The diagram:
LAN (10.1.1.0/24) - SSG140 WAN (1.1.1.1) <–> Internet <–> IPCop RED (2.2.2.1) – GREEN (10.2.2.0/24)
SSG140
Untrust zone eth0/0 IP 1.1.1.1
Trust zone eth0/2 IP 10.1.1.1/24
IPCop 1.4.15
RED IP: 2.2.2.1
GREEN: 10.2.2.1/24
Juniper configuration CLI
Phase 1 Config
set ike gateway "IPCOP" address 2.2.2.1 Main outgoing-interface "ethernet0/0" preshare "secret" proposal "pre-g2-3des-md5"
set ike gateway "IPCOP" dpd interval 30
Phase 2 Config
set vpn "IPCOP-VPN" gateway "IPCOP" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
Policy setup
set policy id 2 from "Trust" to "Untrust" "10.1.1.0/24" "10.2.2.0/24" "ANY" tunnel vpn "IPCOP-VPN" id 2 pair-policy 3
set policy id 3 from "Untrust" to "Trust" "10.2.2.0/24" "10.1.1.0/24" "ANY" tunnel vpn "IPCOP-VPN" id 3 pair-policy 2
IPCop configuration
ipsec.conf
config setup
interfaces="%defaultroute "
klipsdebug="none"
plutodebug="none"
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.2.2.0/255.255.255.0,%v4:!10.1.1.0/255.255.255.0
conn %default
keyingtries=0
disablearrivalcheck=no
conn Juniper #RED
left=2.2.2.1
leftnexthop=%defaultroute
leftsubnet=10.2.2.0/255.255.255.0
right=1.1.1.1
rightsubnet=10.1.1.0/255.255.255.0
rightnexthop=%defaultroute
ike=3des-md5-modp1024
esp=3des-md5
pfsgroup=modp1024
ikelifetime=8h
keylife=1h
dpddelay=30
dpdtimeout=120
dpdaction=restart
pfs=no
authby=secret
auto=start
ipsec.secret.conf
: RSA /var/ipcop/certs/hostkey.pem
2.2.2.1 1.1.1.1 : PSK 'secret'