Hi!
I just configured a site-to-site VPN. Both Phase 1 and Phase 2 are UP, but I cannot access any servers.
Does anyone have any tips to help me?
Thanks!
Source network: 192.168.4.0/23
Remote network: 10.2.18.0/23
VPN_name: VPN_Finep_Site_to_Site
VPN type: route-based
root@srx340> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5104053 UP f73f644ad894a834 1bd361ed45a68500 Main 200.155.97.50
root@srx340> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 8aeba4fb 1402/ unlim - root 500 200.155.97.50
>131073 ESP:aes-cbc-128/sha1 d3238517 1402/ unlim - root 500 200.155.97.50
root@srx340> show route
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:37:18
> to 177.19.201.113 via ge-0/0/0.0
[Static/7] 01:37:17
> to 201.48.222.193 via ge-0/0/1.0
10.2.18.0/23 *[Static/5] 00:37:05
> via st0.0
root@srx340> ping 10.2.18.1
PING 10.2.18.1 (10.2.18.1): 56 data bytes
###############################################################################
/* SRX340 security stanza carrying two IKEv1 route-based VPNs: VPN_Finep_Site_to_Site on st0.0
 * (placed in zone Internet) and VPN_Ultra_Site_to_Site on st0.1 (placed in zone Internal).
 * Both IKE and IPsec SAs for Finep are UP in the CLI output above, so key exchange is fine;
 * the most likely cause of "tunnel up, no traffic" is the interface source-NAT rule-set SNAT,
 * which also covers st0.0 because st0.0 is a member of zone Internet (see the notes at
 * nat/source/rule-set SNAT and at zones/security-zone Internet). */
security {
log {
/* Security log entries are emitted as events to the local event log. */
mode event;
}
ike {
/* Both phase-1 proposals are identical: PSK, DH group2 (1024-bit MODP), SHA-1, AES-256-CBC, 24h
 * lifetime. group2 and sha1 are considered weak by current guidance; prefer group14 or higher and
 * sha-256 when the remote side supports them. */
proposal VPN_Finep_Conf {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
}
proposal VPN_Ultra_Conf {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
}
policy ike_pol_VPN_Finep_Site_to_Site {
mode main;
proposals VPN_Finep_Conf;
/* NOTE(review): the "$9$..." form is Junos' reversible obfuscation, not a one-way hash. A key that
 * has been pasted into a public post must be treated as disclosed: agree a new PSK with the peer
 * and replace it here. The same applies to the VPN_Ultra policy below. */
pre-shared-key ascii-text "$9$ttaEOhyrlvX7VbsPQzF9CKMW8Ndbs2UikvM8X";
}
policy ike_pol_VPN_Ultra_Site_to_Site {
mode main;
proposals VPN_Ultra_Conf;
/* Disclosed in the same way as the Finep key above; rotate with the peer. */
pre-shared-key ascii-text "$9$YHg4JUDHmPTJZn/tpB1IRh";
}
/* Finep peer: IKEv1 main mode over the primary uplink. version v1-only means IKEv2 is never
 * negotiated even if the peer offers it. Phase 1 to 200.155.97.50 is shown UP above. */
gateway gw_VPN_Finep_Site_to_Site {
ike-policy ike_pol_VPN_Finep_Site_to_Site;
address 200.155.97.50;
external-interface ge-0/0/0.0;
version v1-only;
}
/* Ultra peer, same external interface and the same IKEv1-only restriction. */
gateway gw_VPN_Ultra_Site_to_Site {
ike-policy ike_pol_VPN_Ultra_Site_to_Site;
address 177.67.61.243;
external-interface ge-0/0/0.0;
version v1-only;
}
}
ipsec {
/* Finep phase 2: ESP, HMAC-SHA1-96, AES-128-CBC, 1h lifetime (phase 1 uses AES-256; the
 * mismatch is harmless but unusual). Matches the ESP:aes-cbc-128/sha1 SA in the output above. */
proposal VPN_Finep_Conf_Fase_2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
/* Ultra phase 2: as above but AES-256-CBC. */
proposal VPN_Ultra_Conf_Fase_2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
/* PFS with group2 on both tunnels; the group-strength remark from the IKE proposals applies. */
