![]() Set security ipsec vpn IPSEC-VPN ike gateway IKE-gw Set security ipsec vpn IPSEC-VPN vpn-monitor Set security ipsec vpn IPSEC-VPN bind-interface st0.0 Set security ipsec policy IPSEC-POL proposals IPSEC-prop Set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group2 Set security ipsec proposal IPSEC-prop lifetime-seconds 3600 Set security ipsec proposal IPSEC-prop encryption-algorithm aes-128-cbc Set security ipsec proposal IPSEC-prop authentication-algorithm hmac-sha1-96 Set security ipsec proposal IPSEC-prop protocol esp Teraz prejdeme k druhej faze IPSEC, najprv vytovrime IPSEC proposal IPSEC-prop opat mozno pouzit aj defaultny standard Set security ike gateway IKE-gw external-interface fe-0/0/0 Set security ike gateway IKE-gw address 80.94.50.5 Set security ike gateway IKE-gw ike-policy IKE-pol Set security ike policy IKE-pol pre-shared-key ascii-text my-pre-shared-keyĪ ako posledne nastavime IKE gateway, kde nastavime nase IKE policy, interface cez ktory sa pripajame k remote srx a ip adresu remote srx Set security ike policy IKE-pol proposals IKE-prop Set security ike policy IKE-pol mode main Set security ike proposal IKE-prop lifetime-seconds 3600set security ike gateway IKE-gw ike-policy IKE-pol Set security ike proposal IKE-prop encryption-algorithm aes-128-cbc Set security ike proposal IKE-prop authentication-algorithm sha1 Set security ike proposal IKE-prop dh-group group2 Set security ike proposal IKE-prop authentication-method pre-shared-keys Vytvorime IKE proposal IKE-prop, je mozne pouzit aj default proposal napr. Konfiguracia IKE a IPSEC je na oboch zariadeniach zhodna, jedine co sa meni je IKE-GW kde treba nastavit spravny external-interface a remote ip adresu. Faza 2 – VPN tunel pre uzivatelsky traffic.Faza 1 – vytorenie bezpecneho kanala pre komunikaciu zariadeni nastavuje sa v sekcii. ![]() Internet Key Exchange protkol na vytovorenie tunelu medzi SRX zariadeniami.IKE pracuje v dvoch fazach. Konfiguracia srx-a (LOCAL), sipky ukazuju smer trafficu medzi zonami lan a vpn.IPsec pakety idu von cez interface fe-0/0/0 v security zone internet.Nie je potrebna ziadna policy medzi zonami vpn a internet.Pre zonu internet musi byt povoleny host-inbound-traffic ike, Ulohou je teda vytvorit bezpecny tunel medzi srx-a(LOCAL) a srx-b(REMOTE).Vyuzijeme na route based ipsec vpn, ktora nam umoznuje oddelit vpn konfiguraciu od security-policies konfiguracie. V tomto navode sa pozrieme na to ako nastavit route-based site-to-site vpn medzi dvoma Juniper SRX 100 zariadeniami.Podla schemy mame zapojenu siet takze mame 2 SRXy LOCAL a REMOTE, ktore poskytuju pristup na internet a potrebujeme zabezpecit bezpecnu kominukaciu pre klienov z LOCAL lan-ky do REMOTE lan-ky a naopak.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |