Juniper SRX基于路由的IPSEC ×××_第1张图片


由于在实际工作中有时会遇到SRX系列的路由器防火墙模块设备,在网上能到的资料大多也是一些界面文档或者以Netscreen为主的资料,官方资料大部分都是英文的,有时候排错或者配置,真的很头痛;

开两台 VmSRX

Juniper SRX基于路由的IPSEC ×××_第2张图片

SRX1

第一步:配置IP

set interfaces ge-0/0/0 unit 0 family inetaddress 10.247.171.1/24

set interfaces lo0 unit 10 family inetaddress 192.168.10.1/24

set interfaces st0 unit 1 family inetaddress 1.1.1.1/24

第二步:配置地址条目

set security address-book trust address A10192.168.10.0/24

set security address-book trust attach zonetrust

set security address-book untrust addressA20 192.168.20.0/24

set security address-book untrust attachzone untrust

第三步:配置IKE

set security ike policy abc mode aggressive

set security ike policy abc proposal-setstandard

set security ike policy abc pre-shared-keyascii-text "$9$JZUi.QF/0BEP5BEcyW8ZUj"

set security ike gateway gw1 ike-policy abc

set security ike gateway gw1 address10.247.171.2

set security ike gateway gw1external-interface ge-0/0/0.0

第四步:配置IPSEC

set security ipsec policy aaa proposal-setstandard

set security ipsec *** ***1 bind-interfacest0.1

set security ipsec *** ***1 ike gateway gw1

set security ipsec *** ***1 ikeipsec-policy aaa

set security ipsec *** ***1establish-tunnels immediately

第五步:配置NAT:

set security nat source rule-set rsl fromzone trust

set security nat source rule-set rsl tozone untrust

set security nat source rule-set rsl ruler1 match source-address 0.0.0.0/0

set security nat source rule-set rsl ruler1 match destination-address 0.0.0.0/0

set security nat source rule-set rsl ruler1 then source-nat interface

第六步:配置策略

set security policies from-zone trustto-zone untrust policy 3 match source-address A10

set security policies from-zone trustto-zone untrust policy 3 match destination-address A20

set security policies from-zone trustto-zone untrust policy 3 match application any

set security policies from-zone trustto-zone untrust policy 3 then permit

set security policies from-zone trustto-zone untrust policy 1 match source-address any

set security policies from-zone trustto-zone untrust policy 1 match destination-address any

set security policies from-zone trustto-zone untrust policy 1 match application any

set security policies from-zone trustto-zone untrust policy 1 then permit

set security policies from-zone untrustto-zone trust policy 4 match source-address A20

set security policies from-zone untrustto-zone trust policy 4 match destination-address A10

set security policies from-zone untrustto-zone trust policy 4 match application any

set security policies from-zone untrustto-zone trust policy 4 then permit

set security policies from-zone untrustto-zone trust policy 2 match source-address any

set security policies from-zone untrustto-zone trust policy 2 match destination-address any

set security policies from-zone untrustto-zone trust policy 2 match application any

set security policies from-zone untrustto-zone trust policy 2 then permit

第七步:开启相应的系统服务

set security zones security-zone untrustinterfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone untrustinterfaces st0.1 host-inbound-traffic system-services all

set security zones security-zone trustinterfaces lo0.10 host-inbound-traffic system-services all

第八步:路由

set routing-options static route192.168.20.0/24 next-hop st0.1

第九步:测试

juniper@SRX1# run show security ikeactive-peer

Remote Address                      Port     Peer IKE-ID                         XAUTH username                      Assigned IP

10.247.171.2                        500      10.247.171.2


juniper@SRX1# run show security ikesecurity-associations

Index  State  Initiator cookie  Responder cookie  Mode          Remote Address  

2186252 UP     68aa002abd20d235  10437397ed758938  Aggressive    10.247.171.2


juniper@SRX1# run show security ipsecsecurity-associations

Total active tunnels: 1

ID    Algorithm       SPI     Life:sec/kb  Mon lsys Port  Gateway  

<131073 ESP:3des/sha1 efe41cb5 3431/ unlim   -  root 500   10.247.171.2    

>131073 ESP:3des/sha1 ada231d7 3431/ unlim   -  root 500   10.247.171.2

juniper@SRX1# run show security ipsecstatistics    

ESP Statistics:

Encrypted bytes:            31864

Decrypted bytes:            19300

Encrypted packets:            236

Decrypted packets:            231

AH Statistics:

Input bytes:                    0

Output bytes:                   0

Input packets:                  0

Output packets:                 0

Errors:

 AHauthentication failures: 0, Replay errors: 0

 ESPauthentication failures: 0, ESP decryption failures: 0

 Badheaders: 0, Bad trailers: 0



juniper@SRX1# run ping 192.168.20.1 source192.168.10.1

PING 192.168.20.1 (192.168.20.1): 56 databytes

64 bytes from 192.168.20.1: icmp_seq=0ttl=64 time=3.892 ms

64 bytes from 192.168.20.1: icmp_seq=1ttl=64 time=4.428 ms

64 bytes from 192.168.20.1: icmp_seq=2ttl=64 time=2.309 ms

64 bytes from 192.168.20.1: icmp_seq=3ttl=64 time=2.347 ms

64 bytes from 192.168.20.1: icmp_seq=4ttl=64 time=2.332 ms

^C

--- 192.168.20.1 ping statistics ---

5 packets transmitted, 5 packets received,0% packet loss

round-trip min/avg/max/stddev =2.309/3.062/4.428/0.913 ms


Juniper SRX基于路由的IPSEC ×××_第3张图片



交流:1124287125


下面是SRX1的完整体配置:

juniper@SRX1# run show configuration |display set    

set version 12.1X44.4

set system host-name SRX1

set system domain-name juniper.net

set system authentication-order password

set system root-authenticationencrypted-password "$1$hY6E.7uG$pn0ThmAXMrL2vf7BSLhmG0"

set system login user juniper uid 2001

set system login user juniper classsuper-user

set system login user juniperauthentication encrypted-password"$1$3VlKTGll$5MGwhUdY4BYtY2hILDRc/1"

set system services ssh protocol-version v2

set system services telnet

set system services web-management httpinterface ge-0/0/0.0

set system services web-management sessionidle-timeout 10

set system syslog user * any emergency

set system syslog file messages any any

set system syslog file messagesauthorization info

set system syslog file interactive-commandsinteractive-commands any

set system syslog file monitor-log match192.168.159.128

set system license autoupdate urlhttps://ae1.juniper.net/junos/key_retrieval

set chassis aggregated-devices ethernetdevice-count 2

set interfaces ge-0/0/0 unit 0 family inetaddress 10.247.171.1/24

set interfaces lo0 unit 10 family inetaddress 192.168.10.1/24

set interfaces st0 unit 1 family inetaddress 1.1.1.1/24

set routing-options static route192.168.20.0/24 next-hop st0.1

set security pki

set security ike policy abc mode aggressive

set security ike policy abc proposal-setstandard

set security ike policy abc pre-shared-keyascii-text "$9$JZUi.QF/0BEP5BEcyW8ZUj"

set security ike gateway gw1 ike-policy abc

set security ike gateway gw1 address10.247.171.2

set security ike gateway gw1external-interface ge-0/0/0.0

set security ipsec policy aaa proposal-setstandard

set security ipsec *** ***1 bind-interfacest0.1

set security ipsec *** ***1 ike gateway gw1

set security ipsec *** ***1 ikeipsec-policy aaa

set security ipsec *** ***1establish-tunnels immediately

set security address-book trust address A10192.168.10.0/24

set security address-book trust attach zonetrust

set security address-book untrust addressA20 192.168.20.0/24

set security address-book untrust attachzone untrust

set security nat source rule-set rsl fromzone trust

set security nat source rule-set rsl tozone untrust

set security nat source rule-set rsl ruler1 match source-address 0.0.0.0/0

set security nat source rule-set rsl ruler1 match destination-address 0.0.0.0/0

set security nat source rule-set rsl ruler1 then source-nat interface

set security policies from-zone trustto-zone untrust policy 3 match source-address A10

set security policies from-zone trustto-zone untrust policy 3 match destination-address A20

set security policies from-zone trustto-zone untrust policy 3 match application any

set security policies from-zone trustto-zone untrust policy 3 then permit

set security policies from-zone trustto-zone untrust policy 1 match source-address any

set security policies from-zone trustto-zone untrust policy 1 match destination-address any

set security policies from-zone trustto-zone untrust policy 1 match application any

set security policies from-zone trustto-zone untrust policy 1 then permit

set security policies from-zone untrustto-zone trust policy 4 match source-address A20

set security policies from-zone untrustto-zone trust policy 4 match destination-address A10

set security policies from-zone untrustto-zone trust policy 4 match application any

set security policies from-zone untrustto-zone trust policy 4 then permit

set security policies from-zone untrustto-zone trust policy 2 match source-address any

set security policies from-zone untrustto-zone trust policy 2 match destination-address any

set security policies from-zone untrustto-zone trust policy 2 match application any

set security policies from-zone untrustto-zone trust policy 2 then permit

set security zones security-zone untrustinterfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone untrustinterfaces st0.1 host-inbound-traffic system-services all

set security zones security-zone trustinterfaces lo0.10 host-inbound-traffic system-services all

ese