cisco路由器端juniper srx之间基于路由的ipsec

网络工程 思科 网络安全 杜松-srx 隧道
2021-07-23 15:57:10

网络专家!请帮助理解为什么没有通过 ipsec vpn(这里是基于路由的)从源地址到目标地址的 ping。

我有这样的架构:

在此处输入图片说明

IPSec 的 Phase1 和 Phase2 已启动。

思科1811:

Router#show crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 1.1.1.2 port 500 
 IKEv1 SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active 
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
    Active SAs: 2, origin: crypto map

SRX210:

[edit]
root# run show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
507742  UP     e4ce17853e784b75  686afe9bad0c6831  Main           1.1.1.1  

[edit]
root# run show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:3des/sha1 f7797ad5 3409/  4608000 -  root 500   1.1.1.1         
  >131073 ESP:3des/sha1 f4f78f65 3409/  4608000 -  root 500   1.1.1.1

但是从 cisco loopback 10.10.10.1 到 srx fe-0/0/4 dest 20.20.20.1 没有连接。ping 失败。在我看来,所有路由和安全区域、策略都配置正确。

但 ping 失败。(从隧道 0 到 st0.1 的 Ping 也失败了)。

输出 cisco1811:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
memory-size iomem 20
!
!
dot11 syslog
ip source-route
!         
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811W-AG-A/K9 sn FHK0930507W
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key regata577 address 1.1.1.2
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
!
crypto ipsec profile VPN_P2
 set transform-set TS 
!
!
interface Loopback10
 ip address 10.10.10.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile VPN_P2
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1
 ip vrf forwarding vrf1
 ip address 5.5.5.1 255.255.255.0
 duplex auto
 speed auto

interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!

!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 20.20.20.0 255.255.255.0 Tunnel0

输出 srx210:

version 12.1X44-D35.5;
system {
    root-authentication {
        encrypted-password "$1$APbBS19g$N1umrpu1sUcdWCb7RUyLa1"; ## SECRET-DATA
    }
    services {
        ssh;
    }
    syslog {
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
}
interfaces {                                  
    fe-0/0/4 {
        unit 0 {
            family inet {
                address 20.20.20.1/24;
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family inet {
                address 1.1.1.2/24;
            }
        }
    }
    st0 {
        unit 1 {
            family inet {
                mtu 1400;
                address 172.16.0.2/30;
            }
        }
    }
}
routing-options {
    static {                            
        route 0.0.0.0/0 next-hop 1.1.1.1;
        route 10.10.10.0/24 next-hop st0.1;
    }
}
security {
    ike {
        policy ike_policy {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$.fF/u0IleWTzSevMN-.Pfz9AIEc"; ## SECRET-DATA
        }
        gateway ike_gate {
            ike-policy ike_policy;
            address 1.1.1.1;
            external-interface fe-0/0/5;
        }
    }
    ipsec {
        policy ipsec_policy {
            proposal-set standard;      
        }
        vpn My_VPN {
            bind-interface st0.1;
            ike {
                gateway ike_gate;
                ipsec-policy ipsec_policy;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    policies {
        from-zone Untrust to-zone Trust {
            policy 100 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy 101 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {              
                address MOSCOW 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/5.0;
                st0.1;
            }
        }
        security-zone Trust {
            address-book {
                address KRASNODAR 20.20.20.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }                       
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/4.0;
            }
        }
    }
}
2个回答

我做了一些改变。在 srx 后面添加了路由器。设置 bgp。现在效果很好。(路由、安全 ike、ipsec、策略)。在这里,我在 cisco 路由器上使用加密映射而不是 VTI。(VTI 也尝试过。效果很好。)

