Вы здесь

Juniper. Подключение двух SRX туннелями IPsec

juniper._podklyuchenie_dvuh_srx_tunnelyami_ipsec_01_ciscomaster.ru.jpg

  1. Создаём Secure Tunnel interface st0.1, и назначаем ему адрес.
    jun100_obn36a#
    set interfaces st0 unit 1 family inet address 10.252.1.2/30 set security zones security-zone vpn interfaces st0.1

    imhtst1#

    set interfaces st0 unit 1 family inet address 10.252.1.1/30 set security zones security-zone vpn interfaces st0.1

    На этом этапе каждый с каждого роутера мы сможем пинговать его туннельный интерфейс.

  2. Создаём зоны и помещаем туда соответствующие интерфейсы
    imhtst1#
    set security zones security-zone trust address-book address net-imhtst1-10_253_10_0-24 10.253.10.0/24 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/7.0
    set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust host-inbound-traffic system-services ssh set security zones security-zone untrust host-inbound-traffic system-services ping set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone vpn address-book address net-obn-192_168_254_0-24 192.168.254.0/24 set security zones security-zone vpn address-book address net-ptp-10_252_1_0-24 10.252.1.0/24 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone vpn interfaces st0.1

    jun100_obn36a#

    set security zones security-zone trust address-book address net-obn-192_168_254_0-24 192.168.254.0/24 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone vpn address-book address net-all-10_0_0_0-8 10.0.0.0/8 set security zones security-zone vpn address-book address net-all-172_16_0_0-12 172.16.0.0/12 set security zones security-zone vpn address-book address net-all-192_168_0_0-16 192.168.0.0/16 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone vpn interfaces st0.1
  3. Создаём политики
    imhtst1#
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any set security policies from-zone trust to-zone trust policy trust-to-trust match application any set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone trust to-zone vpn policy trust-vpn match source-address net-imhtst1-10_253_10_0-24 set security policies from-zone trust to-zone vpn policy trust-vpn match destination-address net-obn-192_168_254_0-24 set security policies from-zone trust to-zone vpn policy trust-vpn match destination-address net-ptp-10_252_1_0-24 set security policies from-zone trust to-zone vpn policy trust-vpn match application any set security policies from-zone trust to-zone vpn policy trust-vpn then permit set security policies from-zone trust to-zone vpn policy trust-vpn then log session-init set security policies from-zone trust to-zone vpn policy trust-vpn then log session-close set security policies from-zone trust to-zone vpn policy trust-vpn then count
    set security policies from-zone vpn to-zone trust policy vpn-trust match source-address net-obn-192_168_254_0-24 set security policies from-zone vpn to-zone trust policy vpn-trust match source-address net-ptp-10_252_1_0-24 set security policies from-zone vpn to-zone trust policy vpn-trust match destination-address net-imhtst1-10_253_10_0-24 set security policies from-zone vpn to-zone trust policy vpn-trust match application any set security policies from-zone vpn to-zone trust policy vpn-trust then permit set security policies from-zone vpn to-zone trust policy vpn-trust then log session-init set security policies from-zone vpn to-zone trust policy vpn-trust then log session-close set security policies from-zone vpn to-zone trust policy vpn-trust then count
    set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match source-address any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match destination-address any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match application any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match source-identity any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn then permit set security policies from-zone vpn to-zone vpn policy vpn-to-vpn then log session-init set security policies from-zone vpn to-zone vpn policy vpn-to-vpn then log session-close set security policies from-zone vpn to-zone vpn policy vpn-to-vpn then count

