和Juniper产品的IPsec相互连接设置例

通过IPsec(Aggressive mode, 积极模式)和SRX100进行连接。注意：使用PSK的Aggressive mode会把由PSK导出的认证哈希以明文发送，能够观测或主动发起IKE交换的攻击者可对其进行离线字典攻击，因此必须使用足够长的随机PSK；若两端地址均为固定地址(如本例)，可以考虑改用Main mode以避免这一暴露。

使用机型

  • YAMAHA RTX800(Rev 10.01.40)
  • Juniper SRX100(SW Version 10.0R3.10)

网络构成

         PC2
          |
       ------+------ 192.168.1.0/24
             |.1
        +--------+
        | SRX100 | SW Version 10.0R3.10
        +--------+
  172.16.1.1 |          
             |          
            ~~~         
            ~~~         IPsec
             |          
             |          
             |          
  172.16.2.1 |          
        +---------+
        | RTX800  | Rev10.01.40
        +---------+
             |.1
       ------+------ 192.168.2.0/24
          |
         PC1

RTX800的设置

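# --- RTX800 (Rev 10.01.40) side of the tunnel ---
# NOTE(review): the diagram shows the RTX LAN address as 192.168.2.1, but this
# config sets lan1 to 192.168.2.254 -- confirm which one PC1 uses as its gateway.
ip route default gateway 172.16.2.254
# Send the remote LAN (behind the SRX) into IPsec tunnel 1.
ip route 192.168.1.0/24 gateway tunnel 1
ip lan1 address 192.168.2.254/24
ip lan2 address 172.16.2.1/24
tunnel select 1
 ipsec tunnel 1
# *1 Phase 2 SA policy: ESP with AES-CBC and HMAC-SHA1. local-id/remote-id must
#    be the exact mirror of the SRX proxy-identity (SRX local == our remote-id),
#    otherwise Phase 2 negotiation fails.
  ipsec sa policy 1 1 esp aes-cbc sha-hmac local-id=192.168.2.0/24 remote-id=192.168.1.0/24
# *2 SA lifetimes in seconds; both match lifetime-seconds 3600 on the SRX.
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike duration isakmp-sa 1 3600
# *3 IKE Phase 1 parameters; must equal the SRX proposal (aes-128-cbc, group2, sha1).
#    modp1024 (DH group 2) is below current recommendations -- prefer modp2048
#    (group14) once both firmware revisions support it. "sha" is SHA-1; use
#    sha256 if both ends support it.
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
# *4 Local source address used for IKE.
  ipsec ike local address 1 172.16.2.1
# *5 Our IKE identity (FQDN type). It is sent in the clear in aggressive mode and
#    must equal the SRX 'dynamic hostname'. Aggressive mode is only required when
#    the RTX address is dynamic; both addresses are fixed in this example, so
#    main mode with IP identities is an option worth considering.
  ipsec ike local name 1 kyoten1 fqdn
# *6 PSK -- "test" is a placeholder only. With aggressive mode the PSK-derived hash
#    is exposed to offline dictionary attack, so use a long random key and keep
#    it identical to the SRX pre-shared-key.
  ipsec ike pre-shared-key 1 text test
# *7 Peer (SRX100) IKE address.
  ipsec ike remote address 1 172.16.1.1
 tunnel enable 1
ipsec auto refresh on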
  • *1 设置安全网关(security gateway)的SA策略。local-id/remote-id必须与SRX100一侧的proxy-identity互为镜像。
  • *2 设置SA的有效时间(秒)，与SRX100一侧的lifetime-seconds保持一致。
  • *3 设置IKE的Phase1的条件，必须与SRX100一侧的IKE proposal完全一致。
  • *4 设置IKE使用的本方的源地址。
  • *5 设置本方安全网关的名字，需与SRX100一侧的dynamic hostname一致。
  • *6 设置PSK(预先共享密钥)。"test"仅为示例，实际部署请使用足够长的随机字符串，并与SRX100一侧的pre-shared-key相同。
  • *7 设置对方安全网关的IP地址。

SRX100的设置

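system {
    host-name SRX100;
    root-authentication {
        /* Example hash only -- never reuse it. Generate your own with
           'set system root-authentication plain-text-password'. "$1$" is
           MD5-crypt; use a stronger hash format if the running Junos offers one. */
        encrypted-password "$1$sMxRBhfi$NWLX9kcGcj8FVeMqjPuSy."; ## SECRET-DATA
    }
    services {
        ssh;
        /* telnet removed: it carries credentials in cleartext; ssh covers CLI access. */
        web-management {
            /* http is cleartext. It is bound to the LAN-side vlan.0 only;
               drop it if https alone is sufficient. */
            http {
                interface vlan.0;
            }
            https {
                /* self-signed certificate: verify its fingerprint on first use */
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* 'authorization info' keeps login/authentication events; IKE
           negotiation details are not captured at this level. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}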
interfaces {
    /* fe-0/0/1..7 are LAN switch ports in vlan-trust; L3 lives on vlan.0 */
    interface-range interfaces-trust {
        member fe-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* WAN side: IKE external-interface and the only untrust zone member */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    /* Route-based VPN tunnel interface (unnumbered). vpn test-vpn binds to
       st0.0 and the static route for 192.168.2.0/24 points at it. */
    st0 {
        unit 0 {
            family inet;
        }
    }
    /* LAN gateway address; also handed out as the DHCP router option */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* default route towards the WAN next hop */
        route 0.0.0.0/0 next-hop 172.16.1.254;
        /* remote LAN via the tunnel interface (route-based VPN); mirrors the
           RTX side 'ip route 192.168.1.0/24 gateway tunnel 1' */
        route 192.168.2.0/24 next-hop st0.0;
    }
}
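security {
    ike {
        respond-bad-spi 5;
        /* Phase 1 proposal; must match the RTX 'ipsec ike encryption/group/hash'
           lines. group2 is 1024-bit MODP, below current guidance -- move both
           ends to a 2048-bit group (group14) when both software versions allow.
           sha1 likewise: prefer sha-256 if both ends support it. */
        proposal test-p1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy test-p1-policy {
            /* Aggressive mode is used because the RTX is identified by hostname
               (dynamic peer). Both peers have fixed addresses in this example,
               so main mode with IP identities would avoid exposing the
               PSK-derived hash to offline dictionary attack. */
            mode aggressive;
            proposals test-p1-proposal;
            /* *8 PSK. Must equal the RTX 'ipsec ike pre-shared-key' (the example
               uses the placeholder "test"). "$9$" is a reversible obfuscation,
               not encryption: anyone holding this config text can recover the
               key. Use a long random PSK and treat saved configs as secrets. */
            pre-shared-key ascii-text "$9$s1YJD.mT3/t5Q"; ## SECRET-DATA
        }
        gateway test-p1-gw {
            ike-policy test-p1-policy;
            /* *9 Peer identity: must equal the RTX 'ipsec ike local name ... fqdn' */
            dynamic hostname kyoten1;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        /* Phase 2 proposal; matches the RTX 'esp aes-cbc sha-hmac' policy */
        proposal test-p2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy test-p2-policy {
            proposals test-p2-proposal;
        }
        vpn test-vpn {
            bind-interface st0.0;
            ike {
                gateway test-p1-gw;
                /* Must be the exact mirror of the RTX local-id/remote-id;
                   a mismatch fails Phase 2. */
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.2.0/24;
                    service any;
                }
                ipsec-policy test-p2-policy;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        /* Both the LAN (vlan.0) and the tunnel (st0.0) sit in trust, so VPN
           traffic is treated like local LAN traffic. 'system-services all'
           also exposes every management service on these interfaces; put
           st0.0 in its own zone if the remote site should be constrained. */
        security-zone trust {
            address-book {
                address net1 192.168.1.0/24;
                address net2 192.168.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                vlan.0;
                st0.0;
            }
        }
        /* WAN zone: only ping and IKE may reach the box itself; keep it that way. */
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
    }
    policies {
        /* Intra-zone policies for LAN <-> tunnel traffic. 'application any' is
           permissive; narrow it to the services the sites actually need. */
        from-zone trust to-zone trust {
            policy n1-n2-policy {
                match {
                    source-address net1;
                    destination-address net2;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy n2-n1-policy {
                match {
                    source-address net2;
                    destination-address net1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}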
vlans {
    /* LAN VLAN for the trust switch ports; its L3 interface vlan.0 carries 192.168.1.1/24 */
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
  • *8 设置PSK(预先共享密钥)，必须与RTX800一侧的 ipsec ike pre-shared-key 相同。注意 "$9$" 只是可逆的混淆编码而非加密，持有配置文本即可还原密钥，请妥善保管配置文件。
  • *9 设置对方(RTX800)安全网关的名字，需与RTX800一侧的 ipsec ike local name 一致。
