
Juniper firewall: VPN on an untrust subinterface

Posted in: Technical 2009-02-10 7:07 Views: 1,198

With a policy-based VPN configured on both sides, traffic does not pass. The debug output is as follows:
****** 05955.0: <Trust/ethernet1> packet received [60]******
ipid = 4765(129d), @d7816110
packet passed sanity check.
ethernet1:1.1.1.93/7425->2.2.2.1/768,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 1.1.1.93->2.2.2.1) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (1.1.1.93->2.2.2.1) in vr trust-vr/0
packet dropped, no route
****** 05960.0: <Trust/ethernet1> packet received [60]******
ipid = 4766(129e), @d7816910
packet passed sanity check.
ethernet1:1.1.1.93/7681->2.2.2.1/768,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 1.1.1.93->2.2.2.1) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (1.1.1.93->2.2.2.1) in vr trust-vr/0
packet dropped, no route

The output above shows that in this case the firewall performs the route lookup first and, finding no route, never reaches the policy lookup step.

With a tunnel-interface (route-based) VPN on both sides, the VPN works. The debug output is as follows:
****** 11040.0: <Trust/ethernet1> packet received [60]******
ipid = 21354(536a), @d7812910
packet passed sanity check.
ethernet1:1.1.1.93/61956->2.2.2.1/768,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 1.1.1.93->2.2.2.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 16.route 2.2.2.1->2.2.2.1, to tunnel.1
routed (x_dst_ip 2.2.2.1) from ethernet1 (ethernet1 in 0) to tunnel.1
? policy search from zone 2-> zone 1
policy_flow_search? policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 2.2.2.1, port 22615, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
No src xlate NHTB entry search no found: vpn none tif tunnel.1 nexthop 2.2.2.1
choose interface tunnel.1 as outgoing phy if
no loop on ifp tunnel.1.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1>, out <tunnel.1>
existing vector list 5-66597e0.
Session (id:128058) created for first pak 5
flow_first_install_session======>
cache mac in the session
make_nsp_ready_no_resolve()
search route to (tunnel.1, 2.2.2.1->1.1.1.93) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1
[ Dest] 14.route 1.1.1.93->1.1.1.93, to ethernet1
route to 1.1.1.93
flow got session.
flow session id 128058
skipping pre-frag
going into tunnel 40000005.
flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000005
(vn2)? doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(557d210) into flush queue.
remove packet(557d210) out from flush queue.
**** jump to packet:30.0.0.1->30.0.0.254
out encryption tunnel 40000005 gw:30.0.0.254
no more encapping needed
send out through normal path.
flow_ip_send: 55f7:30.0.0.1->30.0.0.254,50 => ethernet3.3(112) flag 0x0, vlan 30
mac 001bc05dbc06 in session
packet send out to 001bc05dbc06 through ethernet3.3
**** pak processing end.

Conclusion: a firewall that uses an untrust subinterface as its VPN interface must use a tunnel-interface (route-based) VPN; the peer may use a policy-based VPN.
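As an added example (not part of the original post), here is a small Python parser for the ScreenOS "debug flow basic" output shown above. It records, per packet, how far flow processing got, so that a "no route" drop (policy never consulted) is distinguished from a flow that was routed into tunnel.1, permitted by policy and encrypted. The function names parse_debug_flow and stage are my own; the sample input is trimmed from the two captures on this page.

```python
# Added example: parse ScreenOS "debug flow basic" output, one record per packet.
import re

PKT = re.compile(r"^\*{6} (\d+\.\d+): <\S+> packet received")
HDR = re.compile(r"^\S+:(\S+)/\d+->(\S+)/\d+,\d+")
NOROUTE = re.compile(r"^no route to \(\S+->(\S+)\) in vr (\S+)")
ROUTED = re.compile(r"^routed \(x_dst_ip \S+\) from \S+ \(.*\) to (\S+)")
POLICY = re.compile(r"^Permitted by policy (\d+)")
TUNNEL = re.compile(r"^going into tunnel (\w+)\.")

def parse_debug_flow(text: str) -> list[dict]:
    """One dict per packet; egress/policy/tunnel stay None for stages never reached."""
    out, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := PKT.match(line):
            cur = dict(stamp=m.group(1), flow=None, egress=None,
                       policy=None, tunnel=None, drop=None)
            out.append(cur)
        elif cur is None:
            continue
        elif m := HDR.match(line):
            cur["flow"] = f"{m.group(1)}->{m.group(2)}"
        elif m := NOROUTE.match(line):   # route lookup failed: flow ends here
            cur["drop"] = f"no route to {m.group(1)} in vr {m.group(2)}"
        elif m := ROUTED.match(line):    # route lookup picked an egress interface
            cur["egress"] = m.group(1)
        elif m := POLICY.match(line):    # policy search ran and permitted the flow
            cur["policy"] = int(m.group(1))
        elif m := TUNNEL.match(line):    # packet handed to IPsec for encryption
            cur["tunnel"] = m.group(1)
    return out

def stage(v: dict) -> str:
    """Routing precedes policy: a routing drop means no policy (or policy VPN) ran."""
    if v["drop"]:
        return f"{v['flow']}: dropped at routing ({v['drop']}); policy not consulted"
    return f"{v['flow']}: routed to {v['egress']}, policy {v['policy']}, tunnel {v['tunnel']}"

# Constructed sample: the decisive lines from the two captures on this page.
SAMPLE = """\
****** 05955.0: <Trust/ethernet1> packet received [60]******
ethernet1:1.1.1.93/7425->2.2.2.1/768,1(8/0)<Root>
no route to (1.1.1.93->2.2.2.1) in vr trust-vr/0
****** 11040.0: <Trust/ethernet1> packet received [60]******
ethernet1:1.1.1.93/61956->2.2.2.1/768,1(8/0)<Root>
routed (x_dst_ip 2.2.2.1) from ethernet1 (ethernet1 in 0) to tunnel.1
Permitted by policy 1
going into tunnel 40000005.
"""
```

Running `for v in parse_debug_flow(SAMPLE): print(stage(v))` prints one line per packet: the first is dropped at routing with the policy never consulted, the second is routed to tunnel.1, permitted by policy 1 and sent into tunnel 40000005.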

Configuration: see the attachment netscreen.zip (2KB).