Configuring an IPsec VPN between a Juniper vSRX and CentOS 7 strongSwan (Juniper Networks)

Reader submission | 596 | 2022-10-11



Test topology:

PC--172.16.43.254---------------------------------172.16.43.1--CentOS 7--10.0.29.101-------------------------10.0.29.15---vSRX---10.0.0.1

Test configuration

vSRX:

```
root@srx-05# show security ike | display set
set security ike proposal MD5-AES128-2-86400 description ike-phase1-proposal1
set security ike proposal MD5-AES128-2-86400 authentication-method pre-shared-keys
set security ike proposal MD5-AES128-2-86400 dh-group group2
set security ike proposal MD5-AES128-2-86400 authentication-algorithm md5
set security ike proposal MD5-AES128-2-86400 encryption-algorithm aes-128-cbc
set security ike proposal MD5-AES128-2-86400 lifetime-seconds 86400
set security ike policy IKE-NIXMAN mode main
set security ike policy IKE-NIXMAN proposals MD5-AES128-2-86400
set security ike policy IKE-NIXMAN pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn/p01RhrKM"
set security ike gateway GW-NIXMAN ike-policy IKE-NIXMAN
set security ike gateway GW-NIXMAN address 10.0.29.101
set security ike gateway GW-NIXMAN external-interface ge-0/0/0.0
set security ike gateway GW-NIXMAN version v2-only

[edit]
root@srx-05# show security ipsec | display set
set security ipsec proposal MD5-AES128-3600 description ipsec-phase2-proposal
set security ipsec proposal MD5-AES128-3600 protocol esp
set security ipsec proposal MD5-AES128-3600 authentication-algorithm hmac-md5-96
set security ipsec proposal MD5-AES128-3600 encryption-algorithm aes-128-cbc
set security ipsec proposal MD5-AES128-3600 lifetime-seconds 3600
set security ipsec policy MD5-AES128-3600-2-policy description ipsec-phase2-policy
set security ipsec policy MD5-AES128-3600-2-policy perfect-forward-secrecy keys group2
set security ipsec policy MD5-AES128-3600-2-policy proposals MD5-AES128-3600
set security ipsec vpn VPN-NIXMAN bind-interface st0.0
set security ipsec vpn VPN-NIXMAN ike gateway GW-NIXMAN
set security ipsec vpn VPN-NIXMAN ike proxy-identity local 10.0.0.0/8
set security ipsec vpn VPN-NIXMAN ike proxy-identity remote 172.16.43.254/32
set security ipsec vpn VPN-NIXMAN ike ipsec-policy MD5-AES128-3600-2-policy
set security ipsec vpn VPN-NIXMAN establish-tunnels immediately
```

```
[edit]
root@srx-05# show routing-options | display set
set routing-options static route 172.16.43.254/32 next-hop st0.0

[edit]
root@srx-05# show security policies | display set
set security policies from-zone trust to-zone test policy 1 match source-address any
set security policies from-zone trust to-zone test policy 1 match destination-address any
set security policies from-zone trust to-zone test policy 1 match application any
set security policies from-zone trust to-zone test policy 1 then permit
set security policies from-zone test to-zone trust policy 2 match source-address any
set security policies from-zone test to-zone trust policy 2 match destination-address any
set security policies from-zone test to-zone trust policy 2 match application any
set security policies from-zone test to-zone trust policy 2 then permit

set interfaces ge-0/0/0 unit 0 family inet address 10.0.29.15/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/24
set interfaces st0 unit 0 family inet

root@srx-05# show security zones | display set
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone test interfaces lo0.0 host-inbound-traffic system-services all
```

CentOS 7 configuration:

```
[root@localhost ~]# cd /etc/strongswan/
[root@localhost strongswan]# cat ipsec.conf
conn srx
    authby=secret
    auto=start
    type=tunnel
    esp=aes128-md5;modp1024
    ike=aes128-md5;modp1024
    ikelifetime=86400s
    keylife=3600s
    rekey=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    fragmentation=yes
    keyexchange=ikev2
    left=10.0.29.101
    right=10.0.29.15
    leftsubnet=172.16.43.254/32
    rightsubnet=10.0.0.0/8
```

```
[root@localhost strongswan]# cat ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
10.0.29.101 10.0.29.15 : PSK "juniper123"
```

After strongSwan is configured, restart the strongSwan service:

```
[root@localhost ~]# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.5.3 IPsec [starter]...
```
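Most failed negotiations between these two peers come from one side's proposal or traffic selectors not matching the other's. The following Python is an added example, not part of the original post or either vendor's tooling: it parses constructed excerpts of the vSRX `set` lines and the strongSwan `conn` block above and reports where they disagree. The name table only covers the algorithms and DH group used in this lab.

```python
SRX_SET = """\
set security ike proposal MD5-AES128-2-86400 dh-group group2
set security ike proposal MD5-AES128-2-86400 authentication-algorithm md5
set security ike proposal MD5-AES128-2-86400 encryption-algorithm aes-128-cbc
set security ike gateway GW-NIXMAN version v2-only
set security ipsec proposal MD5-AES128-3600 authentication-algorithm hmac-md5-96
set security ipsec proposal MD5-AES128-3600 encryption-algorithm aes-128-cbc
set security ipsec policy MD5-AES128-3600-2-policy perfect-forward-secrecy keys group2
set security ipsec vpn VPN-NIXMAN ike proxy-identity local 10.0.0.0/8
set security ipsec vpn VPN-NIXMAN ike proxy-identity remote 172.16.43.254/32
"""  # constructed excerpt of the vSRX config above (sample input)
SWAN_CONF = """\
conn srx
    esp=aes128-md5;modp1024
    ike=aes128-md5;modp1024
    keyexchange=ikev2
    leftsubnet=172.16.43.254/32
    rightsubnet=10.0.0.0/8
"""  # constructed excerpt of the ipsec.conf above (sample input)
# Junos algorithm and DH-group names in strongSwan's keyword spelling.
JUNOS_TO_SWAN = {"aes-128-cbc": "aes128", "md5": "md5", "hmac-md5-96": "md5", "group2": "modp1024"}
def parse_srx(text):
    """Map each 'set security <ike|ipsec> ...' line to its trailing keyword/value pair."""
    cfg = {"ike": {}, "ipsec": {}}
    for line in text.splitlines():
        p = line.split()
        if len(p) > 4 and p[:2] == ["set", "security"] and p[2] in cfg:
            cfg[p[2]][p[-2]] = p[-1]              # e.g. 'dh-group' -> 'group2'
    return cfg
def parse_swan(text):
    """Return the key=value settings of one conn block as a dict."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def srx_proposal(section, cfg):
    """Render the SRX IKE or IPsec proposal in strongSwan notation (enc-auth;group)."""
    s, m = cfg[section], JUNOS_TO_SWAN
    group = s["dh-group"] if section == "ike" else s["keys"]   # 'keys' = PFS group
    return "%s-%s;%s" % (m[s["encryption-algorithm"]], m[s["authentication-algorithm"]], m[group])

def mismatches(srx_text, swan_text):
    """Return human-readable differences; an empty list means both ends agree."""
    srx, swan = parse_srx(srx_text), parse_swan(swan_text)
    checks = [  # (what, SRX value, strongSwan value); traffic selectors are mirrored
        ("IKE proposal", srx_proposal("ike", srx), swan["ike"]),
        ("ESP proposal/PFS", srx_proposal("ipsec", srx), swan["esp"]),
        ("IKE version", srx["ike"]["version"], {"ikev1": "v1-only", "ikev2": "v2-only"}[swan["keyexchange"]]),
        ("local TS", srx["ipsec"]["local"], swan["rightsubnet"]),
        ("remote TS", srx["ipsec"]["remote"], swan["leftsubnet"]),
    ]
    return ["%s: SRX=%s strongSwan=%s" % c for c in checks if c[1] != c[2]]
```

Run `mismatches(SRX_SET, SWAN_CONF)` and an empty list confirms the two files describe the same tunnel; a production proposal (e.g. SHA-2 and a larger DH group) would need matching entries added to the name table.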

Verification

1. Check the VPN negotiation status

```
[edit]
root@srx-05# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
8269385  UP     ba65a90c63730f0c  0c278b1caba74ab1  IKEv2  10.0.29.101
8269386  UP     5de681ab32151814  09384775dc1a8155  IKEv2  10.0.29.101

[edit]
root@srx-05# run show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm              SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131074  ESP:aes-cbc-128/md5    881138d   3186/ unlim  -    root  500   10.0.29.101
  >131074  ESP:aes-cbc-128/md5    c29186db  3186/ unlim  -    root  500   10.0.29.101
```

```
[root@localhost ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.el7.x86_64, x86_64):
  uptime: 7 minutes, since Jan 10 16:52:47 2018
  malloc: sbrk 1622016, mmap 0, used 519424, free 1102592
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  192.168.31.129
  10.0.29.101
  172.16.43.1
Connections:
         srx:  10.0.29.101...10.0.29.15  IKEv2, dpddelay=30s
         srx:   local:  [10.0.29.101] uses pre-shared key authentication
         srx:   remote: [10.0.29.15] uses pre-shared key authentication
         srx:   child:  172.16.43.254/32 === 10.0.0.0/8 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
         srx[2]: ESTABLISHED 7 minutes ago, 10.0.29.101[10.0.29.101]...10.0.29.15[10.0.29.15]
         srx[2]: IKEv2 SPIs: ba65a90c63730f0c_i 0c278b1caba74ab1_r*, rekeying disabled
         srx[2]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
         srx[1]: ESTABLISHED 7 minutes ago, 10.0.29.101[10.0.29.101]...10.0.29.15[10.0.29.15]
         srx[1]: IKEv2 SPIs: 5de681ab32151814_i* 09384775dc1a8155_r, rekeying disabled
         srx[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
         srx{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c29186db_i 0881138d_o
         srx{2}:  AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying disabled
         srx{2}:   172.16.43.254/32 === 10.0.0.0/8
```

```
[edit]
root@srx-05# run show security flow session protocol esp
Session ID: 2776, Policy name: N/A, Timeout: N/A, Valid
  In: 10.0.29.101/2177 --> 10.0.29.15/5005;esp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 2777, Policy name: N/A, Timeout: N/A, Valid
  In: 10.0.29.101/0 --> 10.0.29.15/0;esp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 2
```

2. Enable IP forwarding between the CentOS 7 interfaces, then test reachability along the path shown in the topology above

```
[edit]
root@srx-05# run show security flow session protocol icmp
Session ID: 3739, Policy name: 1/4, Timeout: 2, Valid
  In: 172.16.43.254/261 --> 10.0.0.1/1;icmp, If: st0.0, Pkts: 1, Bytes: 60
  Out: 10.0.0.1/1 --> 172.16.43.254/261;icmp, If: .local..0, Pkts: 1, Bytes: 60

[edit]
root@srx-05# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            38264
  Decrypted bytes:             7848
  Encrypted packets:            265
  Decrypted packets:            112
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
```

