We were tasked with setting up an encrypted channel between the central office and two branch offices:
1. Juniper SRX240H - central office (internal net: 10.аа.0.0/16, external addr: 91.221.а.а)
2. Cisco 1921 - office 1 (internal net: 192.168.11.0/24, external addr: 195.239.б.б)
3. Cisco 1921 - office 2 (internal net: 192.168.12.0/24, external addr: 91.164.в.в) - not added to the config yet
Below are the VPN-related parts of the configs:
Juniper:
Code:
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 91.221.а.а/32;
            }
        }
    }
    st0 {
        description VPN;
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        ...
        route 10.0.0.0/8 discard;
        route 172.16.0.0/12 discard;
        route 192.168.0.0/16 discard;
        route 192.168.11.0/24 next-hop st0.0;
        ...
    }
}
security {
    ike {
        proposal ike-brtpc {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ike_brtpc {
            mode main;
            proposals ike-brtpc;
            pre-shared-key ascii-text "$9$r2JeK8NdbgaUlK87NV4o"; ## SECRET-DATA
        }
        gateway gw_brtpc {
            ike-policy ike_brtpc;
            address 195.239.б.б;
            dead-peer-detection always-send;
            external-interface lo0.0;
        }
    }
    ipsec {
        proposal ipsec-brtpc {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 4608000;
        }
        policy ipsec_brtpc {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-brtpc;
        }
        vpn brtpc {
            bind-interface st0.0;
            ike {
                gateway gw_brtpc;
                proxy-identity {
                    local 10.аа.0.0/16;
                    remote 192.168.11.0/24;
                    service any;
                }
                ipsec-policy ipsec_brtpc;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
        tcp-session {
            no-syn-check-in-tunnel;
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy bratsk_to_iortpc {
                match {
                    source-address net-cfgr_192.168.11.0;
                    destination-address net-cfgr_10-138-0-0--16;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy iortpc_to_brtpc {
                match {
                    source-address net-cfgr_10-138-0-0--16;
                    destination-address net-cfgr_192.168.11.0;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy distr {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy idp {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy permit_any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy permit_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        policy-rematch;
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                ...
                address net-cfgr_10-аа-0-0--16 10.аа.0.0/16;
            }
            screen trust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/13.0;
                ge-0/0/14.14;
                st0.0;
            }
        }
        security-zone untrust {
            address-book {
                address net-cfgr_192.168.11.0 192.168.11.0/24;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                    ike;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0 {
                }
            }
        }
    }
}
Cisco:
Code:
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key *key* address 91.221.а.а
!
crypto ipsec transform-set VPN_TO_IORTPC esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 1 ipsec-isakmp
 set peer 91.221.а.а
 set transform-set VPN_TO_IORTPC
 match address VPN-TRAFFIC
!
!
interface GigabitEthernet0/0
 description === Internet ===
 ip address 195.239.б.б 255.255.255.252
 ip access-group FIREWALL in - currently permits everything
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map CMAP
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.11.0 0.0.0.255 10.аа.0.0 0.0.255.255
!
access-list 101 permit ip 192.168.11.0 0.0.0.255 10.аа.0.0 0.0.255.255
!
Everything seems to have been done by the manuals; here is the output:
Juniper:
Code:
admin@gw> show security ike sa detail
IKE peer 195.239.б.б, Index 4651337, Gateway Name: gw_brtpc
Role: Initiator, State: DOWN
Initiator cookie: b2ab7e39bd9f541a, Responder cookie: 0000000000000000
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 91.221.а.а:500, Remote: 195.239.б.б:500
Peer ike-id: not available
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : (null)
Encryption : (null)
Pseudo random function: (null)
Diffie-Hellman group : unknown
Traffic statistics:
Input bytes : 0
Output bytes : 568
Input packets: 0
Output packets: 2
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
admin@gw>
Cisco:
Code:
gw_brtpc#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 91.221.а.а port 500
IPSEC FLOW: permit ip 192.168.11.0/255.255.255.0 10.аа.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
gw_brtpc#
The Juniper debug log contains this:
[Mar 1 11:57:10][91.221.а.а <-> 195.239.б.б] ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Mar 1 11:57:10][91.221.а.а <-> 195.239.б.б] ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Mar 1 11:57:10][91.221.а.а <-> 195.239.б.б] ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
Code:
Mar 1 12:53:50 gw kmd[74539]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: brtpc Gateway: gw_brtpc, Local: 91.221.а.а/500, Remote: 195.239.б.б/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
As can be seen, even IKE does not complete. I tried changing various encryption types and algorithm settings; the errors are the same. Where should I look?
P.S.
Juniper:
Code:
admin@gw> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
  logical-system                        0            1           0    permanent

Licenses installed: none
admin@gw>
Cisco:
Code:
gw_brtpc#show license
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9
        Period left: 7 weeks 6 days
        Period Used: 4 days 0 hour
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9
        Period left: 7 weeks 6 days
        Period Used: 4 days 0 hour
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 4 Feature: NtwkEssSuitek9
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 5 Feature: ios-ips-update
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: hseck9
Index 7 Feature: mgmt-plug-and-play
Index 8 Feature: mgmt-lifecycle
Index 9 Feature: mgmt-assurance
Index 10 Feature: mgmt-onplus
Index 11 Feature: mgmt-compliance
gw_brtpc#
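An added example, not part of the post above: the first thing to rule out when IKE Phase 1 stays DOWN is a proposal mismatch, so this Python check parses the Junos `ike proposal` block and the IOS `crypto isakmp policy` shown in the post, maps the two vendors' spellings onto one vocabulary, and lists every parameter the peers would disagree on. The two config snippets are constructed copies of the post's settings, and the `NORMALISE` table is an assumption that covers only the algorithm names used here plus the AES-256 variant.

```python
import re

# Constructed copies of the Phase 1 settings from the two configs in the post.
JUNOS_PROPOSAL = """
proposal ike-brtpc {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
"""
IOS_POLICY = """
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
"""

# Assumed mapping of vendor spellings onto one vocabulary (only the names
# that appear on this page plus AES-256; extend as needed).
NORMALISE = {"3des-cbc": "3des", "aes-256-cbc": "aes256", "sha1": "sha",
             "pre-shared-keys": "psk", "pre-share": "psk"}

def parse_junos(text):
    """Phase 1 parameters from a Junos 'ike proposal' block, as a dict."""
    keys = {"encryption-algorithm": "encr", "authentication-algorithm": "hash",
            "authentication-method": "auth", "dh-group": "group",
            "lifetime-seconds": "lifetime"}
    out = {}
    for m in re.finditer(r"^\s*([\w-]+)\s+([\w-]+);", text, re.M):
        if m.group(1) in keys:
            out[keys[m.group(1)]] = NORMALISE.get(m.group(2), m.group(2))
    return out

def parse_ios(text):
    """Phase 1 parameters from an IOS 'crypto isakmp policy' block, as a dict."""
    out = {}
    for m in re.finditer(r"^\s*(encr|hash|authentication|group|lifetime)\s+(.+?)\s*$", text, re.M):
        key = "auth" if m.group(1) == "authentication" else m.group(1)
        val = m.group(2).replace(" ", "")          # "aes 256" -> "aes256"
        val = "group" + val if key == "group" else val
        out[key] = NORMALISE.get(val, val)
    return out

def phase1_mismatches(junos, ios):
    """Sorted names of the parameters on which the two peers would not agree."""
    return sorted(k for k in set(junos) | set(ios) if junos.get(k) != ios.get(k))
```

`phase1_mismatches(parse_junos(JUNOS_PROPOSAL), parse_ios(IOS_POLICY))` returns an empty list for the two configs in the post, so Phase 1 is failing for some other reason; with zero input bytes on the SRX side, the pre-shared key, IKE identities and whether IKE actually reaches the Cisco on UDP/500 are the next things to verify.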