I am configuring a Juniper SRX 300 series to build an IPsec tunnel to Azure.
The Azure VNet range is 192.168.10.0/23.
The local range is 10.49.236.0/24.
Configuration (sensitive values replaced with $PART):
security {
    ike {
        proposal ike-proposal-azure {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-azure {
            mode main;
            proposals ike-proposal-azure;
            pre-shared-key ascii-text "$PSK";
        }
        gateway ike-gate-azure {
            ike-policy ike-policy-azure;
            address $AZUREGWPUBLICIP;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsec-proposal-azure {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 27000;
        }
        policy ipsec-policy-azure {
            proposals ipsec-proposal-azure;
        }
        vpn ipsec-vpn-azure {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-azure;
                ipsec-policy ipsec-policy-azure;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
There are also security rules/policies allowing traffic to and from the VPN, and a route for 192.168.10.0/23 pointing at st0.0. The problem:
PS C:\windows\system32> ping -l 1500 192.168.10.20
Pinging 192.168.10.20 with 1500 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.20:
Packets: Sent = 4 Received = 0, Lost = 4 (100% loss),
Control-C
PS C:\windows\system32> ping -l 1400 192.168.10.20
Pinging 192.168.10.20 with 1400 bytes of data:
Reply from 192.168.10.20: bytes=1400 time=8ms TTL=127
Reply from 192.168.10.20: bytes=1400 time=7ms TTL=127
Ping statistics for 192.168.10.20:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 8ms, Average = 7ms
SMB traffic to the Azure host is affected as well. Running Wireshark on the Azure host, I see a lot of fragments and "fragment reassembly time exceeded" messages. https://i.imgur.com/3c2c6uE.png
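Added example, not part of the original post: a small Python calculator for the ESP tunnel-mode overhead of the proposal above (3des-cbc with hmac-sha1-96), showing why a 1400-byte ping fits a 1500-byte outer MTU while the first IPv4 fragment of a 1500-byte ping does not. The ESP field sizes are the standard RFC 4303 values; the 1500-byte outer MTU, the Windows sender fragmentation model and the NAT-T option are assumptions for illustration.

```python
"""Estimate ESP tunnel-mode overhead for the SRX-to-Azure tunnel and check whether
an inner IPv4 packet fits the outer MTU without fragmentation. Sizes follow RFC 4303;
cipher and integrity names use the Junos proposal keywords from the post."""

OUTER_IPV4 = 20      # outer IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
UDP_NAT_T = 8        # extra UDP/4500 header when NAT-T encapsulation is active (assumed optional)

# Junos keyword -> (IV length, cipher block size) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-128-cbc": (16, 16), "aes-256-cbc": (16, 16)}
# Junos keyword -> ICV length in bytes
ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha-256-128": 16}


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """Outer packet size after ESP tunnel-mode encapsulation of an inner_len-byte packet."""
    iv_len, block = CIPHERS[cipher]
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padding = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IPV4 + ESP_HEADER + iv_len + inner_len + padding + ESP_TRAILER + ICV[auth]
    return size + (UDP_NAT_T if nat_t else 0)


def max_inner_mtu(outer_mtu, cipher, auth, nat_t=False):
    """Largest inner packet that encapsulates without fragmenting the outer packet."""
    return max(n for n in range(outer_mtu) if esp_packet_size(n, cipher, auth, nat_t) <= outer_mtu)


def windows_ping_fragments(payload_len, local_mtu=1500):
    """IPv4 fragment sizes a sender emits for `ping -l payload_len` (20 IP + 8 ICMP + data).
    Every fragment except the last carries a multiple of 8 data bytes (assumed sender model)."""
    data = 8 + payload_len
    chunk = (local_mtu - 20) // 8 * 8
    frags = []
    while data > 0:
        take = min(chunk, data)
        frags.append(20 + take)
        data -= take
    return frags


def check_ping(payload_len, cipher, auth, outer_mtu=1500, nat_t=False):
    """Return (inner fragment sizes, outer ESP sizes, True if every fragment fits outer_mtu)."""
    inner = windows_ping_fragments(payload_len, outer_mtu)
    outer = [esp_packet_size(n, cipher, auth, nat_t) for n in inner]
    return inner, outer, all(o <= outer_mtu for o in outer)


if __name__ == "__main__":
    for size in (1400, 1500):
        inner, outer, ok = check_ping(size, "3des-cbc", "hmac-sha1-96")
        print(f"ping -l {size}: inner {inner} -> outer {outer} -> {'fits' if ok else 'exceeds MTU'}")
    print("max inner MTU (3des-cbc/hmac-sha1-96):", max_inner_mtu(1500, "3des-cbc", "hmac-sha1-96"))
```

The tcp-mss 1350 clamp keeps full TCP segments at 1390 inner bytes, well under the limit, but it does nothing for ICMP or for already-fragmented IP packets, which is what the trace shows.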