policy ipsec_pol_VPN_Finep_Site_to_Site {
perfect-forward-secrecy {
keys group2;
}
proposals VPN_Finep_Conf_Fase_2;
}
policy ipsec_pol_VPN_Ultra_Site_to_Site {
perfect-forward-secrecy {
keys group2;
}
proposals VPN_Ultra_Conf_Fase_2;
}
/* Route-based tunnel bound to st0.0. The proxy-identity pins the negotiated selectors to
 * 192.168.4.0/23 <-> 10.2.18.0/23, so packets must enter st0.0 with an untranslated
 * 192.168.4.0/23 source; a source-NATed packet would not match what was negotiated with the peer. */
vpn VPN_Finep_Site_to_Site {
bind-interface st0.0;
ike {
gateway gw_VPN_Finep_Site_to_Site;
proxy-identity {
local 192.168.4.0/23;
remote 10.2.18.0/23;
service any;
}
ipsec-policy ipsec_pol_VPN_Finep_Site_to_Site;
}
establish-tunnels immediately;
}
/* Route-based tunnel bound to st0.1. No proxy-identity is set, so presumably the default any/any
 * selectors are negotiated — confirm against what the Ultra peer expects. */
vpn VPN_Ultra_Site_to_Site {
bind-interface st0.1;
ike {
gateway gw_VPN_Ultra_Site_to_Site;
ipsec-policy ipsec_pol_VPN_Ultra_Site_to_Site;
}
establish-tunnels immediately;
}
}
nat {
source {
/* Four-address pool (192.168.58.40/30) used by rule-set 2 below. */
pool 2 {
address {
192.168.58.40/30;
}
}
/* NOTE(review): likely cause of the reported failure. st0.0 is a member of zone Internet (see
 * zones below) and 10.2.18.0/23 is routed via st0.0, so Internal -> Finep traffic matches this
 * Internal->Internet rule-set and is source-NATed to the egress interface before it enters the
 * tunnel. st0.0 has no address (interfaces st0 unit 0 is family inet only), so there is nothing
 * to translate to, and even with an address the translated source would no longer match the
 * 192.168.4.0/23 proxy-identity. */
rule-set SNAT {
from zone [ Internal Rede_Visitante ];
to zone Internet;
/* Suggested fix: insert a rule ahead of rule 1 that matches destination-address 10.2.18.0/23
 * with `then { source-nat { off; } }` (rule order within a rule-set is significant), or move
 * st0.0 into a dedicated zone — together with its address-book entry and the two Finep policies —
 * so this rule-set no longer applies to tunnel traffic. */
rule 1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
/* Pool-based SNAT toward the 172.20.x destinations. The /32 routes to 172.20.120.51/62/73 point
 * at st0.1, which is in zone Internal, so the egress zone for them is never Internet and this
 * rule-set appears not to be used for that VPN; verify with `show security flow session`. */
rule-set 2 {
from zone Internal;
to zone Internet;
rule 2 {
match {
source-address 0.0.0.0/0;
destination-address [ 172.20.62.0/23 172.20.120.51/32 172.20.120.62/32 172.20.120.73/32 ];
}
then {
source-nat {
pool {
2;
}
}
}
}
}
}
}
policies {
/* Internal -> Internet (which, because st0.0 lives in zone Internet, also governs traffic into the
 * Finep tunnel). Policies are evaluated in order; the VPN pair is permitted first and an explicit
 * deny closes the context. */
from-zone Internal to-zone Internet {
policy policy_out_VPN_Finep_Site_to_Site {
match {
source-address addr_192_168_4_0_23;
destination-address addr_10_2_18_0_23;
application any;
source-identity any;
}
then {
permit;
}
}
/* Named LAN hosts get unrestricted Internet; everyone else falls through to the deny below. */
policy Acesso_Internet_Full {
match {
source-address [ PC_Daniel_Batista PC_Ricardo_Rodrigues PC_Vitor_Abdalla WLRPROXY PC_Daniel_Urbano PC_Bruno_Petroveski NOT_Bruno_Petroveski ];
destination-address any;
application any;
}
then {
permit;
}
}
/* Opens any application from any internal host to the four VPN peers' public addresses. The SRX's
