при настройке VPN туннеля между dfl 860 и Juniper 208Е
есть проблема туннель поднимается но адреса удалённой сети (10.10.1.0/24) не пингуется

настройки vpn :

lan_ip 192.168.15.253 IPAddress of interface lan
lannet 192.168.15.0/24 The network on interface lan
wan1_dns1 212.109.хх.хх Primary DNS server for interface wan1.
wan1_dns2 212.109.хх.хх Secondary DNS server for interface wan1.
wan1_gw 85.223.хх.хх Default gateway for interface wan1.
wan1_ip 85.223.хх.хх IPAddress of interface wan1
wan1net 255.255.255.0/24 The network on interface wan1
Remote_Net 10.10.1.0/24 remote network
RemoteGw 85.223.хх.хх remote gateway


ip rules :
VPN_Out Allow lan lannet Alba_15_tun Remote_Net all_services
2 VPN_In Allow Alba_15_tun Remote_Net lan lannet all_services

ike algoritms:
Al15tunnel 3DES, MD5

ipsec algoritms:
Al15tunnel 3DES, MD5

ipsec interfase:

general:
Name: Al_15_tun
Local Network: lannet
Remote Network: Remote_Net
Remote Endpoint: RemoteGw

Encapsulation Mode: tunnel

Algorithms

IKE Algorithms: Al_15_tun
IKE Life Time 28800 sec

IPsec Algorithms: Al_15_tun
IPsec Life Time 3600
IPsec Life Time 0

Authentication
Pre-shared Key

Pre-shared Key: Al_15_tun


IKE XAuth
off

Routing
Packet Sizes
Specify the size at which to fragment plaintext packets (rather than fragmenting IPsec).
Plaintext MTU: 1024

IP Addresses
IP address to use as source IP of the tunnel
Automatically pick the address of a local interface that corresponds to the local net

ike settings

IKE
Aggressive 2

Perfect Forward Secrecy

PFS

Security Association
Per Net


NAT Traversal

On if supported and NATed

Dead Peer Detection
Dead Peer Detection off

Keep-alive

Disabled

Automatic Route Creation

Automatically add route for remote network.

Add route for remote network on

Route Metric: 90


В логах следующее :

2009-11-25
15:34:09 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:34:07 Warning IPSEC
01800106


ike_invalid_payload
rev=1 local_ip=85.223.153.78 remote_ip=194.110.78.3 cookies= reason="IKE_INVALID_COOKIE"
2009-11-25
15:34:07 Info IPSEC
01802708


ike_sa_destroyed
ike_sa_killed
rev=1 ike_sa= Initiator SPI ESP=0x839674b7, AH=0x16fa05d7, IPComp=0xa6eba41
2009-11-25
15:34:07 Warning IPSEC
01802022


ike_sa_failed
no_ike_sa
rev=2 statusmsg="No proposal chosen" local_peer=85.223.153.78 ID No Id remote_peer=194.110.78.3 ID No Id initiator_spi=ESP=0x839674b7, AH=0x16fa05d7, IPComp=0xa6eb
2009-11-25
15:34:07 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:34:07 Warning IPSEC
01800107


ike_invalid_proposal
rev=1 local_ip=85.223.153.78 remote_ip=194.110.78.3 cookies=839674b716fa05d7a6eba411b765141c reason="Could not find acceptable proposal"
2009-11-25
15:34:07 Notice IPSEC
01802300


rule_selection_failed
rev=1 info=Peer IP address mismatch int_severity=6
2009-11-25
15:34:07 Info IPSEC
01803001


failed_to_select_policy_rule
rev=1
2009-11-25
15:34:07 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:34:06 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:34:05 Info IPSEC
01802708


ike_sa_destroyed
ike_sa_killed
rev=1 ike_sa= Initiator SPI ESP=0x7d09c819, AH=0x8fc235af, IPComp=0x84e6655
2009-11-25
15:34:05 Warning IPSEC
01802022


ike_sa_failed
no_ike_sa
rev=2 statusmsg="No proposal chosen" local_peer=85.223.153.78 ID No Id remote_peer=212.109.39.99 ID No Id initiator_spi=ESP=0x7d09c819, AH=0x8fc235af, IPComp=0x84e
2009-11-25
15:34:05 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:34:05 Warning IPSEC
01800107


