Following the recent Fortigate post, here are some notes on troubleshooting a VPN on an SRX, kindly provided by @kazubu.
I'm still not at all used to JUNOS, so please forgive the rough notes...
Documentation
- About VPN devices and IPsec/IKE parameters for site-to-site VPN gateway connections
  https://docs.microsoft.com/ja-jp/azure/vpn-gateway/vpn-gateway-about-vpn-devices
- Configuring a site-to-site VPN connection between a Juniper SRX and a Microsoft Azure virtual network
  https://www.juniper.net/jp/jp/local/pdf/implementation-guides/SRX-AzureVPN-v3.pdf
- IPSEC VPN
  https://www.juniper.net/assets/jp/jp/local/pdf/others/ipsec-vpn.pdf
Configuration steps
It connected by following the Japanese PDF almost step for step, so I'll skip that here. (I think there was one typo somewhere, but I forgot where.)
The Azure-side steps are written for the old portal, so refer to the MS documentation for the details.
Clearing the VPN tunnel
// Careful: if peer-address is omitted, ALL SAs are cleared (connections to other sites drop too)
clear security ipsec security-associations aa.aa.aa.aa
clear security ike security-associations aa.aa.aa.aa
Packet capture
To be checked later.
Checking the VPN tunnel
Confirm that the SAs are established.
> show security ipsec statistics
ESP Statistics:                 // If connected, packets are being counted here
  Encrypted bytes:            1976
  Decrypted bytes:         1924704
  Encrypted packets:            13
  Decrypted packets:         60147
AH Statistics:
  Input bytes:                   0
  Output bytes:                  0
  Input packets:                 0
  Output packets:                0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
5870219 UP     a2a4867ce688050e  162df6175e622dbc  IKEv2  aa.aa.aa.aa

> show security ike security-associations detail
IKE peer aa.aa.aa.aa, Index 5870219, Gateway Name: azure-gw
  Role: Responder, State: UP
  Initiator cookie: a2a4867ce688050e, Responder cookie: 162df6175e622dbc
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: jj.jj.jj.jj:500, Remote: aa.aa.aa.aa:500
  Lifetime: Expires in 8440 seconds
  Peer ike-id: aa.aa.aa.aa
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :               771724
   Output bytes  :               771612
   Input  packets:                10141
   Output packets:                10141
  IPSec security associations: 14 created, 7 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: jj.jj.jj.jj:500, Remote: aa.aa.aa.aa:500
    Local identity: jj.jj.jj.jj
    Remote identity: aa.aa.aa.aa
    Flags: IKE SA is created

> show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm               SPI       Life:sec/kb  Mon lsys  Port  Gateway
  <131073 ESP:aes-cbc-256/sha1    88bad682  3186/ unlim  -   root  500   aa.aa.aa.aa
  >131073 ESP:aes-cbc-256/sha1    eaaf6166  3186/ unlim  -   root  500   aa.aa.aa.aa

> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: azure-vpn
  Local Gateway: jj.jj.jj.jj, Remote Gateway: aa.aa.aa.aa
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 415, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Jan 19 2018 07:50:57: IPSec SA rekey successfully completed (25 times)
    Fri Jan 19 2018 02:21:10: IKE SA rekey successfully completed (2 times)
    Thu Jan 18 2018 11:09:06: IPSec SA negotiation successfully completed (1 times)
    Thu Jan 18 2018 11:09:06: IKE SA negotiation successfully completed (1 times)
    Thu Jan 18 2018 11:08:37: IPSec SAs cleared as corresponding IKE SA deleted (1 times)
    Thu Jan 18 2018 10:27:52: IPSec SA rekey successfully completed (31 times)
    Thu Jan 18 2018 07:36:23: IKE SA rekey successfully completed (3 times)
    Wed Jan 17 2018 08:48:20: IPSec SA negotiation successfully completed (1 times)
    Wed Jan 17 2018 08:48:20: IKE SA negotiation successfully completed (1 times)
    Wed Jan 17 2018 08:48:17: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Wed Jan 17 2018 08:15:29: IPSec SA rekey successfully completed (72 times)
    Wed Jan 17 2018 01:53:22: IKE SA rekey successfully completed (7 times)
    Sun Jan 14 2018 20:41:14: IPSec SA negotiation successfully completed (1 times)
    Sun Jan 14 2018 20:41:14: IKE SA negotiation successfully completed (1 times)
    Sun Jan 14 2018 19:10:02: IKE SA rekey successfully completed (2 times)
    Sun Jan 14 2018 03:58:00: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: 72332189, AUX-SPI: 0
    Hard lifetime: Expires in 2815 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2204 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: e7bae17a, AUX-SPI: 0
    Hard lifetime: Expires in 2815 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2204 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
Enabling debug logging
monitor start kmd
monitor stop kmd
show log kmd    // The log itself appears to be written to /var/log/kmd
PSK mismatch
[Jan 19 09:11:49]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 19 09:11:49]ikev2_decode_packet: [101cc00/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 19 09:11:49]ikev2_state_dispatch: [101cc00/1094c00] Responder side IKE_AUTH
[Jan 19 09:11:49]ikev2_reply_cb_shared_key_auth_verify: [101cc00/1094c00] Error: Auth payload contents does not match
[Jan 19 09:11:49]ikev2_state_error: [101cc00/1094c00] Negotiation failed because of error Authentication failed (24)
[Jan 19 09:11:49]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Authentication failed
[Jan 19 09:11:49]IPSec negotiation failed for SA-CFG azure-vpn for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2. status: Authentication failed
The log in the normal case is below. I suppose it's fine because there is no error around IKE_AUTH...?
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 20 04:03:02]ikev2_decode_packet: [ffd000/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 20 04:03:02]ikev2_state_dispatch: [ffd000/1094c00] Responder side IKE_AUTH
[Jan 20 04:03:02]ikev2_select_sa_reply: [1034400/1094c00] SA selected successfully
Proposal Mismatch
// Response received from Azure
[Jan 20 03:18:03]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 620 on IF
[Jan 20 03:18:03]ikev2_packet_st_input_get_or_create_sa: [fff400/0] No IKE SA for packet; requesting permission to create one.
[Jan 20 03:18:03]ikev2_decode_packet: [fff400/1094c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), Vid, Vid, Vid, Vid
[Jan 20 03:18:03]ikev2_state_dispatch: [fff400/1094c00] Responder side IKE_SA_INIT
// Proposal received from the Azure side
[Jan 20 03:18:03]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF
// Proposal on the SRX side
[Jan 20 03:18:03]Configured proposal is SA([0](id = 1) protocol = IKE (1), 3DES, HMAC-MD5-96, 1024 bit MODP, HMAC-MD5 PRF; )
// "No proposal chosen": the error is raised because the SRX and Azure proposals do not match
[Jan 20 03:18:03]P1 SA payload match failed for sa-cfg azure-vpn. Aborting negotiation local:jj.jj.jj.jj remote:aa.aa.aa.aa IKEv2.
[Jan 20 03:18:03]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 20 03:18:03]ikev2_select_sa_reply: [fff400/1094c00] Error: SA select failed: 14
[Jan 20 03:18:03]ikev2_state_error: [fff400/1094c00] Negotiation failed because of error No proposal chosen (14)
[Jan 20 03:18:03]IKE negotiation fail for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: No proposal chosen
[Jan 20 03:18:03]IKE SA delete called for p1 sa 5870294 (ref cnt 1) local:jj.jj.jj.jj, remote:aa.aa.aa.aa, IKEv2
[Jan 20 03:18:03]iked_pm_p1_sa_destroy: p1 sa 5870294 (ref cnt 0), waiting_for_del 0x0
The log in the normal case looked like the following.
// SRX sends a connection request (SA_INIT) to Azure
[Jan 20 04:02:37]ikev2_udp_send_packet: [1023400/1094c00] <-------- Sending packet - length = 76 VR id 0
[Jan 20 04:02:37]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 76 on IF
[Jan 20 04:02:37]ikev2_decode_packet: [1022c00/1094c00] Received packet: HDR
[Jan 20 04:02:37]ikev2_state_dispatch: [1022c00/1094c00] Initiator side INFORMATIONAL
[Jan 20 04:02:37]iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 5870425, ref cnt 2, status: Error ok
[Jan 20 04:02:37]iked_pm_p1_sa_destroy: p1 sa 5870425 (ref cnt 0), waiting_for_del 0xd365a0
[Jan 20 04:02:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 620 on IF
[Jan 20 04:03:02]ikev2_packet_st_input_get_or_create_sa: [1029800/0] No IKE SA for packet; requesting permission to create one.
[Jan 20 04:03:02]ikev2_decode_packet: [1029800/1094c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), Vid, Vid, Vid, Vid
[Jan 20 04:03:02]ikev2_state_dispatch: [1029800/1094c00] Responder side IKE_SA_INIT
// Proposal received from the Azure side
[Jan 20 04:03:02]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF
// Proposal on the SRX side
[Jan 20 04:03:02]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )
// Proposals match
[Jan 20 04:03:02]ikev2_select_sa_reply: [1029800/1094c00] SA selected successfully
[Jan 20 04:03:02]ikev2_state_init_responder_in_end: [1029800/0] Send reply IKE_SA_INIT packet
[Jan 20 04:03:02]ikev2_udp_send_packet: [1031800/0] <-------- Sending packet - length = 346 VR id 0
[Jan 20 04:03:02]---------> Received from aa.aa.aa.aa:500 to jj.jj.jj.jj:0, VR 0, length 380 on IF
[Jan 20 04:03:02]ikev2_decode_packet: [ffd000/1094c00] Received packet: HDR, IDi, AUTH, SA, TSi, TSr
[Jan 20 04:03:02]ikev2_state_dispatch: [ffd000/1094c00] Responder side IKE_AUTH
[Jan 20 04:03:02]ikev2_select_sa_reply: [1034400/1094c00] SA selected successfully
[Jan 20 04:03:02]Construction NHTB payload for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 P1 SA index 5870426 sa-cfg azure-vpn
[Jan 20 04:03:02]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg azure-vpn, p1_sa=5870426
[Jan 20 04:03:02]iked_pm_ipsec_sa_install: local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 for SA-CFG azure-vpn, rekey-ikev2:no
[Jan 20 04:03:02]iked_pm_ipsec_sa_create: encr key len 32, auth key len: 20, salt len: 0
[Jan 20 04:03:02]Added (spi=0xe913e01d, protocol=ESP dst=jj.jj.jj.jj) entry to the peer hash table
[Jan 20 04:03:02]Added (spi=0x9a0dbe24, protocol=ESP dst=aa.aa.aa.aa) entry to the peer hash table
[Jan 20 04:03:02]iked_pm_ipsec_sa_install: NHTB add passed for sa-cfg azure-vpn
[Jan 20 04:03:02]Hardlife timer started for inbound azure-vpn with 3600 seconds/0 kilobytes
[Jan 20 04:03:02]Softlife timer started for inbound azure-vpn with 3025 seconds/0 kilobytes
[Jan 20 04:03:02]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xe913e01d
[Jan 20 04:03:02]Added dependency on SA config blob with tunnelid = 131073
[Jan 20 04:03:02]Successfully added ipsec SA PAIR
[Jan 20 04:03:02]iked_pm_ike_sa_done: local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2
[Jan 20 04:03:02]IKE negotiation done for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2 with status: Error ok
[Jan 20 04:03:02]IPSec negotiation done successfully for SA-CFG azure-vpn for local:jj.jj.jj.jj, remote:aa.aa.aa.aa IKEv2
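As an added example (not part of the original post), here is a small Python triage helper for kmd excerpts like the ones in the PSK mismatch and Proposal Mismatch sections above: it pulls out the "Negotiation failed" reason and compares the peer's proposals with the configured one as order-independent transform sets, so a reordered but equivalent proposal still counts as a match. The embedded log excerpts are constructed from the lines shown on this page, and the error-to-cause mapping is my own assumption, not Junos output.

```python
import re

# Constructed kmd log excerpts, modelled on the failure and success cases shown above.
KMD_PROPOSAL_MISMATCH = """\
[Jan 20 03:18:03]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF
[Jan 20 03:18:03]Configured proposal is SA([0](id = 1) protocol = IKE (1), 3DES, HMAC-MD5-96, 1024 bit MODP, HMAC-MD5 PRF; )
[Jan 20 03:18:03]ikev2_state_error: [fff400/1094c00] Negotiation failed because of error No proposal chosen (14)"""
KMD_PSK_MISMATCH = """\
[Jan 19 09:11:49]ikev2_reply_cb_shared_key_auth_verify: [101cc00/1094c00] Error: Auth payload contents does not match
[Jan 19 09:11:49]ikev2_state_error: [101cc00/1094c00] Negotiation failed because of error Authentication failed (24)"""
KMD_OK = """\
[Jan 20 04:03:02]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1](id = 2) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF
[Jan 20 04:03:02]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )"""

PROPOSAL_RE = re.compile(r"(Peer's proposed IKE SA payload is|Configured proposal is) SA\((.*)$")
ERROR_RE = re.compile(r"Negotiation failed because of error (.+?) \((\d+)\)")
PREFIX_RE = re.compile(r"^\[\d+\]\(id = \d+\) protocol = \w+ \(\d+\),\s*")  # strips "[0](id = 1) protocol = IKE (1), "
LIKELY_CAUSE = {"Authentication failed": "pre-shared key (or IKE identity) mismatch",  # assumed mapping
                "No proposal chosen": "IKE proposal mismatch between peer and SRX"}

def parse_proposals(sa_text):
    """Turn '[0](id = 1) protocol = IKE (1), A, B; [1] ...)' into a list of transform sets.
    Sets ignore transform order, so 'A, B, C' and 'B, C, A' compare equal."""
    proposals = []
    for chunk in sa_text.rstrip(")").split(";"):
        chunk = PREFIX_RE.sub("", chunk.strip())
        if chunk:
            proposals.append(frozenset(t.strip() for t in chunk.split(",") if t.strip()))
    return proposals

def triage_kmd(log_text):
    """Summarise a kmd excerpt: failure reason, likely cause, and which peer proposal the SRX would accept."""
    peer, configured, error = [], [], None
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            (peer if m.group(1).startswith("Peer") else configured).extend(parse_proposals(m.group(2)))
        e = ERROR_RE.search(line)
        if e:
            error = e.group(1)
    common = [p for p in peer if p in configured]  # exact transform-set match, order ignored
    return {"error": error,
            "likely_cause": LIKELY_CAUSE.get(error, "unknown" if error else "no failure logged"),
            "peer_proposals": peer, "configured_proposals": configured,
            "matching_proposal": common[0] if common else None}
```

Run it over the output of show log kmd after a failed negotiation; a missing matching_proposal with "No proposal chosen" points straight at the IKE proposal configuration rather than the PSK.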
As usual, for each vendor's device configuration and troubleshooting methods, check with the respective device vendor.
I'll add to this as the mood strikes.
Other
Logs can now be collected on the Azure VPN Gateway side as well, so see the following too.
How to debug when a VPN connection to Azure isn't working
Also, I went into more detail when I presented at Jazug Night, so please check slides p.64 - 73 below and the YouTube recording (1:03:36 - 1:18:50) as well.
2 comments for "Troubleshooting when the VPN between Azure VPN Gateway and SRX won't connect"