Всем доброго дня!
Пытаюсь поднять IPsec VPN между SRX210 и SRX100H.
srx100 находится за устройством NAT, у которого время от времени (резерв) меняются внешние адреса; по этой причине политика на srx210 — "агрессивная" с "динамическим" хостом. Адрес внешнего интерфейса srx100 — 2.2.2.2. На пограничном устройстве NAT проброшен IKE до 2.2.2.2.
Пробовал и policy-based, и route-based VPN — проблема одна и та же: в логах пишет «No proposal chosen». Проверил:
1. pre-shared ключи на обеих сторонах
2. наличие st0 интерфейса в политике ipsec
3. наличие st0 интерфейса в соответствующей зоне.
Конфиг прилагаю. Большое спасибо всем!
srx210:
/* srx210 side (responder; the srx100 initiates per the KMD log). Braces and hierarchy
   levels are not balanced in the paste, so statements are kept exactly as given and only
   review notes are added as comments. */
interfaces
{
/* NOTE(review): reads "st 0" here but the same interface is bound as st0.10 under vpn-sip below;
   presumably a paste artifact for "st0". */
st 0
unit 10 {
family inet;
}
}
/* Phase 1 (IKE) policy used for the dynamic peer. */
policy ike-pol-sip {
/* NOTE(review): "pomode" does not match the srx100 side ("mode aggressive"); presumably a paste artifact.
   Aggressive mode with a pre-shared key sends the identity and the PSK-derived hash unencrypted in the
   first exchange, so a weak PSK can be guessed offline from a capture; use a long random key, or IKEv2
   where both peers support it (both sides here pin "version v1-only"). */
pomode aggressive;
/* "standard" expands to more than one IKE proposal; this appears to be what the KMD warning
   "Number of proposals != 1 in ISAKMP SA" refers to (harmless). The standard set relies on DH group2
   and SHA-1 (confirm against the platform documentation), which are weak by current guidance. */
proposal-set standard;
/* The $9$ form is a reversible Junos obfuscation, not a hash: a value pasted publicly should be treated as
   disclosed and rotated on both peers. It also cannot be compared by eye with the srx100's $9$ string,
   so matching keys have to be re-entered in clear text rather than "checked" from these strings. */
pre-shared-key ascii-text "$9$JcDkmzFNd"; ## SECRET-DATA
}
/* The peer is matched by its IKE identity (FQDN sipsrx.ykt), not by address, so the srx100 must send exactly this ID. */
ike gateway SIP {
ike-policy ike-pol-sip;
/* NOTE(review): the srx100 gateway below sets no local-identity and its KMD log reports "id type = 1"
   (an IPv4-address ID), which would not match this FQDN; an unmatched ID is a plausible source of the
   "No proposal chosen" notify and is the first thing to check. */
dynamic hostname sipsrx.ykt;
/* IKE arrives on this interface; its zone (not shown in the paste) must allow host-inbound-traffic
   system-services ike. The srx100 log shows a notify reply arriving, so reachability itself looks fine. */
external-interface fe-0/0/7.0;
version v1-only;
}
/* Phase 2 (IPsec) policy: PFS with DH group2 (1024-bit MODP, weak by current guidance; the peer must use the same group). */
ipsec ipsec-pol-sip {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
/* Route-based VPN: traffic is selected by routing through st0.10, so the any/any proxy-identity is the usual
   choice; it agrees with the srx100's proxy-identity (0.0.0.0/0 <-> 0.0.0.0/0, service any). */
ipsec vpn vpn-sip {
bind-interface st0.10;
ike {
gateway SIP;
proxy-identity {
local 0.0.0.0/0;
remote 0.0.0.0/0;
service any;
}
ipsec-policy ipsec-pol-sip;
}
/* NOTE(review): with an address-less (dynamic) peer this side presumably cannot initiate; the KMD log
   confirms 2.2.2.2 (the srx100) is the initiator. */
establish-tunnels immediately;
}
/* Zone holding the tunnel interface. */
zone security-zone vpn {
address-book {
/* LAN behind the srx100. irkutsk-lan and SITA, used by the policies below, are not in this paste —
   presumably defined in another zone's address-book. */
address sip-lan 192.168.16.0/24;
}
interfaces {
st0.10 {
host-inbound-traffic {
system-services {
/* Allowing IKE on the tunnel interface itself is harmless but not what makes IKE reachable;
   IKE packets arrive on fe-0/0/7.0, so its zone is the one that matters. */
ike;
}
/* "all" admits every routing protocol inbound on st0.10; narrow it if only one (or none) is used over the tunnel. */
