Configuring a GRE over IPsec VPN between a Juniper SRX and a Cisco 1841

Introduction.

There are two local networks, each served by its own device: one by a Juniper SRX, the other by a Cisco 1841.
Task:
configure GRE over the IPsec VPN so that the two sites can exchange routes dynamically with OSPF.


Details.

A Juniper SRX cannot encapsulate GRE and IPsec on the same physical interface. To work around this, we use the loopback interface (lo0) as the GRE tunnel endpoint, so the GRE packets are routed into the st0 tunnel interface and encrypted there.

Addressing
Juniper SRX:
GLOBAL IP: 217.9.80.22
Lo IP: 172.31.254.1
Gre IP: 192.168.254.0

Cisco 1841:
GLOBAL IP: 91.208.39.30
Lo IP: 172.31.254.2
Gre IP: 192.168.254.1

IKE policy:
encryption: aes128
hash: sha1
Diffie-Hellman group: 5
pre shared key: test

IPSEC policy:
encryption: aes128
hash: hmac_sha1
Diffie-Hellman group: 5

VPN - tunnel mode esp

Juniper configuration.

1. Assign an IP address to the loopback interface:

{primary:node1}[edit]
set interfaces lo0 unit 0 family inet address 172.31.254.1/32

2. Create the GRE interface:

{primary:node1}[edit]
set interfaces gr-0/0/0 unit 0 description Cisco_link
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 192.168.254.0/31

3. Create the st0 (secure tunnel) interface:

{primary:node1}[edit]
set interfaces st0 unit 0 description VPN_Cisco_link
set interfaces st0 unit 0 family inet

4. Configure the three security zones:

{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels interfaces gr-0/0/0.0
set security zones security-zone Tunnels interfaces st0.0
set security zones security-zone Tunnels interfaces lo0.0

5. Configure security policies (for this example we do not go into a detailed policy configuration and simply permit everything):

{primary:node1}[edit]
set security policies default-policy permit-all

6. Configure IKE

{primary:node1}[edit]
set security ike proposal IKE_PRO_MY_NET description MY_NETWORK_IKE_PROPOSAL
set security ike proposal IKE_PRO_MY_NET authentication-method pre-shared-keys
set security ike proposal IKE_PRO_MY_NET dh-group group5
set security ike proposal IKE_PRO_MY_NET authentication-algorithm sha1
set security ike proposal IKE_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_MY_NET lifetime-seconds 28800
set security ike policy IKE_POL_MY_NET mode aggressive
set security ike policy IKE_POL_MY_NET proposals IKE_PRO_MY_NET
set security ike policy IKE_POL_MY_NET pre-shared-key ascii-text test

set security ike gateway IKE_CISCO_1841 ike-policy IKE_POL_MY_NET
set security ike gateway IKE_CISCO_1841 address 91.208.39.30
set security ike gateway IKE_CISCO_1841 local-identity inet 217.9.80.22
set security ike gateway IKE_CISCO_1841 external-interface reth0.0

7. Configure IPsec

{primary:node1}[edit]
set security ipsec proposal IPSEC_PRO_MY_NET protocol esp
set security ipsec proposal IPSEC_PRO_MY_NET authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_MY_NET encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-seconds 28800
set security ipsec proposal IPSEC_PRO_MY_NET lifetime-kilobytes 4608000

set security ipsec policy IPSEC_POL_MY_NET perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL_MY_NET proposals IPSEC_PRO_MY_NET
set security ipsec vpn VPN_CISCO_1841 bind-interface st0.0
set security ipsec vpn VPN_CISCO_1841 df-bit clear
set security ipsec vpn VPN_CISCO_1841 ike gateway IKE_CISCO_1841
set security ipsec vpn VPN_CISCO_1841 ike no-anti-replay
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity service junos-gre
set security ipsec vpn VPN_CISCO_1841 ike ipsec-policy IPSEC_POL_MY_NET
set security ipsec vpn VPN_CISCO_1841 establish-tunnels immediately

8. Configure routing (the Cisco loopback is reached through the st0 tunnel, which is what pulls the GRE traffic into IPsec):

{primary:node1}[edit]
set routing-options static route 172.31.254.2/32 next-hop st0.0

9. Save and apply the configuration:

{primary:node1}[edit]
commit

Cisco configuration.

1. Assign an IP address to the loopback interface:

conf t
interface Loopback0
ip address 172.31.254.2 255.255.255.255
end

2. Create the GRE interface:

conf t
interface Tunnel0
description link1 Cisco_1841 -> Juniper SRX
ip address 192.168.254.1 255.255.255.254
ip mtu 1476
ip ospf network point-to-point
no clns route-cache
tunnel source Loopback0
tunnel destination 172.31.254.1
end

3. Configure IKE

conf t
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 28800
exit

crypto isakmp key test address 217.9.80.22
end

4. Configure the crypto access list (it must mirror the proxy identities set on the SRX):

conf t
ip access-list extended ipsec_Juniper_SRX
permit ip host 172.31.254.2 host 172.31.254.1
end

5. Configure IPsec

conf t
crypto ipsec transform-set MY_NET esp-aes esp-sha-hmac
exit

crypto map my-cmap 10 ipsec-isakmp
set peer 217.9.80.22
set security-association lifetime seconds 28800
set transform-set MY_NET
set pfs group5
match address ipsec_Juniper_SRX
end

6. Apply the crypto map to the outside interface

conf t
int fa 0/0
crypto map my-cmap
end

7. Save the configuration

wr
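As an added example (not code from the original page), the following Python script cross-checks the two sides of this setup for the mismatches that most often leave such a tunnel down: each router's GRE destination must be the other's loopback, the SRX proxy-identity must mirror the Cisco crypto ACL, and the two GRE addresses must form one /31. The embedded configuration excerpts are constructed from this page's values; the regexes cover only these lines, not general Junos/IOS parsing.

```python
import re
import ipaddress
# Constructed excerpts of the two sides from this page (not the full configs).
JUNIPER = """\
set interfaces lo0 unit 0 family inet address 172.31.254.1/32
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.2
set interfaces gr-0/0/0 unit 0 family inet address 192.168.254.0/31
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity local 172.31.254.1/32
set security ipsec vpn VPN_CISCO_1841 ike proxy-identity remote 172.31.254.2/32
"""
CISCO = """\
interface Loopback0
 ip address 172.31.254.2 255.255.255.255
interface Tunnel0
 ip address 192.168.254.1 255.255.255.254
 tunnel destination 172.31.254.1
ip access-list extended ipsec_Juniper_SRX
 permit ip host 172.31.254.2 host 172.31.254.1
"""

def grab(cfg, pattern):
    """First capture group of pattern in cfg, or None if absent."""
    m = re.search(pattern, cfg)
    return m.group(1) if m else None
def juniper_facts(cfg):
    return {"lo": grab(cfg, r"lo0 unit 0 family inet address (\S+)/32"),
            "gre_dst": grab(cfg, r"tunnel destination (\S+)"),
            "gre_addr": grab(cfg, r"gr-\S+ unit 0 family inet address (\S+)"),
            "proxy_local": grab(cfg, r"proxy-identity local (\S+)/32"),
            "proxy_remote": grab(cfg, r"proxy-identity remote (\S+)/32")}
def cisco_facts(cfg):
    addr = grab(cfg, r"Tunnel0\n ip address (\S+ \S+)")  # "ip mask" -> "ip/mask"
    return {"lo": grab(cfg, r"Loopback0\n ip address (\S+) 255\.255\.255\.255"),
            "gre_dst": grab(cfg, r"tunnel destination (\S+)"),
            "gre_addr": addr.replace(" ", "/"),
            "acl_src": grab(cfg, r"permit ip host (\S+) host"),
            "acl_dst": grab(cfg, r"permit ip host \S+ host (\S+)")}
def cross_check(j, c):
    """Mismatches between the two sides as readable strings; empty means consistent."""
    problems = []
    if j["gre_dst"] != c["lo"]:
        problems.append("SRX GRE destination %s is not the Cisco loopback %s" % (j["gre_dst"], c["lo"]))
    if c["gre_dst"] != j["lo"]:
        problems.append("Cisco tunnel destination %s is not the SRX loopback %s" % (c["gre_dst"], j["lo"]))
    if (j["proxy_local"], j["proxy_remote"]) != (c["acl_dst"], c["acl_src"]):
        problems.append("SRX proxy-identity does not mirror the Cisco crypto ACL")
    ja, ca = ipaddress.ip_interface(j["gre_addr"]), ipaddress.ip_interface(c["gre_addr"])
    if ja.network != ca.network or ja.ip == ca.ip:
        problems.append("GRE addresses %s and %s are not one /31 pair" % (ja, ca))
    return problems
```

Running `cross_check(juniper_facts(JUNIPER), cisco_facts(CISCO))` returns an empty list for a consistent pair; pointing the Cisco tunnel destination at its own loopback (a common slip) produces a single mismatch line.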

ru/jobs/vpn_gre_over_ipsec_1.txt · Last modified: 2015/03/12 17:14 by admin