Конфигурация VPN GRE over IPSEC между Juniper SRX и Cisco 1841
Введение.
Есть две локальных сети. Каждую сеть обслуживает сое устройство. Одну Juniper SRX , другую Cisco 1841.
Задача:
сконфигурировать GRE over VPN для обеспечения возможности динамического OSPF обмена маршрутами.
Детальная информация.
Juniper SRX не может инкапсулировать GRE и IPSEC на одном и том же физическом интерфейсе. Для решения этой проблемы мы будем использовать lo интерфейс для GRE.
Адресация
Juniper SRX:
GLOBAL IP: 217.9.80.22
Lo IP: 172.31.254.1
Gre IP: 192.168.254.0
Cisco 1841:
GLOBAL IP: 91.208.39.30
Lo IP: 172.31.254.2
Gre IP: 192.168.254.1
IKE policy:
encryption: aes128
hash: sha1
Diffie-Hellman group: 5
pre shared key: test
IPSEC policy:
encryption: aes128
hash: hmac_sha1
Diffie-Hellman group: 5
VPN - tunnel mode esp
Конфигурация Juniper.
1. Установка ip на lo интерфейс:
{primary:node1}[edit]
set interfaces lo0 unit 0 family inet address 172.31.254.1/32
2. Создание GRE интерфейса:
{primary:node1}[edit]
set interfaces gr-0/0/0 unit 0 description Cisco_link
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 192.168.254.0/31
3. Создание ST интерфейс:
{primary:node1}[edit]
set interfaces st0 unit 0 description VPN_Cisco_link
set interfaces st0 unit 0 family inet
4. Конфигурация трех security zones:
{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels gr-0/0/0.0
set security zones security-zone Tunnels st0.0
set security zones security-zone Tunnels lo0.0
5. Конфигурация security policies (для данного примера не будем останавливаться на детальной конфигурации а просто разрешим все)
{primary:node1}[edit]
set security policies default-policy permit-all
6. Конфигурация IKE
{primary:node1}[edit]
set security ike proposal IKE_PRO_MY_NET description MY_NETWORK_IKE_PROPOSAL
set security ike proposal IKE_PRO_MY_NET authentication-method pre-shared-keys
set security ike proposal IKE_PRO_MY_NET dh-group group5
set security ike proposal IKE_PRO_MY_NET authentication-algorithm sha1
set security ike proposal IKE_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_MY_NET lifetime-seconds 28800
set security ike policy IKE_POL_MY_NET mode aggressive
set security ike policy IKE_POL_MY_NET proposals IKE_PRO_MY_NET
set security ike policy IKE_POL_MY_NET pre-shared-key ascii-text test
set security ike gateway IKE_CISCO_1841 ike-policy IKE_POL_MY_NET
set security ike gateway IKE_CISCO_1841 address 91.208.39.30
set security ike gateway IKE_CISCO_1841 local-identity inet 217.9.80.22
set security ike gateway IKE_CISCO_1841 external-interface reth0.0
7. Конфигурация IPSEC
{primary:node1}[edit]
set security ipsec proposal IPSEC_PRO_MY_NET protocol esp
set security ipsec proposal IPSEC_PRO_MY_NET authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-seconds 28800
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-kilobytes 4608000
set security ipsec policy IPSEC_POL_MY_NET perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL_MY_NET proposals IPSEC_PRO_MY_NET
set security ipsec vpn VPN_CISCO_1841 bind-interface st0.0
set security ipsec vpn VPN_CISCO_1841 df-bit clear
set security ipsec vpn VPN_CISCO_1841 ike gateway IKE_CISCO_1841
set security ipsec vpn VPN_CISCO_1841 ike no-anti-replay
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity service junos-gre
set security ipsec vpn VPN_CISCO_1841 ike ipsec-policy IPSEC_POL_MY_NET
set security ipsec vpn VPN_CISCO_1841 establish-tunnels immediately
8. Конфигурация маршрутизации
{primary:node1}[edit]
set routing-options static route 172.31.254.2/32 next-hop st0.0
9. Сохранение и применение созданной конфигурации
{primary:node1}[edit]
commit
Конфигурация Cisco.
1. Установка ip на lo интерфейс:
conf t
interface Loopback0
ip address 172.31.254.2 255.255.255.255
end
2. Создание GRE интерфейса:
conf t
interface Tunnel0
description link1 Cisco_1841 -> Juniper SRX
ip address 192.168.254.1 255.255.255.254
ip mtu 1476
ip ospf network point-to-point
no clns route-cache
tunnel source Loopback0
tunnel destination 172.31.254.2
end
3. Конфигурация IKE
conf t
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
exit
crypto isakmp key test address 217.9.80.22
end
4. Конфигурация access list
conf t
ip access-list extended ipsec_Juniper_SRX
permit ip host 172.31.254.2 host 172.31.254.1
end
5. Конфигурация IPSEC
conf t
crypto ipsec transform-set MY_NET esp-aes esp-sha-hmac
exit
crypto map my-cmap 10 ipsec-isakmp
set peer 217.9.80.22
set security-association lifetime seconds 28800
set transform-set MY_NET
set pfs group5
match address ipsec_Juniper_SRX
6. Применение crypto-map
conf t
int fa 0/0
crypto map my-cmap
end
7. Сохранение созданной конфигурации
wr
Об авторе
Главная страница