protocols {
all;
}
}
/* Remote subnets -> local SITA, any application. */
policy from-zone vpn to-zone trust {
policy clients-to-sita {
match {
source-address [ irkutsk-lan sip-lan ];
destination-address SITA;
application any;
}
then {
permit;
}
}
}
/* Local SITA -> remote sip-lan, any application. */
policy from-zone trust to-zone vpn {
policy trust-to-sip {
match {
source-address SITA;
destination-address sip-lan;
application any;
}
then {
permit;
}
}
}
srx100:
/* srx100 side (behind NAT; initiator per the KMD log). Braces and hierarchy levels are not balanced
   in the paste, so statements are kept exactly as given and only review notes are added as comments. */
ike {
/* NOTE(review): "flag all" already covers ike. Trace files record peer identities and negotiation details;
   turn traceoptions off once the tunnel is up. */
traceoptions {
flag ike;
flag all;
}
/* Phase 1 (IKE) policy: aggressive mode + PSK. Same caveat as on the srx210: the identity and the
   PSK-derived hash travel unencrypted, so the key must be long and random (or move to IKEv2). */
policy ike-pol-vnk {
mode aggressive;
/* Must expand to a proposal the srx210 accepts; both sides use the same set, so the mismatch is unlikely to be here. */
proposal-set standard;
/* $9$ is a reversible obfuscation, not a hash — treat the pasted value as disclosed and rotate it on both peers. */
pre-shared-key ascii-text "$9$EBiyKWN-w2C"; ## SECRET-DATA
}
/* Static peer: the srx210's external address. */
gateway office {
ike-policy ike-pol-vnk;
address 1.1.1.1;
/* NOTE(review): no local-identity is configured, so the IKE ID sent is of address type (KMD log:
   "id type = 1", i.e. IPv4 address), whereas the srx210 identifies this peer by FQDN
   ("dynamic hostname sipsrx.ykt"). "local-identity hostname sipsrx.ykt" under this gateway is the
   statement that aligns the two — confirm against the srx210 side. */
external-interface fe-0/0/7.0;
/* NAT in the path means NAT-T is required: UDP/500 and UDP/4500 both have to be forwarded to 2.2.2.2
   on the edge NAT, while the post mentions only "ike" being forwarded. */
version v1-only;
}
}
ipsec {
/* Disable after troubleshooting (see the ike traceoptions note above). */
traceoptions {
flag all;
}
/* Phase 2 (IPsec) policy: PFS group2 + standard set, matching the srx210's ipsec-pol-sip. */
policy ipsec-pol-vnk {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
/* Route-based VPN over st0.0; the any/any proxy-identity matches the srx210's. */
vpn office-vpn {
bind-interface st0.0;
ike {
gateway office;
proxy-identity {
local 0.0.0.0/0;
remote 0.0.0.0/0;
service any;
}
ipsec-policy ipsec-pol-vnk;
}
/* NOTE(review): the KMD log names the sa-cfg "vnukovo-vpn", not "office-vpn" — the log and this paste
   may come from different configuration revisions. */
establish-tunnels immediately;
/* Zone policies: remote SITA <-> local lan, any application. "lan" is not in the vpn zone address-book
   shown below — presumably defined under zone Internal. */
policies from-zone vpn to-zone Internal {
policy vpn-to-trust {
match {
source-address SITA;
destination-address lan;
application any;
}
then {
permit;
}
from-zone Internal to-zone vpn {
policy sip-to-vpn {
match {
source-address lan;
destination-address SITA;
application any;
}
then {
permit;
}
/* Zone holding the tunnel interface; SITA is the subnet behind the srx210. */
zones security-zone vpn {
address-book {
address SITA 5.5.5.0/24;
}
interfaces {
st0.0 {
host-inbound-traffic {
system-services {
/* Harmless on st0.0, but IKE packets arrive on fe-0/0/7.0; that interface's zone (not shown) is the one that must allow ike. */
ike;
}
/* "all" admits every routing protocol inbound on st0.0; narrow it to what the tunnel actually carries. */
protocols {
all;
}
KMD log
[Aug 24 19:02:06]iked_pm_ike_spd_notify_request: Sending Initial contact
[Aug 24 19:02:06]ssh_ike_connect: Start, remote_name = 1.1.1.1:500, xchg = 4, flags = 00040000
[Aug 24 19:02:06]ike_sa_allocate: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
[Aug 24 19:02:06]ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 1
[Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Warning: Number of proposals != 1 in ISAKMP SA, this is against draft!
