RTシリーズとJuniper製品の相互接続のための設定例集
IPsec(Aggressive mode)でのSRX100との接続
新規作成日 | 2012/Jun/12 |
最終変更日 | 2012/Jun/12 |
文書サイズ | 8kB |
IPsec(Aggressive mode)での接続

注意: IKEv1 Aggressive modeでは相手側のID(本例では FQDN "kyoten1")が平文で送られ、事前共有鍵に基づく認証データを通信路上の観測者がオフラインで総当たりできます。本例の事前共有鍵「test」は説明用の値であり、実環境では十分に長いランダムな鍵を使用してください。また、本例で用いている DH group 2 (modp1024) と SHA-1 は相互接続確認のための最小構成です。両端が対応する場合は、より強いグループ(modp2048 以上)を選択してください。
          PC2
           |
   ------+------ 192.168.1.0/24
           |.1
      +--------+
      | SRX100 |  SW Version 10.0R3.10
      +--------+
           | 172.16.1.1
           ‖
    ~~~    ‖    ~~~
           ‖ IPsec
    ~~~    ‖    ~~~
           ‖
           | 172.16.2.1
      +---------+
      | RTX810  |  Rev11.01.07
      +---------+
           |.254
   ------+------ 192.168.2.0/24
           |
          PC1
# RTX810 side of the IPsec (IKEv1 aggressive mode) tunnel to the SRX100.
# LAN1 = 192.168.2.0/24 (local site), LAN2 = 172.16.2.1/24 (WAN toward the SRX at 172.16.1.1).
# Footnote markers (*1 .. *7) refer to the explanations below the listing.

# Default route out of LAN2; the remote site is reached through tunnel 1.
ip route default gateway 172.16.2.254
ip route 192.168.1.0/24 gateway tunnel 1
ip lan1 address 192.168.2.254/24
ip lan2 address 172.16.2.1/24

tunnel select 1
 ipsec tunnel 1
  # *1  Phase 2 (IPsec SA) policy: ESP with AES-CBC / HMAC-SHA.
  #     local-id / remote-id mirror the proxy-identity configured on the SRX
  #     (SRX local 192.168.1.0/24, remote 192.168.2.0/24); both ends must agree
  #     or Phase 2 fails. RTX "aes-cbc" is expected to negotiate AES-128 to
  #     match the SRX "aes-128-cbc" proposal -- TODO confirm on the device.
  ipsec sa policy 1 1 esp aes-cbc sha-hmac local-id=192.168.2.0/24 remote-id=192.168.1.0/24
  # *2  SA lifetimes (seconds); the SRX proposals use lifetime-seconds 3600 for both phases.
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike duration isakmp-sa 1 3600
  # *3  Phase 1 (IKE SA) parameters. modp1024 (DH group 2) and SHA-1 are a
  #     minimal interoperability baseline rather than a recommended choice;
  #     prefer a stronger group when both peers support it (must match the
  #     SRX ike proposal: aes-128-cbc / sha1 / group2).
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  # *4  Source address used for IKE (the LAN2/WAN address).
  ipsec ike local address 1 172.16.2.1
  # *5  Our IKE identity, sent as an FQDN ID. In aggressive mode this ID is
  #     transmitted in the clear; it must equal "dynamic hostname kyoten1"
  #     on the SRX gateway, which is how the SRX selects this peer.
  ipsec ike local name 1 kyoten1 fqdn
  # *6  Pre-shared key. "test" is an example value only: with aggressive mode
  #     the PSK-derived authentication hash can be captured and brute-forced
  #     offline, so a long random key is required in any real deployment.
  ipsec ike pre-shared-key 1 text test
  # *7  Peer (SRX fe-0/0/0) address.
  ipsec ike remote address 1 172.16.1.1
 tunnel enable 1

