Test topology:
PC--172.16.43.254---------------------------------172.16.43.1--CentOS 7 -10.0.29.101-------------------------10.0.29.15---VSRX---10.0.0.1
Test configuration:
VSRX:
root@srx-05# show security ike | display set
set security ike proposal MD5-AES128-2-86400 description ike-phase1-proposal1
set security ike proposal MD5-AES128-2-86400 authentication-method pre-shared-keys
set security ike proposal MD5-AES128-2-86400 dh-group group2
set security ike proposal MD5-AES128-2-86400 authentication-algorithm md5
set security ike proposal MD5-AES128-2-86400 encryption-algorithm aes-128-cbc
set security ike proposal MD5-AES128-2-86400 lifetime-seconds 86400
set security ike policy IKE-NIXMAN mode main
set security ike policy IKE-NIXMAN proposals MD5-AES128-2-86400
set security ike policy IKE-NIXMAN pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn/p01RhrKM"
set security ike gateway GW-NIXMAN ike-policy IKE-NIXMAN
set security ike gateway GW-NIXMAN address 10.0.29.101
set security ike gateway GW-NIXMAN external-interface ge-0/0/0.0
set security ike gateway GW-NIXMAN version v2-only
[edit]
root@srx-05# show security ipsec | display set
set security ipsec proposal MD5-AES128-3600 description ipsec-phase2-proposal
set security ipsec proposal MD5-AES128-3600 protocol esp
set security ipsec proposal MD5-AES128-3600 authentication-algorithm hmac-md5-96
set security ipsec proposal MD5-AES128-3600 encryption-algorithm aes-128-cbc
set security ipsec proposal MD5-AES128-3600 lifetime-seconds 3600
set security ipsec policy MD5-AES128-3600-2-policy description ipsec-phase2-policy
set security ipsec policy MD5-AES128-3600-2-policy perfect-forward-secrecy keys group2
set security ipsec policy MD5-AES128-3600-2-policy proposals MD5-AES128-3600
set security ipsec vpn VPN-NIXMAN bind-interface st0.0
set security ipsec vpn VPN-NIXMAN ike gateway GW-NIXMAN
set security ipsec vpn VPN-NIXMAN ike proxy-identity local 10.0.0.0/8
set security ipsec vpn VPN-NIXMAN ike proxy-identity remote 172.16.43.254/32
set security ipsec vpn VPN-NIXMAN ike ipsec-policy MD5-AES128-3600-2-policy
set security ipsec vpn VPN-NIXMAN establish-tunnels immediately
[edit]
root@srx-05# show routing-options | display set
set routing-options static route 172.16.43.254/32 next-hop st0.0
[edit]
root@srx-05# show security policies | display set
set security policies from-zone trust to-zone test policy 1 match source-address any
set security policies from-zone trust to-zone test policy 1 match destination-address any
set security policies from-zone trust to-zone test policy 1 match application any
set security policies from-zone trust to-zone test policy 1 then permit
set security policies from-zone test to-zone trust policy 2 match source-address any
set security policies from-zone test to-zone trust policy 2 match destination-address any
set security policies from-zone test to-zone trust policy 2 match application any
set security policies from-zone test to-zone trust policy 2 then permit
set interfaces ge-0/0/0 unit 0 family inet address 10.0.29.15/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/24
set interfaces st0 unit 0 family inet
root@srx-05# show security zones | display set
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone test interfaces lo0.0 host-inbound-traffic system-services all
CentOS 7 configuration:
[root@localhost ~]# cd /etc/strongswan/
[root@localhost strongswan]# cat ipsec.conf
conn srx
authby=secret
auto=start
type=tunnel
esp=aes128-md5;modp1024
ike=aes128-md5;modp1024
ikelifetime=86400s
keylife=3600s
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
fragmentation=yes
keyexchange=ikev2
left=10.0.29.101
right=10.0.29.15
leftsubnet=172.16.43.254/32
rightsubnet=10.0.0.0/8
[root@localhost strongswan]# cat ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
10.0.29.101 10.0.29.15 : PSK "juniper123"
After configuring strongSwan, restart the strongSwan service. Two caveats about this configuration: MD5 integrity and DH group 2 (modp1024) are used here only because they match the SRX proposal above; both are deprecated, so a production tunnel should use SHA-256 and DH group 14 or higher on both peers. The PSK is stored in cleartext in ipsec.secrets, so that file must be readable by root only. Note also that dpdaction=clear closes the tunnel on a DPD timeout without re-establishing it; with auto=start you normally want dpdaction=restart so the CentOS side brings the tunnel back on its own.
[root@localhost ~]# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.5.3 IPsec [starter]…
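As an added example (not part of the original post), the following script audits an ipsec.conf for the legacy algorithms used in the test above and emits a copy of the conn with a single strict hardened proposal. The file path is the one used in the post; the conn name, the hardened values and the SRX set commands in the comment are assumptions about how you would harden both peers.

```sh
#!/bin/sh
# Added example, not from the original post: audit a strongSwan ipsec.conf for
# the legacy algorithms negotiated in the test above (MD5, DH group 2 = modp1024)
# and emit a copy of the conn with a hardened proposal. The file path is the
# one used in the post; the hardened values are assumptions.

# weak_algos FILE: print every ike=/esp= line carrying a deprecated algorithm.
# Exit status 0 when at least one weak line was found, 1 when the file is clean.
weak_algos() {
    grep -En '^[[:space:]]*(ike|esp)=' "$1" |
        grep -Ei 'md5|sha1|des|null|modp768|modp1024|modp1536'
}

# harden_conn FILE: rewrite the ike=/esp= lines with a single strict proposal
# (the trailing '!' tells strongSwan to accept nothing else). AES-256-CBC with
# HMAC-SHA-256 and DH group 14 corresponds on the SRX side to
#   set security ike proposal P encryption-algorithm aes-256-cbc
#   set security ike proposal P authentication-algorithm sha-256
#   set security ike proposal P dh-group group14
#   set security ipsec proposal Q encryption-algorithm aes-256-cbc
#   set security ipsec proposal Q authentication-algorithm hmac-sha-256-128
#   set security ipsec policy R perfect-forward-secrecy keys group14
harden_conn() {
    sed -E \
        -e 's/^([[:space:]]*)ike=.*/\1ike=aes256-sha256-modp2048!/' \
        -e 's/^([[:space:]]*)esp=.*/\1esp=aes256-sha256-modp2048!/' "$1"
}

# Only act when a file is given, e.g.  ./audit.sh /etc/strongswan/ipsec.conf
if [ $# -gt 0 ]; then
    if weak_algos "$1"; then
        echo "weak proposal found in $1; hardened version:" >&2
        harden_conn "$1"
    else
        echo "$1: no deprecated algorithms in ike=/esp=" >&2
    fi
fi
```

Run it against the live file before restarting strongSwan; the weak lines are printed with their line numbers, and the hardened copy goes to stdout so it can be diffed rather than blindly applied. Whatever you pick must be mirrored in the SRX proposals, otherwise IKE_SA_INIT fails with NO_PROPOSAL_CHOSEN.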
Test verification:
1. Check VPN negotiation status
Both peers list two IKE SAs with 10.0.29.101 because both sides initiated at the same time (the SRX has establish-tunnels immediately, strongSwan has auto=start). In the strongswan statusall output below the * marks the local SPI: srx[1] was initiated by CentOS and srx[2] by the SRX, and only srx[2] carries the CHILD SA.
[edit]
root@srx-05# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
8269385 UP ba65a90c63730f0c 0c278b1caba74ab1 IKEv2 10.0.29.101
8269386 UP 5de681ab32151814 09384775dc1a8155 IKEv2 10.0.29.101
[edit]
root@srx-05# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/md5 881138d 3186/ unlim - root 500 10.0.29.101
>131074 ESP:aes-cbc-128/md5 c29186db 3186/ unlim - root 500 10.0.29.101
[root@localhost ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.el7.x86_64, x86_64):
uptime: 7 minutes, since Jan 10 16:52:47 2018
malloc: sbrk 1622016, mmap 0, used 519424, free 1102592
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf
gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls
eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
192.168.31.129
10.0.29.101
172.16.43.1
Connections:
srx: 10.0.29.101...10.0.29.15 IKEv2, dpddelay=30s
srx: local: [10.0.29.101] uses pre-shared key authentication
srx: remote: [10.0.29.15] uses pre-shared key authentication
srx: child: 172.16.43.254/32 === 10.0.0.0/8 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
srx[2]: ESTABLISHED 7 minutes ago, 10.0.29.101[10.0.29.101]...10.0.29.15[10.0.29.15]
srx[2]: IKEv2 SPIs: ba65a90c63730f0c_i 0c278b1caba74ab1_r*, rekeying disabled
srx[2]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
srx[1]: ESTABLISHED 7 minutes ago, 10.0.29.101[10.0.29.101]...10.0.29.15[10.0.29.15]
srx[1]: IKEv2 SPIs: 5de681ab32151814_i* 09384775dc1a8155_r, rekeying disabled
srx[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
srx{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c29186db_i 0881138d_o
srx{2}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying disabled
srx{2}: 172.16.43.254/32 === 10.0.0.0/8
[edit]
root@srx-05# run show security flow session protocol esp
Session ID: 2776, Policy name: N/A, Timeout: N/A, Valid
In: 10.0.29.101/2177 --> 10.0.29.15/5005;esp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 2777, Policy name: N/A, Timeout: N/A, Valid
In: 10.0.29.101/0 --> 10.0.29.15/0;esp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 2
2. Enable IP forwarding between the CentOS 7 interfaces
Without it, packets from the PC (172.16.43.254) arriving on 172.16.43.1 are never handed to the IPsec policy; the PC also needs a route for 10.0.0.0/8 via 172.16.43.1. See the following link:
http://blog.csdn.net/hejun1218/article/details/73385678
3. Test connectivity (ping 10.0.0.1 from the PC)
[edit]
root@srx-05# run show security flow session protocol icmp
Session ID: 3739, Policy name: 1/4, Timeout: 2, Valid
In: 172.16.43.254/261 --> 10.0.0.1/1;icmp, If: st0.0, Pkts: 1, Bytes: 60
Out: 10.0.0.1/1 --> 172.16.43.254/261;icmp, If: .local..0, Pkts: 1, Bytes: 60
[edit]
root@srx-05# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 38264
Decrypted bytes: 7848
Encrypted packets: 265
Decrypted packets: 112
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0