和Juniper产品的IPsec相互连接设置例
通过IPsec(Aggressive mode)和SRX100进行连接。
使用机型
- YAMAHA RTX800(Rev 10.01.40)
- Juniper SRX100(SW Version 10.0R3.10)
网络构成
PC2
|
------+------ 192.168.1.0/24
|.1
+--------+
| SRX100 | SW Version 10.0R3.10
+--------+
172.16.1.1 | ∥
| ∥
~~~ ∥
~~~ ∥IPsec
| ∥
| ∥
| ∥
172.16.2.1 | ∥
+---------+
| RTX800 | Rev10.01.40
+---------+
|.1
------+------ 192.168.2.0/24
|
PC1
RTX800的设置
# RTX800 side of the example: route-based IPsec tunnel 1 to the SRX100 at 172.16.1.1,
# IKEv1 Aggressive mode with a pre-shared key. 192.168.1.0/24 goes through the tunnel,
# everything else to the upstream gateway 172.16.2.254.
ip route default gateway 172.16.2.254
ip route 192.168.1.0/24 gateway tunnel 1
# NOTE(review): the diagram shows .1 on the 192.168.2.0/24 segment but lan1 is .254 here — confirm which is intended.
ip lan1 address 192.168.2.254/24
ip lan2 address 172.16.2.1/24
tunnel select 1
ipsec tunnel 1
# Phase 2: ESP with AES-CBC / HMAC-SHA. local-id/remote-id are the mirror image of the SRX
# proxy-identity (local 192.168.1.0/24, remote 192.168.2.0/24); a mismatch fails Phase 2 negotiation.
ipsec sa policy 1 1 esp aes-cbc sha-hmac local-id=192.168.2.0/24 remote-id=192.168.1.0/24 ...*1
# SA lifetimes of 3600 s, the same value as lifetime-seconds in the SRX IKE and IPsec proposals.
ipsec ike duration ipsec-sa 1 3600 ....................................................*2
ipsec ike duration isakmp-sa 1 3600 ....................................................*2
# Phase 1: AES-CBC, DH modp1024 (the SRX calls this dh-group group2), SHA-1 — identical to
# test-p1-proposal on the SRX. NOTE(review): modp1024/SHA-1 are dated; use a stronger group and
# hash if both firmware revisions offer one — confirm what Rev 10.01.40 supports.
ipsec ike encryption 1 aes-cbc .......................................................*3
ipsec ike group 1 modp1024 .......................................................*3
ipsec ike hash 1 sha .......................................................*3
# Source address for IKE is the lan2 (WAN) address.
ipsec ike local address 1 172.16.2.1 .......................................................*4
# The RTX identifies itself by FQDN-type name "kyoten1"; the SRX gateway matches it with
# "dynamic hostname kyoten1". Identifying by name rather than address is presumably why
# Aggressive mode is used in this example — verify against the SRX gateway definition.
ipsec ike local name 1 kyoten1 fqdn .......................................................*5
# "test" is an example placeholder. Use a long, random pre-shared key in production: with
# Aggressive mode the first exchange is unencrypted, so a guessable PSK is exposed to offline guessing.
ipsec ike pre-shared-key 1 text test .......................................................*6
# Peer is the SRX fe-0/0/0 address. The SRX side defines this peer only by hostname, so the RTX
# presumably has to be the initiator — confirm.
ipsec ike remote address 1 172.16.1.1 .......................................................*7
tunnel enable 1
ipsec auto refresh on
- *1 设置security gateway的SA的policy。
- *2 设置SA的有效时间。
- *3 设置IKE的Phase1的条件。
- *4 设置IKE使用的本方的源地址。
- *5 设置本方的security gateway的名字。
- *6 设置PSK(预先共享密钥)。
- *7 设置对方的security gateway的IP地址。
SRX100的设置
# SRX100 system stanza: hostname, root credential, management services, DHCP server for the
# trust LAN, syslog and license auto-update.
system {
host-name SRX100;
root-authentication {
# Example value only ($1$ is MD5-crypt) and it is published with this page — set a fresh root
# password on any device built from this example.
encrypted-password "$1$sMxRBhfi$NWLX9kcGcj8FVeMqjPuSy."; ## SECRET-DATA
}
services {
# SSH and Telnet are both enabled; Telnet sends credentials in cleartext. Which interfaces can
# reach them is decided by the zone host-inbound-traffic settings, not here.
ssh;
telnet;