ike_invalid_proposal
rev=1 local_ip=85.223.153.78 remote_ip=212.109.39.99 cookies=7d09c8198fc235af84e6655895b5b7df reason="Could not find acceptable proposal"
2009-11-25
15:34:05 Notice IPSEC
01802300


rule_selection_failed
rev=1 info=Peer IP address mismatch int_severity=6
2009-11-25
15:34:05 Info IPSEC
01803001


failed_to_select_policy_rule
rev=1
2009-11-25
15:34:05 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:34:04 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:34:03 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:34:01 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:34:00 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:34:00 Info IPSEC
01803021


ipsec_sa_statistics
rev=1 done=3758 success=3712 failed=46
2009-11-25
15:34:00 Info IPSEC
01802046


ipsec_sa_lifetime
rev=1 sec=3600
2009-11-25
15:34:00 Info IPSEC
01802043


ipsec_sa_informal
rev=2 spiin=54b86422 spiout=cf45a31a alg=3des-cbc keysize= mac=hmac-md5-96
2009-11-25
15:34:00 Info IPSEC
01802058


ipsec_sa_informal
rev=1 local_id=192.168.15.0/24 any remote_id=10.10.1.0/24
2009-11-25
15:34:00 Info IPSEC
01802703


ike_sa_negotiation_completed
ike_sa_completed
rev=1 local_peer="85.223.153.78 ID 85.223.153.78" remote_peer="85.223.239.34 ID 85.223.239.34" initiator_spi="e5d18cbe e8b95248"
2009-11-25
15:34:00 Info IPSEC
01802041


ipsec_sa_informal
rev=1 dhgroup=2 bits=1024
2009-11-25
15:34:00 Info IPSEC
01802040


ipsec_sa_negotiation_completed
ipsec_sa_enabled
rev=2 sa=Responder info="tunnel" local_peer="85.223.153.78 ID 85.223.153.78" remote_peer="85.223.239.34 ID 85.223.239.34" spi_in="ESP 54b86
2009-11-25
15:33:57 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:33:56 Warning IPSEC
01800106


ike_invalid_payload
rev=1 local_ip=85.223.153.78 remote_ip=194.110.78.3 cookies= reason="IKE_INVALID_COOKIE"
2009-11-25
15:33:56 Warning RULE
06000051 Default_Access_Rule UDP lan
85.223.153.77
239.192.152.143 6771
6771 ruleset_drop_packet
drop
rev=1 ipdatalen=127 udptotlen=127
2009-11-25
15:33:56 Warning RULE
06000051 Default_Access_Rule UDP lan
85.223.153.77
239.192.152.143 6771
6771 ruleset_drop_packet
drop
rev=1 ipdatalen=127 udptotlen=127
2009-11-25
15:33:56 Info IPSEC
01802708


ike_sa_destroyed
ike_sa_killed
rev=1 ike_sa= Initiator SPI ESP=0x839674b7, AH=0x16fa05d7, IPComp=0x9f66c93
2009-11-25
15:33:56 Warning IPSEC
01802022


ike_sa_failed
no_ike_sa
rev=2 statusmsg="No proposal chosen" local_peer=85.223.153.78 ID No Id remote_peer=194.110.78.3 ID No Id initiator_spi=ESP=0x839674b7, AH=0x16fa05d7, IPComp=0x9f66
2009-11-25
15:33:56 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:33:56 Warning IPSEC
01800107


ike_invalid_proposal
rev=1 local_ip=85.223.153.78 remote_ip=194.110.78.3 cookies=839674b716fa05d79f66c934085eaba1 reason="Could not find acceptable proposal"
2009-11-25
15:33:56 Notice IPSEC
01802300


rule_selection_failed
rev=1 info=Peer IP address mismatch int_severity=6
2009-11-25
15:33:56 Info IPSEC
01803001


failed_to_select_policy_rule
rev=1
2009-11-25
15:33:56 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:33:56 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:33:54 Warning ARP
00300049 Default_Access_Rule lan
85.223.153.77

invalid_arp_sender_ip_address
drop
rev=1 hwsender=00-23-54-c0-49-83 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-23-54-c0-49-83
2009-11-25
15:33:54 Info IPSEC
01802708


ike_sa_destroyed
ike_sa_killed
rev=1 ike_sa= Initiator SPI ESP=0x7d09c819, AH=0x8fc235af, IPComp=0x5bdfb3e
2009-11-25
15:33:54 Warning IPSEC
01802022


