Configuration order:
- Configure interfaces
- IPv4 default route
- Security zones
- Address books
- IKE Phase 1
- IPsec Phase 2
- Security policy
- TCP-MSS parameters
| Feature | Name | Configuration Parameters |
|---|---|---|
| Interface | ge-0/0/0.0 | 192.168.10.1/24 |
| | ge-0/0/3.0 | 10.1.1.2/30 |
| Security zones | trust | All system services are allowed. The ge-0/0/0.0 interface is bound to this zone. |
| | untrust | IKE is the only allowed system service. The ge-0/0/3.0 interface is bound to this zone. |
| Address book | sunnyvale | 192.168.10.0/24, attached to the trust zone |
| | chicago | 192.168.168.0/24, attached to the untrust zone |

Table 1: Interface, Security Zone, and Address Book Information
| Feature | Name | Configuration Parameters |
|---|---|---|
| Proposal | ike-phase1-proposal | Authentication method: pre-shared-keys; Diffie-Hellman group: group2; Authentication algorithm: sha1; Encryption algorithm: aes-128-cbc |
| Policy | ike-phase1-policy | Mode: main; Proposal reference: ike-phase1-proposal; IKE Phase 1 policy authentication method: pre-shared-key ascii-text |
| Gateway | gw-chicago | IKE policy reference: ike-phase1-policy; External interface: ge-0/0/3.0; Gateway address: 10.2.2.2 |

Table 2: IKE Phase 1 Configuration Parameters
| Feature | Name | Configuration Parameters |
|---|---|---|
| Proposal | ipsec-phase2-proposal | Protocol: esp; Authentication algorithm: hmac-sha1-96; Encryption algorithm: aes-128-cbc |
| Policy | ipsec-phase2-policy | Proposal reference: ipsec-phase2-proposal; PFS: Diffie-Hellman group2 |
| VPN | ike-vpn-chicago | IKE gateway reference: gw-chicago; IPsec policy reference: ipsec-phase2-policy |

Table 3: IPsec Phase 2 Configuration Parameters
| Purpose | Name | Configuration Parameters |
|---|---|---|
| This security policy permits traffic from the trust zone to the untrust zone. | vpn-tr-untr | Match criteria: source-address sunnyvale, destination-address chicago, application any. Action: permit tunnel ipsec-vpn ike-vpn-chicago, pair-policy vpn-untr-tr |
| This security policy permits traffic from the untrust zone to the trust zone. | vpn-untr-tr | Match criteria: source-address chicago, destination-address sunnyvale, application any. Action: permit tunnel ipsec-vpn ike-vpn-chicago, pair-policy vpn-tr-untr |
| This security policy permits all traffic from the trust zone to the untrust zone. Note: You must put the vpn-tr-untr policy before the permit-any security policy. Junos OS performs a security policy lookup starting at the top of the list. If the permit-any policy comes before the vpn-tr-untr policy, all traffic from the trust zone will match the permit-any policy and be permitted. Thus, no traffic will ever match the vpn-tr-untr policy. | permit-any | Match criteria: source-address any, destination-address any, application any. Action: permit |

Table 4: Security Policy Configuration Parameters
| Purpose | Configuration Parameters |
|---|---|
| TCP-MSS is negotiated as part of the TCP three-way handshake and limits the maximum size of a TCP segment to better fit the maximum transmission unit (MTU) limits on a network. Note: We recommend a value of 1350 as the starting point for most Ethernet-based networks with an MTU of 1500 or greater. You might need to experiment with different TCP-MSS values to obtain optimal performance. For example, you might need to change the value if any device in the path has a lower MTU, or if there is any additional overhead such as PPP or Frame Relay. | MSS value: 1350 |

Table 5: TCP-MSS Configuration Parameters
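The arithmetic behind the 1350 starting point, as an added example that is not part of the original page or of Juniper's documentation. It applies the tunnel-mode ESP byte counts from RFC 4303 to the AES-128-CBC / HMAC-SHA1-96 parameters configured above (outer IPv4 header, SPI and sequence number, CBC IV, block padding, two-byte trailer, truncated ICV) and assumes inner IPv4 and TCP headers without options; the function names and the PPPoE MTU of 1492 are this example's own choices.

```python
"""ESP overhead arithmetic behind the 1350-byte TCP-MSS starting point.

Added example, not part of the Juniper page. Byte counts follow RFC 4303
(ESP) in tunnel mode with the AES-128-CBC and HMAC-SHA1-96 parameters used
above: a new outer IPv4 header, the SPI/sequence header, a 16-byte CBC IV,
padding up to the cipher block, a 2-byte trailer (pad length + next header)
and the 12-byte truncated ICV. Inner headers are IPv4 and TCP without options.
"""

OUTER_IP = 20        # outer IPv4 header added in tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_CBC_IV = 16      # one AES block as the per-packet IV
AES_BLOCK = 16       # padded payload must end on a cipher block boundary
ESP_TRAILER = 2      # pad length (1) + next header (1)
SHA1_96_ICV = 12     # hmac-sha1-96 keeps 96 bits of the HMAC
IP_TCP_HEADERS = 40  # inner IPv4 (20) + TCP (20)


def esp_packet_size(inner_len, block=AES_BLOCK, iv=AES_CBC_IV, icv=SHA1_96_ICV):
    """Bytes on the wire for a tunnel-mode ESP packet carrying an inner_len-byte packet."""
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // block) * block          # round up to the cipher block
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def max_inner_packet(mtu, block=AES_BLOCK, iv=AES_CBC_IV, icv=SHA1_96_ICV):
    """Largest inner IP packet whose encapsulation still fits in mtu bytes."""
    budget = mtu - OUTER_IP - ESP_HEADER - iv - icv
    budget -= budget % block                       # padded payload is block-aligned
    return budget - ESP_TRAILER


def max_tcp_mss(mtu=1500, **kw):
    """Theoretical TCP MSS that avoids post-encryption fragmentation at this MTU."""
    return max_inner_packet(mtu, **kw) - IP_TCP_HEADERS


def headroom(mss, mtu=1500, **kw):
    """Spare bytes between a full-size encrypted segment and the MTU (negative = fragmentation)."""
    return mtu - esp_packet_size(mss + IP_TCP_HEADERS, **kw)


if __name__ == "__main__":
    for mtu in (1500, 1492):                       # plain Ethernet, PPPoE (assumed example MTUs)
        print(f"MTU {mtu}: max MSS {max_tcp_mss(mtu)}, headroom at MSS 1350 = {headroom(1350, mtu)}")
    print("default MSS 1460 ->", esp_packet_size(1460 + IP_TCP_HEADERS), "bytes after ESP")
```

With a 1500-byte MTU the strict limit works out to an MSS of 1398, while the Ethernet default of 1460 produces 1560-byte packets that must be fragmented after encryption. Clamping to 1350 leaves about 52 bytes of headroom, which is what absorbs the extra PPPoE or Frame Relay overhead the note mentions; NAT-T UDP encapsulation (8 more bytes) is not included in these defaults.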
Configuration
Configuring Basic Network, Security Zone, and Address Book Information
- Configure Ethernet interface information.
  ```
  [edit]
  user@host# set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.1/24
  user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.1.1.2/30
  ```
- Configure static route information.
  ```
  [edit]
  user@host# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
  ```
- Configure the untrust security zone.
  ```
  [edit]
  user@host# edit security zones security-zone untrust
  ```
- Assign an interface to the security zone.
  ```
  [edit security zones security-zone untrust]
  user@host# set interfaces ge-0/0/3.0
  ```
- Specify allowed system services for the security zone.
  ```
  [edit security zones security-zone untrust]
  user@host# set host-inbound-traffic system-services ike
  ```
- Configure the trust security zone.
  ```
  [edit]
  user@host# edit security zones security-zone trust
  ```
- Assign an interface to the security zone.
  ```
  [edit security zones security-zone trust]
  user@host# set interfaces ge-0/0/0.0
  ```
- Specify allowed system services for the security zone.
  ```
  [edit security zones security-zone trust]
  user@host# set host-inbound-traffic system-services all
  ```
- Create an address book and attach it to a zone.
  ```
  [edit security address-book book1]
  user@host# set address sunnyvale 192.168.10.0/24
  user@host# set attach zone trust
  ```
- Create another address book and attach it to a zone.
  ```
  [edit security address-book book2]
  user@host# set address chicago 192.168.168.0/24
  user@host# set attach zone untrust
  ```

Results

```
[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.10.1/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 10.1.1.2/30;
        }
    }
}
[edit]
user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop 10.1.1.1;
}
[edit]
user@host# show security zones
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/3.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
[edit]
user@host# show security address-book
book1 {
    address sunnyvale 192.168.10.0/24;
    attach {
        zone trust;
    }
}
book2 {
    address chicago 192.168.168.0/24;
    attach {
        zone untrust;
    }
}
```
If you are done configuring the device, enter commit from configuration mode.
Configuring IKE
Step-by-Step Procedure
To configure IKE:
- Create the IKE Phase 1 proposal.
  ```
  [edit security ike]
  user@host# set proposal ike-phase1-proposal
  ```
- Define the IKE proposal authentication method.
  ```
  [edit security ike proposal ike-phase1-proposal]
  user@host# set authentication-method pre-shared-keys
  ```
- Define the IKE proposal Diffie-Hellman group.
  ```
  [edit security ike proposal ike-phase1-proposal]
  user@host# set dh-group group2
  ```
- Define the IKE proposal authentication algorithm.
  ```
  [edit security ike proposal ike-phase1-proposal]
  user@host# set authentication-algorithm sha1
  ```
- Define the IKE proposal encryption algorithm.
  ```
  [edit security ike proposal ike-phase1-proposal]
  user@host# set encryption-algorithm aes-128-cbc
  ```
- Create an IKE Phase 1 policy.
  ```
  [edit security ike]
  user@host# set policy ike-phase1-policy
  ```
- Set the IKE Phase 1 policy mode.
  ```
  [edit security ike policy ike-phase1-policy]
  user@host# set mode main
  ```
- Specify a reference to the IKE proposal.
  ```
  [edit security ike policy ike-phase1-policy]
  user@host# set proposals ike-phase1-proposal
  ```
- Define the IKE Phase 1 policy authentication method.
  ```
  [edit security ike policy ike-phase1-policy]
  user@host# set pre-shared-key ascii-text "$ABC123"
  ```
- Create an IKE Phase 1 gateway and define its external interface.
  ```
  [edit security ike gateway gw-chicago]
  user@host# set external-interface ge-0/0/3.0
  ```
- Define the IKE Phase 1 gateway address (the peer address shown in the Results below).
  ```
  [edit security ike gateway gw-chicago]
  user@host# set address 10.2.2.2
  ```
- Define the IKE Phase 1 policy reference.
  ```
  [edit security ike gateway gw-chicago]
  user@host# set ike-policy ike-phase1-policy
  ```
Results
```
[edit]
user@host# show security ike
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
    mode main;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway gw-chicago {
    ike-policy ike-phase1-policy;
    address 10.2.2.2;
    external-interface ge-0/0/3.0;
}
```

If you are done configuring the device, enter commit from configuration mode.
Configuring IPsec
Step-by-Step Procedure
To configure IPsec:
- Create an IPsec Phase 2 proposal.
  ```
  [edit]
  user@host# set security ipsec proposal ipsec-phase2-proposal
  ```
- Specify the IPsec Phase 2 proposal protocol.
  ```
  [edit security ipsec proposal ipsec-phase2-proposal]
  user@host# set protocol esp
  ```
- Specify the IPsec Phase 2 proposal authentication algorithm.
  ```
  [edit security ipsec proposal ipsec-phase2-proposal]
  user@host# set authentication-algorithm hmac-sha1-96
  ```
- Specify the IPsec Phase 2 proposal encryption algorithm.
  ```
  [edit security ipsec proposal ipsec-phase2-proposal]
  user@host# set encryption-algorithm aes-128-cbc
  ```
- Create the IPsec Phase 2 policy.
  ```
  [edit security ipsec]
  user@host# set policy ipsec-phase2-policy
  ```
- Specify the IPsec Phase 2 proposal reference.
  ```
  [edit security ipsec policy ipsec-phase2-policy]
  user@host# set proposals ipsec-phase2-proposal
  ```
- Specify IPsec Phase 2 PFS to use Diffie-Hellman group 2.
  ```
  [edit security ipsec policy ipsec-phase2-policy]
  user@host# set perfect-forward-secrecy keys group2
  ```
- Specify the IKE gateway.
  ```
  [edit security ipsec]
  user@host# set vpn ike-vpn-chicago ike gateway gw-chicago
  ```
- Specify the IPsec Phase 2 policy.
  ```
  [edit security ipsec]
  user@host# set vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy
  ```
Results
```
[edit]
user@host# show security ipsec
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-phase2-proposal;
}
vpn ike-vpn-chicago {
    ike {
        gateway gw-chicago;
        ipsec-policy ipsec-phase2-policy;
    }
}
```

If you are done configuring the device, enter commit from configuration mode.

Configuring Security Policies
Step-by-Step Procedure
To configure security policies:
- Create the security policy to permit traffic from the trust zone to the untrust zone.
  ```
  [edit security policies from-zone trust to-zone untrust]
  user@host# set policy vpn-tr-untr match source-address sunnyvale
  user@host# set policy vpn-tr-untr match destination-address chicago
  user@host# set policy vpn-tr-untr match application any
  user@host# set policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
  user@host# set policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
  ```
- Create the security policy to permit traffic from the untrust zone to the trust zone.
  ```
  [edit security policies from-zone untrust to-zone trust]
  user@host# set policy vpn-untr-tr match source-address chicago
  user@host# set policy vpn-untr-tr match destination-address sunnyvale
  user@host# set policy vpn-untr-tr match application any
  user@host# set policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
  user@host# set policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
  ```
- Create the security policy to permit all traffic from the trust zone to the untrust zone (every statement addresses the permit-any policy).
  ```
  [edit security policies from-zone trust to-zone untrust]
  user@host# set policy permit-any match source-address any
  user@host# set policy permit-any match destination-address any
  user@host# set policy permit-any match application any
  user@host# set policy permit-any then permit
  ```
- Reorder the security policies so that the vpn-tr-untr security policy is placed above the permit-any security policy.
  ```
  [edit security policies from-zone trust to-zone untrust]
  user@host# insert policy vpn-tr-untr before policy permit-any
  ```
Results
```
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
    policy vpn-tr-untr {
        match {
            source-address sunnyvale;
            destination-address chicago;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ike-vpn-chicago;
                    pair-policy vpn-untr-tr;
                }
            }
        }
    }
    policy permit-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy vpn-untr-tr {
        match {
            source-address chicago;
            destination-address sunnyvale;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ike-vpn-chicago;
                    pair-policy vpn-tr-untr;
                }
            }
        }
    }
}
```

If you are done configuring the device, enter commit from configuration mode.
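A way to verify the two things this section depends on, the tunnel policy being listed before permit-any and the two tunnel policies naming each other as pair-policy, as an added example that is not part of the original page or of Junos OS. The script parses the curly-brace output of `show security policies` into an ordered tree and reports any catch-all permit that precedes a tunnel policy in the same zone pair, and any pair-policy that does not point back on the same ipsec-vpn. The sample configuration text is constructed here to mirror the Results above; the function names (`parse_junos`, `check`, and the helpers) are this example's own.

```python
"""Sanity checks for the security policies of a Junos policy-based VPN.

Added example (not Juniper's code). It parses the curly-brace output of
`show security policies` into an ordered tree and reports the two mistakes
the procedure above warns about: a catch-all permit-any listed before the
tunnel policy (which would shadow it), and tunnel policies whose pair-policy
does not point back to them on the same ipsec-vpn.
"""


def parse_junos(text):
    """Nested dicts from Junos brace syntax; dict order preserves policy order.

    Statements become keys with a None value, blocks become nested dicts.
    (Repeated statements such as several source-address entries would collide;
    the configuration on this page has none.)
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()        # drop "## SECRET-DATA" annotations
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            stack[-1][line.rstrip(";").strip()] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def value(node, keyword):
    """Argument of a 'keyword <arg>;' statement inside a block, or None."""
    for stmt in node or {}:
        key, _, arg = stmt.partition(" ")
        if key == keyword:
            return arg
    return None


def tunnel_info(then):
    """(ipsec-vpn, pair-policy) when the policy permits into a tunnel, else None."""
    permit = (then or {}).get("permit")
    if not isinstance(permit, dict) or "tunnel" not in permit:
        return None
    return value(permit["tunnel"], "ipsec-vpn"), value(permit["tunnel"], "pair-policy")


def policies_by_context(tree):
    """{(from_zone, to_zone): [(name, match, then), ...]} in configured order."""
    ctx = {}
    for key, body in tree.items():
        parts = key.split()
        if len(parts) == 4 and parts[0] == "from-zone" and parts[2] == "to-zone":
            plist = ctx.setdefault((parts[1], parts[3]), [])
            for pkey, node in body.items():
                if pkey.startswith("policy "):
                    plist.append((pkey.split()[1], node.get("match"), node.get("then")))
    return ctx


def check(tree):
    """Findings as strings; an empty list means the policies look consistent."""
    findings, ctx = [], policies_by_context(tree)
    for (fz, tz), plist in ctx.items():
        blanket = None                            # first any/any/any permit seen so far
        reverse = {n: t for n, _, t in ctx.get((tz, fz), [])}
        for name, match, then in plist:
            tun = tunnel_info(then)
            if tun is None:
                catch_all = all(value(match, f) == "any" for f in
                                ("source-address", "destination-address", "application"))
                if catch_all and "permit" in (then or {}) and blanket is None:
                    blanket = name
                continue
            if blanket:
                findings.append(f"{fz}->{tz}: tunnel policy {name} sits after catch-all "
                                f"{blanket} and will never match; insert it before {blanket}")
            vpn, pair = tun
            if tunnel_info(reverse.get(pair)) != (vpn, name):
                findings.append(f"{fz}->{tz}: {name} and pair-policy {pair} do not "
                                f"reference each other on ipsec-vpn {vpn}")
    return findings


# Constructed sample text modelled on the Results output above (not device output).
def policy_text(name, src, dst, then_lines):
    return "\n".join([f"policy {name} {{", " match {", f"  source-address {src};",
                      f"  destination-address {dst};", "  application any;", " }",
                      " then {", *then_lines, " }", "}"])


def tunnel_then(pair):
    return ["  permit {", "   tunnel {", "    ipsec-vpn ike-vpn-chicago;",
            f"    pair-policy {pair};", "   }", "  }"]


VPN_TR_UNTR = policy_text("vpn-tr-untr", "sunnyvale", "chicago", tunnel_then("vpn-untr-tr"))
VPN_UNTR_TR = policy_text("vpn-untr-tr", "chicago", "sunnyvale", tunnel_then("vpn-tr-untr"))
PERMIT_ANY = policy_text("permit-any", "any", "any", ["  permit;"])
UNTRUST_TO_TRUST = "from-zone untrust to-zone trust {\n" + VPN_UNTR_TR + "\n}\n"
CORRECT_ORDER = ("from-zone trust to-zone untrust {\n" + VPN_TR_UNTR + "\n"
                 + PERMIT_ANY + "\n}\n" + UNTRUST_TO_TRUST)
WRONG_ORDER = ("from-zone trust to-zone untrust {\n" + PERMIT_ANY + "\n"
               + VPN_TR_UNTR + "\n}\n" + UNTRUST_TO_TRUST)

if __name__ == "__main__":
    for label, cfg in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "->", check(parse_junos(cfg)) or "no findings")
```

Run against the Results above the checker reports nothing; with permit-any moved ahead of vpn-tr-untr it reports exactly the shadowing that the note in Table 4 describes, which is what the `insert policy vpn-tr-untr before policy permit-any` step corrects. The parser relies on dict insertion order (Python 3.7 and later) to keep the policies in the order Junos OS evaluates them.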
Configuring TCP-MSS
Configure TCP-MSS information.
```
[edit]
user@host# set security flow tcp-mss ipsec-vpn mss 1350
```

Results

```
[edit]
user@host# show security flow
tcp-mss {
    ipsec-vpn {
        mss 1350;
    }
}
```

If you are done configuring the device, enter commit from configuration mode.
Configuring the SSG Series Device
```
set interface ethernet0/6 zone Trust
set interface ethernet0/0 zone Untrust
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 10.2.2.2/30
set interface ethernet0/0 route
set flow tcp-mss 1350
set address Trust "local-net" 192.168.168.0 255.255.255.0
set address Untrust "corp-net" 192.168.10.0 255.255.255.0
set ike gateway corp-ike address 10.1.1.2 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn corp-vpn gateway corp-ike replay tunnel idletime 0 sec-level standard
set policy id 11 from Trust to Untrust "local-net" "corp-net" "ANY" tunnel vpn "corp-vpn" pair-policy 10
set policy id 10 from Untrust to Trust "corp-net" "local-net" "ANY" tunnel vpn "corp-vpn" pair-policy 11
set policy id 1 from Trust to Untrust "ANY" "ANY" "ANY" nat src permit
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.2.2.1
```
Reference: Configuring a Policy-Based VPN