I'm bringing up a site-to-site VPN between an SRX and a Check Point. I only have access to the SRX; everything on the CP side is already configured. From the SRX side I can see that the tunnel has come up, but when I display the IPsec statistics in the logs there is no traffic at all:
Code:
> show security ipsec statistics index xx
node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Code:
> show security ipsec security-associations
node0:
--------------------------------------------------------------------------
Total active tunnels: 3
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<x ESP:aes-256/sha1 4190e353 73055/unlim - root 500 5.5.5.5
>x ESP:aes-256/sha1 1c31cddb 73055/unlim - root 500 5.5.5.5
Because of that, I put something like this in the NAT config:
Code:
nat {
    source {
        pool bubu {
            address {
                <IP I should egress with>/32;
            }
        }
        address-persistent;
        rule-set trust-to-untrust {
            from zone lala;
            to zone untrust;
            rule nat_bubu {
                match {
                    source-address <IP I should egress with>/16;
                    destination-address <IP in the neighbour's LAN>;
                }
                then {
                    source-nat {
                        pool {
                            bubu;
                        }
                    }
                }
            }
        }
    }
}
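Added example, not from the post and not Juniper's or Check Point's own code: a small Python parser for the two Junos CLI outputs quoted above. It turns the `show security ipsec statistics` counters into numbers per cluster node and classifies the symptom described (SAs installed but zero ESP counters, i.e. nothing is being selected into the tunnel), and it checks the `show security ipsec security-associations` table for gateways that have only one of the two SA directions. The sample captures are constructed for this example; the IDs 131073/131074, the SPI 0a1b2c3d and the gateway 6.6.6.6 are made-up values.

```python
import re

# Constructed sample shaped like the 'show security ipsec statistics' output in
# the post: node0 carries nothing at all, node1 (constructed) encrypts but never
# decrypts, so the two nodes illustrate two different verdicts.
SAMPLE_STATS = """node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 1200
Decrypted bytes: 0
Encrypted packets: 10
Decrypted packets: 0
Errors:
ESP authentication failures: 0, ESP decryption failures: 0
"""

# Constructed sample shaped like 'show security ipsec security-associations';
# the third SA (id 131074, gateway 6.6.6.6) deliberately lacks its outbound pair.
SAMPLE_SA = """node0:
--------------------------------------------------------------------------
Total active tunnels: 3
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-256/sha1 4190e353 73055/unlim - root 500 5.5.5.5
>131073 ESP:aes-256/sha1 1c31cddb 73055/unlim - root 500 5.5.5.5
<131074 ESP:aes-256/sha1 0a1b2c3d 1800/unlim - root 500 6.6.6.6
"""

NODE_RE = re.compile(r'^(node\d+):\s*$')
COUNTER_RE = re.compile(r'([A-Za-z ]+?):\s*(\d+)')   # "Encrypted bytes: 0", also "x: 0, y: 0"
SA_RE = re.compile(r'^([<>])(\S+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$')


def parse_ipsec_statistics(text):
    """Return {node: {counter name: int}} for every 'nodeN:' block in the output."""
    stats, node = {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            stats[node] = {}
            continue
        if node is None:          # skip anything before the first node header
            continue
        for key, val in COUNTER_RE.findall(line):
            stats[node][key.strip()] = int(val)
    return stats


def diagnose(stats):
    """Per node: a verdict plus the sum of all error counters.

    'no-traffic': SA is up but no packet was ever encrypted or decrypted, which
                  points at traffic never reaching the tunnel (policy, route or
                  traffic-selector / proxy-ID mismatch) rather than at crypto.
    'tx-only'   : we encrypt but nothing comes back (peer drops or does not send).
    'rx-only'   : the reverse; 'ok': both directions carry packets.
    """
    report = {}
    for node, c in stats.items():
        enc, dec = c.get('Encrypted packets', 0), c.get('Decrypted packets', 0)
        errors = sum(v for k, v in c.items()
                     if 'failures' in k or 'errors' in k.lower() or k.startswith('Bad'))
        if enc == 0 and dec == 0:
            verdict = 'no-traffic'
        elif dec == 0:
            verdict = 'tx-only'
        elif enc == 0:
            verdict = 'rx-only'
        else:
            verdict = 'ok'
        report[node] = {'verdict': verdict, 'errors': errors}
    return report


def parse_security_associations(text):
    """Parse the SA table rows; '<' is the inbound SA, '>' the outbound one."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            direction, sa_id, algo, spi, life, _mon, _vsys, port, gw = m.groups()
            sas.append({'direction': 'in' if direction == '<' else 'out', 'id': sa_id,
                        'algorithm': algo, 'spi': spi, 'lifetime': life,
                        'port': int(port), 'gateway': gw})
    return sas


def missing_sa_directions(sas):
    """Map 'gateway id N' -> list of missing directions; a healthy tunnel has both."""
    seen = {}
    for sa in sas:
        seen.setdefault((sa['gateway'], sa['id']), set()).add(sa['direction'])
    return {f"{gw} id {sid}": sorted({'in', 'out'} - d)
            for (gw, sid), d in seen.items() if d != {'in', 'out'}}


if __name__ == '__main__':
    for node, r in diagnose(parse_ipsec_statistics(SAMPLE_STATS)).items():
        print(f"{node}: {r['verdict']} (error counters total {r['errors']})")
    print("incomplete SA pairs:", missing_sa_directions(parse_security_associations(SAMPLE_SA)))
```

Feed the real CLI output to the two parse functions (for example by piping the console capture into the script) instead of the constructed samples. A `no-traffic` verdict with zero error counters, as in the post, means the SA itself is fine and the question is why the interesting traffic is not being matched into the tunnel; a non-zero `ESP authentication failures` or `ESP decryption failures` count would instead point at a proposal or key mismatch with the peer.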