URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 22922

Исходное сообщение
"IPSEC Juniper SRX Fedora"

Отправлено Vadimych , 26-Июл-11 10:36 
Доброго дня.

Пытаюсь настроить IPSEC-туннель между Juniper SRX100 и Fedora 14 (в принципе задача в том, чтобы клиенты, находящиеся за SRX100, получили доступ к внешнему серверу без трансляции адресов, поэтому если кто-то предложит другой работающий вариант с имеющимся оборудованием, буду благодарен). Первая фаза вроде бы проходит успешно, а вот вторая в большинстве случаев нет (я не понимаю, почему он ищет правила для 0.0.0.0, когда должен искать для 1.1.1.1 и 2.2.2.2):


Jul 25 20:34:14 d142 racoon: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Jul 25 20:34:14 d142 racoon: INFO: begin Identity Protection mode.
Jul 25 20:34:14 d142 racoon: INFO: received Vendor ID: DPD
Jul 25 20:34:14 d142 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 25 20:34:14 d142 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 25 20:34:14 d142 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Jul 25 20:34:14 d142 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jul 25 20:34:14 d142 racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jul 25 20:34:14 d142 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Jul 25 20:34:14 d142 racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:262928f0a84d2631:8314389e896b4e86
Jul 25 20:34:14 d142 racoon: INFO: respond new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Jul 25 20:34:14 d142 racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
Jul 25 20:34:14 d142 racoon: ERROR: failed to get proposal for responder.
Jul 25 20:34:14 d142 racoon: ERROR: failed to pre-process packet.

Но иногда туннели устанавливаются:

Цитата:
Jul 25 20:15:20 d142 racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Jul 25 20:15:20 d142 racoon: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[500]->1.1.1.1[500] spi=115255088(0x6dea730)
Jul 25 20:15:20 d142 racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=2471328941(0x934d7cad)


Настройки srx100:


# SRX100 configuration as posted (indentation was lost in the forum paste).
# Lines starting with a single '#' are review annotations; the '##' markers are
# Junos display annotations that were in the original output.
## Last commit: 2011-07-26 01:05:02 UTC by root
version 10.4R5.5;
system {
# NOTE(review): the root password hash ($1$ = MD5-crypt) was published together with
# this post; treat it as compromised and change the root password.
root-authentication {
encrypted-password "$1$160qqi9i$ocy4aRbJxpvUQeom31qDL0"; ## SECRET-DATA
}
services {
ssh;
# telnet, xnm-clear-text and http are unencrypted management services. The trust
# zone below accepts all system-services, so they are reachable from the whole LAN;
# disable the ones not in use or keep only ssh/https.
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
# self-signed device certificate: browsers will warn until it is replaced or trusted
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.50 high 192.168.1.254;
name-server {
8.8.8.8;
}
}
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
# fe-0/0/1..7: LAN trunk ports carrying vlan-trust (native, id 3) and white (id 10)
interface-range local-int {
member fe-0/0/1;
member fe-0/0/2;
member fe-0/0/3;
member fe-0/0/4;
member fe-0/0/5;
member fe-0/0/6;
member fe-0/0/7;
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-trust white ];
}
native-vlan-id 3;
}
}
}
# fe-0/0/0: access port in vlan 'white', whose L3 interface vlan.1 is the untrust/WAN side
fe-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members white;
}
}
}
}
# st0.0: secure tunnel interface for the route-based VPN (bound under security ipsec vpn ike-vpn)
st0 {
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
vlan {
# vlan.0: LAN gateway (trust zone); vlan.1: WAN address obtained via DHCP (untrust zone)
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 1 {
family inet {
dhcp;
}
}
}
}
routing-options {
static {
# remote (Fedora) network is reached through the tunnel interface
route 192.168.99.0/24 next-hop st0.0;
}
}
protocols {
stp;
}
security {
ike {
policy ike-policy1 {
# main mode + 'standard' proposal set with PSK; phase 1 completes against racoon
# (3des/sha1/dh_group 2) according to the log above.
mode main;
proposal-set standard;
# NOTE(review): Junos '$9$' strings are reversible obfuscation, not a hash. Posting this
# line discloses the PSK; rotate it here and in /etc/racoon/psk.txt on the Fedora side.
pre-shared-key ascii-text "$9$xqudYoDjqf5FDiPQz3purev8Ndbs2"; ## SECRET-DATA
}
gateway ike-gate {
ike-policy ike-policy1;
address 1.1.1.1;
external-interface vlan.1;
}
}
ipsec {
policy vpn-policy1 {
proposal-set standard;
}
vpn ike-vpn {
bind-interface st0.0;
ike {
gateway ike-gate;
ipsec-policy vpn-policy1;
# NOTE(review): no proxy-identity is configured. The racoon log above shows the SRX
# proposing 0.0.0.0/0[0] <-> 0.0.0.0/0[0] in phase 2 ("no policy found"), which is
# presumably the default for a route-based VPN without proxy-identity; a 'proxy-identity'
# stanza with local 192.168.1.0/24 / remote 192.168.99.0/24 would make the selectors
# match the SPD entries on the Fedora side -- confirm against the Junos release notes.
}
}
}
nat {
source {
# interface NAT applies only to trust -> untrust; trust -> vpn traffic is not translated,
# which is the stated goal of the setup.
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
screen {
# basic IDS screens, attached to the untrust zone below
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
address-book {
address local-net 192.168.1.0/24;
}
# all system services and routing protocols accepted from the LAN (see the
# cleartext management services enabled under system services)
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
# NOTE(review): tftp and ssh are accepted from the untrust side on fe-0/0/0.0 and
# ssh on vlan.1 -- confirm this exposure is intended; ike on vlan.1 is required for the VPN.
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
tftp;
ssh;
dhcp;
}
}
}
vlan.1 {
host-inbound-traffic {
system-services {
dhcp;
ssh;
ike;
}
}
}
}
}
# zone for the tunnel interface; no host-inbound services, so the SRX itself is not
# reachable through the tunnel
security-zone vpn {
address-book {
address remote-net 192.168.99.0/24;
}
interfaces {
st0.0;
}
}
}
policies {
# LAN -> Internet: permit everything (relies on source NAT above)
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
# LAN <-> remote-net over the tunnel, symmetric any-application permit; the policy
# name vpn-tr-vpn is reused in both directions (allowed, names are per zone pair)
from-zone trust to-zone vpn {
policy vpn-tr-vpn {
match {
source-address local-net;
destination-address remote-net;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-tr-vpn {
match {
source-address remote-net;
destination-address local-net;
application any;
}
then {
permit;
}
}
}
}
flow {
# clamp TCP MSS for traffic entering the VPN so ESP-encapsulated segments fit the path MTU
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
white {
vlan-id 10;
l3-interface vlan.1;
}
}


