我正在尝试在运行 strongSwan 的 Debian Jessie 系统和 SRX 之间设置 IPsec VPN 隧道。最终目标是使用 Debian 主机作为 SRX 后面主机的反向代理,我认为这需要拆分隧道。
Debian 主机是debian.example.com/1.2.3.4.
SRX 在srx.example.com并且有一个动态分配的 IP,我在5.6.7.8下面替换了它。
双方似乎都认为 SA 已启动,但我无法192.168.1.0/24从 Debian 主机 ping 子网中的任何内容。
SRX:
root@srx# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3981725 UP b1cbd62070dd2779 f49d3bd11b69a018 IKEv2 1.2.3.4
德比安:
# ipsec status srx.example.com
Security Associations (1 up, 0 connecting):
srx.example.com[1]: ESTABLISHED 32 minutes ago, 1.2.3.4[debian.example.com]...5.6.7.8[srx.example.com]
srx.example.com{1}: INSTALLED, TUNNEL, ESP SPIs: ca2f0887_i 516e8cf8_o
srx.example.com{1}: 192.168.2.0/24 === 192.168.1.0/24
# ip -s xfrm policy list src 192.168.2.0/24
src 192.168.2.0/24 dst 192.168.1.0/24 uid 0
dir out action allow index 2593 priority 2883 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2016-08-16 18:14:21 use -
tmpl src 1.2.3.4 dst 5.6.7.8
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
SRX 配置:
interfaces {
interface-range interfaces-trust {
member fe-0/0/0;
member fe-0/0/1;
member fe-0/0/2;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
st0 {
unit 0 {
family inet;
}
}
vlan {
unit 100 {
family inet {
address 192.168.1.1/24;
}
}
}
}
security {
ike {
proposal ike-vpn-proposal {
authentication-method pre-shared-keys;
dh-group group24;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy ike-vpn-policy {
mode aggressive;
proposals ike-vpn-proposal;
pre-shared-key ascii-text "$9$KJiWxdaJDkqf7-qfQzAtNdb"; ## SECRET-DATA
}
gateway vpn-local-gw {
ike-policy ike-vpn-policy;
address 1.2.3.4;
local-identity hostname srx.example.com;
remote-identity hostname debian.example.com;
external-interface fe-0/0/7.0;
version v2-only;
}
}
ipsec {
proposal ipsec-vpn-proposal {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-128-cbc;
}
policy ipsec-vpn-policy {
perfect-forward-secrecy {
keys group24;
}
proposals ipsec-vpn-proposal;
}
vpn vpn {
bind-interface st0.0;
ike {
gateway vpn-local-gw;
proxy-identity {
local 192.168.1.0/24;
remote 192.168.2.0/24;
}
ipsec-policy ipsec-vpn-policy;
}
establish-tunnels immediately;
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.100;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
ike;
}
}
}
}
}
security-zone vpn {
interfaces {
st0.0;
}
}
}
}
vlans {
vlan-trust {
vlan-id 100;
l3-interface vlan.100;
}
}
Debian strongSwan 配置:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# Add connections here.
conn srx.example.com
auto=start
keyexchange=ikev2
authby=secret
ike=aes128-sha256-modp2048s256
ikelifetime=3h
esp=aes128-sha256
leftid=@debian.example.com
rightid=@srx.example.com
left=1.2.3.4
right=srx.example.com
leftsubnet=192.168.2.0/24
rightsubnet=192.168.1.0/24
include /var/lib/strongswan/ipsec.conf.inc
更新:
我想我可能错过了让事情顺利进行的路线。
SRX:
root@srx> show security flow session destination-prefix 192.168.1.0
Total sessions: 0
root@dravis> show route table inet.0 brief
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Access-internal/12] 22:20:39
> to 5.6.7.1 via fe-0/0/7.0
5.6.7.0/24 *[Direct/0] 10w3d 12:43:15
> via fe-0/0/7.0
5.6.7.8/32 *[Local/0] 10w3d 12:43:15
Local via fe-0/0/7.0
192.168.1.0/24 *[Direct/0] 4w6d 13:21:42
> via vlan.100
192.168.1.1/32 *[Local/0] 10w3d 12:43:40
Local via vlan.100
德比安:
$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth0
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
1.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0