
Juniper SRX and Libreswan (and StrongSwan too)

The topic of IPsec comes up often in this blog, especially lately. That is no surprise: at work I regularly have to join various routers and VMs over IPsec (for example Mikrotik and libreswan, Mikrotik and Juniper, or Juniper and Cisco).

This time we'll try one more combination: a Juniper SRX and a Linux VM. As the IPsec daemon we'll use Libreswan and StrongSwan (whichever you prefer).

So, let's go!

First, let's configure our SRX. I'm using the latest available software from the 15.1X49 branch: JUNOS 15.1X49-D120.3. The reason is that the IKEv2 + traffic selectors combination doesn't work on older releases, and without IKEv2 I couldn't bring the tunnel up because of NAT. It is assumed that the SRX has a public static address.

set security ike policy IKE-NIXMAN mode main
set security ike policy IKE-NIXMAN proposals MD5-AES128-2-86400
set security ike policy IKE-NIXMAN pre-shared-key ascii-text "$9$vW38-wgoZk.569RclKx7.Pf5Q369tuBR/CX-b2JZfTzF9pEcyKWXRE87"
set security ike gateway GW-NIXMAN ike-policy IKE-NIXMAN
set security ike gateway GW-NIXMAN address 1.2.3.4
set security ike gateway GW-NIXMAN external-interface ge-0/0/0.0
set security ike gateway GW-NIXMAN version v2-only
set security ipsec vpn VPN-NIXMAN bind-interface st0.1
set security ipsec vpn VPN-NIXMAN ike gateway GW-NIXMAN
set security ipsec vpn VPN-NIXMAN ike ipsec-policy MD5-AES128-3600-2-policy
set security ipsec vpn VPN-NIXMAN traffic-selector TS-01 local-ip 10.0.0.0/8
set security ipsec vpn VPN-NIXMAN traffic-selector TS-01 remote-ip 172.16.43.254/32
set security ipsec vpn VPN-NIXMAN establish-tunnels immediately

set security ike proposal MD5-AES128-2-86400 description ike-phase1-proposal1
set security ike proposal MD5-AES128-2-86400 authentication-method pre-shared-keys
set security ike proposal MD5-AES128-2-86400 dh-group group2
set security ike proposal MD5-AES128-2-86400 authentication-algorithm md5
set security ike proposal MD5-AES128-2-86400 encryption-algorithm aes-128-cbc
set security ike proposal MD5-AES128-2-86400 lifetime-seconds 86400
set security ike policy IKE-NIXMAN proposals MD5-AES128-2-86400

set security ipsec proposal MD5-AES128-3600 description ipsec-phase2-proposal
set security ipsec proposal MD5-AES128-3600 protocol esp
set security ipsec proposal MD5-AES128-3600 authentication-algorithm hmac-md5-96
set security ipsec proposal MD5-AES128-3600 encryption-algorithm aes-128-cbc
set security ipsec proposal MD5-AES128-3600 lifetime-seconds 3600
set security ipsec policy MD5-AES128-3600-2-policy description ipsec-phase2-policy
set security ipsec policy MD5-AES128-3600-2-policy perfect-forward-secrecy keys group2
set security ipsec policy MD5-AES128-3600-2-policy proposals MD5-AES128-3600

Here 1.2.3.4 is the address of the remote peer,
10.0.0.0/8 is the network on our side,
172.16.43.254/32 is the network on the remote side.
Stronger encryption could be chosen, but here you have to take into account

The remote peer's configuration (in the libreswan case) is as follows (/etc/ipsec.d/nixman.conf):

conn srx
     authby=secret
     auto=start
     type=tunnel
     esp=aes128-md5;modp1024
     ike=aes128-md5;modp1024
     ikelifetime=86400s
     keylife=3600s
     rekey=no
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     fragmentation=yes
     ikev2=insist
     narrowing=yes
     leftid=1.2.3.4
     left=172.16.43.254
     leftsourceip=172.16.43.254
     right=4.3.2.1
     leftsubnet=172.16.43.254/32
     rightsubnet=10.0.0.0/8

Our VM sits behind NAT and has the address 172.16.43.254 (which is what we specify).
If the VM had a real public address, the config would look slightly different:

conn srx
     authby=secret
     auto=start
     type=tunnel
     esp=aes128-md5;modp1024
     ike=aes128-md5;modp1024
     ikelifetime=86400s
     keylife=3600s
     rekey=no
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     fragmentation=yes
     ikev2=insist
     narrowing=yes
     left=1.2.3.4
     right=4.3.2.1
     leftsubnet=172.16.43.254/32
     rightsubnet=10.0.0.0/8

In principle, in that case you don't even have to use IKEv2 (I enabled it simply because NAT-T didn't work for me with v1).

The /etc/ipsec.secrets file:

1.2.3.4 4.3.2.1 : PSK "VeRy$tR0nGp@s$w0rD"

And this is what the config looks like for StrongSwan (/etc/ipsec.d/nixman.conf):

config setup

conn %default
    keyexchange = ikev2
    authby = psk
    keyingtries = %forever
    ike = aes128-md5-modp1024!
    ikelifetime = 24h
    esp = aes128-md5-modp1024!
    keylife = 1h
    right = 4.3.2.1
    dpdaction = restart
    closeaction = restart
    rightsubnet = 10.0.0.0/8
    auto = start

conn ts-01
    leftsubnet = 172.16.43.254/32

/etc/ipsec.d/nixman.secret:

1.2.3.4 : PSK "VeRy$tR0nGp@s$w0rD"
4.3.2.1 : PSK "VeRy$tR0nGp@s$w0rD"

On a successful connection it should look like this:

admin@srx340-02> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address  
7937209 UP     8fb291a33b5bcbb4  742ad541fcbb8f2c  IKEv2          1.2.3.4

admin@srx340-02> show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway  
  <67108867 ESP:aes-cbc-128/md5 cd9e67ad 3169/ unlim - root 4500 1.2.3.4    
  >67108867 ESP:aes-cbc-128/md5 e57ed5c1 3169/ unlim - root 4500 1.2.3.4

and like this (example for libreswan):

root@server:~# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.43.254@4500
000 interface eth0/eth0 172.16.43.254@500
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.16, pluto_vendorid=OE-Libreswan-3.16
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=<unsupported>
000 myid = (none)
000 debug none
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000  
000 ESP algorithms supported:
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,201,64} trans={0,201,6144} attrs={0,201,4096}
000  
000 Connection list:
000  
000 "srx": 172.16.43.254/32===172.16.43.254<172.16.43.254>[1.2.3.4]...4.3.2.1<4.3.2.1>===10.0.0.0/8; prospective erouted; eroute owner: #0
000 "srx":     oriented; my_ip=unset; their_ip=unset
000 "srx":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "srx":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "srx":   labeled_ipsec:no;
000 "srx":   policy_label:unset;
000 "srx":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "srx":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "srx":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "srx":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "srx":   conn_prio: 32,8; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "srx":   dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "srx":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "srx":   IKE algorithms wanted: AES_CBC(7)_128-MD5(1)_000-MODP1024(2)
000 "srx":   IKE algorithms found:  AES_CBC(7)_128-MD5(1)_128-MODP1024(2)
000 "srx":   ESP algorithms wanted: AES(12)_128-MD5(1)_000; pfsgroup=MODP1024(2)
000 "srx":   ESP algorithms loaded: AES(12)_128-MD5(1)_000
000 "srx"[1]: 172.16.43.254<172.16.43.254>[1.2.3.4]...4.3.2.1<4.3.2.1>===10.0.0.0/8; erouted; eroute owner: #398
000 "srx"[1]:     oriented; my_ip=unset; their_ip=unset
000 "srx"[1]:   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "srx"[1]:   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "srx"[1]:   labeled_ipsec:no;
000 "srx"[1]:   policy_label:unset;
000 "srx"[1]:   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "srx"[1]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "srx"[1]:   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "srx"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "srx"[1]:   conn_prio: 32,8; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "srx"[1]:   dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "srx"[1]:   newest ISAKMP SA: #397; newest IPsec SA: #398;
000 "srx"[1]:   IKE algorithms wanted: AES_CBC(7)_128-MD5(1)_000-MODP1024(2)
000 "srx"[1]:   IKE algorithms found:  AES_CBC(7)_128-MD5(1)_128-MODP1024(2)
000 "srx"[1]:   IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_MD5_96-PRF_HMAC_MD5-MODP1024
000 "srx"[1]:   ESP algorithms wanted: AES(12)_128-MD5(1)_000; pfsgroup=MODP1024(2)
000 "srx"[1]:   ESP algorithms loaded: AES(12)_128-MD5(1)_000
000 "srx"[1]:   ESP algorithm newest: AES_128-HMAC_MD5; pfsgroup=MODP1024
000 "v6neighbor-hole-in": ::/0===::1<::1>:58/34560...%any:58/34816===::/0; prospective erouted; eroute owner: #0
000 "v6neighbor-hole-in":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-in":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "v6neighbor-hole-in":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "v6neighbor-hole-in":   labeled_ipsec:no;
000 "v6neighbor-hole-in":   policy_label:unset;
000 "v6neighbor-hole-in":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-in":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "v6neighbor-hole-in":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "v6neighbor-hole-in":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-in":   conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset; mark: unset;
000 "v6neighbor-hole-in":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "v6neighbor-hole-out": ::/0===::1<::1>:58/34816...%any:58/34560===::/0; prospective erouted; eroute owner: #0
000 "v6neighbor-hole-out":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-out":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "v6neighbor-hole-out":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "v6neighbor-hole-out":   labeled_ipsec:no;
000 "v6neighbor-hole-out":   policy_label:unset;
000 "v6neighbor-hole-out":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-out":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "v6neighbor-hole-out":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "v6neighbor-hole-out":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-out":   conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset; mark: unset;
000 "v6neighbor-hole-out":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000  
000 Total IPsec connections: loaded 4, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #398: "srx"[1] 4.3.2.1:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_EXPIRE in 2818s; newest IPSEC; eroute owner; isakmp#397; idle; import:respond to stranger
000 #398: "srx"[1] 4.3.2.1 esp.cd9e67ad@4.3.2.1 esp.e57ed5c1@172.16.43.254 tun.0@4.3.2.1 tun.0@172.16.43.254 ref=0 refhim=4294901761 Traffic: ESPin=33KB ESPout=304KB! ESPmax=0B
000 #397: "srx"[1] 4.3.2.1:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_EXPIRE in 85618s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #397: "srx"[1] 4.3.2.1 ref=0 refhim=0 Traffic:
000  
000 Bare Shunt list:
000
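
An added check, written for this post rather than taken from the original article or from Juniper or libreswan: it parses the two status outputs shown above (embedded below as constructed sample text) and confirms that both ends are describing the same SA pair, which is true only when the SPIs cross over (the SRX's inbound SPI cd9e67ad must be the one libreswan sends to 4.3.2.1, and vice versa). It then flags the negotiated primitives that should no longer be in use; MD5 integrity and DH group 2 (1024-bit MODP), used throughout this post, are both on that list. The deny-list, the function names and the `peer_ip` parameter are my assumptions.

```python
import re

# Constructed sample: the two SA lines the SRX printed above
# (`show security ipsec security-associations`). '<' is the SA the SRX
# decrypts on (inbound), '>' the one it encrypts on (outbound).
SRX_SA_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108867 ESP:aes-cbc-128/md5 cd9e67ad 3169/ unlim - root 4500 1.2.3.4
  >67108867 ESP:aes-cbc-128/md5 e57ed5c1 3169/ unlim - root 4500 1.2.3.4
"""

# Constructed sample: the two relevant lines from libreswan's `ipsec status`.
# libreswan prints esp.<spi>@<host>; the SPI "@peer" is the SA we send on.
LIBRESWAN_STATUS = """\
000 "srx"[1]:   ESP algorithm newest: AES_128-HMAC_MD5; pfsgroup=MODP1024
000 #398: "srx"[1] 4.3.2.1 esp.cd9e67ad@4.3.2.1 esp.e57ed5c1@172.16.43.254 tun.0@4.3.2.1 tun.0@172.16.43.254 ref=0 refhim=4294901761 Traffic: ESPin=33KB ESPout=304KB! ESPmax=0B
"""

# Primitives a tunnel should not be negotiating any more (this deny-list is
# an assumption of the example, not part of the post): MD5/SHA-1 integrity,
# 1024-bit or smaller MODP groups, DES/3DES.
WEAK_TOKENS = {"md5", "sha1", "modp1024", "modp768", "3des", "des"}

SRX_SA_RE = re.compile(r"^\s*([<>])\d+\s+ESP:(\S+)\s+([0-9a-f]{8})\s", re.M)
LSW_SPI_RE = re.compile(r"esp\.([0-9a-f]{8})@(\d+\.\d+\.\d+\.\d+)")
LSW_ALG_RE = re.compile(r"ESP algorithm newest: (\S+); pfsgroup=(\S+)")


def parse_srx(text):
    """Return {'in': spi, 'out': spi, 'alg': 'aes-cbc-128/md5'} for the SRX."""
    sas = {}
    for direction, alg, spi in SRX_SA_RE.findall(text):
        sas["in" if direction == "<" else "out"] = spi
        sas["alg"] = alg
    return sas


def parse_libreswan(text, peer_ip):
    """Return {'in', 'out', 'alg', 'pfs'} for libreswan, seen from libreswan.

    The SPI attached to the peer's address is our outbound SA (the peer chose
    that SPI and decrypts with it); the other one is our inbound SA.
    """
    sas = {}
    for spi, host in LSW_SPI_RE.findall(text):
        sas["out" if host == peer_ip else "in"] = spi
    m = LSW_ALG_RE.search(text)
    if m:
        sas["alg"], sas["pfs"] = m.group(1), m.group(2)
    return sas


def spis_match(srx, lsw):
    """Both ends describe the same SA pair iff the SPIs cross over."""
    return srx.get("in") == lsw.get("out") and srx.get("out") == lsw.get("in")


def weak_primitives(*alg_strings):
    """Sorted list of weak tokens found in any of the algorithm strings.

    Tokenises on non-alphanumerics so it works on the SRX form
    ('aes-cbc-128/md5'), the libreswan status form ('AES_128-HMAC_MD5',
    'MODP1024') and the ipsec.conf form ('aes128-md5;modp1024').
    """
    found = set()
    for s in alg_strings:
        found.update(t for t in re.split(r"[^a-z0-9]+", s.lower()) if t in WEAK_TOKENS)
    return sorted(found)


def check_tunnel(srx_text, lsw_text, peer_ip):
    """Combine both checks into one report dict."""
    srx = parse_srx(srx_text)
    lsw = parse_libreswan(lsw_text, peer_ip)
    return {
        "srx": srx,
        "libreswan": lsw,
        "spis_match": spis_match(srx, lsw),
        "weak": weak_primitives(srx.get("alg", ""), lsw.get("alg", ""), lsw.get("pfs", "")),
    }


if __name__ == "__main__":
    report = check_tunnel(SRX_SA_OUTPUT, LIBRESWAN_STATUS, peer_ip="4.3.2.1")
    print("SPIs match:", report["spis_match"])
    print("weak primitives negotiated:", report["weak"] or "none")
```

Paste fresh output of both commands into the two strings (or read them from files) and run it. If the SPIs do not cross over, the two outputs come from different SA generations (one side has rekeyed since the other was captured), which is worth knowing before blaming routing for dropped pings. On this post's tunnel the report flags md5 and modp1024; a libreswan proposal such as aes256-sha2_256;modp2048, with the matching AES-256 / SHA-256 / group 14 proposal on the SRX, passes the check.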

Finally, check that pings pass in both directions (don't forget the routes) and that the protected networks are reachable from both sides.

That's basically it =)
