@cyxer

Почему не работает ospf маршрутизация через GRE/IPSEC в Juniper?

Добрый день. Настроил GRE между двумя Juniper SRX. IPsec и GRE поднимаются, трафик (по моим наблюдениям) шифруется. OSPF Hello-пакеты проходят, соседство устанавливается, маршруты в таблице есть, адреса туннеля пингуются. Но как только пытаюсь пинговать локальную сеть за вторым роутером — появляются потери. Помогите, пожалуйста.

6378f1d7d074a054016405.png

Конфиг на втором роутере аналогичный (зеркальные адреса).

## Last commit: 2022-11-19 14:46:22 UTC by root
## NOTE(review): config is committed as "root"; prefer a named login-class user so
## the interactive-commands log on ge-0/0/x actually attributes changes to a person.
version 20200319.130545_builder.r1095278;
system {
    root-authentication {
        ## NOTE(review): this is a sha512-crypt ($6$) hash of the root password pasted
        ## on a public forum. Treat it as compromised: rotate it and redact before posting.
        encrypted-password "$6$zthUz2jD$loeVj1tqVxoBdEgNcUAMBqfagMfp0buHnB/kABodRJlgZeyXEPVR5c99ivJutG7qGH3CyBXZp6B.9SLOP5byo0"; ## SECRET-DATA
    }
    services {
        ## NOTE(review): ssh is enabled with no "root-login deny" and no
        ## "connection-limit"/"rate-limit". Whether root can log in over ssh depends
        ## on the platform default — confirm with "show configuration system services ssh | display inheritance".
        ssh;
        web-management {
            http {
                ## Web UI bound to the management port only; good — keep it off ge-0/0/0.
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    ike {
        policy ike-1 {
            ## NOTE(review): "proposal-set compatible" is the legacy set (DES/3DES, MD5/SHA-1,
            ## DH group 2 as documented by Juniper). If both ends are SRX, define an explicit
            ## proposal (e.g. AES-256, SHA-256, DH group 14 or higher) instead.
            proposal-set compatible;
            ## NOTE(review): "$9$" is Junos' reversible obfuscation, not a hash — this line
            ## discloses the IKE pre-shared key. Change the PSK on both peers and redact it.
            pre-shared-key ascii-text "$9$rrdKLxwYgoZU-d"; ## SECRET-DATA
        }
        gateway gre-ike {
            ike-policy ike-1;
            ## Peer public address; it is also the GRE tunnel destination below.
            address 160.191.81.201;
            ## No "version v2-only": presumably IKEv1 main mode is negotiated — confirm with
            ## "show security ike security-associations".
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        policy ipsec-1 {
            proposal-set compatible;
        }
        vpn gre-vpn {
            ## Route-based VPN: only traffic ROUTED into st0.0 is encrypted.
            ## NOTE(review): nothing below routes the GRE outer packets (dst 160.191.81.201)
            ## into st0.0 — the only route to that address is the static default via
            ## 177.242.52.194 out ge-0/0/0. So the GRE tunnel most likely rides the
            ## internet in the clear next to the IPsec SA, not inside it. Either run OSPF
            ## directly over st0.0 (SRX supports p2p OSPF on st0, making gr-0/0/0 unnecessary)
            ## or give the GRE endpoints private addresses that are routed via st0.0.
            bind-interface st0.0;
            ike {
                gateway gre-ike;
                ipsec-policy ipsec-1;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ## Screen profile; note it is attached to zone "untrust", which currently contains
        ## no interfaces (see zones below), so it protects nothing.
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            ## NOTE(review): this rule-set matches trust -> untrust, but the internet-facing
            ## ge-0/0/0.0 is placed in zone "vpn" (not "untrust"), so internet-bound traffic
            ## is trust -> vpn and this interface-NAT rule never matches. Move ge-0/0/0.0 to
            ## zone untrust (it already allows ike) or change "to zone" here.
            rule-set rs1 {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        ## NOTE(review): LIKELY ROOT CAUSE of the LAN-to-LAN failure. The LANs are in zone
        ## "trust" (ge-0/0/1.0, ge-0/0/2.0) and the tunnel interfaces are in zone "vpn"
        ## (st0.0, gr-0/0/0.0), but there is NO policy from-zone trust to-zone vpn and NO
        ## policy from-zone vpn to-zone trust. Transit traffic between the LANs is therefore
        ## dropped by the implicit default deny. OSPF hellos and pings to the tunnel
        ## addresses still work because they are host-inbound (self) traffic, which is
        ## governed by host-inbound-traffic, not by policies. Add (and mirror on the peer):
        ##   from-zone trust to-zone vpn { policy lan-to-vpn { match { source-address any;
        ##     destination-address any; application any; } then { permit; } } }
        ##   from-zone vpn to-zone trust { policy vpn-to-lan { match { source-address any;
        ##     destination-address any; application any; } then { permit; } } }
        ## Tighten "any" to the actual LAN prefixes once it works. Verify with
        ## "show security flow session" / "show security policies hit-count".
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            ## NOTE(review): "internet-access" is identical to "default-permit" above and is
            ## evaluated after it, so it is shadowed and can never match — delete one of them.
