Zasymulowałem w GNS-ie router Junipera z JunOS-em 8.5R1.14 i teraz próbuję postawić tunel IPsec site-to-site pomiędzy Juniperem a Cisco R2. Topologia wygląda tak:
Juniper=====Cisco1 R1=====Cisco R2
Próbowałem debugować i wygląda na to, że router Cisco podejmuje próby porozumienia się z Juniperem, jednak Junek w ogóle nie odpowiada. Gdy próbuję nawiązać SA od strony Junipera, to na Cisco pojawia się komunikat, że otrzymany pakiet nie jest pakietem IPsec -> wnioskuję, że coś jest nie tak z konfiguracją na Juniperze.
Czy mógłby ktoś spojrzeć fachowym okiem i zasugerować jakieś zmiany?
Dzięki
Oto moje konfiguracje:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! With this set, the ISAKMP pre-shared key below is kept in clear text in the
! running config (type 7 would only obfuscate it, not protect it).
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ip domain lookup
!
! IKE phase 1 (ISAKMP) policy for the tunnel to the Juniper. No `encryption`
! or `hash` statement is configured, so the IOS 12.4 defaults apply: DES and
! SHA-1. That is what makes this policy line up with the Juniper proposal
! ike-pro (des-cbc / sha1 / group2 / pre-shared-keys / 3600 s) -- but DES is
! a 56-bit cipher; configure the same stronger algorithm explicitly on both
! ends (3DES is already used for phase 2).
crypto isakmp policy 100
authentication pre-share
group 2
lifetime 3600
! Pre-shared key for peer 192.168.0.1 (the Juniper's local-gateway). It must
! be byte-identical to the pre-shared-key under ike-policy ike-pol on the
! Juniper; a mismatch shows up as a phase 1 failure, not as a silent peer.
crypto isakmp key maciek address 192.168.0.1
!
! IKE phase 2 transform: ESP with 3DES and HMAC-SHA-1, corresponding to the
! Juniper proposal ipsec-pro (esp / 3des-cbc / hmac-sha1-96). No IPsec SA
! lifetime is set here, so the IOS default of 3600 s applies -- equal to the
! Juniper's lifetime-seconds 3600.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Crypto map: peer = Juniper local-gateway, interesting traffic = ACL 100.
crypto map mymap 100 ipsec-isakmp
set peer 192.168.0.1
set transform-set myset
match address 100
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
! Link towards R1 / the Juniper. The crypto map is bound here, so IKE
! (UDP 500) and ESP from 192.168.0.1 must arrive on this interface.
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
duplex half
crypto map mymap
!
! Inside LAN; the protected host 10.10.0.2 is reached through here.
interface Ethernet1/1
ip address 10.10.0.1 255.255.255.0
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip forward-protocol nd
! NOTE(review): interface-only static route on a broadcast medium -- R2 has
! to ARP for 192.168.0.1 itself and relies on R1 answering with proxy ARP.
! If R1 does not proxy-ARP, IKE packets never leave R2; `show ip arp` should
! show a resolved entry for 192.168.0.1. The Juniper side uses an explicit
! next hop (192.168.0.2), which is the more robust form.
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
!
no ip http server
no ip http secure-server
!
! Crypto ACL (interesting traffic). It is the exact mirror of the Juniper
! rule term (source 10.0.0.2/32 -> destination 10.10.0.2/32), so a phase 2
! proxy-ID mismatch is unlikely. IOS drops a clear-text packet from the
! peer that matches this ACL and logs that it is not an IPsec packet -- the
! reported symptom is consistent with the Juniper forwarding the traffic
! unencrypted rather than with an ACL problem here.
access-list 100 permit ip host 10.10.0.2 host 10.0.0.2
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
! NOTE(review): no `login`, `password` or `transport input` is shown here;
! confirm remote access really is refused (a vty with `no login` accepts a
! telnet session without any authentication).
line vty 0 4
!
end
root> show configuration
## Last commit: 2011-08-25 18:58:31 UTC by root
version 8.5R1.14;
system {
root-authentication {
encrypted-password "$1$.0puo64b$HtHtE1PTBM2w5L8wKCfdE."; ## SECRET-DATA
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
interfaces {
/* Services PIC used by service set ss1: unit 1 is the inside (clear-text)
   side, unit 2 the outside (encrypted) side -- see next-hop-service below.
