Как подключить сайт к сайту из Linux IPsec VPN через шлюз Juniper SRX (210, 240)?

Question

Прошло почти больше недели, но у меня, похоже, нет ответа на этот вопрос, и я не могу понять, как это решить:

Я использую Fedora/CentOS Linux и у меня настроен шлюз Juniper SRX210 как VPN-соединение IPsec между сайтами. Когда я пытаюсь подключить свой Linux-блок к Juniper, Juniper всегда показывает 0 туннелей вверх.

Цель состоит в том, чтобы сайт 4 (Fedora/CentOS) подключался к сайту 1:

Пожалуйста, найдите ниже мою конфигурацию для обоих концов:

1. Конфигурация можжевельника, подготовленная этим инструментом: http://www.juniper.net/customers/support/configtools/vpnconfig.html

Generated Configuration (Route-based):

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24

## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "__YouHackersStayAwayFromMyPassword__"

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.2
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0

## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit

2. Планирование конфигурации Fedora/CentOS:

    1) cat /etc/sysconfig/network-scripts/ifcfg-vpn
ONBOOT=yes
IKE_METHOD=PSK
DSTGW=10.2.2.1
SRCGW=10.2.3.1
DSTNET=10.2.2.0/24
SRCNET=10.2.3.1/24
DST=98.0.0.1
TYPE=IPSEC

    2) cat /etc/sysconfig/network-scripts/keys-vpn
    KEY_ESP=
    KEY_AH=
    IKE_PSK=__YouHackersStayAwayFromMyPassword__


    3) cat /etc/racoon/racoon.conf
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    path script "/etc/racoon/scripts";

    sainfo anonymous
    {
        #pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
    }

    include "/etc/racoon/98.0.0.1.conf";

    4) [root@example ~]# vim /etc/sysctl.conf 
    [root@example ~]# sysctl -p /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
    /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
    /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory

    [root@example ~]# ifup vpn
    RTNETLINK answers: No such process
    [root@example ~]# 

Тестирование:

[root@example ~]# ip route
98.0.0.0/24 dev em1  proto kernel  scope link  src 98.0.0.2  metric 1 
81.164.40.0/21 dev wlan0  proto kernel  scope link  src 81.164.44.90  metric 2 
default via 98.0.0.1 dev em1  proto static 

[root@example ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:19:b9:85:96:c5 brd ff:ff:ff:ff:ff:ff
    inet 98.0.0.2/24 brd 98.0.0.255 scope global em1
    inet6 fe80::219:b9ff:fe85:96c5/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:19:7e:a7:f8:76 brd ff:ff:ff:ff:ff:ff
    inet 81.164.44.90/21 brd 81.164.47.255 scope global wlan0
    inet6 fe80::219:7eff:fea7:f876/64 scope link 
       valid_lft forever preferred_lft forever
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff


[root@example ~]# ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_req=1 ttl=63 time=0.531 ms
64 bytes from 10.2.2.2: icmp_req=2 ttl=63 time=0.482 ms
^C
--- 10.2.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.482/0.506/0.531/0.033 ms
[root@example ~]# ping 98.0.0.1
PING 98.0.0.1 (98.0.0.1) 56(84) bytes of data.
64 bytes from 98.0.0.1: icmp_req=1 ttl=64 time=0.518 ms
^C
--- 98.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.518/0.518/0.518/0.000 ms


[root@example ~]# traceroute 98.0.0.1
traceroute to 98.0.0.1 (98.0.0.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
You have mail in /var/spool/mail/root

У кого-нибудь есть какие-либо идеи?