
Juniper SRX - VMWare Cloud tunnel


VMWare Cloud (https://cloud.vmware.com) is a platform for hosting virtual machines. Large providers often use it to offer resources in a data centre, and we can place our own servers in such a DC.
To connect the DC subnet with our internal subnet, we need an IPsec connection.

Configuring a route-based VPN

Juniper SRX 650

1) Create the tunnel interface, the security zone and a static route to the VDC network:
set interfaces st0 unit 10 description "To cloud Tunnel"
set interfaces st0 unit 10 family inet address 10.2.252.25/30
set security zones security-zone vpn interfaces st0.10
set routing-options static route 10.240.0.0/16 next-hop 10.2.252.26

2) IKE phase 1 configuration:

set security ike proposal PRP-IKE-EDGE authentication-method pre-shared-keys
set security ike proposal PRP-IKE-EDGE dh-group group14
set security ike proposal PRP-IKE-EDGE authentication-algorithm sha1
set security ike proposal PRP-IKE-EDGE encryption-algorithm aes-128-cbc
set security ike proposal PRP-IKE-EDGE lifetime-seconds 28800
set security ike policy ike-policy-cloud mode main
set security ike policy ike-policy-cloud proposals PRP-IKE-EDGE
set security ike policy ike-policy-cloud pre-shared-key ascii-text [PASSWORD]
set security ike gateway ike-gate-cloud ike-policy ike-policy-cloud
set security ike gateway ike-gate-cloud address [IP EDGE Cloud]
set security ike gateway ike-gate-cloud external-interface lo0.0
set security ike gateway ike-gate-cloud local-address [IP Juniper]

3) IKE phase 2 configuration:

set security ipsec proposal PRP-IPS-EDGE protocol esp
set security ipsec proposal PRP-IPS-EDGE authentication-algorithm hmac-sha1-96
set security ipsec proposal PRP-IPS-EDGE encryption-algorithm aes-128-cbc
set security ipsec proposal PRP-IPS-EDGE lifetime-seconds 3600

set security ipsec policy ipsec-policy-cloud perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy-cloud proposals PRP-IPS-EDGE

set security ipsec vpn ipsec-vpn-cloud bind-interface st0.10
set security ipsec vpn ipsec-vpn-cloud ike gateway ike-gate-cloud
set security ipsec vpn ipsec-vpn-cloud ike proxy-identity local 10.10.0.0/16 remote 10.240.0.0/16 service any
set security ipsec vpn ipsec-vpn-cloud ike ipsec-policy ipsec-policy-cloud
set security ipsec vpn ipsec-vpn-cloud establish-tunnels immediately

set security zones security-zone vpn address-book address net-cloud-10_240_0_0-16 10.240.0.0/16

set security policies from-zone trust to-zone vpn policy trust-vpn-cloud match source-address net-imh
set security policies from-zone trust to-zone vpn policy trust-vpn-cloud match destination-address net-cloud-10_240_0_0-16
set security policies from-zone trust to-zone vpn policy trust-vpn-cloud match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cloud then permit

set security policies from-zone vpn to-zone trust policy vpn-trust-cloud match source-address net-cloud-10_240_0_0-16
set security policies from-zone vpn to-zone trust policy vpn-trust-cloud match destination-address net-imh
set security policies from-zone vpn to-zone trust policy vpn-trust-cloud match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cloud then permit
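As an added check that is not part of the original article: a small Python script that reads Junos set lines like the ones above and flags what a reviewer of this tunnel would look at first, namely SHA-1-based integrity algorithms, weak DH groups, an IPsec policy without PFS, and a proxy-identity remote prefix that has no matching static route (traffic for the cloud network would then never be steered into st0). The weak-algorithm baseline and the embedded sample lines are this script's own assumptions, not a Juniper or VMware requirement.

```python
import re

# Junos "set" lines taken from the article (credential and peer-address placeholders omitted).
SAMPLE_CONFIG = """
set security ike proposal PRP-IKE-EDGE authentication-method pre-shared-keys
set security ike proposal PRP-IKE-EDGE dh-group group14
set security ike proposal PRP-IKE-EDGE authentication-algorithm sha1
set security ipsec proposal PRP-IPS-EDGE authentication-algorithm hmac-sha1-96
set security ipsec policy ipsec-policy-cloud perfect-forward-secrecy keys group14
set security ipsec vpn ipsec-vpn-cloud ike proxy-identity local 10.10.0.0/16 remote 10.240.0.0/16 service any
set routing-options static route 10.240.0.0/16 next-hop 10.2.252.26
"""

# Baseline assumed by this script (an editorial choice, not a Juniper or VMware requirement).
WEAK_INTEGRITY = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_DH = {"group1", "group2", "group5"}

PROPOSAL = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (\S+)(?: (.+))?$")
PROXY_ID = re.compile(r"^set security ipsec vpn (\S+) ike proxy-identity .*remote (\S+)")
ROUTE = re.compile(r"^set routing-options static route (\S+) next-hop")

def parse(text):
    """Group proposal/policy leaves by object; collect proxy-identity remotes and static routes."""
    objects, remotes, routes = {}, {}, set()
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := PROPOSAL.match(line):
            phase, kind, name, leaf, val = m.groups()
            objects.setdefault((phase, kind, name), {})[leaf] = val or ""
        elif m := PROXY_ID.match(line):
            remotes[m.group(1)] = m.group(2)
        elif m := ROUTE.match(line):
            routes.add(m.group(1))
    return objects, remotes, routes

def audit(text):
    """Return sorted finding strings: weak algorithms, missing PFS, proxy-identity with no route."""
    objects, remotes, routes = parse(text)
    findings = []
    for (phase, kind, name), leaves in objects.items():
        if kind == "proposal" and leaves.get("authentication-algorithm") in WEAK_INTEGRITY:
            findings.append(f"{name}: weak integrity algorithm {leaves['authentication-algorithm']}")
        if kind == "proposal" and leaves.get("dh-group") in WEAK_DH:
            findings.append(f"{name}: weak DH group {leaves['dh-group']}")
        if phase == "ipsec" and kind == "policy" and "perfect-forward-secrecy" not in leaves:
            findings.append(f"{name}: no perfect-forward-secrecy configured")
    for vpn, prefix in remotes.items():
        if prefix not in routes:  # without a route, traffic for the remote prefix never enters st0
            findings.append(f"{vpn}: proxy-identity remote {prefix} has no static route")
    return sorted(findings)
```

Run against the article's own lines it reports the two SHA-1 integrity algorithms and nothing else; paste the full exported config instead of SAMPLE_CONFIG to audit a live box.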

Settings on the VMWare Cloud side

Verification
SRX> show security ike security-associations | match 92.X.149.136
5687084 UP 2bd01e30587976f3 ce200e6e99fbe13e Main
92.X.149.136

SRX> show security ipsec security-associations | match 92.X.149.136
131094 ESP:aes-cbc-128/sha1 c3621395 2600/ unlim - root 500 92.246.149.136

SRX> show interfaces st0.10 terse
Interface Admin Link Proto Local Remote
st0.10 up up inet 10.2.252.25/30

SRX> ping 10.2.252.26
PING 10.2.252.26 (10.2.252.26): 56 data bytes
64 bytes from 10.2.252.26: icmp_seq=0 ttl=64 time=3.375 ms
64 bytes from 10.2.252.26: icmp_seq=1 ttl=64 time=3.264 ms
64 bytes from 10.2.252.26: icmp_seq=2 ttl=64 time=3.199 ms
64 bytes from 10.2.252.26: icmp_seq=3 ttl=64 time=3.245 ms