Fedora
racoon.conf


# /etc/racoon/racoon.conf as posted (Fedora side: local 1.1.1.1, SRX peer 2.2.2.2).
path include "/etc/racoon";
# PSK file; it holds the same key as the SRX 'pre-shared-key' line, which was posted in
# $9$-obfuscated (reversible) form -- rotate the key on both ends.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
# debug2 is the most verbose level and writes negotiation payloads to syslog;
# drop back to 'notify' once the tunnel works.
log debug2;

# Phase 1 for the SRX peer: main mode, PSK, 3des/sha1/DH group 2. The log above shows
# this completing ("ISAKMP-SA established").
remote 2.2.2.2
{
exchange_mode main;
my_identifier address 1.1.1.1;
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}


# 'anonymous' sainfo applies to any phase-2 selector pair, but racoon still looks up a
# matching SPD entry (setkey.conf) for the selectors the peer proposes. The SRX proposes
# 0.0.0.0/0 <-> 0.0.0.0/0 here, which is what "no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0]"
# in the log refers to. 'generate_policy on' in the remote block would make racoon create
# SPD entries from the peer's proposal, but with wildcard selectors that yields an
# any-to-any policy; fixing the selectors on the SRX side is the safer route.
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
# NOTE(review): 3des, blowfish and hmac_md5 are legacy choices; rijndael (AES) with
# hmac_sha1 is presumably also offered by the SRX 'standard' proposal set -- confirm.
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}

setkey.conf


# /etc/racoon/setkey.conf, first attempt.
# The selectors are the st0 tunnel addresses (172.16.1.2 <-> 172.16.1.1); with /24 on a
# host address both sides reduce to 172.16.1.0/24. The SRX instead routes 192.168.99.0/24
# via st0.0 and permits local-net 192.168.1.0/24 <-> remote-net 192.168.99.0/24, so traffic
# between those subnets matches neither entry, and the 0.0.0.0/0 selectors the SRX proposes
# (see the racoon log) match nothing here either.
# flush/spdflush remove every SA and policy on the host, not only this tunnel's.
flush;
spdflush;
spdadd 172.16.1.2/24 172.16.1.1/24 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 172.16.1.1/24 172.16.1.2/24 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;



Сообщения в этом обсуждении
"IPSEC Juniper SRX Fedora"
Отправлено Vadimych , 27-Июл-11 15:15 
Изменил настройки SRX на policy-based. Туннели стали подниматься, но теперь вижу вот такую картину (т. е. я вижу, как пакеты идут по туннелю, и вижу ICMP-ответ, но не вижу ICMP-запроса).

