两台netscreen VPN不能连通故障
两台netscreen做VPN：一台是netscreen-1000，另一台是netscreen-25。原先VPN运行良好，可以通过互联网访问内部办公网；后来替换了netscreen-25的备份配置文件后VPN无法连通，但PC仍可以访问互联网（需另外配置DNS才行）。netscreen-25配置如下，请帮助解决！
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "admin"
set admin password "sdfdasdfs"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.66.1.1/26
set interface ethernet1 nat
set interface ethernet3 ip 222.2.2.2/30
set interface ethernet3 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage web
set hostname ns25
set address "Trust" "10.66.152.131/64" 10.66.152.131/64
set address "Trust" "10.66.153.131/64" 10.66.153.131/64
set address "Trust" "SLK" 10.66.153.128 255.255.255.192
set address "Untrust" "10.0.0.0/255" 10.0.0.0/255
set address "Untrust" "10.66.0.0" 10.66.0.0 255.255.0.0
set address "Untrust" "10.67.0.0" 10.67.0.0 255.255.0.0
set address "Untrust" "10.68.0.0" 10.68.0.0 255.255.0.0
set ike gateway "SLK" address 212.3.2.118 Main outgoing-interface "ethernet3" preshare "qwerdfQEasdfQWeasdfsgawe21SAD==" sec-level standard
set ike gateway "SLK" cert peer-ca all
set ike respond-bad-spi 1
set vpn "SLK" gateway "SLK" no-replay tunnel idletime 0 sec-level standard
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set group address "Untrust" "BUS"
set group address "Untrust" "BUS" add "10.66.0.0"
set group address "Untrust" "BUS" add "10.67.0.0"
set group address "Untrust" "BUS" add "10.68.0.0"
set policy id 2 from "Trust" to "Untrust" "SLK" "BUS" "ANY" tunnel vpn "SLK" id 1 pair-policy 3 log
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3 from "Untrust" to "Trust" "BUS" "SLK" "ANY" tunnel vpn "SLK" id 1 pair-policy 2 log
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3 gateway 222.2.2.1
exit