
Site-to-site VPN between a Juniper SRX and a Zywall

Network Engineering user
Asked 2019-03-12 08:19:51
1 answer, 411 views, 0 followers, 3 votes

I have a Juniper SRX 340 in my datacenter and a Zywall 100 in my office. I want to set up a site-to-site VPN between them, but after many attempts I still cannot get it to work.

This is the configuration on the Juniper side:

/* [edit security ike]: phase 1 */
traceoptions {
    file ike-trace;
}
respond-bad-spi 1;
proposal Ufficio_BG {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy ike_pol_UfficioBG {
    mode aggressive;
    proposals Ufficio_BG;
    pre-shared-key ascii-text "$9$mPz6B1hcrvuOWxN-wsP5T3Ct"; ## SECRET-DATA
}
gateway gw_UfficioBG {
    ike-policy ike_pol_UfficioBG;
    address 10.10.10.1;
    local-identity inet 20.20.20.1;
    external-interface reth0.0;
    version v1-only;
}

----------------------------------------------------------------------

/* [edit security ipsec]: phase 2; the st0.2 unit bound below must exist with family inet and belong to a security zone */
proposal UfficioBG {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
    lifetime-kilobytes 4294967294;
}
policy ipsec_pol_UfficioBG {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals UfficioBG;
}
vpn UfficioBG {
    bind-interface st0.2;
    ike {
        gateway gw_UfficioBG;
        ipsec-policy ipsec_pol_UfficioBG;
    }
    establish-tunnels immediately;
}

And this one on the Zywall side:

isakmp policy CED_Milano
 activate
 local-ip interface TIM_FC
 peer-ip 20.20.20.1 0.0.0.0
 authentication pre-share
 encrypted-keystring $4$7QS0D3Km$5ZHdWCJz2pBYw1yHb0RQCZHByYwcxfAnFj/C8zZmHeApLK4fOP4a8SWrwDRt0OnZzrF66GMvbNsEqA9slprImix1v0rfHyB0StxbWQzpoh0$
 local-id type ip 10.10.10.1
 peer-id type ip 20.20.20.1
 fall-back-check-interval 300
 lifetime 3600
 mode aggressive
 group2
 no dpd
 transform-set 3des-md5
 xauth type server default deactivate
 no natt
!
crypto map CED_MILANO
 adjust-mss auto
 activate
 ipsec-isakmp CED_Milano
 scenario site-to-site-static
 encapsulation tunnel
 transform-set esp-aes128-sha256
 set security-association lifetime seconds 3600
 set pfs group5
 local-policy LAN1_SUBNET
 remote-policy CED
 no conn-check activate
 policy-enforcement

The Juniper log tells me:

Mar 12 08:51:14  fw01 kmd[72691]: IKE negotiation successfully completed. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.1, VR-ID: 0, Role: Initiator
Mar 12 08:51:14  fw01 kmd[72691]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.1, VR-ID: 0
Mar 12 08:52:13  fw01 kmd[72691]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.1, VR-ID: 0
Mar 12 08:53:13  fw01 kmd[72691]: IPSec negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: UfficioBG Gateway: gw_UfficioBG, Local: 20.20.20.1/500, Remote: 10.10.10.1/500, Local IKE-ID: 20.20.20.1, Remote IKE-ID: 10.10.10.19, VR-ID: 0

At this point I don't understand where the problem is; the error talks about proposals, but I have tried different combinations without result.

Does anyone have an idea or a suggestion?

Thanks, Gianluca

1 answer

Network Engineering user

Accepted answer

Posted 2019-03-12 13:11:40

There is a Juniper KB article related to your problem: KB24642

This can be attributed to the following: the st0 interface needs to be configured under a specific security zone. Even if the st0 interface is unnumbered, it still needs the following configuration: # set interfaces st0.0 family inet. Make sure you use an st0.x interface number: if you configure st1.0 (instead of st0.1, st0.2, and so on), you will get the "No proposal chosen" error and your tunnel will not come up.

3 votes
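The configuration the accepted answer describes, written out as an added example that is not part of the original question or answer. It supplies what the posted SRX configuration lacks for the st0.2 unit (family inet and zone membership) and goes beyond the answer with the zone policies, the static route and a proxy-identity that a route-based SRX generally needs when the peer is policy-based, as the Zywall crypto map with local-policy/remote-policy is. The zone name "vpn", the zone "trust" for the datacenter LAN, and the subnets 192.168.20.0/24 (datacenter) and 192.168.10.0/24 (office) are assumptions; substitute the real ones.

```junos
/* Added example, not from the original post. Assumed: zone "vpn", datacenter LAN */
/* 192.168.20.0/24 behind the SRX in zone "trust", office LAN 192.168.10.0/24 behind the Zywall. */
interfaces {
    st0 {
        /* unit number must match "bind-interface st0.2" in the vpn stanza */
        /* an unnumbered tunnel unit still needs family inet */
        unit 2 {
            family inet;
        }
    }
}
security {
    zones {
        /* the st0 unit must belong to a zone, otherwise phase 2 never completes */
        security-zone vpn {
            interfaces {
                st0.2;
            }
        }
    }
    policies {
        /* permit traffic between the datacenter LAN and the tunnel zone */
        from-zone trust to-zone vpn {
            policy dc-to-office {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy office-to-dc {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    ipsec {
        vpn UfficioBG {
            ike {
                /* the Zywall is policy-based, so offer traffic selectors that match its */
                /* local-policy/remote-policy instead of the route-based default 0.0.0.0/0 */
                proxy-identity {
                    local 192.168.20.0/24;
                    remote 192.168.10.0/24;
                    service any;
                }
            }
        }
    }
}
routing-options {
    static {
        /* steer the office subnet into the tunnel */
        route 192.168.10.0/24 next-hop st0.2;
    }
}
```

Load it with load merge terminal in configuration mode and commit, then check with show security ike security-associations and show security ipsec security-associations; a phase-2 SA listed against st0.2 means the "No proposal chosen" failure is gone. The phase-1 settings posted above are left as they are, but note that aggressive mode with a pre-shared key exposes a hash of that key to anyone who can observe the exchange, and 3DES and MD5 are deprecated; use main mode with AES and SHA-2 wherever both ends support them.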
The original page content is provided by Network Engineering. Translation supported by the Tencent Cloud Xiaowei IT engine.
Original link:

https://networkengineering.stackexchange.com/questions/57590
