※This probably only just manages to connect; the settings may be wrong (some of them are unnecessary, too)? It seems to depend on the software version.
★For some reason the VPN is unstable★
・Down/Up transitions occur at times other than the phase 2 lifetime expiry
・The Down state persists
・End-to-end ping loss occurs frequently (interval: 100 ms, timeout: 50 ms)
■Connection configuration (SRX)
●Tunnel interface configuration
set interfaces ge-0/0/0 unit 0 family inet address 198.168.0.254/24
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces st0.0
●IKE phase 1 - proposal configuration
set security ike proposal p1-ike-proposal authentication-method pre-shared-keys
set security ike proposal p1-ike-proposal authentication-algorithm sha1
set security ike proposal p1-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal p1-ike-proposal lifetime-seconds 28800
●IKE phase 1 - IKE policy configuration
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals p1-ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text 1234567890
●IKE phase 1 - IKE gateway configuration
set security ike gateway ike-gateway ike-policy ike-policy
set security ike gateway ike-gateway address 10.0.0.254
set security ike gateway ike-gateway nat-keepalive 5
set security ike gateway ike-gateway external-interface ge-0/0/0.0
●IKE phase 2 - proposal configuration
set security ipsec proposal p2-ipsec-proposal protocol esp
set security ipsec proposal p2-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal p2-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal p2-ipsec-proposal lifetime-seconds 3600
●IKE phase 2 - IPsec policy configuration
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy proposals p2-ipsec-proposal
set security ipsec vpn ipsec-vpn bind-interface st0.0
set security ipsec vpn ipsec-vpn ike gateway ike-gateway
set security ipsec vpn ipsec-vpn ike proxy-identity local 192.168.10.0/24
set security ipsec vpn ipsec-vpn ike proxy-identity remote 192.168.100.0/24
set security ipsec vpn ipsec-vpn ike ipsec-policy ipsec-policy
■VPN configuration (RTX1210)
ip lan1 address 192.168.100.1/24
ip lan1 secure filter in 11
ip lan1 secure filter out 10
ip lan3 address 10.0.0.254/24
ip lan3 secure filter in 11
ip lan3 secure filter out 10
tunnel select 1
ipsec tunnel 1
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike keepalive log 1 off
ipsec ike local id 1 192.168.100.0/24
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 *
ipsec ike remote address 1 10.0.0.2
ipsec ike remote id 1 192.168.10.0/24
ip tunnel secure filter in 10 11
ip tunnel tcp mss limit auto
tunnel enable 1
ip filter 10 pass-log * * * * *
ip filter 11 pass-log * * * * *
ipsec auto refresh on
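A practical way to chase the "Down state persists" symptom is to diff the two sides' IKE phase 1 / phase 2 parameters mechanically rather than by eye. The following Python script is an added example (not from the original post, nor Juniper's or Yamaha's code): it embeds the two configs shown above, normalises the RTX keywords onto Junos names with mapping tables that are this example's own assumptions (including that Junos defaults to dh-group group2 and the RTX to PFS off when the knob is unset), and reports every mismatch. Run against the configs as posted, it flags two: the SRX requires PFS group2 while the RTX config has no `ipsec ike pfs` line, and the posted SRX outside address (198.168.0.254) is not the address the RTX peers with (10.0.0.2).

```python
# Added example: cross-check IKE/IPsec parameters between a Junos SRX config
# (set commands) and a Yamaha RTX config.  The embedded configs are the ones
# from the post; mapping tables and defaults are this example's own assumptions.
import re
from ipaddress import ip_interface

SRX_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 198.168.0.254/24
set security ike proposal p1-ike-proposal authentication-algorithm sha1
set security ike proposal p1-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal p1-ike-proposal lifetime-seconds 28800
set security ike gateway ike-gateway external-interface ge-0/0/0.0
set security ipsec proposal p2-ipsec-proposal protocol esp
set security ipsec proposal p2-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal p2-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal p2-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-vpn ike proxy-identity local 192.168.10.0/24
set security ipsec vpn ipsec-vpn ike proxy-identity remote 192.168.100.0/24
"""

RTX_CONFIG = """\
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike local id 1 192.168.100.0/24
ipsec ike remote address 1 10.0.0.2
ipsec ike remote id 1 192.168.10.0/24
"""

# Assumed RTX keyword -> Junos name mappings (RTX "aes-cbc" is the 128-bit variant).
RTX_ENC = {"aes-cbc": "aes-128-cbc", "aes256-cbc": "aes-256-cbc", "3des-cbc": "3des-cbc"}
RTX_HASH = {"sha": "sha1", "sha256": "sha-256", "md5": "md5"}
RTX_SA_AUTH = {"sha-hmac": "hmac-sha1-96", "md5-hmac": "hmac-md5-96"}
RTX_DH = {"modp768": "group1", "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}
P1_KEYS = {"authentication-algorithm": "p1_hash", "encryption-algorithm": "p1_enc",
           "lifetime-seconds": "p1_life", "dh-group": "p1_dh"}
P2_KEYS = {"protocol": "p2_proto", "authentication-algorithm": "p2_auth",
           "encryption-algorithm": "p2_enc", "lifetime-seconds": "p2_life"}


def parse_srx(text):
    """Flatten Junos set commands into one parameter dict."""
    p = {"p1_dh": "group2", "pfs": "off"}   # assumed Junos defaults when the knob is unset
    ifaddr, ext_if = {}, None
    for line in text.splitlines():
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)", line):
            ifaddr[f"{m[1]}.{m[2]}"] = str(ip_interface(m[3]).ip)
        elif m := re.match(r"set security ike proposal \S+ (\S+) (\S+)", line):
            if m[1] in P1_KEYS:
                p[P1_KEYS[m[1]]] = m[2]
        elif m := re.match(r"set security ike gateway \S+ external-interface (\S+)", line):
            ext_if = m[1]
        elif m := re.match(r"set security ipsec proposal \S+ (\S+) (\S+)", line):
            if m[1] in P2_KEYS:
                p[P2_KEYS[m[1]]] = m[2]
        elif m := re.match(r"set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)", line):
            p["pfs"] = m[1]
        elif m := re.match(r"set security ipsec vpn \S+ ike proxy-identity (local|remote) (\S+)", line):
            p[m[1] + "_id"] = m[2]
    p["own_addr"] = ifaddr.get(ext_if)      # the address the peer has to dial
    return p


def parse_rtx(text, gw=1):
    """Collect the RTX parameters for gateway number gw into the same dict shape."""
    p, g = {"pfs": "off"}, str(gw)          # assumed RTX default: PFS off unless 'ipsec ike pfs N on'
    for line in text.splitlines():
        if m := re.match(rf"ipsec sa policy \d+ {g} esp (\S+) (\S+)", line):
            p.update(p2_proto="esp", p2_enc=RTX_ENC[m[1]], p2_auth=RTX_SA_AUTH[m[2]])
        elif m := re.match(rf"ipsec ike duration (ipsec-sa|isakmp-sa) {g} (\d+)", line):
            p["p2_life" if m[1] == "ipsec-sa" else "p1_life"] = m[2]
        elif m := re.match(rf"ipsec ike encryption {g} (\S+)", line):
            p["p1_enc"] = RTX_ENC[m[1]]
        elif m := re.match(rf"ipsec ike hash {g} (\S+)", line):
            p["p1_hash"] = RTX_HASH[m[1]]
        elif m := re.match(rf"ipsec ike group {g} (\S+)", line):
            p["p1_dh"] = RTX_DH[m[1]]
        elif re.match(rf"ipsec ike pfs {g} on", line):
            p["pfs"] = "on"
        elif m := re.match(rf"ipsec ike (local|remote) id {g} (\S+)", line):
            p[m[1] + "_id"] = m[2]
        elif m := re.match(rf"ipsec ike remote address {g} (\S+)", line):
            p["peer_addr"] = m[1]
    if p["pfs"] == "on":                    # RTX PFS reuses the phase 1 DH group
        p["pfs"] = p.get("p1_dh")
    return p


def compare(srx, rtx):
    """Return a list of mismatch strings; an empty list means both ends agree."""
    issues = []
    for key in ("p1_enc", "p1_hash", "p1_dh", "p1_life",
                "p2_proto", "p2_enc", "p2_auth", "p2_life", "pfs"):
        if srx.get(key) != rtx.get(key):
            issues.append(f"{key}: SRX={srx.get(key)} RTX={rtx.get(key)}")
    # Proxy-IDs must mirror each other: SRX local == RTX remote and vice versa.
    if srx.get("local_id") != rtx.get("remote_id") or srx.get("remote_id") != rtx.get("local_id"):
        issues.append(f"proxy-id: SRX {srx.get('local_id')}->{srx.get('remote_id')} "
                      f"RTX {rtx.get('local_id')}->{rtx.get('remote_id')}")
    # The address the RTX dials must be the SRX external-interface address.
    if srx.get("own_addr") != rtx.get("peer_addr"):
        issues.append(f"peer address: SRX external={srx.get('own_addr')} RTX remote={rtx.get('peer_addr')}")
    return issues


if __name__ == "__main__":
    for issue in compare(parse_srx(SRX_CONFIG), parse_rtx(RTX_CONFIG)) or ["no mismatches"]:
        print(issue)
```

To use it on your own devices, paste the `show configuration | display set` lines and the RTX `show config` lines into the two strings. The address check assumes the two routers dial each other directly; with NAT between them it would have to compare against the translated address instead.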
■Checking the connection status
●On the SRX
root> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7359950 UP 1ce6ea04fa777ca3 c9106613a67ef381 Main 10.0.0.254
root>
root> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 36363123 2837/ unlim U root 500 10.0.0.254
>131073 ESP:aes-cbc-128/sha1 92c89b70 2837/ unlim U root 500 10.0.0.254
root>
●On the YAMAHA RTX1210
> show ipsec sa
Total: isakmp:1 send:1 recv:1
sa sgw isakmp connection dir life[s] remote-id
----------------------------------------------------------------------------
3 1 - isakmp - 16177 10.0.0.2
4 1 3 tun[0001]esp send 2904 10.0.0.2
5 1 3 tun[0001]esp recv 2904 10.0.0.2
>
> show ipsec sa gateway 1 detail
SA[3] 寿命: 16165秒
自分側の識別子: 10.0.0.254
相手側の識別子: 10.0.0.2
プロトコル: IKE
アルゴリズム: AES-CBC, SHA-1, MODP 1024bit
NATトラバーサル: なし
SPI: 1c e6 ea 04 fa 77 7c a3 c9 10 66 13 a6 7e f3 81
鍵 : 60 d8 9a 71 fc 8a 30 31
----------------------------------------------------
SA[4] 寿命: 2892秒
自分側の識別子: 10.0.0.254
相手側の識別子: 10.0.0.2
送受信方向: 送信
プロトコル: ESP (モード: tunnel)
アルゴリズム: AES-CBC (認証: HMAC-SHA)
SPI: 36 36 31 23
鍵 : 9a 8b 20 91 b5 43 a5 c7 b1 b6 2d ad b9 2c f7 fe
----------------------------------------------------
SA[5] 寿命: 2892秒
自分側の識別子: 10.0.0.254
相手側の識別子: 10.0.0.2
送受信方向: 受信
プロトコル: ESP (モード: tunnel)
アルゴリズム: AES-CBC (認証: HMAC-SHA)
SPI: 92 c8 9b 70
鍵 : 28 95 27 d9 78 df 4a 1a a6 9f 3e 6e 4b a5 5e 06
----------------------------------------------------
>
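The two outputs above can be checked against each other: the SRX initiator and responder cookies concatenated should equal the SPI of the RTX IKE SA, every SRX inbound ESP SPI (`<`) should appear as an RTX send SA, and every outbound SPI (`>`) as an RTX recv SA. An SA that exists on only one end is the usual signature of the one-way ping loss described at the top of the post. The following Python script is an added example, not part of the post; it embeds the outputs shown above (key lines omitted) and its parsers and pairing logic are this example's own.

```python
# Added example: pair the SRX and RTX SA tables and report SAs that exist on
# one end only.  The embedded outputs are the ones from the post (key lines
# left out); the parsing and cross-check logic is this example's own.
import re

SRX_IKE_SA = """\
Index State Initiator cookie Responder cookie Mode Remote Address
7359950 UP 1ce6ea04fa777ca3 c9106613a67ef381 Main 10.0.0.254
"""

SRX_IPSEC_SA = """\
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 36363123 2837/ unlim U root 500 10.0.0.254
>131073 ESP:aes-cbc-128/sha1 92c89b70 2837/ unlim U root 500 10.0.0.254
"""

# RTX 'show ipsec sa gateway 1 detail' as printed by the router (Japanese labels).
RTX_SA_DETAIL = """\
SA[3] 寿命: 16165秒
自分側の識別子: 10.0.0.254
相手側の識別子: 10.0.0.2
プロトコル: IKE
アルゴリズム: AES-CBC, SHA-1, MODP 1024bit
SPI: 1c e6 ea 04 fa 77 7c a3 c9 10 66 13 a6 7e f3 81
----------------------------------------------------
SA[4] 寿命: 2892秒
送受信方向: 送信
プロトコル: ESP (モード: tunnel)
SPI: 36 36 31 23
----------------------------------------------------
SA[5] 寿命: 2892秒
送受信方向: 受信
プロトコル: ESP (モード: tunnel)
SPI: 92 c8 9b 70
----------------------------------------------------
"""


def parse_srx_ike(text):
    """Rows of 'show security ike security-associations'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)$", line)
        if m:
            rows.append({"index": m[1], "state": m[2], "cookies": m[3] + m[4],
                         "mode": m[5], "peer": m[6]})
    return rows


def parse_srx_ipsec(text):
    """Rows of 'show security ipsec security-associations'; '<' is inbound, '>' outbound."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/", line)
        if m:
            rows.append({"dir": "in" if m[1] == "<" else "out", "id": m[2],
                         "alg": m[3], "spi": m[4], "life": int(m[5])})
    return rows


def parse_rtx_detail(text):
    """One dict per SA[n] block; labels: 寿命 = lifetime, プロトコル = protocol,
    送受信方向 = direction (送信 = send, 受信 = receive)."""
    sas = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        m = re.search(r"SA\[(\d+)\]\s+寿命:\s*(\d+)秒", block)
        if not m:
            continue
        sa = {"id": m[1], "life": int(m[2])}
        sa["proto"] = re.search(r"プロトコル:\s*(\S+)", block)[1]
        d = re.search(r"送受信方向:\s*(送信|受信)", block)
        sa["dir"] = None if d is None else ("send" if d[1] == "送信" else "recv")
        sa["spi"] = "".join(re.search(r"SPI:\s*([0-9a-f ]+)", block)[1].split())
        sas.append(sa)
    return sas


def cross_check(srx_ike, srx_ipsec, rtx_sas):
    """Return findings; an empty list means every SA on one end has its mirror on the other."""
    issues = []
    rtx_ike = {sa["spi"] for sa in rtx_sas if sa["proto"] == "IKE"}
    for ike in srx_ike:
        if ike["state"] != "UP":
            issues.append(f"SRX IKE SA {ike['index']} is {ike['state']}")
        if ike["cookies"] not in rtx_ike:
            issues.append(f"SRX IKE cookies {ike['cookies']} not present as an RTX IKE SA")
    mirror = {"in": "send", "out": "recv"}     # SRX inbound <-> RTX send, outbound <-> recv
    rtx_esp = {(sa["dir"], sa["spi"]) for sa in rtx_sas if sa["proto"] == "ESP"}
    seen = set()
    for sa in srx_ipsec:
        key = (mirror[sa["dir"]], sa["spi"])
        if key in rtx_esp:
            seen.add(key)
        else:
            issues.append(f"SRX {sa['dir']}bound SPI {sa['spi']} has no RTX {key[0]} SA: "
                          f"traffic in that direction is dropped")
    for d, spi in sorted(rtx_esp - seen):
        issues.append(f"RTX {d} SA SPI {spi} has no SRX counterpart (stale SA)")
    return issues


def check_page_outputs():
    return cross_check(parse_srx_ike(SRX_IKE_SA), parse_srx_ipsec(SRX_IPSEC_SA),
                       parse_rtx_detail(RTX_SA_DETAIL))


if __name__ == "__main__":
    for issue in check_page_outputs() or ["all SAs are paired"]:
        print(issue)
```

On the outputs as posted the script reports nothing, which is consistent with the tunnel being up at the moment the snapshots were taken; the remaining lifetimes (2837 s vs. 2892 s) differ only because the two commands were run at different instants. The same pairing run right after a Down/Up event, or while pings are failing, is what shows whether a rekey left an SPI behind on one side.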