ike_sa_failed
no_ike_sa
rev=2 statusmsg="No proposal chosen" local_peer=85.223.153.78 ID No Id remote_peer=212.109.39.99 ID No Id initiator_spi=ESP=0x7d09c819, AH=0x8fc235af, IPComp=0x5bd
2009-11-25
15:33:54 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6
2009-11-25
15:33:54 Warning IPSEC
01800107


ike_invalid_proposal
rev=1 local_ip=85.223.153.78 remote_ip=212.109.39.99 cookies=7d09c8198fc235af5bdfb3e05d1fc4f1 reason="Could not find acceptable proposal"
2009-11-25
15:33:54 Notice IPSEC
01802300


rule_selection_failed
rev=1 info=Peer IP address mismatch int_severity=6
2009-11-25
15:33:54 Info IPSEC
01803001


failed_to_select_policy_rule
rev=1
2009-11-25
15:33:54 Warning IPSEC
01802715


event_on_ike_sa
rev=1 side=Responder msg="failed" int_severity=6

непонятно откуда в логе берутся адреса remote_ip=194.110.78.3, remote_ip=212.109.39.99

Судя по куску лога

ваш IPsec поднимается нормально. Другие ошибочные строки по IPsec - это скорее всего боты, которые пытаются пробиться к вам. Можете банить их при желании.

По поводу доступа - запускайте ping -t и смотрите статистику - а DFL Status-Connections чтобы ваши пинги уходили в IPsec, на Juniper думаю должно быть аналогичное средство. Ну и логи там смотрите, ессно.

_________________
Хотите хороший девайс? D-Link DFL!

Хотите считать с него трафик?
http://www.raresoftware.ru/products/lan/dfltc

wan1net 255.255.255.0/24 The network on interface wan1 Вот с этим точно работать ничего не будет, как бы не старались, устройство чувствительно к корректной настройки адресации на интерфейсах.

_________________
Сообщения в PM игнорируются, задавайте вопросы на форуме.

поменял wan1net на 85.223.153.0/24 и RemoteGW 62.80.180.225

как вижу впн туннель есть но удалённый адрес 192.168.11.0 не пингуется

2009-11-30
18:19:49 Info IPSEC
01803021


ipsec_sa_statistics
rev=1 done=238 success=69 failed=169
2009-11-30
18:19:49 Info IPSEC
01802046


ipsec_sa_lifetime
rev=1 sec=3600
2009-11-30
18:19:49 Info IPSEC
01802043


ipsec_sa_informal
rev=2 spiin=db591ad8 spiout=cf45b2cf alg=3des-cbc keysize= mac=hmac-md5-96
2009-11-30
18:19:49 Info IPSEC
01802058


ipsec_sa_informal
rev=1 local_id=192.168.15.0/24 any remote_id=192.168.11.0/24
2009-11-30
18:19:49 Info IPSEC
01802703


ike_sa_negotiation_completed
ike_sa_completed
rev=1 local_peer="85.223.153.74 ID 85.223.153.74" remote_peer="62.80.180.225 ID 62.80.180.225" initiator_spi="713ffacb e156d709"
2009-11-30
18:19:49 Info IPSEC
01802041


ipsec_sa_informal
rev=1 dhgroup=2 bits=1024
2009-11-30
18:19:49 Info IPSEC
01802040


ipsec_sa_negotiation_completed
ipsec_sa_enabled
rev=2 sa=Responder info="tunnel" local_peer="85.223.153.74 ID 85.223.153.74" remote_peer="62.80.180.225 ID 62.80.180.225" spi_in="ESP db591

Удаленный адрес 192.168.11.0 и не будет пинговаться, ибо это сеть
Пингуйте какой-нибудь хост или сам удаленный DFL, только правила соответствующие сделайте.
Ну и смотрите Ststus-Connections, по нему видно доходит ли пинг и где копать.

_________________
Хотите хороший девайс? D-Link DFL!

Хотите считать с него трафик?
http://www.raresoftware.ru/products/lan/dfltc

ясно что пингую не 192.168.11.0
192.168.11.250 меня смущает
2009-12-01
13:20:31 Warning IP_FLAG
01600001 TTLOnLow ICMP lan
192.168.15.2
192.168.11.250
ttl_low
ignore

хотя TTL on Low: имеет значение log то есть по идее трассировка маршрута разрешена