Próbuję zestawić tunel GRE over IPSec pomiędzy Juniper SRX a routerem Cisco i przepuścić ruch OSPF. Nijak mi nie wychodzi IPSec się zestawia ale sąsiedztwo OSPF staje w stanie INIT (config na podstawie znalezionych w necie tutoriali). Może ktoś robił coś takiego i mógłby zerknąć co jest nie tak?
Topologia:
SRX 172.17.20.12 <--> 172.17.20.9 ROUTER 172.17.20.17 <--> 172.17.20.18 Router Cisco
Konfig Juniper:
Kod: Zaznacz cały
gr-0/0/0 {
unit 0 {
tunnel {
source 5.5.5.1;
destination 5.5.5.2;
}
family inet {
mtu 1400;
address 2.2.2.1/24;
}
}
}
fe-0/0/1 {
unit 0 {
family inet {
address 172.17.20.12/29 {
vrrp-group 10 {
virtual-address 172.17.20.10;
priority 254;
preempt;
accept-data;
authentication-type md5;
authentication-key "$9$77-s2oJG.fz7-kPQ3tpKM87bs"; ## SECRET-DATA
}
}
}
}
}
lo0 {
unit 0 {
family inet {
address 5.5.5.1/24;
}
}
}
routing-options {
static {
route 172.17.20.16/29 next-hop 172.17.20.9;
route 5.5.5.2/32 next-hop st0.0;
}
router-id 5.5.5.1;
}
protocols {
ospf {
area 0.0.0.0 {
interface fe-0/0/7.0;
}
area 0.0.0.1 {
interface lo0.0;
interface gr-0/0/0.0;
}
}
}
security {
ike {
proposal IKE-PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
}
policy IKE-POLICY {
mode main;
proposals IKE-PROPOSAL;
pre-shared-key ascii-text "$9$MUT8NdwYgDHmM8Gi.fn6cylMxN"; ## SECRET-DATA
}
gateway IKE_GW {
ike-policy IKE-POLICY;
address 172.17.20.18;
external-interface fe-0/0/1;
}
}
ipsec {
proposal IPSEC-PROPSAL {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm des-cbc;
lifetime-seconds 3600;
}
policy IPSEC-POLICY {
proposals IPSEC-PROPSAL;
}
vpn VPN-1 {
bind-interface st0.0;
ike {
gateway IKE_GW;
proxy-identity {
local 5.5.5.1/32;
remote 5.5.5.2/32;
service junos-gre;
}
ipsec-policy IPSEC-POLICY;
}
establish-tunnels immediately;
}
}
security-zone TRUST {
interfaces {
fe-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
lo0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
gr-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
Kod: Zaznacz cały
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28800
crypto isakmp key haslo address 172.17.20.12
crypto ipsec transform-set CM1-TRANS esp-des esp-md5-hmac
!
crypto map CM1 1 ipsec-isakmp
set peer 172.17.20.12
set transform-set CM1-TRANS
match address CISCO-LO-TO-SRX-LO
interface Loopback0
ip address 5.5.5.2 255.255.255.0
interface Tunnel1
description GRE-TO-SRX
ip address 2.2.2.2 255.255.255.0
ip mtu 1400
ip ospf 1 area 1
tunnel source Loopback0
tunnel destination 5.5.5.1
interface FastEthernet0/0.23
descriptio WAN
encapsulation dot1Q 23
ip address 172.17.20.18 255.255.255.248
crypto map CM1
router ospf 1
router-id 5.5.5.2
ip access-list extended CISCO-LO-TO-SRX-LO
permit ip any any
permit gre any any
ip route 172.17.20.8 255.255.255.248 172.17.20.17
Pozdrawiam