-ip).
# This is the only interzone policy in the listing; it performs address
# translation and does not filter traffic.
nat-policy interzone trust untrust outbound
 policy 0
 action source-nat
 policy source address-set intranet
 policy destination address-set internet
 easy-ip Dialer0
#
# End of the displayed configuration.
return