How do I connect one site to another over an IPsec VPN from Linux through a Juniper Junos SRX gateway (210 and 240 series)?


It has been more than a week now, but it seems I have no answer to this, and I don't really know how to solve this problem:

I'm using Fedora / CentOS Linux, and a Juniper SRX210 gateway is configured as a site-to-site IPsec VPN. When I try to connect my Linux machine to the Juniper, the Juniper always shows 0 tunnels.

The goal is to connect site 4 (Fedora / CentOS) to site 1:

[diagram]

Please find my configuration for both ends below:

1. Juniper configuration, prepared with this tool: http://www.juniper.net/customers/support/configtools/vpnconfig.html

Generated Configuration (Route-based):

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24

## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "__YouHackersStayAwayFromMyPassword__"

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.2
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0

## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit

2. Fedora / CentOS configuration:

    1) cat /etc/sysconfig/network-scripts/ifcfg-vpn
    ONBOOT=yes
    IKE_METHOD=PSK
    DSTGW=10.2.2.1
    SRCGW=10.2.3.1
    DSTNET=10.2.2.0/24
    SRCNET=10.2.3.1/24
    DST=98.0.0.1
    TYPE=IPSEC

    2) cat /etc/sysconfig/network-scripts/keys-vpn
    KEY_ESP=
    KEY_AH=
    IKE_PSK=__YouHackersStayAwayFromMyPassword__


    3) cat /etc/racoon/racoon.conf
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    path script "/etc/racoon/scripts";

    sainfo anonymous
    {
        #pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
    }

    include "/etc/racoon/98.0.0.1.conf";

    4) [root@example ~]# vim /etc/sysctl.conf 
    [root@example ~]# sysctl -p /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
    /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
    /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory

    [root@example ~]# ifup vpn
    RTNETLINK answers: No such process
    [root@example ~]# 

Test:

[root@example ~]# ip route
98.0.0.0/24 dev em1  proto kernel  scope link  src 98.0.0.2  metric 1 
81.164.40.0/21 dev wlan0  proto kernel  scope link  src 81.164.44.90  metric 2 
default via 98.0.0.1 dev em1  proto static 

[root@example ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:19:b9:85:96:c5 brd ff:ff:ff:ff:ff:ff
    inet 98.0.0.2/24 brd 98.0.0.255 scope global em1
    inet6 fe80::219:b9ff:fe85:96c5/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:19:7e:a7:f8:76 brd ff:ff:ff:ff:ff:ff
    inet 81.164.44.90/21 brd 81.164.47.255 scope global wlan0
    inet6 fe80::219:7eff:fea7:f876/64 scope link 
       valid_lft forever preferred_lft forever
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff


[root@example ~]# ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_req=1 ttl=63 time=0.531 ms
64 bytes from 10.2.2.2: icmp_req=2 ttl=63 time=0.482 ms
^C
--- 10.2.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.482/0.506/0.531/0.033 ms
[root@example ~]# ping 98.0.0.1
PING 98.0.0.1 (98.0.0.1) 56(84) bytes of data.
64 bytes from 98.0.0.1: icmp_req=1 ttl=64 time=0.518 ms
^C
--- 98.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.518/0.518/0.518/0.000 ms


[root@example ~]# traceroute 98.0.0.1
traceroute to 98.0.0.1 (98.0.0.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
You have mail in /var/spool/mail/root

Does anyone have an idea?
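Before anyone digs into IKE debug output, the two ends quoted in the question can be checked against each other mechanically. The script below is an added example, not code from the question, from Juniper or from Red Hat. It parses the relevant `set` lines of the SRX configuration and the ifcfg-vpn and racoon.conf fragments (embedded as constructed excerpts, PSK left out) and reports the mismatches that are visible on the page: SRCNET=10.2.3.1/24 is a host address rather than a network, 10.2.3.0/24 is not one of the networks the SRX routes into st0.0, DSTNET=10.2.2.0/24 is the tunnel link subnet rather than the trust network behind the SRX, DSTGW is not the SRX st0.0 address, and racoon offers 3DES, Blowfish and HMAC-MD5 in phase 2. The `IFCFG_FIXED` values are an assumption about what the Linux side would need (site 4's LAN 192.168.4.0/24 as SRCNET, 192.168.2.0/24 as DSTNET, 10.2.2.2 as DSTGW), not something the post states. One caveat the script cannot cover: with the ifup-ipsec scripts, racoon proposes SRCNET/DSTNET as the phase-2 identities, while a route-based SRX VPN with no `proxy-identity` configured uses 0.0.0.0/0 for both, so the SRX side may also need an explicit `set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local ... remote ...` for phase 2 to match.

```python
"""Cross-check of both ends of the site-to-site IPsec VPN from the question.
Added example, not code from the post, Juniper or Red Hat: it parses the Junos
'set' lines and the ifcfg-vpn / racoon.conf fragments (constructed excerpts, PSK omitted)."""
import ipaddress
import re

# Relevant 'set' lines from the posted Junos configuration.
JUNOS_CONFIG = """
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security ike gateway ike-gate-cfgr address 98.0.0.2
"""
# ifcfg-vpn exactly as posted.
IFCFG_VPN = """
ONBOOT=yes
IKE_METHOD=PSK
DSTGW=10.2.2.1
SRCGW=10.2.3.1
DSTNET=10.2.2.0/24
SRCNET=10.2.3.1/24
DST=98.0.0.1
TYPE=IPSEC
"""
# Phase-2 algorithm lines from the posted racoon.conf sainfo block.
RACOON_SAINFO = """
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
"""
LINUX_PUBLIC = "98.0.0.2"   # em1 in the 'ip addr' output
SRX_PUBLIC = "98.0.0.1"     # the Linux default gateway and ifcfg DST
WEAK_ALGOS = {"3des", "blowfish", "hmac_md5"}  # legacy choices worth flagging

PATTERNS = {  # what to pull out of the Junos config; list-valued keys collect every match
    "peer": r"set security ike gateway \S+ address (\S+)",
    "st0": r"set interfaces st0\.0 family inet address (\S+)",
    "routed": r"set routing-options static route (\S+) next-hop st0\.0",
    "trust": r"set security zones security-zone trust address-book address \S+ (\S+)",
}

def parse_junos(text):
    """Peer address, st0.0 address, networks routed into st0.0 and trust networks."""
    cfg = {"peer": None, "st0": None, "routed": [], "trust": []}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m and isinstance(cfg[key], list):
                cfg[key].append(ipaddress.ip_network(m.group(1)))
            elif m:
                cfg[key] = m.group(1)
    return cfg

def parse_kv(text):
    """KEY=value lines in ifcfg style; blanks and comments skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_racoon_algos(text):
    """Algorithm names from sainfo lines ('blowfish 448' becomes 'blowfish')."""
    algos = set()
    for line in text.splitlines():
        m = re.match(r"\s*(?:encryption|authentication)_algorithm\s+(.*?)\s*;", line)
        if m:
            algos.update(tok.split()[0] for tok in m.group(1).split(","))
    return algos

def check(junos, ifcfg, algos, linux_public=LINUX_PUBLIC, srx_public=SRX_PUBLIC):
    """Return the list of mismatches between the two ends; empty when they agree."""
    findings = []
    if junos["peer"] != linux_public:
        findings.append(f"SRX peer {junos['peer']} is not the Linux address {linux_public}")
    if ifcfg.get("DST") != srx_public:
        findings.append(f"Linux DST {ifcfg.get('DST')} is not the SRX address {srx_public}")
    for key in ("SRCNET", "DSTNET"):
        try:
            ipaddress.ip_network(ifcfg[key])  # strict: a host address here is a typo
        except ValueError:
            findings.append(f"{key}={ifcfg[key]} has host bits set")
    srcnet = ipaddress.ip_network(ifcfg["SRCNET"], strict=False)
    dstnet = ipaddress.ip_network(ifcfg["DSTNET"], strict=False)
    if srcnet not in junos["routed"]:
        findings.append(f"SRCNET {srcnet} is not routed into st0.0 on the SRX "
                        f"(routed: {[str(n) for n in junos['routed']]})")
    if dstnet not in junos["trust"]:
        findings.append(f"DSTNET {dstnet} is not a trust-zone network on the SRX "
                        f"(trust: {[str(n) for n in junos['trust']]})")
    st0_ip = ipaddress.ip_interface(junos["st0"]).ip
    if ipaddress.ip_address(ifcfg["DSTGW"]) != st0_ip:
        findings.append(f"DSTGW {ifcfg['DSTGW']} is not the SRX st0.0 address {st0_ip}")
    weak = sorted(algos & WEAK_ALGOS)
    if weak:
        findings.append(f"weak phase-2 algorithms offered by racoon: {weak}")
    return findings

# Assumed correction, not from the post: site 4's LAN as SRCNET, the SRX trust
# network as DSTNET and the SRX st0.0 address as DSTGW.
IFCFG_FIXED = dict(parse_kv(IFCFG_VPN), SRCNET="192.168.4.0/24",
                   DSTNET="192.168.2.0/24", DSTGW="10.2.2.2")

if __name__ == "__main__":
    junos, algos = parse_junos(JUNOS_CONFIG), parse_racoon_algos(RACOON_SAINFO)
    print("as posted:", *check(junos, parse_kv(IFCFG_VPN), algos), sep="\n- ")
    print("assumed fix:", *check(junos, IFCFG_FIXED, algos), sep="\n- ")
```

Run it with `python3` on the posted excerpts and it prints five findings; with the assumed correction only the weak-algorithm warning remains, which is the point at which IKE tracing on the SRX (`show security ike security-associations`, `show security ipsec security-associations`) and `ip xfrm policy` / `ip xfrm state` on the Linux side become worth reading.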


Can you tell me whether the xinetd service is running on your Linux box?
Ghost
Licensed under cc by-sa 3.0 with attribution required.