我们在合作伙伴的 Cisco ASA(版本未知)和我的 Juniper(瞻博网络)SRX 340 之间建立了一个 VPN。
隧道看起来已正常建立(状态为 UP):
root@fw01> show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
871021 UP 122b1bc303e78c95 59463a0410c30855 Main 10.20.30.40
{primary:node0}
root@fw01> show security ipsec security-associations
node0:
--------------------------------------------------------------------------
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<67108877 ESP:3des/md5 31c1eaf2 3402/ 4608000 - root 500 10.20.30.40
>67108877 ESP:3des/md5 9acb5daf 3402/ 4608000 - root 500 10.20.30.40
<67108878 ESP:3des/md5 5e4c4071 3462/ 4608000 - root 500 10.20.30.40
>67108878 ESP:3des/md5 2efdc6d8 3462/ 4608000 - root 500 10.20.30.40
{primary:node0}
但是流量无法通过隧道(对方一侧有 2 个 /24 子网,我这边有 1 个 /24 子网)。我尝试了很多方法,但都没有效果。
我的配置如下:
ike {
proposal LO-MI_prop {
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy LO-MI_Ike {
mode main;
proposals LO-MI_prop;
pre-shared-key ascii-text "$9$sN4GDQznu0IHqnCu0cSaZGU.P369BRhM8Nb"; ## SECRET-DATA
}
gateway LO-MI_gw {
ike-policy LO-MI_Ike;
address 10.20.30.40;
external-interface reth0.0;
}
}
ipsec {
proposal LO-MI-IPsec_prop {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy LO-MI-IPsec_policy {
proposals LO-MI-IPsec_prop;
}
vpn LO-MI_VPN {
bind-interface st0.4;
ike {
gateway LO-MI_gw;
ipsec-policy LO-MI-IPsec_policy;
}
traffic-selector term1 {
local-ip 192.168.0.0/24;
remote-ip 192.168.10.0/24;
}
traffic-selector term2 {
local-ip 192.168.0.0/24;
remote-ip 192.168.11.0/24;
}
establish-tunnels immediately;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 40.30.20.1;
route 192.168.10.0/24 next-hop st0.4;
route 192.168.11.0/24 next-hop st0.4;
}
auto-export {
disable;
}
}
policies {
from-zone Untrust to-zone Trust {
policy VPN-PARTNER_IN {
match {
source-address VPN-PARTNER;
destination-address addr_192_168_0_0_24;
application any;
}
then {
permit;
}
}
}
from-zone Trust to-zone Untrust {
policy VPN-PARTNER_OUT {
match {
source-address addr_192_168_0_0_24;
destination-address VPN-PARTNER;
application any;
}
then {
permit;
}
}
}
}
security-zone Untrust {
interfaces {
reth0.0;
st0.4;
}
}
谁能给我一些建议?
在此先感谢大家
更新:
这是 ASA 的配置
crypto map out_map1 1 match address VPN_PARTNER_VB
crypto map out_map1 1 set peer 40.30.20.11
crypto map out_map1 1 set ikev1 transform-set ESP-3DES-MD5
crypto map out_map1 interface out
tunnel-group 40.30.20.11 type ipsec-l2l
tunnel-group 40.30.20.11 ipsec-attributes
ikev1 pre-shared-key *****
...
...
...
access-list VPN_VERTICALBOOKING extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN_VERTICALBOOKING extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
...
...
...
access-list mgmt_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list out_access_in extended permit ip 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 <--- this is my network
...
...
...
object-group network DM_INLINE_NETWORK_4
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0