已经过去一个多星期了,但我似乎没有答案,也不知道如何解决这个问题:
我使用的是 Fedora/CentOS Linux,并有一个 Juniper SRX210 网关配置为站点到站点 IPsec VPN。当我尝试将我的 Linux 机器连接到 Juniper 时,Juniper 总是显示 0 条隧道。
目标是让站点 4 (Fedora/CentOS) 连接到站点 1:
以下是我两端的配置。先说明一点:下面 Linux 一侧 `ip addr` 的输出里只有 98.0.0.2 (em1) 和 81.164.44.90 (wlan0),并没有 ifcfg-vpn 里用到的 10.2.3.0/24,也没有 Juniper 那边为站点 4 配的 192.168.4.0/24:
1.通过此工具准备的Juniper配置: http://www.juniper.net/customers/support/configtools/vpnconfig.html
Generated Configuration (Route-based):
## SRX side of a route-based IPsec VPN (output of Juniper's VPN config tool).
## The tunnel peer is 98.0.0.2, which is the Linux box's em1 address in the `ip addr` output further down.
## Configure interface IP and route for tunnel traffic
## st0.0 is the tunnel interface. 10.2.2.2/24 is the subnet the Linux plan refers to as DSTNET/DSTGW
## (note the Linux file names 10.2.2.1 as the far gateway, while the SRX address here is 10.2.2.2).
set interfaces st0.0 family inet address 10.2.2.2/24
## Remote LANs are reached by pushing them into the tunnel. Nothing here covers 10.2.3.0/24,
## which is the source network the Linux ifcfg-vpn file announces.
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
## Only IKE (UDP 500 / 4500 with NAT-T) is accepted by the SRX itself on untrust -- a good least-privilege default.
## NOTE(review): nothing shown here lets the SRX answer ping on untrust, yet 98.0.0.1 and 10.2.2.2 reply to
## pings below; either 98.0.0.1 is not this SRX or there is more zone configuration than the post shows.
set security zones security-zone untrust host-inbound-traffic system-services ike
## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24
## Configure IKE policy for main mode
## Main mode + PSK identifies the peer by its source IP (98.0.0.2), so the Linux box must initiate from
## that address (it does: em1 is 98.0.0.2 and the default route leaves via em1).
set security ike policy ike-policy-cfgr mode main
## `standard` is a Junos pre-defined proposal set; per Junos documentation it pairs 3DES / AES-128 with
## SHA-1 and DH group 2 (confirm on the running release). The racoon phase-1 proposal in the unshown
## 98.0.0.1.conf must offer a matching combination. For anything beyond a lab, define explicit proposals
## with AES, SHA-256 and DH group 14 or higher instead of the pre-defined set.
set security ike policy ike-policy-cfgr proposal-set standard
## Must be byte-identical to IKE_PSK in the Linux keys-vpn file. The value is a placeholder; a PSK that has
## appeared in a public post is burned -- generate a long random one for real use.
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "__YouHackersStayAwayFromMyPassword__"
## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
## Peer = the Linux box (em1 98.0.0.2).
set security ike gateway ike-gate-cfgr address 98.0.0.2
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0
## Configure IPsec policy
## No `perfect-forward-secrecy keys` here, so PFS is off. racoon's `pfs_group 2` is commented out as
## well, which is consistent; enabling PFS on only one side makes phase 2 fail.
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
## No `proxy-identity` is configured. Per Junos documentation a route-based VPN then negotiates phase 2
## with 0.0.0.0/0 <-> 0.0.0.0/0 selectors, while the Linux side (TYPE=IPSEC with SRCNET/DSTNET) is
## policy-based and will propose 10.2.3.x/24 <-> 10.2.2.0/24. Mismatched proxy IDs are a classic cause of
## "phase 1 up, 0 IPsec SAs". Something like
##   set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 10.2.2.0/24 remote 10.2.3.0/24 service any
## would align them -- adjust to whatever selectors the Linux side actually installs, then compare
## `show security ike security-associations` with `show security ipsec security-associations`.
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized
## Configure security policies for tunnel traffic in outbound direction
## `application any` in both directions: every protocol and port is allowed through the tunnel.
## Acceptable while bringing the tunnel up; tighten to the services actually needed once it works.
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
## Configure security policies for tunnel traffic in inbound direction
## Inbound from the vpn zone is likewise wide open (any application) towards 192.168.2.0/24.
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
2.Fedora/CentOS配置规划:
1) cat /etc/sysconfig/network-scripts/ifcfg-vpn
# /etc/sysconfig/network-scripts/ifcfg-vpn -- policy-based IPsec connection handled by ifup-ipsec.
# NOTE(review): `ifup vpn` fails with "RTNETLINK answers: No such process" below; that is the kernel
# rejecting a route/policy operation, not an IKE error. Run `sh -x /etc/sysconfig/network-scripts/ifup-ipsec vpn`
# to see which `ip` / `setkey` call fails -- the addresses flagged below are the likely culprits.
# Bring the connection up at boot.
ONBOOT=yes
# Phase 1 uses a pre-shared key; the key itself lives in keys-vpn (IKE_PSK), not in this file.
IKE_METHOD=PSK
# Far-side tunnel gateway inside the remote network. The SRX st0.0 address is 10.2.2.2, not .1 --
# confirm which address this is meant to be.
DSTGW=10.2.2.1
# NOTE(review): no interface in the `ip addr` output below carries any 10.2.3.x address, so this
# "local gateway" does not exist on this host.
SRCGW=10.2.3.1
# Remote selector: the SRX st0.0 subnet.
DSTNET=10.2.2.0/24
# Local selector. This is a host address with a /24 mask; the network form is 10.2.3.0/24. SRCNET/DSTNET
# become the phase-2 proxy IDs, which the route-based SRX config (no proxy-identity configured) will not
# match unless it is told the same pair.
SRCNET=10.2.3.1/24
# IKE/ESP peer: the box's default gateway (`default via 98.0.0.1 dev em1`), presumably the SRX ge-0/0/0
# address. The SRX in turn expects this peer at 98.0.0.2, which is em1 -- consistent.
DST=98.0.0.1
# Selects the ifup-ipsec helper (setkey/racoon based).
TYPE=IPSEC
2) cat /etc/sysconfig/network-scripts/keys-vpn
# /etc/sysconfig/network-scripts/keys-vpn -- secrets for the "vpn" IPsec connection.
# Keep this file root-only (mode 0600). ifup-ipsec presumably writes IKE_PSK into /etc/racoon/psk.txt,
# and racoon rejects a psk.txt that is group- or world-readable.
# Manual ESP/AH keys are unused: with IKE_METHOD=PSK all session keys are negotiated by IKE.
KEY_ESP=
KEY_AH=
# Phase-1 pre-shared key; must equal the SRX `pre-shared-key ascii-text` exactly, byte for byte.
# The value is a placeholder -- a key that has been posted publicly must be treated as compromised.
IKE_PSK=__YouHackersStayAwayFromMyPassword__
3) cat /etc/racoon/racoon.conf
# /etc/racoon/racoon.conf -- racoon (IKEv1) configuration for the Linux side of the tunnel.
path include "/etc/racoon";
# Per-peer PSK file keyed by peer IP (98.0.0.1); the key is populated from keys-vpn. Must be mode 0600.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
# Phase 2 (IPsec SA) parameters, applied to any selector pair ("anonymous").
sainfo anonymous
{
# PFS disabled -- matches the SRX ipsec policy, which configures no `perfect-forward-secrecy keys`.
# Enable it on both sides or neither; one-sided PFS fails phase 2.
#pfs_group 2;
lifetime time 1 hour ;
# Proposals offered to the peer. Only `3des` and `rijndael` (AES) can overlap with the SRX `standard`
# proposal set (3DES / AES-128 per Junos documentation -- confirm); blowfish will never be chosen.
# 3DES and MD5 are legacy algorithms: once the tunnel works, prefer aes with hmac_sha1/hmac_sha256.
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
# IPComp (deflate) is offered too; the SRX config shows no IPComp, so drop this unless both ends support it.
compression_algorithm deflate ;
}
# Phase 1 (`remote 98.0.0.1 { ... }`) lives in this generated file, which the post does not show.
# Its exchange_mode, dh_group, encryption/hash and authentication_method must line up with the SRX
# ike policy (main mode, `standard` set, pre-shared key).
include "/etc/racoon/98.0.0.1.conf";
4) [root@example ~]# vim /etc/sysctl.conf
[root@example ~]# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
/proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
/proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
/proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory
[root@example ~]# ifup vpn
RTNETLINK answers: No such process
[root@example ~]#
测试(注意:上面 `ifup vpn` 已经报错退出,所以下面对 10.2.2.2 的 ping 是在没有任何 IPsec 隧道的情况下完成的;ttl=63 说明它只是经由 98.0.0.1 被明文路由过去了,并不能证明 VPN 可用):
[root@example ~]# ip route
98.0.0.0/24 dev em1 proto kernel scope link src 98.0.0.2 metric 1
81.164.40.0/21 dev wlan0 proto kernel scope link src 81.164.44.90 metric 2
default via 98.0.0.1 dev em1 proto static
[root@example ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:19:b9:85:96:c5 brd ff:ff:ff:ff:ff:ff
inet 98.0.0.2/24 brd 98.0.0.255 scope global em1
inet6 fe80::219:b9ff:fe85:96c5/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:19:7e:a7:f8:76 brd ff:ff:ff:ff:ff:ff
inet 81.164.44.90/21 brd 81.164.47.255 scope global wlan0
inet6 fe80::219:7eff:fea7:f876/64 scope link
valid_lft forever preferred_lft forever
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
[root@example ~]# ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_req=1 ttl=63 time=0.531 ms
64 bytes from 10.2.2.2: icmp_req=2 ttl=63 time=0.482 ms
^C
--- 10.2.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.482/0.506/0.531/0.033 ms
[root@example ~]# ping 98.0.0.1
PING 98.0.0.1 (98.0.0.1) 56(84) bytes of data.
64 bytes from 98.0.0.1: icmp_req=1 ttl=64 time=0.518 ms
^C
--- 98.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.518/0.518/0.518/0.000 ms
[root@example ~]# traceroute 98.0.0.1
traceroute to 98.0.0.1 (98.0.0.1), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
You have mail in /var/spool/mail/root
有人有什么想法吗?