在此处输入图片说明

思科1811:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!         
!
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key regata577 address 172.16.0.2
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
!
crypto ipsec profile IPSECPROFILE
 set transform-set TS 
!
!
crypto map PI-IPSEC 1 ipsec-isakmp 
 description **TEST-IPSEC**
 set peer 172.16.0.2
 set security-association lifetime seconds 28800
 set transform-set TS 
 match address TEST-IPSEC
!
!
!
ip tcp synwait-time 5
!
policy-map FOO
 class class-default
  shape average 128000
!
!
!
!
!
interface Loopback5
 ip address 5.5.5.1 255.255.255.255
!
interface Loopback10
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback33
 description **for IPSEC-PI**
 ip address 33.33.33.33 255.255.255.255
 ip nat outside
 ip virtual-reassembly
 ip policy route-map REROUTE
 crypto map PI-IPSEC
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 172.16.0.2 remote-as 200
 !
 address-family ipv4
  redistribute connected
  neighbor 172.16.0.2 activate
  no auto-summary
  no synchronization
 exit-address-family
!
ip local policy route-map REROUTE
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip route 20.20.20.0 255.255.255.0 Loopback33
!
!
no ip http server
no ip http secure-server
!
ip access-list extended TEST-IPSEC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
!
!
!
route-map REROUTE permit 6
 description **for IPSEC-PI**
 match ip address REROUTE
 set default interface Loopback33
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

srx:

system {
    root-authentication {
        encrypted-password "$1$XTjfjhv5$vXlOzT/W4kK6nj4fHfxvY/"; ## SECRET-DATA
    }
    login {
        user vlazarev {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$KN2wmboA$co8aH/Q1nZfBQ1oO81HLv0"; ## SECRET-DATA
            }
        }
    }
    services {
        telnet;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.0.2/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.0.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 131.131.131.100/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.10.10.0/24 next-hop st0.0;
    }
    autonomous-system 200;
}
protocols {
    bgp {
        group eBGP {
            type external;
            neighbor 172.16.0.1 {
                export send-direct;
                peer-as 100;
            }
            neighbor 192.168.0.1 {
                export [ send-direct send-static ];
                peer-as 300;
            }
        }
    }
}
policy-options {
    policy-statement send-direct {
        term term1 {
            from protocol direct;
            then accept;
        }
    }
    policy-statement send-static {
        from protocol static;
        then accept;
    }
}
security {
    ike {
        policy ike_policy {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$wP2JD.mT9Cu4anCtpREwY2ajHTz3"; ## SECRET-DATA
        }
        gateway ike_gate {
            ike-policy ike_policy;
            address 33.33.33.33;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        policy ipsec_policy {
            proposal-set compatible;
        }
        vpn IPSEC_VPN {
            bind-interface st0.0;       
            ike {
                gateway ike_gate;
                proxy-identity {
                    local 20.20.20.0/24;
                    remote 10.10.10.0/24;
                    service any;
                }
                ipsec-policy ipsec_policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone Untrust to-zone Trust {
            policy 100 {
                match {
                    source-address MOSCOW;
                    destination-address KRASNODAR;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy 101 {
                match {
                    source-address KRASNODAR;
                    destination-address MOSCOW;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone ACCESS {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {                
                ge-0/0/2.0;
            }
        }
        security-zone Trust {
            address-book {
                address KRASNODAR 20.20.20.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone Untrust {
            address-book {
                address MOSCOW 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
    }
}

我相信 st0.0 必须是 Trusted lan 的一部分,而不是 Untrusted,因为您想将流量注入该隧道。你混淆了命名,因为创建了一个 st0.0 但使用了不存在的 st0.1。

不在这里:

 interfaces {
   ge-0/0/0.0;
        st0.0;

但在这儿 :

 interfaces {
   ge-0/0/1.0;
            }

您不能将数据发送到 st0.1,因为它不存在

routing-options {
    static {                            
        route 0.0.0.0/0 next-hop 1.1.1.1;
        route 10.10.10.0/24 next-hop st0.1;
其它你可能感兴趣的问题
上一篇欺骗 127.0.0.0/8 可能吗? 下一篇将路由指向不直接连接的下一跳