我有点困惑,希望在这里找到一些指导。
我已经从 Juniper SRX240 (12.1X44-D45.2) 配置了一条通往 Microsoft Azure 的 IPSec 隧道。隧道运行正常,但当隧道中没有流量时(无论流量来自哪一侧),第 2 阶段就会中断。
我尝试过使用 DPD,但 Azure 不支持它。我还将 VPN 监视器配置为隧道另一端的目的地,但这也不起作用。在我的“show log kmd”中,我看到 P2 在发生丢弃后没有选择提议的消息。我应该补充一点,第 1 阶段永远不会丢弃。
这没问题,但不幸的是,我必须通过隧道静态路由远程范围,并且由于隧道没有(也不能)有 IP 地址,所以我的下一跳是 st0.2。当第 2 阶段中断时,静态路由也会中断,路由将遵循下一个更具体的路由。因此,目前无法自动恢复隧道。
我将非常感激任何有关此事的建议或帮助。我需要隧道即使在没有交通经过时也能保持畅通。请参阅下面的配置。
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2
这就是 kmd 日志的样子。
[Jul 9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul 9 13:56:40]Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul 9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul 9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul 9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul 9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul 9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul 9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul 9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul 9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul 9 13:56:40] P2 ed info: flags 0x82, P2 error: Error ok
[Jul 9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul 9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul 9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul 9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist
就像我说的,它运行得很好,直到没有流量,我不知道还能尝试什么。
提前致谢!
答案1
该问题听起来像是我在 Vyatta 和 Juniper SRX 之间的 IPSec VPN 隧道中遇到的问题。
您是否尝试过在 Juniper 和 Azure 中配置 VPN 协商第一阶段的 IKE 配置下的失效对等检测?
在 Juniper 中我知道它是默认启用的,但例如在 Vyatta 中我必须手动配置,它看起来像这样:
ike-group <IKE-GROUP> {
dead-peer-detection {
action restart
interval 15
timeout 30
}
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes256
hash sha1
}
}
如果它对您有用,请告诉我。
扫罗