GRE over IPSEC - srx - srx

JunOS / Juniper / Netscreen

GRE over IPSEC - srx - srx

#1 Post autor: Bolo »

Witam serdecznie,
Mam oto taką sytuację. Skonfigurowałem GREoIPSEC ale jeśli robię ping:

ping 10.107.2.1 source 10.130.2.1
to niestety nie działa :(
Proszę o pomoc. Poniżej config obu firewalli:

SRX01

root@OFFICE-01# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3068029 UP     2fa3a7f2ebe595b0  036d877c03c883b3  Main           2.2.2.1

root@OFFICE-01# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha1 87a3c305 5206/ unlim - root 500 2.2.2.1
  >131073 ESP:aes-cbc-256/sha1 e6b408d8 5206/ unlim - root 500 2.2.2.1

root@OFFICE-01# show
## Last changed: 2018-02-20 15:06:29 UTC
version 12.1X46-D65.4;
## NOTE(review): the system block is cut off in this paste (stray closing brace below) — not a device error.
system {
    host-name OFFICE-01;

    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    ## GRE endpoints 172.18.100.1/.2 are not addresses of any interface in this listing;
    ## the /32 route via st0.0 under routing-options is what carries the GRE packets over IPsec.
    ## NOTE(review): confirm where 172.18.100.1 is configured locally.
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.18.100.1;
                destination 172.18.100.2;
            }
            family inet {
                mtu 1350;
                address 192.168.100.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.130.1.1/24;
            }
        }
    }
    
    ## 10.130.2.1 is the source of the failing ping in the thread; lo0.0 sits in zone untrust (see zones below).
    lo0 {
        unit 0 {
            family inet {
                address 10.130.0.1/24;
                address 10.130.2.1/24;
            }
        }
    }
    ## Route-based VPN interface; unnumbered (no address), routes point at it directly.
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 2.2.2.0/24 next-hop 1.1.1.2;
        route 172.18.100.2/32 next-hop st0.0;
        route 10.107.0.0/16 next-hop gr-0/0/0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        ## 'flag all' writes every IKE exchange to vpn.log — a troubleshooting setting, remove once the tunnel is stable.
        traceoptions {
            file vpn.log;
            flag all;
        }
        proposal IKE-PROP-01 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-iq-to-test-ospf {
            mode main;
            description IPSEC_to_TEST-OSPF;
            proposals IKE-PROP-01;
            ## $9$ is Junos reversible obfuscation, not a hash: a key shared in this form is disclosed and should be rotated.
            pre-shared-key ascii-text "$9$j-qTFn6AuBE/C7VwsJZAp0B1hSyleKWzF"; ## SECRET-DATA
        }
        gateway gw_to_TEST-OSPF {
            ike-policy ike-iq-to-test-ospf;
            address 2.2.2.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP-01 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 7200;
        }
        policy ipsec_to_TEST-OSPF {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IPSEC-PROP-01;
        }
        vpn to_TEST-OSPF {
            bind-interface st0.0;
            ike {
                gateway gw_to_TEST-OSPF;
                ipsec-policy ipsec_to_TEST-OSPF;
            }
            establish-tunnels immediately;
        }
    }
   
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## any/any permit from untrust (the 1.1.1.1/24 side on ge-0/0/0.0) into trust: nothing inbound is filtered.
        from-zone untrust to-zone trust {
            policy pol01 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## Intra-zone policy needed for GRE and ping between gr-0/0/0.0, st0.0 and ge-0/0/1.0, all in zone trust.
        from-zone trust to-zone trust {
            policy GRE-PERMIT {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-gre junos-ping ];
                }
                then {
                    permit;
                }
            }
        }
        ## permit-all default: flows matching no policy above are still allowed, so the policies enforce nothing.
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                gr-0/0/0.0;
                st0.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                        }
                    }
                }
                ## No host-inbound-traffic here and none at zone level for untrust: ping to the lo0 addresses is dropped (the cause named in reply #2).
                lo0.0;
            }
        }
    }
}
Oraz SRX02

root@OFFICE-02# show
## Last changed: 2018-02-20 22:34:54 UTC
version 12.1X46-D65.4;
## NOTE(review): the system block is cut off in this paste (closing brace missing) — not a device error.
system {
    host-name OFFICE-02;
    
