Configuring an IPsec tunnel between a local and a remote site: Juniper configuration steps with an example
16.12.2019 | by massimiliano
https://www.ingegnerianetworking.com/wp-content/uploads/2019/12/ipsec-tunnel-junos-d45.png
REFERENCE ARCHITECTURE
The parameters must match the following configuration items:
LOCAL SITE:
local IP private network
public network zone
public network interface
tunnel zone
tunnel interface
tunnel IP interface
REMOTE SITE:
remote IP address public router
remote IP private network
CONFIGURATION EXAMPLE:
Remote Endpoint: 192.168.0.0/28
Local Endpoint: 10.10.10.0/24
Phase 1: AES-256, SHA1, DH2
Phase 2: ESP, SHA1, AES-256
TUNNEL INTERFACE
set interfaces st0 unit 22 family inet
set security zones security-zone untrust-vpn interfaces st0.22
ROUTE
set routing-options static route 192.168.0.0/28 next-hop st0.22
PROPOSALS
set security ike proposal IKE-DH2-AES256-SHA1 authentication-method pre-shared-keys
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike proposal IKE-DH2-AES256-SHA1 authentication-algorithm sha1
set security ike proposal IKE-DH2-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-DH2-AES256-SHA1 lifetime-seconds 3600
set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec proposal IPSEC-ESP-AES256-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-ESP-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-ESP-AES256-SHA1 lifetime-seconds 3600
PHASE 1
set security ike policy IKE-POLICY-SITE-A mode main
set security ike policy IKE-POLICY-SITE-A proposals IKE-DH2-AES256-SHA1
set security ike policy IKE-POLICY-SITE-A pre-shared-key ascii-text
set security ike gateway IKE-PEER-SITE-A ike-policy IKE-POLICY-SITE-A
set security ike gateway IKE-PEER-SITE-A address
set security ike gateway IKE-PEER-SITE-A external-interface rethx.y
PHASE 2
set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITE-A bind-interface st0.22
set security ipsec vpn VPN-SITE-A ike gateway IKE-PEER-SITE-A
set security ipsec vpn VPN-SITE-A ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITE-A establish-tunnels immediately
POLICY
set security zones security-zone untrust-vpn address-book address 192.168.0.0/28 192.168.0.0/28
set security zones security-zone trust address-book address 10.10.10.0/24 10.10.10.0/24
!
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match source-address 10.10.10.0/24
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match destination-address 192.168.0.0/28
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match application any
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn then permit
!
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match source-address 192.168.0.0/28
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match destination-address 10.10.10.0/24
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn then permit
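Typos in a hand-typed set-format config such as the one above (a VPN pointing at a gateway name that was never defined, or a mistyped prefix) commit without error on the box and only show up later as a tunnel that never comes up. The following linter is an added example, not code from the original post or from Juniper; the sample commands, object names and reference patterns are constructed here, and the DH-group check flags the 1024-bit group2 used in this example as a legacy choice.

```python
import ipaddress
import re

# Constructed sample (a subset of the commands above) with two deliberate typos:
# a VPN referencing an undefined gateway name, and a malformed source prefix.
SAMPLE = """
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike policy IKE-POLICY-SITE-A proposals IKE-DH2-AES256-SHA1
set security ike gateway IKE-PEER-SITE-A ike-policy IKE-POLICY-SITE-A
set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITE-A ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITE-A ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITE-A bind-interface st0.22
set interfaces st0 unit 22 family inet
set security policies from-zone trust to-zone untrust-vpn policy p match source-address 10.10.10.0./24
set routing-options static route 192.168.0.0/28 next-hop st0.22
"""

# For each object kind: the pattern that defines it and the pattern that references it.
DEFS = {
    "ike proposal":   r"set security ike proposal (\S+)",
    "ike policy":     r"set security ike policy (\S+)",
    "ike gateway":    r"set security ike gateway (\S+)",
    "ipsec proposal": r"set security ipsec proposal (\S+)",
    "ipsec policy":   r"set security ipsec policy (\S+)",
    "st0 unit":       r"set interfaces st0 unit (\d+)",
}
REFS = {
    "ike proposal":   r"set security ike policy \S+ proposals (\S+)",
    "ike policy":     r"set security ike gateway \S+ ike-policy (\S+)",
    "ike gateway":    r"set security ipsec vpn \S+ ike gateway (\S+)",
    "ipsec proposal": r"set security ipsec policy \S+ proposals (\S+)",
    "ipsec policy":   r"set security ipsec vpn \S+ ike ipsec-policy (\S+)",
    "st0 unit":       r"(?:bind-interface|next-hop|interfaces) st0\.(\d+)",
}

def lint(config: str) -> list[str]:
    """Return one message per problem found; an empty list means the config is consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    problems = []
    for kind, ref_pat in REFS.items():
        defined = {m.group(1) for l in lines if (m := re.match(DEFS[kind], l))}
        for l in lines:
            m = re.search(ref_pat, l)
            if m and m.group(1) not in defined:
                problems.append(f"unresolved {kind} '{m.group(1)}' in: {l}")
    for l in lines:
        for tok in (t for t in l.split() if "/" in t):   # every prefix-looking token
            try:
                ipaddress.ip_network(tok, strict=False)
            except ValueError:
                problems.append(f"malformed prefix '{tok}' in: {l}")
        if re.search(r"dh-group group[125]\b", l):   # 768/1024/1536-bit MODP groups
            problems.append(f"legacy DH group, prefer group14 or stronger: {l}")
    return problems

if __name__ == "__main__":
    for p in lint(SAMPLE):
        print(p)
```

Run it against the full set output of `show configuration | display set` before committing; an empty result means every proposal, policy, gateway and st0 unit referenced is actually defined.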