    jun100_obn36a#

    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any set security policies from-zone trust to-zone trust policy trust-to-trust match application any set security policies from-zone trust to-zone trust policy trust-to-trust then permit set security policies from-zone trust to-zone trust policy trust-to-trust then log session-init set security policies from-zone trust to-zone trust policy trust-to-trust then log session-close set security policies from-zone trust to-zone trust policy trust-to-trust then count
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone trust to-zone vpn policy trust-vpn-kma match source-address net-obn-192_168_254_0-24 set security policies from-zone trust to-zone vpn policy trust-vpn-kma match destination-address net-all-10_0_0_0-8 set security policies from-zone trust to-zone vpn policy trust-vpn-kma match destination-address net-all-172_16_0_0-12 set security policies from-zone trust to-zone vpn policy trust-vpn-kma match destination-address net-all-192_168_0_0-16 set security policies from-zone trust to-zone vpn policy trust-vpn-kma match application any set security policies from-zone trust to-zone vpn policy trust-vpn-kma then permit
    set security policies from-zone vpn to-zone trust policy vpn-trust-kma match source-address net-all-10_0_0_0-8 set security policies from-zone vpn to-zone trust policy vpn-trust-kma match source-address net-all-172_16_0_0-12 set security policies from-zone vpn to-zone trust policy vpn-trust-kma match source-address net-all-192_168_0_0-16 set security policies from-zone vpn to-zone trust policy vpn-trust-kma match destination-address net-obn-192_168_254_0-24 set security policies from-zone vpn to-zone trust policy vpn-trust-kma match application any set security policies from-zone vpn to-zone trust policy vpn-trust-kma then permit
    set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match source-address any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match destination-address any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match application any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn match source-identity any set security policies from-zone vpn to-zone vpn policy vpn-to-vpn then permit set security policies from-zone vpn to-zone vpn policy vpn-to-vpn then count
  4. Создаём ike policy
    imhtst1#
    set security ike policy ike-policy-jun100 mode aggressive set security ike policy ike-policy-jun100 proposal-set compatible set security ike policy ike-policy-jun100 pre-shared-key ascii-text "secretkey"

    jun100_obn36a#

    set security ike policy ike-policy-imhtst1 mode aggressive set security ike policy ike-policy-imhtst1 proposal-set compatible set security ike policy ike-policy-imhtst1 pre-shared-key ascii-text "secretkey"
  5. Создаём IKE gateway
    imhtst1#
    set security ike gateway ike-gate-jun100 ike-policy ike-policy-jun100 set security ike gateway ike-gate-jun100 address 195.112.100.134 set security ike gateway ike-gate-jun100 external-interface ge-0/0/0.0

    jun100_obn36a#

    set security ike gateway ike-gate-imhtst1 ike-policy ike-policy-imhtst1 set security ike gateway ike-gate-imhtst1 address 81.211.66.195 set security ike gateway ike-gate-imhtst1 external-interface fe-0/0/0.0
  6. Создаём IPSec policy
    imhtst1#
    set security ipsec policy ipsec-policy-jun100 proposal-set compatible

    jun100_obn36a#

    set security ipsec policy ipsec-policy-imhtst1 proposal-set compatible
  7. Создаём IPsec VPN, с использованием IKE gateway, IPsec policy
    imhtst1#
    set security ipsec vpn ipsec-vpn-imhtst1 ike gateway ike-gate-jun100 set security ipsec vpn ipsec-vpn-imhtst1 ike ipsec-policy ipsec-policy-jun100 set security ipsec vpn ipsec-vpn-imhtst1 bind-interface st0.1 set security ipsec vpn ipsec-vpn-imhtst1 establish-tunnels immediately

    jun100_obn36a#

    set security ipsec vpn ipsec-vpn-imh ike gateway ike-gate-imhtst1 set security ipsec vpn ipsec-vpn-imh ike ipsec-policy ipsec-policy-imhtst1 set security ipsec vpn ipsec-vpn-imh bind-interface st0.1 set security ipsec vpn ipsec-vpn-imh establish-tunnels immediately

Добавить комментарий

Filtered HTML

  • Адреса страниц и электронной почты автоматически преобразуются в ссылки.
  • Допустимые HTML-теги: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Строки и абзацы переносятся автоматически.

Plain text

  • HTML-теги не обрабатываются и показываются как обычный текст
  • Адреса страниц и электронной почты автоматически преобразуются в ссылки.
  • Строки и абзацы переносятся автоматически.
CAPTCHA
Этот вопрос задается для того, чтобы выяснить, являетесь ли Вы человеком или представляете из себя автоматическую спам-рассылку.
Target Image