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
    ## GRE endpoints 172.18.100.2/.1 are not addresses of any interface in this listing;
    ## the /32 route via st0.0 under routing-options carries the GRE packets over IPsec.
    ## NOTE(review): confirm where 172.18.100.2 is configured locally.
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.18.100.2;
                destination 172.18.100.1;
            }
            family inet {
                mtu 1350;
                address 192.168.100.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.107.1.1/24;
            }
        }
    }
    
    ## 10.107.2.1 is the target of the failing ping in the thread; lo0.0 sits in zone untrust (see zones below).
    lo0 {
        unit 0 {
            family inet {
                address 10.107.0.1/24;
                address 10.107.2.1/24;
            }
        }
    }
    ## Route-based VPN interface; unnumbered (no address), routes point at it directly.
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 1.1.1.0/24 next-hop 2.2.2.2;
        route 172.18.100.1/32 next-hop st0.0;
        route 10.130.0.0/16 next-hop gr-0/0/0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        ## 'flag all' writes every IKE exchange to vpn.log — a troubleshooting setting, remove once the tunnel is stable.
        traceoptions {
            file vpn.log;
            flag all;
        }
        proposal IKE-PROP-01 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-iq-to-test-ospf {
            mode main;
            description IPSEC_to_TEST-OSPF;
            proposals IKE-PROP-01;
            ## $9$ is Junos reversible obfuscation, not a hash: a key shared in this form is disclosed and should be rotated.
            pre-shared-key ascii-text "$9$j-qTFn6AuBE/C7VwsJZAp0B1hSyleKWzF"; ## SECRET-DATA
        }
        gateway gw_to_TEST-OSPF {
            ike-policy ike-iq-to-test-ospf;
            address 1.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP-01 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 7200;
        }
        policy ipsec_to_TEST-OSPF {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IPSEC-PROP-01;
        }
        vpn to_TEST-OSPF {
            bind-interface st0.0;
            ike {
                gateway gw_to_TEST-OSPF;
                ipsec-policy ipsec_to_TEST-OSPF;
            }
            establish-tunnels immediately;
        }
    }
   
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## any/any permit from untrust (the 2.2.2.1/24 side on ge-0/0/0.0) into trust: nothing inbound is filtered.
        from-zone untrust to-zone trust {
            policy pol01 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## Intra-zone policy needed for GRE and ping between gr-0/0/0.0, st0.0 and ge-0/0/1.0, all in zone trust.
        from-zone trust to-zone trust {
            policy GRE-PERMIT {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-gre junos-ping ];
                }
                then {
                    permit;
                }
            }
        }
        ## permit-all default: flows matching no policy above are still allowed, so the policies enforce nothing.
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                gr-0/0/0.0;
                st0.0;
            }
        }
        security-zone untrust {
            ## Screen definition 'untrust-screen' is not part of this listing.
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                        }
                    }
                }
                ## No host-inbound-traffic here and none at zone level for untrust: ping to the lo0 addresses is dropped (the cause named in reply #2).
                lo0.0;
            }
        }
    }
}


Re: GRE over IPSEC - srx - srx

#2 Post autor: bartekiq »

Na lo0.0 nie masz host-inbound-traffic system-services ping :) lo0.0 jest w strefie untrust, a tam usługi host-inbound są włączone tylko na ge-0/0/0.0, więc ping do adresów z lo0 (10.130.2.1 / 10.107.2.1) jest odrzucany przez sam SRX.

Re: GRE over IPSEC - srx - srx

#3 Post autor: Bolo »

i działa :)
ehh ;)