 * own IKE/ESP is self-originated traffic and is not evaluated against these policies, so this
 * permit is not needed for the tunnels themselves; review whether LAN hosts really require it. */
policy Internal-to-Internet_Services {
match {
source-address any;
destination-address [ VPN_Metro VPN_Finep VPN_APEX VPN_Hemobras ];
application any;
source-identity any;
}
then {
permit;
}
}
/* Explicit catch-all deny for the context. */
policy Internal-to-Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
/* Guest network: unrestricted outbound. */
from-zone Rede_Visitante to-zone Internet {
policy Acesso_Visitante {
match {
source-address any;
destination-address any;
application any;
source-identity any;
}
then {
permit;
}
}
}
/* Only the Finep subnet pair is allowed inbound from zone Internet; since st0.0 is in that zone this
 * is also the return path for the tunnel. Nothing else from the public uplinks is permitted here. */
from-zone Internet to-zone Internal {
policy policy_in_VPN_Finep_Site_to_Site {
match {
source-address addr_10_2_18_0_23;
destination-address addr_192_168_4_0_23;
application any;
source-identity any;
}
then {
permit;
}
}
}
/* Intra-zone policies for the Ultra VPN, needed because st0.1 sits in zone Internal (assuming the
 * default-policy, not shown here, is deny-all). Only the three /32 hosts are reachable either way. */
from-zone Internal to-zone Internal {
policy policy_out_VPN_Ultra_Site_to_Site {
match {
source-address addr_192_168_4_0_23;
destination-address [ addr_172_20_120_73_32 addr_172_20_120_62_32 addr_172_20_120_51_32 ];
application any;
}
then {
permit;
}
}
policy policy_in_VPN_Ultra_Site_to_Site {
match {
source-address [ addr_172_20_120_73_32 addr_172_20_120_62_32 addr_172_20_120_51_32 ];
destination-address addr_192_168_4_0_23;
application any;
}
then {
permit;
}
}
}
}
zones {
/* LAN zone: ge-0/0/2.0 (192.168.5.2/23, i.e. inside 192.168.4.0/23) plus the Ultra tunnel st0.1. */
security-zone Internal {
description "Rede Interna da Walar";
address-book {
address PC_Daniel_Batista 192.168.4.184/32;
address PC_Ricardo_Rodrigues 192.168.5.107/32;
address PC_Vitor_Abdalla 192.168.4.228/32;
address PC_Bruno_Petroveski 192.168.4.109/32;
address WLRPROXY 192.168.5.8/32;
address PC_Daniel_Urbano 192.168.4.158/32;
address addr_192_168_58_40_30 192.168.58.40/30;
address NOT_Bruno_Petroveski 192.168.5.198/32;
address addr_192_168_4_0_23 192.168.4.0/23;
address addr_172_20_120_73_32 172.20.120.73/32;
address addr_172_20_120_62_32 172.20.120.62/32;
address addr_172_20_120_51_32 172.20.120.51/32;
}
/* Zone-level "all" already covers every member interface; the per-interface block on ge-0/0/2.0
 * below repeats it and can be dropped. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
st0.1;
}
}
/* Public edge zone: both uplinks plus, unusually, the Finep tunnel interface st0.0. */
security-zone Internet {
description Internet;
address-book {
address VPN_Metro 200.144.30.90/32;
address VPN_Finep 200.155.97.50/32;
address VPN_APEX 200.0.35.212/32;
address VPN_Hemobras 177.52.19.227/32;
address addr_10_2_18_0_23 10.2.18.0/23;
}
/* NOTE(review): zone-level system-services all / protocols all applies to ge-0/0/0.0 and
 * ge-0/0/1.0, the two Internet-facing addresses, so every management service enabled under
 * [system services] and every routing protocol answers to the whole Internet. The VPNs need only
 * ike (and optionally ping) on the external interface; restrict the zone to those and keep
 * anything broader on the per-interface block for st0.0 if the tunnel side needs it. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
/* st0.0 sharing this zone with the uplinks is what drags tunnel traffic through rule-set SNAT.