web-management {
# Web UI on the inside interface vlan.0 only, over plain HTTP and over HTTPS with a
# self-generated certificate. Prefer HTTPS alone if plain HTTP is not needed.
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
# Hands out 192.168.1.2-.254 with this SRX (192.168.1.1) as the default router.
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
# Presumably relays settings obtained on the WAN interface fe-0/0/0.0 to DHCP clients — confirm.
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
# "messages" keeps critical events plus authorization (login) events at info level.
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
# Interfaces: fe-0/0/1..7 switched into vlan-trust, fe-0/0/0 as the WAN/IKE endpoint,
# st0.0 as the tunnel interface for the route-based VPN, vlan.0 as the LAN gateway.
interfaces {
interface-range interfaces-trust {
member fe-0/0/1;
member fe-0/0/2;
member fe-0/0/3;
member fe-0/0/4;
member fe-0/0/5;
member fe-0/0/6;
member fe-0/0/7;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
# WAN side; the IKE gateway test-p1-gw uses this interface and the RTX points at this address.
fe-0/0/0 {
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
# Secure tunnel interface, no address configured; bound by "vpn test-vpn" and used as the
# next-hop for 192.168.2.0/24 in routing-options.
st0 {
unit 0 {
family inet;
}
}
# L3 interface of vlan-trust; LAN gateway and DHCP router address.
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
# Default route to the upstream 172.16.1.254; the remote LAN is reached through the tunnel
# interface, which is what makes this a route-based (st0) VPN rather than a policy-based one.
routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.1.254;
route 192.168.2.0/24 next-hop st0.0;
}
}
# Security stanza: IKE Phase 1 (Aggressive mode, PSK, peer identified by hostname),
# IPsec Phase 2 bound to st0.0, zones, and the trust-to-trust policies between the two LANs.
security {
ike {
respond-bad-spi 5;
# Must agree with the RTX "ipsec ike" settings: PSK auth, DH group2 (= modp1024), SHA-1,
# AES-128-CBC, 3600 s lifetime.
proposal test-p1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy test-p1-policy {
# Aggressive mode exposes the peer identity and PSK-based authentication data in the
# unencrypted first exchange, so the PSK strength is the main defence here.
mode aggressive;
proposals test-p1-proposal;
# "$9$" is Junos' reversible obfuscation of the PSK, not a hash: anyone with the config text
# can recover the key, so handle exported configs as secrets. The value shown is the example key.
pre-shared-key ascii-text "$9$s1YJD.mT3/t5Q"; ## SECRET-DATA .........*8
}
gateway test-p1-gw {
ike-policy test-p1-policy;
# Matches the RTX FQDN identity "ipsec ike local name 1 kyoten1 fqdn"; no peer address is
# configured, so the SRX presumably accepts this peer as a responder — confirm.
dynamic hostname kyoten1; ...........................................*9
external-interface fe-0/0/0;
}
}
ipsec {
# Phase 2 parameters matching the RTX "ipsec sa policy 1 1 esp aes-cbc sha-hmac".
proposal test-p2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy test-p2-policy {
proposals test-p2-proposal;
}
vpn test-vpn {
bind-interface st0.0;
ike {
gateway test-p1-gw;
# Mirror image of the RTX local-id/remote-id; both sides must agree or Phase 2 fails.
proxy-identity {
local 192.168.1.0/24;
remote 192.168.2.0/24;
service any;
}
ipsec-policy test-p2-policy;
}
establish-tunnels immediately;
}
}
zones {
security-zone trust {
address-book {
address net1 192.168.1.0/24;
address net2 192.168.2.0/24;
}
# "all" admits every system service (incl. telnet/http) from vlan.0 AND from st0.0, i.e. from
# the remote site as well. Consider listing only the services actually needed.
host-inbound-traffic {
system-services {
all;
}
}
# st0.0 is placed in trust, so VPN traffic is intra-zone; that is why the policies below are
# from-zone trust to-zone trust.
interfaces {
vlan.0;
st0.0;
}
}
security-zone untrust {
# Only ping and IKE are accepted on the WAN interface itself.
host-inbound-traffic {
system-services {
ping;
ike;
}
}
interfaces {
fe-0/0/0.0;
}
}
}
policies {
# Permit any application between the two LANs in both directions.
from-zone trust to-zone trust {
policy n1-n2-policy {
match {
source-address net1;
destination-address net2;
application any;
}
then {
permit;
}
}
policy n2-n1-policy {
match {
source-address net2;
destination-address net1;
application any;
}
then {
permit;
}
}
}
}
}
# Trust VLAN (id 3) for the switched ports; vlan.0 carries its L3 address.
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
- *8 设置PSK(预先共享密钥)。
- *9 设置对方的security gateway的名字。