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            ## Zone-level "all/all" is overridden on both member interfaces below, which
            ## only allow ping and ospf — so the zone-level "all" is effectively unused here.
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            ## No interfaces are assigned to this zone, so the screen and the ike allowance
            ## below are currently dead config. ge-0/0/0.0 belongs here.
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
        }
        security-zone vpn {
            ## NOTE(review): SECURITY ISSUE. This zone contains the public interface
            ## ge-0/0/0.0 and permits host-inbound "system-services all" and
            ## "protocols all" — i.e. ssh and every other management service plus all
            ## routing protocols are reachable from the internet on 177.242.52.193, with
            ## no screen attached. Move ge-0/0/0.0 to zone untrust and reduce this zone to
            ## what the tunnel needs (ping, ospf); "ike" is redundant once "all" is present
            ## and should be kept only on the zone that owns the external interface.
            ## If GRE stays, confirm whether inbound GRE (IP proto 47) to the tunnel
            ## source needs an untrust->vpn policy with application junos-gre on this
            ## release — check Juniper's GRE-on-SRX documentation for 20.x.
            host-inbound-traffic {
                system-services {
                    ike;
                    all;
                }
                protocols {
                    ospf;
                    all;
                }
            }
            interfaces {
                st0.0;
                ge-0/0/0.0;
                gr-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                ## Public WAN address (also the GRE tunnel source and IKE external interface).
                address 177.242.52.193/30;
            }
        }
    }
    gr-0/0/0 {
        unit 0 {
            ## Clears DF on the inner packet so oversized packets can be fragmented after
            ## encapsulation rather than dropped.
            clear-dont-fragment-bit;
            tunnel {
                ## Endpoints are the public addresses; see the note on "bind-interface st0.0"
                ## about this GRE not actually traversing the IPsec tunnel.
                source 177.242.52.193;
                destination 160.191.81.201;
                allow-fragmentation;
                path-mtu-discovery;
            }
            family inet {
                ## 1500 - 24 (IP+GRE) = 1476: correct for plain GRE. If the GRE is later
                ## carried inside IPsec as intended, the inner MTU must drop further
                ## (ESP/AES/SHA overhead); otherwise large LAN packets (not small pings)
                ## will show loss — worth testing with "ping size 1400 do-not-fragment".
                mtu 1476;
                ## NOTE(review): 172.18.18.1/30 is ALSO configured on st0.0 below. Two
                ## interfaces sharing one /30 makes the direct route to 172.18.18.2
                ## ambiguous; give each tunnel interface its own subnet (or drop one).
                address 172.18.18.1/30;
            }
            copy-tos-to-outer-ip-header;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                ## LAN-side p2p link (zone trust).
                address 10.10.1.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                ## LAN-side p2p link (zone trust).
                address 10.10.2.6/30;
            }
        }
    }
    fxp0 {
        unit 0;
    }
    st0 {
        unit 0 {
            family inet {
                ## Same /30 as gr-0/0/0.0 — see note there. st0.0 is not an OSPF interface,
                ## so nothing currently routes via it except the connected /30.
                address 172.18.18.1/30;
            }
        }
    }
}
policy-options {
    ## PO1: redistribute only the default route into OSPF (used as ospf export).
    policy-statement PO1 {
        term 1 {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
    }
    ## PO9 is defined but not referenced anywhere in this config — dead policy.
    policy-statement PO9 {
        term 1 {
            from protocol ospf;
            then accept;
        }
    }
}
protocols {
    ospf {
        ## NOTE(review): no OSPF authentication on any interface, including the tunnel;
        ## since the GRE appears to run unencrypted (see above), hellos and LSAs cross the
        ## internet in clear text and could be spoofed. Add "authentication md5" at minimum
        ## or move OSPF onto st0.0.
        area 0.0.0.3 {
            interface ge-0/0/1.0 {
                interface-type p2p;
            }
            interface ge-0/0/2.0 {
                interface-type p2p;
            }
            interface gr-0/0/0.0 {
                interface-type p2p;
            }
        }
        ## Exports 0/0 as an OSPF external route; both SRXs doing this will advertise a
        ## default to each other — harmless only while each keeps its own static default.
        export PO1;
    }
}
routing-options {
    static {
        ## Static default (preference 5) to the ISP next hop on ge-0/0/0.
        route 0.0.0.0/0 next-hop 177.242.52.194;
    }
    generate {
        defaults {
            preference 10;
        }
        ## Generated default at preference 10 is shadowed by the static default at 5;
        ## presumably meant as a fallback — confirm it is intentional.
        route 0.0.0.0/0;
    }
}