VPN Juniper

Policy-Based VPN
Requirements

Configuring Interface, Static Route, Security Zone, and Address Book Information

set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone untrust

Configuring IKE

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago address 2.2.2.2

Configuring IPsec

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy

Configuring Security Policies

set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address sunnyvale
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any
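A policy-based tunnel only carries traffic if the two policies reference each other through pair-policy and the tunnel policy is evaluated before any broader permit in the same zone pair, which is what the closing insert statement guarantees. The Python lint below is an added example, not code from the page or from Juniper; it reads the set/insert statements as text, and CONFIG is a constructed sample cut down from the page's own policies.

```python
import re
# Constructed sample: the page's trust<->untrust policies, cut down to what this
# lint reads, with permit-any first to show why the closing insert statement matters.
CONFIG = """
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any then permit
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any
"""
LINE = re.compile(r"^(set|insert) security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
KEYS = {"then permit tunnel ipsec-vpn": "vpn", "then permit tunnel pair-policy": "pair",
        "match source-address": "src", "match destination-address": "dst"}
def parse(cfg):
    # Returns ({zone pair: [policy names in lookup order]}, {(zone pair, name): attrs})
    order, attrs = {}, {}
    for line in cfg.strip().splitlines():
        m = LINE.match(line)
        if not m: continue
        verb, fz, tz, name, rest = m.groups()
        names = order.setdefault((fz, tz), [])
        if verb == "insert":  # "before|after policy <target>" reorders the zone pair
            where, _, target = rest.split()
            names.remove(name)
            names.insert(names.index(target) + (where == "after"), name)
            continue
        if name not in names: names.append(name)
        a = attrs.setdefault(((fz, tz), name), {})
        for prefix, key in KEYS.items():
            if rest.startswith(prefix):
                a[key] = rest.split()[-1]
    return order, attrs

def lint(cfg):
    """Flag tunnel policies whose pair-policy does not point back, or that sit behind an any/any permit."""
    order, attrs = parse(cfg)
    findings = []
    for (ctx, name), a in attrs.items():
        if "vpn" not in a: continue
        # the reverse zone pair must hold the named pair-policy, pointing back at us, same VPN
        back = attrs.get(((ctx[1], ctx[0]), a.get("pair")), {})
        if back.get("pair") != name or back.get("vpn") != a["vpn"]:
            findings.append(f"{name}: pair-policy not mirrored")
        # any earlier non-tunnel any/any permit in the same zone pair matches first
        for earlier in order[ctx][: order[ctx].index(name)]:
            b = attrs[(ctx, earlier)]
            if "vpn" not in b and b.get("src") == b.get("dst") == "any":
                findings.append(f"{name}: shadowed by {earlier}")
    return findings
```

Dropping the insert line from the sample reproduces the case where permit-any already existed on the box before the VPN policies were added.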
Route-Based VPN
Requirements

Configuring Interface, Static Route, Security Zone, and Address Book Information

set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn-chicago interfaces st0.0
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone vpn-chicago

Configuring IKE

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago address 2.2.2.2

Configuring IPsec

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-chicago bind-interface st0.0

Configuring Security Policies

set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match source-address sunnyvale
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match destination-address chicago
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match application any
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi then permit
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match source-address chicago
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match destination-address sunnyvale
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match application any
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr then permit
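In the route-based variant the pieces that must agree are spread across four places: the VPN is bound to st0.0, st0.0 sits in its own zone (vpn-chicago), the static route for the remote prefix points at st0.0, and, because the address books are zone-attached, an address used in a policy must live in the book attached to the zone it is matched in (from-zone for source, to-zone for destination). The audit below is an added example, not code from the page or from Juniper; CONFIG is a constructed sample cut down from the page's route-based statements.

```python
# Constructed sample: the page's route-based configuration, cut down to the
# statements this audit reads (route, zones, address books, VPN binding, policies).
CONFIG = """
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone vpn-chicago interfaces st0.0
set security address-book book1 address sunnyvale 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address chicago 192.168.168.0/24
set security address-book book2 attach zone vpn-chicago
set security ipsec vpn ike-vpn-chicago bind-interface st0.0
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match source-address sunnyvale
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match destination-address chicago
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match source-address chicago
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match destination-address sunnyvale
"""

def audit(cfg):
    """Return findings where interface, zone, route and address-book statements disagree."""
    iface_zone, book_zone, addrs, routes, binds, refs = {}, {}, {}, {}, {}, []
    for line in cfg.strip().splitlines():
        w = line.split()
        if w[1:4] == ["security", "zones", "security-zone"] and w[5:6] == ["interfaces"]:
            iface_zone[w[6]] = w[4]                     # interface -> zone
        elif w[1:3] == ["security", "address-book"] and w[4:5] == ["attach"]:
            book_zone[w[3]] = w[6]                      # book -> zone
        elif w[1:3] == ["security", "address-book"] and w[4:5] == ["address"]:
            addrs[w[5]] = (w[3], w[6])                  # name -> (book, prefix)
        elif w[1:4] == ["routing-options", "static", "route"]:
            routes[w[4]] = w[6]                         # prefix -> next-hop
        elif w[1:4] == ["security", "ipsec", "vpn"] and w[5:6] == ["bind-interface"]:
            binds[w[4]] = w[6]                          # vpn -> st interface
        elif w[1:3] == ["security", "policies"] and w[9:10] == ["match"] and w[10].endswith("-address"):
            # a source address is looked up in the from-zone, a destination in the to-zone
            refs.append((w[8], w[11], w[4] if w[10] == "source-address" else w[6]))
    findings = [f"{v}: bind-interface {i} is not in any security zone"
                for v, i in binds.items() if i not in iface_zone]
    tunnel_zones = {iface_zone[i]: i for i in binds.values() if i in iface_zone}
    for name, (book, prefix) in addrs.items():
        zone = book_zone.get(book)
        # an address in the tunnel zone's book is remote: it must be routed into the tunnel
        if zone in tunnel_zones and routes.get(prefix) != tunnel_zones[zone]:
            findings.append(f"{name}: {prefix} is not routed via {tunnel_zones[zone]}")
    for policy, name, zone in refs:
        # zone-attached books: the address must be in the book attached to that zone
        if name not in addrs or book_zone.get(addrs[name][0]) != zone:
            findings.append(f"{policy}: {name} is not in the address book attached to zone {zone}")
    return findings
```

Attaching book2 to untrust instead of vpn-chicago, an easy slip when copying from the policy-based example, is the mismatch the last check catches.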
1 comment:

Hi! Searching the web, I came across your blog!
Just as you see it... I'm putting together a small manual and starting from scratch; I don't really intend to document 100% of it, I just want to put down on paper some very specific tasks. I hope you can give me a hand!
What is being done with this pair of routines:
edit routing-options static
set route 10.216.14.0/24 next-hop st0.0
exit
edit
set security zones security-zone untrust address-book address FC_MIS_EUL 10.216.14.0/24
commit
exit
Many thanks in advance!