Juniper SRX IPSec tunnel to Microsoft Azure


I'm a bit puzzled and was hoping to find some guidance here.

I have set up an IPSec tunnel to Microsoft Azure from my Juniper SRX240 (12.1X44-D45.2). The tunnel works fine, but phase 2 drops when there is no traffic traversing the tunnel (no matter which side the traffic originates from).

I tried playing with DPD, but Azure does not support it. I also configured the VPN monitor towards a destination at the far end of the tunnel, but that did not work either. In my "show log kmd" I see P2 "No proposal chosen" messages after the drop occurs. I should add that phase 1 never drops.

That would be OK, but unfortunately I have to statically route the remote ranges through the tunnel, and since the tunnel does not have (and cannot have) an IP address, my next hop is st0.2. When phase 2 drops, so does the static route, and routing follows the next most specific route. So there is no way to bring the tunnel back up automatically at this point.

I would greatly appreciate any advice or assistance on the matter. I need the tunnel to stay up even when there is no traffic over it. Please see my configuration below.

set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL dh-group group2
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ike proposal IKE_PROPOSAL lifetime-seconds 28800
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL protocol esp
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set groups GENERIC_GROUP security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set groups GENERIC_GROUP security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set groups CUSTOMER_GROUP interfaces st0 unit 2 family inet
set groups CUSTOMER_GROUP security ike policy IKE_POLICY mode main
set groups CUSTOMER_GROUP security ike policy IKE_POLICY proposals IKE_PROPOSAL
set groups CUSTOMER_GROUP security ike policy IKE_POLICY pre-shared-key ascii-text omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY ike-policy IKE_POLICY
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY address omitted
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY external-interface vlan.457
set groups CUSTOMER_GROUP security ike gateway IKE_GATEWAY version v2-only
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN bind-interface st0.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor optimized
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN vpn-monitor destination-ip 192.168.183.2
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike gateway IKE_GATEWAY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POLICY
set groups CUSTOMER_GROUP security ipsec vpn IPSEC_VPN establish-tunnels immediately
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match source-address AZURE_ZONE-RANGE
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match destination-address CUSTOMER-PRIVATES
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow match application any
set groups CUSTOMER_GROUP security policies from-zone AZURE_ZONE to-zone CUSTOMER_TRUST policy default-allow then permit
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ike
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ssh
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services snmp
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services telnet
set groups CUSTOMER_GROUP security zones security-zone INTERNET interfaces vlan.457 host-inbound-traffic system-services ping
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE address-book address AZURE_ZONE-RANGE 192.168.183.0/24
set groups CUSTOMER_GROUP security zones security-zone AZURE_ZONE interfaces st0.2 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE1 10.0.0.0/8
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE2 172.16.0.0/12
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address CUSTOMER-PRIVATE-RANGE3 192.168.0.0/16
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE1
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE2
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST address-book address-set CUSTOMER-PRIVATES address CUSTOMER-PRIVATE-RANGE3
set groups CUSTOMER_GROUP security zones security-zone CUSTOMER_TRUST interfaces vlan.456 host-inbound-traffic system-services all
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.183.0/24 next-hop st0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 192.168.0.0/16 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 10.0.0.0/8 next-hop 172.31.0.2
set groups CUSTOMER_GROUP routing-instances CUSTOMER_GROUP routing-options static route 172.16.0.0/12 next-hop 172.31.0.2

This is what the kmd logs look like.

[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul  9 13:56:40]Construction NHTB payload for  local:1.1.1.1, remote:2.2.2.2 IKEv2 P1 SA index 1241218 sa-cfg IPSEC_VPN
[Jul  9 13:56:40]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg IPSEC_VPN
[Jul  9 13:56:40]ikev2_packet_allocate: Allocated packet db4000 from freelist
[Jul  9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul  9 13:56:40]ikev2_decode_packet: [db4000/dfe400] Received packet: HDR, N(NO_PROPOSAL_CHOSEN)
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul  9 13:56:40]ikev2_state_error: [db4000/dfe400] Negotiation failed because of error No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul  9 13:56:40]   P2 ed info: flags 0x82, P2 error: Error ok
[Jul  9 13:56:40]IPSec SA done callback with sa-cfg NULL in p2_ed. status: No proposal chosen
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4400 from freelist
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Setting ed pkt ctx from VR id 4 to VR id 4)
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
[Jul  9 13:56:42]ikev2_packet_allocate: Allocated packet db4800 from freelist
[Jul  9 13:56:43]ikev2_packet_allocate: Allocated packet db4c00 from freelist

As I said, it works perfectly until there is no traffic, and I have no idea what else to try.

Thanks in advance!

    
por Rudidl 09.07.2015 / 15:56
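A small detector for the failure pattern visible in those kmd lines, added here as an example and not part of the original post: it parses the log, pairs each "IPSec negotiation failed" line with the preceding IKEv2 error notify, and flags whether the error came from the CHILD_SA state machine (phase 2 only, IKE SA still intact), which is the symptom described in the question. The embedded sample is a constructed subset of the log lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the kmd lines quoted in the post above.
SAMPLE_KMD_LOG = """\
[Jul  9 13:56:40]Added (spi=0xffa48b1d, protocol=0) entry to the spi table
[Jul  9 13:56:40]Received authenticated notification payload No proposal chosen from local:1.1.1.1 remote:2.2.2.2 IKEv2 for P1 SA 1241218
[Jul  9 13:56:40]ikev2_state_child_initiator_in: [db4000/dfe400] Error: Mandatory payloads (SAr,Ni,TSi,TSr) missing
[Jul  9 13:56:40]ikev2_process_notify: [db4000/dfe400] Received error notify No proposal chosen (14)
[Jul  9 13:56:40]IPSec negotiation failed for SA-CFG IPSEC_VPN for local:1.1.1.1, remote:2.2.2.2 IKEv2. status: No proposal chosen
[Jul  9 13:56:42]ikev2_decode_packet: [db4400/dfe400] Received packet: HDR
"""

TS_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\](?P<msg>.*)$")
FAIL_RE = re.compile(
    r"IPSec negotiation failed for SA-CFG (?P<sa>\S+) for local:(?P<local>[^,]+), "
    r"remote:(?P<remote>\S+) (?P<ike>IKEv\d)\. status: (?P<status>.+)$"
)
NOTIFY_RE = re.compile(r"Received error notify (?P<name>.+?) \((?P<code>\d+)\)")
CHILD_RE = re.compile(r"ikev2_state_child_\w+: \[[0-9a-f]+/[0-9a-f]+\] Error")

def parse_kmd_failures(log_text):
    """One record per failed negotiation, tagged with the last IKEv2 error notify
    seen and whether the failing exchange was a CHILD_SA (phase 2) one."""
    failures, last_notify, child_sa_error = [], None, False
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue                       # not a timestamped kmd line
        ts, msg = m.group("ts"), m.group("msg")
        if CHILD_RE.search(msg):
            child_sa_error = True          # error raised inside the CHILD_SA state machine
        n = NOTIFY_RE.search(msg)
        if n:
            last_notify = (n.group("name"), int(n.group("code")))
        f = FAIL_RE.search(msg)
        if f:
            failures.append({
                "time": ts, "sa_cfg": f.group("sa"), "local": f.group("local"),
                "remote": f.group("remote"), "ike": f.group("ike"),
                "status": f.group("status"), "notify": last_notify,
                "phase2_only": child_sa_error,   # IKE SA survived, only the child SA failed
            })
            last_notify, child_sa_error = None, False   # reset per negotiation
    return failures

def count_by_peer(failures):
    """Counter keyed by (sa_cfg, remote, status); feed it to an alert threshold."""
    return Counter((f["sa_cfg"], f["remote"], f["status"]) for f in failures)
```

Run it over the output of "show log kmd" (or a syslog export of it) to get an alert the moment the child SA rekey fails instead of discovering it when the static route via st0.2 disappears.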

1 answer


This problem looks like a problem I had on an IPSec VPN tunnel between Vyatta and a Juniper SRX.

Have you tried configuring dead peer detection on your Juniper and on Azure, under the IKE configuration in the first phase of the VPN negotiation?

On Juniper I know it is enabled by default, but on Vyatta, for example, I had to configure it manually, and it looks something like this:

    ike-group <IKE-GROUP> {
        dead-peer-detection {
            action restart
            interval 15
            timeout 30
        }
        lifetime 3600
        proposal 1 {
            encryption aes256
            hash sha1
        }
        proposal 2 {
            encryption aes256
            hash sha1
        }
    }

Please let me know if it works for you.

Saul

    
por 27.06.2016 / 10:25