
Juniper SRX IPsec tunnel to Microsoft drops

Server Fault user
Asked on 2015-07-09 13:56:02
Answers 1 · Views 1.6K · Followers 0 · Votes 1

I am a bit stuck and hope to find some guidance here.

I have configured a tunnel from my Juniper SRX240 (12.1X44-D45.2) to Microsoft Azure. The tunnel works fine, but when there is no traffic running through the tunnel (from either side), Phase 2 drops.

I have tried playing with DPD, but Azure does not support it. I have also configured VPN monitor towards a destination on the other side of the tunnel, but that does not work either. In my "show log kmd" I see P2 getting "No proposal chosen" after it has been deleted. I should add that Phase 1 never drops.

That would be acceptable, but unfortunately I have to route the remote range statically over the tunnel, and since the tunnel does not have (and cannot have) an IP address, my next hop is st0.2. When Phase 2 drops, the static route goes down as well and traffic follows the next more specific route. So at that point it is not possible to recover the tunnel automatically.

Any input or assistance on this would be greatly appreciated. I need the tunnel to stay up even when no traffic is flowing through it. Please see my config below.

set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2

This is what the kmd log looks like:

[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul  9 13:56:40]Construction NHTB payload for  local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul  9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul  9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul  9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul  9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul  9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul  9 13:56:40]   P2 ed info: flags 0x82, P2 error: Error ok
[Jul  9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul  9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist

As I said, it works very well until there is no traffic, and I do not know what else to try.

Thanks in advance!
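An added example, not part of the original question: a small Python script that parses the kmd lines quoted above and pulls out the facts that matter for this failure, namely which sa-cfg failed, the IKEv2 notify the peer sent (NO_PROPOSAL_CHOSEN is notify type 14 in RFC 7296), whether the failing exchange was the CHILD_SA (Phase 2) exchange with the SRX as initiator rather than an IKE_SA (Phase 1) exchange, and, from the `set` lines, the IPsec proposal the SRX actually offers in that exchange. The sample log and config embedded below are copied from the question; everything else (function names, the record layout) is this example's own.

```python
"""Pull the security-relevant facts out of Junos 'show log kmd' output and list
the IPsec proposal the SRX offers, so a NO_PROPOSAL_CHOSEN from the peer can be
compared against what that peer actually accepts."""
import re
from collections import defaultdict

# Constructed sample input: kmd lines quoted in the question above.
SAMPLE_KMD = """\
[Jul  9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul  9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
"""

# Constructed sample input: the IPsec 'set' lines from the question's config.
SAMPLE_CONFIG = """\
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
"""

LINE_RE = re.compile(r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\](?P<msg>.*)$")
FAIL_RE = re.compile(r"IPSec negotiation failed for SA-CFG (?P<sa>\S+) for "
                     r"local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+) "
                     r"(?P<ver>IKEv[12])\. status: (?P<status>.+)$")
NOTIFY_RE = re.compile(r"Received error notify (?P<name>.+?) \((?P<code>\d+)\)")
CHILD_RE = re.compile(r"ikev2_state_child_(?P<role>initiator|responder)_in")
VENDOR_RE = re.compile(r"Peer router vendor is not Juniper.*sa-cfg (?P<sa>\S+)")
SET_RE = re.compile(r"^set(?: groups \S+)? security ipsec "
                    r"(?P<kind>proposal|policy|vpn) (?P<name>\S+) (?P<rest>.+)$")


def analyze_kmd(log_text):
    """One record per failed negotiation: sa-cfg, peer, IKE version, the notify
    the peer sent, and whether the failing exchange was a CHILD_SA (Phase 2)
    exchange with the SRX as initiator rather than an IKE_SA (Phase 1) one."""
    failures, notify, child_role, non_juniper = [], None, None, set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (v := VENDOR_RE.search(msg)):
            non_juniper.add(v.group("sa"))
        if (n := NOTIFY_RE.search(msg)):
            notify = (n.group("name"), int(n.group("code")))
        if (c := CHILD_RE.search(msg)):
            child_role = c.group("role")
        if (f := FAIL_RE.search(msg)):
            failures.append({
                "time": ts, "sa_cfg": f.group("sa"), "local": f.group("local"),
                "remote": f.group("remote"), "ike_version": f.group("ver"),
                "status": f.group("status"), "notify": notify,
                "phase": "child_sa" if child_role else "ike_sa", "role": child_role,
                "peer_non_juniper": f.group("sa") in non_juniper,
            })
            notify, child_role = None, None  # reset for the next negotiation
    return failures


def local_ipsec_proposals(config_text):
    """For each ipsec vpn, the proposal(s) and PFS group the SRX will put in its
    CREATE_CHILD_SA request, resolved through vpn -> ipsec-policy -> proposals."""
    proposals = defaultdict(dict)
    policies = defaultdict(lambda: {"proposals": [], "pfs": None})
    vpn_policy = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.group("kind"), m.group("name"), m.group("rest").split()
        if kind == "proposal" and len(rest) == 2:
            proposals[name][rest[0]] = rest[1]
        elif kind == "policy" and rest[0] == "proposals":  # "proposals P" or "proposals [ P Q ]"
            policies[name]["proposals"] += [p for p in rest[1:] if p not in ("[", "]")]
        elif kind == "policy" and rest[:2] == ["perfect-forward-secrecy", "keys"]:
            policies[name]["pfs"] = rest[2]
        elif kind == "vpn" and rest[:2] == ["ike", "ipsec-policy"]:
            vpn_policy[name] = rest[2]
    return {vpn: {"pfs": policies[pol]["pfs"],
                  "proposals": [dict(proposals[p], name=p)
                                for p in policies[pol]["proposals"]]}
            for vpn, pol in vpn_policy.items()}


if __name__ == "__main__":
    for failure in analyze_kmd(SAMPLE_KMD):
        print(failure)
    print(local_ipsec_proposals(SAMPLE_CONFIG))
```

Seeing `phase: child_sa`, `role: initiator` and notify 14 on the same negotiation means the IKE SA itself is fine and the peer is rejecting the SRX's CREATE_CHILD_SA request for a new Phase 2 SA; the thing to compare against the peer's documented settings is therefore the `proposals` output (ESP, hmac-sha1-96, aes-256-cbc, 3600 s lifetime, no PFS group), not the IKE proposal. Keepalives such as DPD or VPN monitor only decide when a tunnel is re-initiated; they do not change what is proposed.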


1 Answer

Server Fault user

Posted on 2016-06-27 08:25:26

This sounds like an issue I ran into with an IPsec VPN tunnel between Vyatta and Juniper.

Have you tried configuring dead peer detection under the IKE configuration on your Juniper, in Phase 1 of the VPN negotiation?

On Juniper I understand it is enabled by default, but on Vyatta, for example, I had to configure it manually, and it looks something like this:

ike-group <IKE-GROUP> {
    dead-peer-detection {
        action restart
        interval 15
        timeout 30
    }
    lifetime 3600
    proposal 1 {
        encryption aes256
        hash sha1
    }
    proposal 2 {
        encryption aes256
        hash sha1
    }
}

Let me know if it works for you.

Saul

Votes: 0
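As an added example (not from the answer or the question), the equivalent on the SRX side: on Junos, DPD is configured per IKE gateway rather than per proposal, and VPN monitor's ICMP probe needs a source address it can use when the bound st0 unit is unnumbered, as st0.2 is in the question's config. The gateway, VPN and interface names are taken from the question's configuration; the interval and threshold values, and the choice of vlan.456 as the probe source, are assumptions.

```text
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY dead-peer-detection always-send
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY dead-peer-detection interval 10
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY dead-peer-detection threshold 3
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor source-interface vlan.456
```

Two caveats worth knowing before expecting this to fix the symptom in the question. DPD runs on the IKE SA, which the question says never drops, so it will not fire here; and both DPD and VPN monitor only decide when to tear down and re-initiate, so if the peer keeps answering the CREATE_CHILD_SA request with NO_PROPOSAL_CHOSEN the tunnel still will not come back until the IPsec proposal matches what the peer accepts. Also, the probe's source address must be covered by the address ranges the peer expects from this side, otherwise the probe itself is dropped as not matching the peer's selectors.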
Original page content provided by Server Fault; translation by Tencent Cloud's IT-domain engine.
Original link:

https://serverfault.com/questions/704630