# Keep the IKE/IPsec SAs refreshed automatically (Yamaha "auto refresh").
ipsec auto refresh on
*1 | セキュリティ・ゲートウェイに対するSAのポリシーを設定します。 |
*2 | SAの有効期間を設定します。 |
*3 | IKEのフェーズ1で用いる条件を設定します。 |
*4 | IKE動作の自分側のソースアドレスを設定します。 |
*5 | 自分側のセキュリティゲートウェイの名前を設定します。 |
*6 | 事前共有鍵を設定します。 |
*7 | 相手側のセキュリティゲートウェイのIPアドレスを設定します。 |
/* SRX100 (Junos 10.0R3.10) side of the IPsec (IKEv1 aggressive mode) tunnel to the RTX810.
   fe-0/0/0 = 172.16.1.1/24 (untrust, toward the RTX at 172.16.2.1), vlan.0 = 192.168.1.1/24 (trust LAN),
   st0.0 = route-based tunnel interface placed in zone trust.
   Footnote markers (*8, *9) refer to the explanations below the listing. */
system {
    host-name SRX100;
    root-authentication {
        /* Example root password hash ($1$ prefix = MD5-crypt); replace before reuse. */
        encrypted-password "$1$sMxRBhfi$NWLX9kcGcj8FVeMqjPuSy."; ## SECRET-DATA
    }
    services {
        ssh;
        /* telnet and http are cleartext management services. With the zone
           configuration below they are not reachable from untrust (only ping
           and ike are admitted there), but zone trust admits all system
           services on vlan.0 AND on st0.0, i.e. also from the remote site
           through the tunnel. Remove them unless they are actually needed. */
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        /* DHCP server for the trust LAN; settings are propagated from fe-0/0/0.0
           (presumably DNS/domain learned upstream -- not shown here). */
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* Ports fe-0/0/1..7 are switched into vlan-trust (L3 on vlan.0). */
    interface-range interfaces-trust {
        member fe-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* WAN / IKE external interface (matches "ipsec ike remote address 1 172.16.1.1" on the RTX). */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    /* Unnumbered tunnel interface bound to vpn test-vpn below. */
    st0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.1.254;
        /* Remote site (RTX LAN1) is reached through the tunnel interface. */
        route 192.168.2.0/24 next-hop st0.0;
    }
}
security {
    ike {
        respond-bad-spi 5;
        /* Phase 1 proposal; must match the RTX "ipsec ike encryption/group/hash 1"
           settings (aes-cbc / modp1024 / sha) and the isakmp-sa duration of 3600 s.
           group2 (1024-bit MODP) and SHA-1 are an interoperability baseline, not a
           recommended choice; use a stronger group when both peers support it. */
        proposal test-p1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy test-p1-policy {
            /* Aggressive mode is used because the peer is identified by hostname
               (see "dynamic hostname" in the gateway). It sends the peer ID in the
               clear and exposes the PSK-based authentication hash to offline
               guessing, so the PSK must be long and random. */
            mode aggressive;
            proposals test-p1-proposal;
            /* *8  Pre-shared key (stored $9$-obfuscated by Junos, not encrypted).
                   Must equal "ipsec ike pre-shared-key 1 text ..." on the RTX. */
            pre-shared-key ascii-text "$9$s1YJD.mT3/t5Q"; ## SECRET-DATA
        }
        gateway test-p1-gw {
            ike-policy test-p1-policy;
            /* *9  Peer identity: the FQDN ID the RTX sends via
                   "ipsec ike local name 1 kyoten1 fqdn". No peer address is
                   configured, so only the ID selects this gateway. */
            dynamic hostname kyoten1;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        /* Phase 2 proposal; matches the RTX "ipsec sa policy 1 1 esp aes-cbc sha-hmac"
           and its ipsec-sa duration of 3600 s. */
        proposal test-p2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy test-p2-policy {
            proposals test-p2-proposal;
        }
        vpn test-vpn {
            bind-interface st0.0;
            ike {
                gateway test-p1-gw;
                /* Mirror of the RTX local-id/remote-id (RTX local 192.168.2.0/24,
                   remote 192.168.1.0/24); a mismatch fails Phase 2. */
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.2.0/24;
                    service any;
                }
                ipsec-policy test-p2-policy;
            }
            /* Bring the tunnel up at commit rather than on first matching traffic. */
            establish-tunnels immediately;
        }
    }
    zones {
        /* st0.0 shares zone trust with the LAN, so remote-site traffic is
           subject to the trust-to-trust policies below and to this zone's
           host-inbound-traffic ("all"). Putting st0.0 in its own zone would
           allow tighter policy and host-inbound control for the remote site. */
        security-zone trust {
            address-book {
                address net1 192.168.1.0/24;
                address net2 192.168.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                vlan.0;
                st0.0;
            }
        }
        /* Only ping and IKE are accepted by the SRX itself on the WAN side. */
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
    }
    policies {
        /* Site-to-site traffic in both directions is permitted for any application. */
        from-zone trust to-zone trust {
            policy n1-n2-policy {
                match {
                    source-address net1;
                    destination-address net2;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy n2-n1-policy {
                match {
                    source-address net2;
                    destination-address net1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
*8 | 事前共有鍵を設定します。RTX側の「ipsec ike pre-shared-key 1 text ...」と同じ値を設定してください。 |
*9 | 相手側のセキュリティゲートウェイの名前を設定します。RTX側の「ipsec ike local name 1 kyoten1 fqdn」と一致させてください。 |