Назад | Перейти на главную страницу

Туннель IPSec Juniper SRX к Microsoft Azure Отбрасывание

Я немного озадачен и надеялся найти здесь руководство.

Я настроил туннель IPSec для Microsoft Azure от своего Juniper SRX240 (12.1X44-D45.2). Туннель работает нормально, но фаза 2 отключается, когда нет трафика, проходящего через туннель (не имеет значения, с какой стороны идет трафик).

Я пробовал поиграть с DPD, но Azure его не поддерживает. Я также настроил монитор VPN для пункта назначения на другом конце туннеля, но это тоже не сработало. В моем "журнале показа kmd" я вижу сообщения P2 без предложения, выбранные после того, как происходит отбрасывание. Я должен добавить, что фаза 1 никогда не падает.

Это было бы нормально, но, к сожалению, мне нужно статически маршрутизировать удаленные диапазоны через туннель, и поскольку туннель не имеет (и не может) иметь IP-адрес, мой следующий переход - st0.2. Когда фаза 2 прерывается, статический маршрут и маршрутизация следует по следующему более конкретному маршруту. Таким образом, в настоящее время нет возможности восстановить туннель автоматически.

Буду очень признателен за любой совет или помощь по этому поводу. Мне нужно, чтобы туннель работал, даже если по нему нет движения. Пожалуйста, посмотрите мою конфигурацию ниже.

set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2

Вот как выглядят логи kmd.

[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul  9 13:56:40]Construction NHTB payload for  local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul  9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul  9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul  9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul  9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul  9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul  9 13:56:40]   P2 ed info: flags 0x82, P2 error: Error ok
[Jul  9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul  9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist

Как я уже сказал, он работает отлично, пока нет трафика, и я не знаю, что еще попробовать.

Заранее спасибо!

Эта проблема звучит как проблема, с которой я столкнулся в туннеле IPSec VPN между Vyatta и Juniper SRX.

Вы пытались настроить в своем можжевельнике и в лазурном режиме обнаружение мертвого узла в конфигурации IKE на первом этапе согласования VPN?

В Juniper я знаю, что он включен по умолчанию, но, например, в Vyatta мне пришлось настраивать вручную, и это выглядит примерно так:

    ike-group <IKE-GROUP> {
        dead-peer-detection {
            action restart
            interval 15
            timeout 30
        }
        lifetime 3600
        proposal 1 {
            encryption aes256
            hash sha1
        }
        proposal 2 {
            encryption aes256
            hash sha1
        }
    }

Пожалуйста, дайте мне знать, работает ли это для вас.

Саул