IPsec tunnel between a local and a remote site: configuration steps with a Juniper example


16.12 2019 | by massimiliano


Configuration of an IPsec tunnel between two sites, local and remote, following the Juniper (Junos) configuration steps, with a worked example.

REFERENCE ARCHITECTURE

[Figure: ipsec tunnel junos, https://www.ingegnerianetworking.com/wp-content/uploads/2019/12/ipsec-tunnel-junos-d45.png]

The parameters must cover the following configuration steps:

LOCAL SITE:

     local private IP network
     public network zone
     public network interface
     tunnel zone
     tunnel interface
     tunnel interface IP address

REMOTE SITE:

      remote public IP address of the router
      remote private IP network

CONFIGURATION EXAMPLE:

Remote Endpoint (remote private network) : 192.168.0.0/28
Local Endpoint (local private network) : 10.10.10.0/24
Phase 1 : AES-256, SHA1, DH2
Phase 2 : ESP, SHA1, AES-256

TUNNEL INTERFACE


set interfaces st0 unit 22 family inet
set security zones security-zone untrust-vpn interfaces st0.22

ROUTE


set routing-options static route 192.168.0.0/28 next-hop st0.22

PROPOSALS


set security ike proposal IKE-DH2-AES256-SHA1 authentication-method pre-shared-keys
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike proposal IKE-DH2-AES256-SHA1 authentication-algorithm sha1
set security ike proposal IKE-DH2-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-DH2-AES256-SHA1 lifetime-seconds 3600

set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec proposal IPSEC-ESP-AES256-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-ESP-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-ESP-AES256-SHA1 lifetime-seconds 3600

PHASE 1


set security ike policy IKE-POLICY-SITE-A mode main
set security ike policy IKE-POLICY-SITE-A proposals IKE-DH2-AES256-SHA1
set security ike policy IKE-POLICY-SITE-A pre-shared-key ascii-text
set security ike gateway IKE-PEER-SITE-A ike-policy IKE-POLICY-SITE-A
set security ike gateway IKE-PEER-SITE-A address
set security ike gateway IKE-PEER-SITE-A external-interface rethx.y

PHASE 2


set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITE-A bind-interface st0.22
set security ipsec vpn VPN-SITE-A ike gateway IKE-PEER-SITE-A
set security ipsec vpn VPN-SITE-A ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITE-A establish-tunnels immediately

POLICY


set security zones security-zone untrust-vpn address-book address 192.168.0.0/28 192.168.0.0/28
set security zones security-zone trust address-book address 10.10.10.0/24 10.10.10.0/24

set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match source-address 10.10.10.0/24
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match destination-address 192.168.0.0/28
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match application any
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn then permit

set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match source-address 192.168.0.0/28
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match destination-address 10.10.10.0/24
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn then permit
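The six blocks above (tunnel interface, route, proposals, phase 1, phase 2, policy) only work as a whole when every name in one block resolves to an object defined in another: the IKE policy must name an existing IKE proposal, the gateway an existing IKE policy, the VPN an existing gateway, IPsec policy and st0 unit, and the security policies must use addresses that exist in the address book of the right zone. A commit will accept most of these slips and the tunnel simply never comes up. The following script is an added example, not code from the original post or from Juniper: it parses `set` statements and reports dangling references along that chain. SAMPLE_CONFIG is a constructed copy of the article's configuration in which the pre-shared key, peer address and external interface, which the article leaves blank, are filled with placeholders, and the gateway name on the `ipsec vpn ... ike gateway` line is spelled `IKE-PEER-SITEA` (the gateway is defined as `IKE-PEER-SITE-A`) so the check has something to find.

```python
"""Cross-reference check for a Junos route-based IPsec VPN written as `set` statements.

Added example, not code from the original post: it follows the chain IKE proposal -> IKE
policy -> IKE gateway -> IPsec VPN -> IPsec policy -> IPsec proposal, the st0 unit and its
zone, the static route and the address-book entries behind the security policies, and
reports every reference that does not resolve.
"""

# Constructed copy of the article's configuration. Pre-shared key, peer address and
# external interface are placeholders; the gateway name on the `ipsec vpn ... ike gateway`
# line is left misspelled on purpose so the check has something to find.
SAMPLE_CONFIG = """\
set interfaces st0 unit 22 family inet
set security zones security-zone untrust-vpn interfaces st0.22
set routing-options static route 192.168.0.0/28 next-hop st0.22
set security ike proposal IKE-DH2-AES256-SHA1 authentication-method pre-shared-keys
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike proposal IKE-DH2-AES256-SHA1 authentication-algorithm sha1
set security ike proposal IKE-DH2-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-DH2-AES256-SHA1 lifetime-seconds 3600
set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec proposal IPSEC-ESP-AES256-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-ESP-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-ESP-AES256-SHA1 lifetime-seconds 3600
set security ike policy IKE-POLICY-SITE-A mode main
set security ike policy IKE-POLICY-SITE-A proposals IKE-DH2-AES256-SHA1
set security ike policy IKE-POLICY-SITE-A pre-shared-key ascii-text PSK-PLACEHOLDER
set security ike gateway IKE-PEER-SITE-A ike-policy IKE-POLICY-SITE-A
set security ike gateway IKE-PEER-SITE-A address 203.0.113.1
set security ike gateway IKE-PEER-SITE-A external-interface reth0.0
set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITE-A bind-interface st0.22
set security ipsec vpn VPN-SITE-A ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITE-A ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITE-A establish-tunnels immediately
set security zones security-zone untrust-vpn address-book address 192.168.0.0/28 192.168.0.0/28
set security zones security-zone trust address-book address 10.10.10.0/24 10.10.10.0/24
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match source-address 10.10.10.0/24
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match destination-address 192.168.0.0/28
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match application any
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn then permit
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match source-address 192.168.0.0/28
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match destination-address 10.10.10.0/24
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn then permit
"""

def check_config(text):
    """Return a list of findings; an empty list means every reference resolves."""
    stmts = [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]
    objs, st_units, zone_ifaces, book = {}, set(), set(), {}
    for t in stmts:  # first pass: what is defined
        if t[0] == "interfaces" and len(t) > 3 and t[2] == "unit":
            st_units.add(f"{t[1]}.{t[3]}")  # e.g. st0.22
        elif t[0] == "security" and len(t) > 4 and t[1] in ("ike", "ipsec"):
            objs.setdefault((t[1], t[2], t[3]), set()).add(t[4])  # attribute names per object
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) > 5:
            if t[4] == "interfaces":
                zone_ifaces.add(t[5])
            elif t[4:6] == ["address-book", "address"] and len(t) > 6:
                book.setdefault(t[3], set()).add(t[6])
    out = []

    def need(fam, kind, name, where):
        if (fam, kind, name) not in objs:
            out.append(f"{where} references undefined {fam} {kind} {name}")

    for t in stmts:  # second pass: resolve every reference
        if t[0] == "security" and len(t) > 5 and t[1] in ("ike", "ipsec"):
            fam, kind, name, rest = t[1], t[2], t[3], t[4:]
            where = f"{fam} {kind} {name}"
            if kind == "policy" and rest[0] == "proposals":
                need(fam, "proposal", rest[1], where)
            elif kind == "gateway" and rest[0] == "ike-policy":
                need("ike", "policy", rest[1], where)
            elif kind == "vpn" and rest[:2] == ["ike", "gateway"]:
                need("ike", "gateway", rest[2], where)
            elif kind == "vpn" and rest[:2] == ["ike", "ipsec-policy"]:
                need("ipsec", "policy", rest[2], where)
            elif kind == "vpn" and rest[0] == "bind-interface":
                for known, what in ((st_units, "unit definition"), (zone_ifaces, "zone membership")):
                    if rest[1] not in known:
                        out.append(f"{where} binds {rest[1]} which has no {what}")
        elif t[:3] == ["routing-options", "static", "route"] and len(t) > 5 and t[4] == "next-hop":
            if t[5].startswith("st") and t[5] not in st_units:
                out.append(f"route {t[3]} points at undefined tunnel interface {t[5]}")
        elif t[:2] == ["security", "policies"] and len(t) > 10 and t[8] == "match":
            # source must exist in the from-zone book, destination in the to-zone book
            zone = {"source-address": t[3], "destination-address": t[5]}.get(t[9])
            if zone and t[10] != "any" and t[10] not in book.get(zone, set()):
                out.append(f"policy {t[7]} {t[9]} {t[10]} is not in the {zone} address book")
    # a gateway without peer address / external interface, or an IKE policy without a
    # pre-shared key, cannot negotiate phase 1 at all
    for (fam, kind, name), attrs in objs.items():
        if (fam, kind) == ("ike", "gateway"):
            out.extend(f"ike gateway {name} has no {a}" for a in ("address", "external-interface") if a not in attrs)
        if (fam, kind) == ("ike", "policy") and "pre-shared-key" not in attrs:
            out.append(f"ike policy {name} has no pre-shared-key")
    return out

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no dangling references"]:
        print(finding)
```

Run against the constructed sample the only finding is the `IKE-PEER-SITEA` gateway that no `set security ike gateway` line defines; correct the name and the list is empty. The same check catches an address-book entry renamed without updating the policies that use it, which on a real box shows up as a policy that silently matches nothing.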