 * A dedicated zone for st0.0, mirroring how st0.1 lives in Internal, keeps NAT and policy for
 * the tunnel separate from the Internet edge. */
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* Guest wifi on ge-0/0/3.0. "all" here exposes the SRX's management services to visitors;
 * dhcp and ping are usually all a guest segment needs. */
security-zone Rede_Visitante {
description "Rede para visitante - Internet";
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* Declared but empty: no interfaces, address-book or policies reference it. */
security-zone untrust;
}
}
/* Physical and tunnel interfaces. ge-0/0/0 and ge-0/0/1 are the two public uplinks used by the
 * default route and (ge-0/0/0 only) by both IKE gateways; ge-0/0/2 is the LAN, ge-0/0/3 the guest
 * wifi, fxp0 the management port, st0 the tunnel interfaces. */
interfaces {
/* Primary uplink and external-interface of both IKE gateways. */
ge-0/0/0 {
unit 0 {
family inet {
address 177.19.201.116/29;
}
}
}
/* Secondary uplink; its gateway is the preference-7 qualified-next-hop of the default route. */
ge-0/0/1 {
unit 0 {
family inet {
address 201.48.222.197/28;
}
}
}
/* LAN side. 192.168.5.2/23 lies inside 192.168.4.0/23, the local proxy-identity of the Finep VPN. */
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.5.2/23;
}
}
}
/* Guest wifi segment (zone Rede_Visitante). */
ge-0/0/3 {
unit 0 {
description "Rede Wifi Visitantes";
family inet {
address 192.168.2.1/24;
}
}
}
/* Management port. */
fxp0 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
/* Both tunnel units are unnumbered (family inet, no address). Two consequences: interface
 * source NAT applied on st0.0 has no address to translate to, and a `ping 10.2.18.1` issued from
 * the SRX CLI is unlikely to be sourced from 192.168.4.0/23 and so would not match the Finep
 * proxy-identity even once NAT is fixed — test from a LAN host, or from the CLI with
 * `ping 10.2.18.1 source 192.168.5.2`. */
st0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
}
}
}
/* Packet capture is explicitly disabled. */
forwarding-options {
packet-capture {
disable;
}
}
/* Static routing only. */
routing-options {
static {
/* Default route via ge-0/0/0's gateway at preference 5, with ge-0/0/1's gateway as a
 * qualified-next-hop at preference 7, i.e. a backup that is used only when the primary
 * next-hop is withdrawn. Both entries appear in the show route output above. */
route 0.0.0.0/0 {
next-hop 177.19.201.113;
qualified-next-hop 201.48.222.193 {
preference 7;
}
preference 5;
}
/* Finep remote network via the tunnel interface; show route above lists it as active, so the
 * route lookup is not where the reported failure lies. With st0.0 in zone Internet, the
 * Internal->Internet source-NAT rule-set SNAT is applied to this traffic and is the first thing
 * to check. */
route 10.2.18.0/23 next-hop st0.0;
/* Ultra hosts, one /32 each, via st0.1 (zone Internal, so no Internet-zone NAT applies). */
route 172.20.120.73/32 next-hop st0.1;
route 172.20.120.62/32 next-hop st0.1;
route 172.20.120.51/32 next-hop st0.1;
}
}