Site-2-Site Juniper SRX and Zywall

Network Engineering juniper juniper-srx
2021-07-27 13:31:01

I have a Juniper SRX 340 in my datacenter and a Zywall USG 100 in my office. I want to set up a site-to-site VPN between them, but after many attempts I still cannot get it to work.

This is the configuration on the Juniper side:

traceoptions {
    file ike-trace;
}
respond-bad-spi 1;
proposal Ufficio_BG {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy ike_pol_UfficioBG {
    mode aggressive;
    proposals Ufficio_BG;
    pre-shared-key ascii-text "$9$mPz6B1hcrvuOWxN-wsP5T3Ct"; ## SECRET-DATA
}
gateway gw_UfficioBG {
    ike-policy ike_pol_UfficioBG;
    address 10.10.10.1;
    local-identity inet 20.20.20.1;
    external-interface reth0.0;
    version v1-only;
}

----------------------------------------------------------------------

proposal UfficioBG {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
    lifetime-kilobytes 4294967294;
}
policy ipsec_pol_UfficioBG {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals UfficioBG;
}
vpn UfficioBG {
    bind-interface st0.2;
    ike {
        gateway gw_UfficioBG;
        ipsec-policy ipsec_pol_UfficioBG;
    }
    establish-tunnels immediately;
}

And this is the Zywall side:

isakmp policy CED_Milano
 activate
 local-ip interface TIM_FC
 peer-ip 20.20.20.1 0.0.0.0
 authentication pre-share
 encrypted-keystring $4$7QS0D3Km$5ZHdWCJz2pBYw1yHb0RQCZHByYwcxfAnFj/C8zZmHeApLK4fOP4a8SWrwDRt0OnZzrF66GMvbNsEqA9slprImix1v0rfHyB0StxbWQzpoh0$
 local-id type ip 10.10.10.1
 peer-id type ip 20.20.20.1
 fall-back-check-interval 300
 lifetime 3600
 mode aggressive
 group2
 no dpd
 transform-set 3des-md5
 xauth type server default deactivate
 no natt
!
crypto map CED_MILANO
 adjust-mss auto
 activate
 ipsec-isakmp CED_Milano
 scenario site-to-site-static
 encapsulation tunnel
 transform-set esp-aes128-sha256
 set security-association lifetime seconds 3600
 set pfs group5
 local-policy LAN1_SUBNET
 remote-policy CED
 no conn-check activate
 policy-enforcement

The Juniper logs tell me:

Mar 12 08:51:14  fw01 kmd[72691]: IKE negotiation successfully completed. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.1, VR-ID: 0, Role: Initiator
Mar 12 08:51:14  fw01 kmd[72691]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.1, VR-ID: 0
Mar 12 08:52:13  fw01 kmd[72691]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.1, VR-ID: 0
Mar 12 08:53:13  fw01 kmd[72691]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.19, VR-ID: 0

And at this point I don't understand where the problem is; the error concerns the proposals, but I have tried different combinations with no result.

Does anyone have ideas or suggestions?

Thanks in advance to everyone, Gianluca

1 Answer

There is a KB related to your problem: KB24642

This may be due to the following points:

The st0 interface needs to be configured under a specific security zone.

Even if the st0 interface is unnumbered, it needs to have the following configuration:

    # set interfaces st0.0 family inet

Make sure st0.x interface numbers are used. If you configure st1.0 (instead of st0.1 or st0.2 and so on) then you will get the "no proposal chosen" error and your tunnel will not come up.
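To show why the answer looks past the algorithms themselves, here is an added example (not from the question, the answer, or either vendor) that normalises the Phase 1 and Phase 2 parameters of the two posted configs into one vocabulary and diffs them. The parameter values are copied from the configs above; the vendor-spelling tables and the helper names are constructed for this illustration.

```python
# Added example (not part of the question or answer): normalise the IKE
# Phase 1 and IPsec Phase 2 parameters from the two posted configs and
# diff them. Parameter values are copied from the configs above; the
# vendor-spelling tables are a constructed normalisation, not vendor code.

# Junos: ike proposal Ufficio_BG, ipsec proposal UfficioBG + PFS group.
JUNOS = {
    "phase1": {"encryption-algorithm": "3des-cbc", "authentication-algorithm": "md5",
               "dh-group": "group2", "mode": "aggressive", "lifetime": 3600},
    "phase2": {"encryption-algorithm": "aes-128-cbc",
               "authentication-algorithm": "hmac-sha-256-128",
               "dh-group": "group5", "lifetime": 3600},
}

# Zywall: isakmp policy CED_Milano, crypto map CED_MILANO.
ZYWALL = {
    "phase1": {"transform-set": "3des-md5", "group": "group2",
               "mode": "aggressive", "lifetime": 3600},
    "phase2": {"transform-set": "esp-aes128-sha256", "group": "group5",
               "lifetime": 3600},
}

# Constructed spelling tables: each vendor's token -> a common name.
CIPHER = {"3des-cbc": "3des", "3des": "3des", "aes-128-cbc": "aes128", "aes128": "aes128"}
HASH = {"md5": "md5", "hmac-sha-256-128": "sha256", "sha256": "sha256"}

def normalize_junos(p):
    return {"cipher": CIPHER[p["encryption-algorithm"]],
            "hash": HASH[p["authentication-algorithm"]],
            "dh": p["dh-group"], "mode": p.get("mode"), "lifetime": p["lifetime"]}

def normalize_zywall(p):
    # Zywall packs cipher and hash into one token, optionally prefixed "esp-".
    cipher, hash_ = p["transform-set"].removeprefix("esp-").split("-")
    return {"cipher": CIPHER[cipher], "hash": HASH[hash_],
            "dh": p["group"], "mode": p.get("mode"), "lifetime": p["lifetime"]}

def proposal_mismatches(junos, zywall):
    """Return (phase, parameter, junos_value, zywall_value) for every difference."""
    diffs = []
    for phase in ("phase1", "phase2"):
        a, b = normalize_junos(junos[phase]), normalize_zywall(zywall[phase])
        diffs += [(phase, k, a[k], b[k]) for k in sorted(a) if a[k] != b[k]]
    return diffs

if __name__ == "__main__":
    # Both phases line up, so "No proposal chosen" here is not an algorithm
    # mismatch; the answer's st0 zone / family inet check is the next step.
    print(proposal_mismatches(JUNOS, ZYWALL))  # []
```

An empty result confirms that the kmd error is not explained by the proposals, which is what makes the st0 interface configuration the right place to look.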