   NOTE(review): an emulated (Olive-style) JunOS normally has no working
   services PIC. If `show interfaces sp-0/3/0 terse` does not list the
   interface as up, the service set never encrypts anything and never
   answers IKE, which would explain both symptoms described in the post. */
sp-0/3/0 {
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
/* Outside interface; 192.168.0.1 is also the IPsec local-gateway and the
   address the Cisco peers with. */
em0 {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
/* Inside LAN; 10.0.0.2 (the protected host) is reached through here. */
em1 {
unit 0 {
family inet {
/* Lowered MTU on the inside LAN -- presumably to absorb ESP/outer-IP
   overhead on the path; confirm this is intended. */
mtu 1300;
address 10.0.0.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.0.2;
/* Steers traffic for the remote host into the inside unit of ss1. With a
   next-hop-style service set this route is what makes the ipsec-vpn rule
   see the packets at all; decrypted return traffic for 10.0.0.2 is
   expected to emerge from the same unit and follow the em1 connected
   route. */
route 10.10.0.2/32 next-hop sp-0/3/0.1;
}
}
services {
/* Next-hop-style service set: inside = sp-0/3/0.1, outside = sp-0/3/0.2.
   IKE and ESP terminate on local-gateway 192.168.0.1, which must equal the
   Cisco `set peer` / `crypto isakmp key ... address` value -- it does. */
service-set ss1 {
next-hop-service {
inside-service-interface sp-0/3/0.1;
outside-service-interface sp-0/3/0.2;
}
ipsec-vpn-options {
local-gateway 192.168.0.1;
}
ipsec-vpn-rule-sets ruleset1;
}
ipsec-vpn {
/* Interesting traffic: 10.0.0.2 -> 10.10.0.2, the mirror of Cisco ACL 100. */
rule dyn {
term 1 {
from {
source-address {
10.0.0.2/32;
}
destination-address {
10.10.0.2/32;
}
}
then {
/* Cisco Ethernet1/0, the interface its crypto map is bound to. */
remote-gateway 192.168.1.1;
dynamic {
ike-policy ike-pol;
ipsec-policy ipsec-pol;
}
clear-dont-fragment-bit;
}
}
/* For a next-hop-style service set, `input` applies to packets entering the
   service set from the inside unit (sp-0/3/0.1), i.e. the traffic the
   static route above sends there. NOTE(review): if the term does not match
   in the applied direction, the service set forwards the packet in clear
   text out of the outside unit; IOS then logs that a packet matching its
   crypto ACL is not an IPsec packet -- the reported symptom. Check
   `show services ipsec-vpn ike security-associations` and
   `show services ipsec-vpn ipsec security-associations` for an SA before
   generating traffic. */
match-direction input;
}
rule-set ruleset1 {
rule dyn;
}
ipsec {
/* Phase 2 proposal; matches Cisco transform-set myset (esp-3des esp-sha-hmac)
   and the IOS default IPsec SA lifetime of 3600 s. */
proposal ipsec-pro {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy ipsec-pol {
proposals ipsec-pro;
}
}
ike {
/* Phase 1 proposal. It lines up with the Cisco ISAKMP policy only because
   IOS defaults to DES/SHA-1 when no `encryption`/`hash` is configured.
   des-cbc is a 56-bit cipher; use at least 3des-cbc on both ends. */
proposal ike-pro {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm des-cbc;
lifetime-seconds 3600;
}
policy ike-pol {
mode main;
proposals ike-pro;
/* $9$ is reversible obfuscation, not encryption -- anyone who can read the
   config can recover the key. It must equal the key in `crypto isakmp key`
   on the Cisco. */
pre-shared-key ascii-text "$9$9MgzA0IEhrvMXtuRSeMN-"; ## SECRET-DATA
}
}
/* Negotiate the SA at commit time rather than on the first matching packet,
   so an IKE SA should be present even without any traffic. */
establish-tunnels immediately;
}
}