[Aug 24 19:02:06]ssh_ike_connect: SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1
[Aug 24 19:02:06]ike_st_o_sa_proposal: Start
[Aug 24 19:02:06]ike_st_o_ke: Start
[Aug 24 19:02:06]ike_st_o_nonce: Start
[Aug 24 19:02:06]ike_policy_reply_isakmp_nonce_data_len: Start
[Aug 24 19:02:06]ike_st_o_id: Start
[Aug 24 19:02:06]ike_policy_reply_isakmp_vendor_ids: Start
[Aug 24 19:02:06]ike_st_o_private: Start
[Aug 24 19:02:06]ike_policy_reply_private_payload_out: Start
[Aug 24 19:02:06]ike_encode_packet: Start, SA = { 0x5ccab5ea 2076bcd0 - 00000000 00000000 } / 00000000, nego = -1
[Aug 24 19:02:06]ike_send_packet: Start, send SA = { 5ccab5ea 2076bcd0 - 00000000 00000000}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
[Aug 24 19:02:06]ikev2_packet_allocate: Allocated packet dad400 from freelist
[Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
[Aug 24 19:02:06]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Aug 24 19:02:06]ike_get_sa: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 } / 44cc48b0, remote = 1.1.1.1:500
[Aug 24 19:02:06]ike_sa_find: Not found SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ike_sa_find_half: Found half SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 }
[Aug 24 19:02:06]ike_sa_upgrade: Start, SA = { 5ccab5ea 2076bcd0 - 00000000 00000000 } -> { ... - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ike_alloc_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}
[Aug 24 19:02:06]ike_decode_packet: Start
[Aug 24 19:02:06]ike_decode_packet: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757} / 44cc48b0, nego = 0
[Aug 24 19:02:06]ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = 5ccab5ea 2076bcd0 ..., data[0..46] = 800c0001 00060022 ...
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Notification data has attribute list
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Notify message version = 1
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Error text = Could not find acceptable proposal
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Offending message id = 0x00000000
[Aug 24 19:02:06]<none>:500 (Responder) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [0] / 0x44cc48b0 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
[Aug 24 19:02:06]ike_st_i_private: Start
[Aug 24 19:02:06]ike_send_notify: Connected, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
[Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = 0
[Aug 24 19:02:06]ike_free_negotiation_info: Start, nego = 0
[Aug 24 19:02:06]ike_free_negotiation: Start, nego = 0
[Aug 24 19:02:06]ike_remove_callback: Start, delete SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
[Aug 24 19:02:06]2.2.2.2:500 (Initiator) <-> 1.1.1.1:500 { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 [-1] / 0x00000000 } Aggr; Connection got error = 14, calling callback
[Aug 24 19:02:06]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Aug 24 19:02:06]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Aug 24 19:02:06]IKE negotiation fail for local:2.2.2.2, remote:1.1.1.1 IKEv1 with status: No proposal chosen
[Aug 24 19:02:06] IKEv1 Error : No proposal chosen
[Aug 24 19:02:06]IPSec Rekey for SPI 0x0 failed
[Aug 24 19:02:06]IPSec SA done callback called for sa-cfg vnukovo-vpn local:2.2.2.2, remote:1.1.1.1 IKEv1 with status No proposal chosen
[Aug 24 19:02:06]ike_delete_negotiation: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757}, nego = -1
[Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Aug 24 19:02:06]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Aug 24 19:02:06]ike_sa_delete: Start, SA = { 5ccab5ea 2076bcd0 - cc3097af 8eb3b757 }
[Aug 24 19:02:06]ike_free_negotiation_isakmp: Start, nego = -1
[Aug 24 19:02:06]ike_free_negotiation: Start, nego = -1
[Aug 24 19:02:06]IKE SA delete called for p1 sa 7930823 (ref cnt 1) local:2.2.2.2, remote:1.1.1.1, IKEv1
[Aug 24 19:02:06]iked_pm_p1_sa_destroy: p1 sa 7930823 (ref cnt 0), waiting_for_del 0x0
[Aug 24 19:02:06]ike_free_id_payload: Start, id type = 1
[Aug 24 19:02:06]ike_free_sa: Start
[Aug 24 19:02:06]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)