13:56:15.734788 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0xf940ed0a,seq=0x6), length 116
13:56:15.746447 IP 2.2.2.2 > 1.1.1.1: ESP(spi=0x0ee3a0c8,seq=0x6), length 116
13:56:15.746447 IP 192.168.2.55 > 192.168.99.11: ICMP echo reply, id 19396, seq 1, length 64
13:56:16.734317 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0xf940ed0a,seq=0x7), length 116
13:56:16.738489 IP 2.2.2.2 > 1.1.1.1: ESP(spi=0x0ee3a0c8,seq=0x7), length 116
13:56:16.738489 IP 192.168.2.55 > 192.168.99.11: ICMP echo reply, id 19396, seq 2, length 64
13:56:17.734317 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0xf940ed0a,seq=0x8), length 116
13:56:17.738459 IP 2.2.2.2 > 1.1.1.1: ESP(spi=0x0ee3a0c8,seq=0x8), length 116
13:56:17.738459 IP 192.168.2.55 > 192.168.99.11: ICMP echo reply, id 19396, seq 3, length 64

setkey.conf
# setkey.conf after the SRX was switched to a policy-based VPN: the selectors are now the
# real subnets (192.168.99.0/24 on the Fedora tap0 side, 192.168.1.0/24 behind the SRX).
# NOTE(review): the tunnel endpoint here is 217.10.42.121 while the rest of the post uses
# 2.2.2.2 for the SRX -- the anonymisation is inconsistent and discloses the peer address;
# confirm which address is really configured.
# About the tcpdump above: outbound traffic appears only as ESP and inbound as ESP plus the
# decrypted ICMP reply. On Linux the outbound plaintext is presumably transformed before the
# capture point, so not seeing the cleartext request is expected rather than a fault. The
# reply comes from 192.168.2.55, which is outside 192.168.1.0/24 and therefore outside the
# 'in' selector below -- verify the subnet on the SRX side.
flush;
spdflush;
spdadd 192.168.99.0/24 192.168.1.0/24 any -P out ipsec
        esp/tunnel/1.1.1.1-217.10.42.121/require;
spdadd 192.168.1.0/24 192.168.99.0/24 any -P in ipsec
        esp/tunnel/217.10.42.121-1.1.1.1/require;

setkey -D

1.1.1.1 2.2.2.2
        esp mode=tunnel spi=4181781770(0xf940ed0a) reqid=0(0x00000000)
        E: 3des-cbc  7b9b0e6e a3bba5a0 2f0e52fd 91717f52 7f032adc d238f2b5
        A: hmac-sha1  21bb31f4 48899140 278e5fbc 78d2fe89 132bf71b
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
        created: Jul 27 13:08:47 2011   current: Jul 27 14:01:50 2011
        diff: 3183(s)   hard: 3600(s)   soft: 2880(s)
        last: Jul 27 13:40:25 2011      hard: 0(s)      soft: 0(s)
        current: 672(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 8    hard: 0 soft: 0
        sadb_seq=5 pid=19440 refcnt=0
2.2.2.2 1.1.1.1
        esp mode=tunnel spi=249798856(0x0ee3a0c8) reqid=0(0x00000000)
        E: 3des-cbc  177dd4cf ae881962 f1179963 2ca65a07 3931788c 85d9c63b
        A: hmac-sha1  d96b321a 28883a68 28a94099 5caacbee a0d06ff1
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
        created: Jul 27 13:08:47 2011   current: Jul 27 14:01:50 2011
        diff: 3183(s)   hard: 3600(s)   soft: 2880(s)
        last: Jul 27 13:40:25 2011      hard: 0(s)      soft: 0(s)
        current: 672(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 8    hard: 0 soft: 0
        sadb_seq=6 pid=19440 refcnt=0

ifconfig
[root@d142 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:25:90:04:71:D4
          inet addr:1.1.1.1  Bcast:188.93.209.255  Mask:255.255.254.0
          inet6 addr: fe80::225:90ff:fe04:71d4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6277950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:241614 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3132455022 (2.9 GiB)  TX bytes:32370004 (30.8 MiB)
          Interrupt:16 Memory:fb5e0000-fb600000

eth0:1    Link encap:Ethernet  HWaddr 00:25:90:04:71:D4
          inet addr:188.93.209.6  Bcast:188.93.209.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Memory:fb5e0000-fb600000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:309701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:309701 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:64353374 (61.3 MiB)  TX bytes:64353374 (61.3 MiB)

tap0      Link encap:Ethernet  HWaddr B2:88:14:2C:0C:B0
          inet addr:192.168.99.11  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::b088:14ff:fe2c:cb0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1231929 (1.1 MiB)  TX bytes:700 (700.0 b)