======= Configuring a GRE over IPsec VPN between a Juniper SRX and a Cisco 1841 =======

==== Introduction ====

There are two local networks, each served by its own device: one by a Juniper SRX, the other by a Cisco 1841.\\
**Task**:\\
configure GRE over IPsec so that the two sites can exchange routes dynamically with OSPF.\\
{{:ru:jobs:vpn_juniper_cisco.jpg?500|500}}

==== Details ====

A Juniper SRX cannot encapsulate GRE and IPsec on the same physical interface. To work around this, the GRE tunnel on the SRX is sourced from the lo0 interface, and the loopback-to-loopback GRE traffic is what the IPsec tunnel (st0) carries.

**Addressing**\\
Juniper SRX:\\
GLOBAL IP: 217.9.80.22\\
Lo IP: 172.31.254.1\\
GRE IP: 192.168.254.0\\
Cisco 1841:\\
GLOBAL IP: 91.208.39.30\\
Lo IP: 172.31.254.2\\
GRE IP: 192.168.254.1\\

**IKE policy:**\\
encryption: aes128\\
hash: sha1\\
Diffie-Hellman group: 5\\
pre-shared key: test\\

**IPsec policy:**\\
encryption: aes128\\
hash: hmac_sha1\\
Diffie-Hellman group: 5\\

**VPN** - tunnel mode, ESP

==== Juniper configuration ====

1. Assign an IP address to the lo0 interface:
<code>
{primary:node1}[edit]
set interfaces lo0 unit 0 family inet address 172.31.254.1/32
</code>

2. Create the GRE interface (sourced from lo0, pointing at the Cisco loopback, with the MTU reduced to leave room for the GRE header):
<code>
{primary:node1}[edit]
set interfaces gr-0/0/0 unit 0 description Cisco_link
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 192.168.254.0/31
</code>

3. Create the st0 (secure tunnel) interface:
<code>
{primary:node1}[edit]
set interfaces st0 unit 0 description VPN_Cisco_link
set interfaces st0 unit 0 family inet
</code>

4. Configure the three security zones:
<code>
{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels interfaces gr-0/0/0.0
set security zones security-zone Tunnels interfaces st0.0
set security zones security-zone Tunnels interfaces lo0.0
</code>

5. Configure the security policies (for this example we will not go into detailed policy configuration and simply permit everything):
<code>
{primary:node1}[edit]
set security policies default-policy permit-all
</code>

6. Configure IKE:
<code>
{primary:node1}[edit]
set security ike proposal IKE_PRO_MY_NET description MY_NETWORK_IKE_PROPOSAL
set security ike proposal IKE_PRO_MY_NET authentication-method pre-shared-keys
set security ike proposal IKE_PRO_MY_NET dh-group group5
set security ike proposal IKE_PRO_MY_NET authentication-algorithm sha1
set security ike proposal IKE_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_MY_NET lifetime-seconds 28800
set security ike policy IKE_POL_MY_NET mode aggressive
set security ike policy IKE_POL_MY_NET proposals IKE_PRO_MY_NET
set security ike policy IKE_POL_MY_NET pre-shared-key ascii-text test
set security ike gateway IKE_CISCO_1841 ike-policy IKE_POL_MY_NET
set security ike gateway IKE_CISCO_1841 address 91.208.39.30
set security ike gateway IKE_CISCO_1841 local-identity inet 217.9.80.22
set security ike gateway IKE_CISCO_1841 external-interface reth0.0
</code>

7. Configure IPsec (the proxy identities describe the loopback-to-loopback GRE traffic, so they must mirror the crypto ACL on the Cisco side):
<code>
{primary:node1}[edit]
set security ipsec proposal IPSEC_PRO_MY_NET protocol esp
set security ipsec proposal IPSEC_PRO_MY_NET authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-seconds 28800
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-kilobytes 4608000
set security ipsec policy IPSEC_POL_MY_NET perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL_MY_NET proposals IPSEC_PRO_MY_NET
set security ipsec vpn VPN_CISCO_1841 bind-interface st0.0
set security ipsec vpn VPN_CISCO_1841 df-bit clear
set security ipsec vpn VPN_CISCO_1841 ike gateway IKE_CISCO_1841
set security ipsec vpn VPN_CISCO_1841 ike no-anti-replay
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity service junos-gre
set security ipsec vpn VPN_CISCO_1841 ike ipsec-policy IPSEC_POL_MY_NET
set security ipsec vpn VPN_CISCO_1841 establish-tunnels immediately
</code>

8. Configure routing (a static route sends the GRE packets addressed to the Cisco loopback into the IPsec tunnel):
<code>
{primary:node1}[edit]
set routing-options static route 172.31.254.2/32 next-hop st0.0
</code>

9. Save and apply the configuration:
<code>
{primary:node1}[edit]
commit
</code>

==== Cisco configuration ====

1. Assign an IP address to the loopback interface:
<code>
conf t
interface Loopback0
 ip address 172.31.254.2 255.255.255.255
end
</code>

2. Create the GRE interface (the tunnel destination is the Juniper loopback, 172.31.254.1):
<code>
conf t
interface Tunnel0
 description link1 Cisco_1841 -> Juniper SRX
 ip address 192.168.254.1 255.255.255.254
 ip mtu 1476
 ip ospf network point-to-point
 no clns route-cache
 tunnel source Loopback0
 tunnel destination 172.31.254.1
end
</code>

3. Configure IKE:
<code>
conf t
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
 exit
crypto isakmp key test address 217.9.80.22
end
</code>

4. Configure the access list that selects the loopback-to-loopback traffic for encryption:
<code>
conf t
ip access-list extended ipsec_Juniper_SRX
 permit ip host 172.31.254.2 host 172.31.254.1
end
</code>

5. Configure IPsec:
<code>
conf t
crypto ipsec transform-set MY_NET esp-aes esp-sha-hmac
 exit
crypto map my-cmap 10 ipsec-isakmp
 set peer 217.9.80.22
 set security-association lifetime seconds 28800
 set transform-set MY_NET
 set pfs group5
 match address ipsec_Juniper_SRX
end
</code>

6. Apply the crypto map to the outside interface:
<code>
conf t
int fa 0/0
 crypto map my-cmap
end
</code>

7. Save the configuration:
<code>
wr
</code>

==== About the author ====

Author's [[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|profile]]
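As an added example (not part of the original page), a small Python script that cross-checks the two configurations above before they are committed: the embedded excerpts are constructed from this page's addresses, and the check verifies that each side's GRE tunnel destination is the other side's loopback, that the SRX proxy IDs mirror the Cisco crypto ACL, and that the ISAKMP key address matches the SRX local identity.

```python
import re
# Constructed excerpts carrying this page's addresses; not the devices' full configurations.
JUNOS = """
set interfaces lo0 unit 0 family inet address 172.31.254.1/32
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
set security ike gateway IKE_CISCO_1841 local-identity inet 217.9.80.22
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
"""
CISCO = """
interface Loopback0
 ip address 172.31.254.2 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 172.31.254.1
crypto isakmp key test address 217.9.80.22
ip access-list extended ipsec_Juniper_SRX
 permit ip host 172.31.254.2 host 172.31.254.1
"""

def grab(text, pattern):
    # First capture group of pattern in text, or None when the statement is missing.
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def junos_endpoints(cfg):
    return {"lo": grab(cfg, r"lo0 unit 0 family inet address (\S+)/32"),
            "gre_dst": grab(cfg, r"tunnel destination (\S+)"),
            "local_id": grab(cfg, r"local-identity inet (\S+)"),
            "proxy_local": grab(cfg, r"proxy-identity local (\S+)/32"),
            "proxy_remote": grab(cfg, r"proxy-identity remote (\S+)/32")}

def cisco_endpoints(cfg):
    lo = grab(cfg, r"^interface Loopback0\n ip address (\S+) ")
    acl = re.search(r"permit ip host (\S+) host (\S+)", cfg)
    return {"lo": lo, "gre_dst": grab(cfg, r"tunnel destination (\S+)"),
            "key_peer": grab(cfg, r"crypto isakmp key \S+ address (\S+)"),
            "acl_src": acl.group(1), "acl_dst": acl.group(2)}

def check_pair(junos_cfg, cisco_cfg):
    # Cross-check both sides; returns the list of mismatches, empty when they agree.
    j, c = junos_endpoints(junos_cfg), cisco_endpoints(cisco_cfg)
    rules = [("Junos GRE destination is not the Cisco Loopback0", j["gre_dst"], c["lo"]),
             ("Cisco tunnel destination is not the Junos lo0", c["gre_dst"], j["lo"]),
             ("Junos proxy-id local differs from Cisco ACL destination", j["proxy_local"], c["acl_dst"]),
             ("Junos proxy-id remote differs from Cisco ACL source", j["proxy_remote"], c["acl_src"]),
             ("Cisco isakmp key address differs from Junos local-identity", c["key_peer"], j["local_id"])]
    return [f"{why}: {a} != {b}" for why, a, b in rules if a != b]
```

A non-empty result names the statement that would keep the IKE phase 2 negotiation or the GRE tunnel from coming up; the regexes assume the statement shapes shown in the excerpts.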