Mam taką sytuację: skonfigurowałem GRE over IPsec (GREoIPsec), ale kiedy wykonuję ping:
ping 10.107.2.1 source 10.130.2.1
Proszę o pomoc. Poniżej konfiguracja obu firewalli:
SRX01
root@OFFICE-01# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3068029 UP 2fa3a7f2ebe595b0 036d877c03c883b3 Main 2.2.2.1
root@OFFICE-01# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha1 87a3c305 5206/ unlim - root 500 2.2.2.1
>131073 ESP:aes-cbc-256/sha1 e6b408d8 5206/ unlim - root 500 2.2.2.1
root@OFFICE-01# show
## Last changed: 2018-02-20 15:06:29 UTC
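/* OFFICE-01 (SRX01): GRE over a route-based IPsec tunnel to OFFICE-02. The pasted listing had a stray "}" after the system stanza, which would make it unloadable; it is removed here. */
version 12.1X46-D65.4;
system {
host-name OFFICE-01;
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
/* GRE endpoints: 172.18.100.1 (local) and 172.18.100.2 (peer). 172.18.100.1 is not assigned to any interface in this listing (lo0.0 only carries 10.130.0.1 and 10.130.2.1), so the peer's GRE packets addressed to it presumably have no local owner on this box; as far as I recall Junos expects the tunnel source to be a locally owned address. TODO(review): confirm with "show route 172.18.100.1" and, if it is not local, add 172.18.100.1/32 to lo0.0 here (and 172.18.100.2/32 on OFFICE-02). */
gr-0/0/0 {
unit 0 {
tunnel {
source 172.18.100.1;
destination 172.18.100.2;
}
family inet {
/* 1350 presumably leaves headroom for GRE + ESP overhead on a 1500-byte path. */
mtu 1350;
address 192.168.100.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.130.1.1/24;
}
}
}
/* lo0.0 holds the ping source 10.130.2.1 but is listed under security-zone untrust below, while the rest of 10.130.x sits on the trust side; confirm that zone placement is intended. */
lo0 {
unit 0 {
family inet {
address 10.130.0.1/24;
address 10.130.2.1/24;
}
}
}
/* st0.0 carries no address; the static /32 route below steers the GRE endpoint into the IPsec tunnel. */
st0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 2.2.2.0/24 next-hop 1.1.1.2;
/* GRE outer packets to the peer endpoint go into st0.0 (GRE-in-IPsec). */
route 172.18.100.2/32 next-hop st0.0;
/* Peer side (lo0 and LAN of OFFICE-02) is reached through the GRE tunnel. */
route 10.107.0.0/16 next-hop gr-0/0/0.0;
}
}
protocols {
stp;
}
security {
ike {
/* "flag all" is very verbose and vpn.log has no size/files limit set here; remove once debugging is finished. */
traceoptions {
file vpn.log;
flag all;
}
/* group2 (1024-bit MODP) and sha1 are below current guidance; prefer group14 and sha-256 if both peers support them (same applies to the IPsec proposal and the PFS group). */
proposal IKE-PROP-01 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy ike-iq-to-test-ospf {
mode main;
description IPSEC_to_TEST-OSPF;
proposals IKE-PROP-01;
/* "$9$" is Junos reversible obfuscation, not a hash: the value posted in this listing is effectively disclosed and should be replaced on both peers. */
pre-shared-key ascii-text "$9$j-qTFn6AuBE/C7VwsJZAp0B1hSyleKWzF"; ## SECRET-DATA
}
gateway gw_to_TEST-OSPF {
ike-policy ike-iq-to-test-ospf;
address 2.2.2.1;
external-interface ge-0/0/0.0;
}
}
ipsec {
proposal IPSEC-PROP-01 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 7200;
}
policy ipsec_to_TEST-OSPF {
perfect-forward-secrecy {
keys group2;
}
proposals IPSEC-PROP-01;
}
/* Route-based VPN: SA is bound to st0.0 and brought up without waiting for traffic. */
vpn to_TEST-OSPF {
bind-interface st0.0;
ike {
gateway gw_to_TEST-OSPF;
ipsec-policy ipsec_to_TEST-OSPF;
}
establish-tunnels immediately;
}
}
/* any/any permits in both directions plus default-policy permit-all make the zone policies effectively a no-op; fine for a lab, narrow them before production use. */
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy pol01 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Intra-zone rule for GRE and ICMP between gr-0/0/0.0, st0.0 and ge-0/0/1.0, which are all in trust. */
from-zone trust to-zone trust {
policy GRE-PERMIT {
match {
source-address any;
destination-address any;
application [ junos-gre junos-ping ];
}
then {
permit;
}
}
}
default-policy {
permit-all;
}
}
zones {
security-zone trust {
/* Wide open host-inbound on trust; presumably needed so GRE (IP protocol 47) and ESP-decapsulated traffic can terminate on gr-0/0/0.0 / st0.0. TODO(review): check whether only the required protocols can be listed instead of "all". */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
gr-0/0/0.0;
st0.0;
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
}
}
/* lo0.0 (10.130.0.1, 10.130.2.1) in untrust; see note on lo0 above. */
lo0.0;
}
}
}
}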
root@OFFICE-02# show
## Last changed: 2018-02-20 22:34:54 UTC
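/* OFFICE-02 (SRX02): peer side of the GRE-over-IPsec tunnel to OFFICE-01. The pasted listing was missing the "}" that closes the system stanza (interfaces appeared nested under system); it is restored here. */
version 12.1X46-D65.4;
system {
host-name OFFICE-02;
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 2.2.2.1/24;
}
}
}
/* GRE endpoints: 172.18.100.2 (local) and 172.18.100.1 (peer). 172.18.100.2 is not assigned to any interface in this listing (lo0.0 only carries 10.107.0.1 and 10.107.2.1), so GRE packets from OFFICE-01 addressed to it presumably have no local owner on this box; as far as I recall Junos expects the tunnel source to be a locally owned address. TODO(review): confirm with "show route 172.18.100.2" and, if it is not local, add 172.18.100.2/32 to lo0.0 here (and 172.18.100.1/32 on OFFICE-01). */
gr-0/0/0 {
unit 0 {
tunnel {
source 172.18.100.2;
destination 172.18.100.1;
}
family inet {
/* 1350 presumably leaves headroom for GRE + ESP overhead on a 1500-byte path. */
mtu 1350;
address 192.168.100.2/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.107.1.1/24;
}
}
}
/* lo0.0 holds the ping target 10.107.2.1 but is listed under security-zone untrust below, while the rest of 10.107.x sits on the trust side; confirm that zone placement is intended. */
lo0 {
unit 0 {
family inet {
address 10.107.0.1/24;
address 10.107.2.1/24;
}
}
}
/* st0.0 carries no address; the static /32 route below steers the GRE endpoint into the IPsec tunnel. */
st0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 1.1.1.0/24 next-hop 2.2.2.2;
/* GRE outer packets to the peer endpoint go into st0.0 (GRE-in-IPsec). */
route 172.18.100.1/32 next-hop st0.0;
/* Peer side (lo0 and LAN of OFFICE-01) is reached through the GRE tunnel. */
route 10.130.0.0/16 next-hop gr-0/0/0.0;
}
}
protocols {
stp;
}
security {
ike {
/* "flag all" is very verbose and vpn.log has no size/files limit set here; remove once debugging is finished. */
traceoptions {
file vpn.log;
flag all;
}
/* group2 (1024-bit MODP) and sha1 are below current guidance; prefer group14 and sha-256 if both peers support them (same applies to the IPsec proposal and the PFS group). */
proposal IKE-PROP-01 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy ike-iq-to-test-ospf {
mode main;
description IPSEC_to_TEST-OSPF;
proposals IKE-PROP-01;
/* "$9$" is Junos reversible obfuscation, not a hash: the value posted in this listing is effectively disclosed and should be replaced on both peers. */
pre-shared-key ascii-text "$9$j-qTFn6AuBE/C7VwsJZAp0B1hSyleKWzF"; ## SECRET-DATA
}
gateway gw_to_TEST-OSPF {
ike-policy ike-iq-to-test-ospf;
address 1.1.1.1;
external-interface ge-0/0/0.0;
}
}
ipsec {
proposal IPSEC-PROP-01 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 7200;
}
policy ipsec_to_TEST-OSPF {
perfect-forward-secrecy {
keys group2;
}
proposals IPSEC-PROP-01;
}
/* Route-based VPN: SA is bound to st0.0 and brought up without waiting for traffic. */
vpn to_TEST-OSPF {
bind-interface st0.0;
ike {
gateway gw_to_TEST-OSPF;
ipsec-policy ipsec_to_TEST-OSPF;
}
establish-tunnels immediately;
}
}
/* any/any permits in both directions plus default-policy permit-all make the zone policies effectively a no-op; fine for a lab, narrow them before production use. */
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy pol01 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Intra-zone rule for GRE and ICMP between gr-0/0/0.0, st0.0 and ge-0/0/1.0, which are all in trust. */
from-zone trust to-zone trust {
policy GRE-PERMIT {
match {
source-address any;
destination-address any;
application [ junos-gre junos-ping ];
}
then {
permit;
}
}
}
default-policy {
permit-all;
}
}
zones {
security-zone trust {
/* Wide open host-inbound on trust; presumably needed so GRE (IP protocol 47) and ESP-decapsulated traffic can terminate on gr-0/0/0.0 / st0.0. TODO(review): check whether only the required protocols can be listed instead of "all". */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
gr-0/0/0.0;
st0.0;
}
}
security-zone untrust {
/* References an ids-option "untrust-screen" that is not part of this listing (presumably trimmed from the paste); OFFICE-01 has no screen on its untrust zone. */
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
}
}
/* lo0.0 (10.107.0.1, 10.107.2.1) in untrust; see note on lo0 above. */
lo0.0;
}
}
}
}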