Thursday, August 12, 2010
LAN-to-LAN VPN lab on Juniper SSG 5
Topology: 10.10.10.2 <--> 1.1.1.3
Devices:
Firewall A: Juniper SSG 5
Firewall B: Juniper SSG 5
Internet: Cisco 3750, used to build the "Internet" part of the topology
Configuration details:
Firewall A: route mode
1. Interface configuration.
ethernet0/0:
zone: untrust
ip: 2.2.2.2/24, manageable
manage options: webui, ssh, telnet, ping
CLI:
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 2.2.2.2/24
set interface ethernet0/0 route (route mode for the interface)
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
ethernet0/2: unbind it from the bgroup first. On the SSG 5, ethernet0/2 through ethernet0/6 belong to the port group bgroup by default and are placed in the Trust zone as a unit.
zone: trust
ip: 10.10.10.1/24, manageable
manage options: webui, ssh, telnet, ping
CLI:
set interface "ethernet0/2" zone "Trust"
set interface ethernet0/2 ip 10.10.10.1/24
set interface ethernet0/2 route (route mode for the interface; Trust-zone interfaces default to NAT mode)
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
2. Set the default route to the Internet
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1
3. Set up the address book entries
set address "Trust" "FirewallA_Local" 10.10.10.2 255.255.255.255
set address "Untrust" "FirewallB_Remote" 1.1.1.3 255.255.255.255
4. Set up the VPN
Phase 1:
VPNs -> AutoKey Advanced -> Gateway -> New
Gateway Name: p1-VPN
Security Level: Standard
Remote Gateway Type -> Static IP Address: 1.1.1.2 (the vlan1 address of Firewall B)
Preshared Key: netscreen
Outgoing Interface: ethernet0/0
Phase 2:
VPNs -> AutoKey IKE -> New
VPN Name: p2-VPN
Security Level: Standard
Predefined: p1-VPN
CLI:
set ike gateway "p1-VPN" address 1.1.1.2 Main outgoing-interface "ethernet0/0" preshare "netscreen" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
5. Set up the policy
Policies -> From Trust to Untrust -> New
Source Address Book Entry: FirewallA_Local
Destination Address Book Entry: FirewallB_Remote
Service: Any
Action: Tunnel
Tunnel VPN: p2-VPN
Modify matching bidirectional policy: Checked
Logging: Checked
CLI:
set policy id 2 from "Trust" to "Untrust" "FirewallA_Local" "FirewallB_Remote" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 3 log
set policy id 3 from "Untrust" to "Trust" "FirewallB_Remote" "FirewallA_Local" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 2 log
Firewall B: transparent mode
1. Put Firewall B into transparent mode; confirm the mode with get sys.
2. Interface configuration.
vlan1: used for management.
ip: 1.1.1.2/24, manageable
manage options: webui, ssh, telnet, ping
broadcast: arp, check trace route
CLI:
set interface vlan1 ip 1.1.1.2/24
set interface vlan1 ip manageable
ethernet0/0:
zone: v1-untrust
CLI:
set interface "ethernet0/0" zone "V1-Untrust"
ethernet0/1:
zone: v1-dmz
CLI:
set interface "ethernet0/1" zone "V1-DMZ"
ethernet0/2:
zone: v1-trust
CLI:
set interface "ethernet0/2" zone "V1-Trust"
3. Set the default route to the Internet
set route 0.0.0.0/0 interface vlan1 gateway 1.1.1.1
4. Set up the address book entries
set address "V1-Trust" "FirewallB_Local" 1.1.1.3 255.255.255.255
set address "V1-Untrust" "FirewallA_Remote" 10.10.10.2 255.255.255.255
5. Set up the VPN
Phase 1:
VPNs -> AutoKey Advanced -> Gateway -> New
Gateway Name: p1-VPN
Security Level: Standard
Remote Gateway Type -> Static IP Address: 2.2.2.2 (the ethernet0/0 address of Firewall A)
Preshared Key: netscreen
outgoing-zone: "V1-Untrust"
Phase 2:
VPNs -> AutoKey IKE -> New
VPN Name: p2-VPN
Security Level: Standard
Predefined: p1-VPN
CLI:
set ike gateway "p1-VPN" address 2.2.2.2 Main outgoing-zone "V1-Untrust" preshare "netscreen" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
6. Set up the policy
Policies -> From V1-Trust to V1-Untrust -> New
Source Address Book Entry: FirewallB_Local
Destination Address Book Entry: FirewallA_Remote
Service: Any
Action: Tunnel
Tunnel VPN: p2-VPN
Modify matching bidirectional policy: Checked
Logging: Checked
CLI:
set policy id 2 from "V1-Trust" to "V1-Untrust" "FirewallB_Local" "FirewallA_Remote" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 3 log
set policy id 3 from "V1-Untrust" to "V1-Trust" "FirewallA_Remote" "FirewallB_Local" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 2 log
No additional policy permitting any service from V1-Trust any to V1-Untrust any is needed on Firewall B; the tunnel policies above are sufficient.
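The tunnel only comes up if the two ends are mirror images of each other: each side's remote gateway address must be an address the other box actually owns (1.1.1.2 is Firewall B's vlan1, 2.2.2.2 is Firewall A's ethernet0/0), the pre-shared key, IKE mode and security level must agree in both Phase 1 and Phase 2, and the proxy-ID that Firewall A derives from its Trust-to-Untrust tunnel policy (local 10.10.10.2/32, remote 1.1.1.3/32) must be the exact mirror of the one Firewall B derives from its V1-Trust-to-V1-Untrust policy. The Python script below is an added example, not part of the original post and not a Juniper tool: it parses the "set" lines of both firewalls (embedded as constructed strings copied from the configuration above) with a hand-written simplification of the ScreenOS syntax (the regular expressions, parse_screenos, proxy_ids and check_site_to_site are all assumptions of this example, covering only the command forms used in the post) and reports every mismatch it finds.

```python
import ipaddress
import re

# Constructed input: the relevant "set" lines of Firewall A (route mode), as in the post.
FW_A = """
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 2.2.2.2/24
set interface "ethernet0/2" zone "Trust"
set interface ethernet0/2 ip 10.10.10.1/24
set address "Trust" "FirewallA_Local" 10.10.10.2 255.255.255.255
set address "Untrust" "FirewallB_Remote" 1.1.1.3 255.255.255.255
set ike gateway "p1-VPN" address 1.1.1.2 Main outgoing-interface "ethernet0/0" preshare "netscreen" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
set policy id 2 from "Trust" to "Untrust" "FirewallA_Local" "FirewallB_Remote" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 3 log
set policy id 3 from "Untrust" to "Trust" "FirewallB_Remote" "FirewallA_Local" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 2 log
"""

# Constructed input: the relevant "set" lines of Firewall B (transparent mode), as in the post.
FW_B = """
set interface vlan1 ip 1.1.1.2/24
set interface "ethernet0/0" zone "V1-Untrust"
set interface "ethernet0/2" zone "V1-Trust"
set address "V1-Trust" "FirewallB_Local" 1.1.1.3 255.255.255.255
set address "V1-Untrust" "FirewallA_Remote" 10.10.10.2 255.255.255.255
set ike gateway "p1-VPN" address 2.2.2.2 Main outgoing-zone "V1-Untrust" preshare "netscreen" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
set policy id 2 from "V1-Trust" to "V1-Untrust" "FirewallB_Local" "FirewallA_Remote" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 3 log
set policy id 3 from "V1-Untrust" to "V1-Trust" "FirewallA_Remote" "FirewallB_Local" "ANY" tunnel vpn "p2-VPN" id 0x1 pair-policy 2 log
"""

# Simplified ScreenOS grammar (assumption of this example): only the forms used above.
RE_IF_ZONE = re.compile(r'^set interface "?([\w./-]+)"? zone "([^"]+)"')
RE_IF_IP = re.compile(r'^set interface "?([\w./-]+)"? ip (\d+(?:\.\d+){3}/\d+)$')
RE_ADDR = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) (\S+)$')
RE_GW = re.compile(r'^set ike gateway "([^"]+)" address (\S+) (Main|Aggressive) '
                   r'outgoing-(interface|zone) "([^"]+)" preshare "([^"]*)" sec-level (\S+)')
RE_VPN = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)" .*sec-level (\S+)')
RE_POL = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
                    r'"([^"]+)" "([^"]+)" "([^"]+)" tunnel vpn "([^"]+)"')


def parse_screenos(text):
    """Extract interface zones/addresses, address book, IKE gateways, VPNs and tunnel policies."""
    cfg = {"if_zone": {}, "if_ip": {}, "addr": {}, "gw": {}, "vpn": {}, "pol": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_IF_ZONE.match(line):
            cfg["if_zone"][m[1]] = m[2]
        elif m := RE_IF_IP.match(line):
            cfg["if_ip"][m[1]] = ipaddress.ip_interface(m[2]).ip
        elif m := RE_ADDR.match(line):
            # Address book names are zone-scoped, so key them by (zone, name).
            cfg["addr"][(m[1], m[2])] = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        elif m := RE_GW.match(line):
            cfg["gw"][m[1]] = {"peer": ipaddress.ip_address(m[2]), "mode": m[3],
                               "out_kind": m[4], "out": m[5], "psk": m[6], "sec": m[7]}
        elif m := RE_VPN.match(line):
            cfg["vpn"][m[1]] = {"gw": m[2], "sec": m[3]}
        elif m := RE_POL.match(line):
            cfg["pol"].append({"id": int(m[1]), "from": m[2], "to": m[3],
                               "src": m[4], "dst": m[5], "vpn": m[7]})
    return cfg


def outgoing_zone(cfg, gw):
    """Zone IKE leaves from: given directly (transparent mode) or via the outgoing interface."""
    return gw["out"] if gw["out_kind"] == "zone" else cfg["if_zone"][gw["out"]]


def proxy_ids(cfg):
    """Map VPN name -> (local, remote) proxy-ID taken from the outbound tunnel policy,
    i.e. the policy whose to-zone is the gateway's outgoing zone (the pair policy mirrors it)."""
    ids = {}
    for p in cfg["pol"]:
        gw = cfg["gw"][cfg["vpn"][p["vpn"]]["gw"]]
        if p["to"] == outgoing_zone(cfg, gw):
            ids[p["vpn"]] = (cfg["addr"][(p["from"], p["src"])],
                             cfg["addr"][(p["to"], p["dst"])])
    return ids


def check_site_to_site(text_a, text_b):
    """Return a list of mismatches between the two ends; an empty list means consistent."""
    a, b = parse_screenos(text_a), parse_screenos(text_b)
    issues = []
    ips_a, ips_b = set(a["if_ip"].values()), set(b["if_ip"].values())
    # Phase 1: each gateway must point at an address the other box owns, and the
    # pair must agree on IKE mode, pre-shared key and proposal set (sec-level).
    pairs = [(na, ga, nb, gb) for na, ga in a["gw"].items() for nb, gb in b["gw"].items()
             if ga["peer"] in ips_b and gb["peer"] in ips_a]
    if not pairs:
        issues.append("no IKE gateway pair: peer addresses do not match the other side's interfaces")
    for na, ga, nb, gb in pairs:
        for key in ("mode", "psk", "sec"):
            if ga[key] != gb[key]:
                issues.append(f"phase1 {key} mismatch: A:{na}={ga[key]!r} B:{nb}={gb[key]!r}")
    # Phase 2: proposal sets equal and every proxy-ID mirrored (A local == B remote and vice versa).
    if {v["sec"] for v in a["vpn"].values()} != {v["sec"] for v in b["vpn"].values()}:
        issues.append("phase2 sec-level mismatch")
    ids_a, ids_b = proxy_ids(a), proxy_ids(b)
    for name, (local, remote) in ids_a.items():
        if (remote, local) not in ids_b.values():
            issues.append(f"proxy-ID of A:{name} {local}<->{remote} has no mirror on B")
    return issues


if __name__ == "__main__":
    problems = check_site_to_site(FW_A, FW_B)
    print("consistent" if not problems else "\n".join(problems))
```

With the two configurations from the post the script reports no issues; changing the pre-shared key or the remote gateway address on one side makes it name the Phase 1 parameter that no longer matches, which is the same thing the IKE negotiation would fail on.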
3750 configuration:
vlan11: 1.1.1.1/24
vlan12: 2.2.2.1/24
gi1/0/1: member of vlan11
gi1/0/2: member of vlan12
Route: ip route 10.10.10.0 255.255.255.0 2.2.2.2
Client settings:
Client A:
ip: 10.10.10.2
gateway: 10.10.10.1
Client B:
ip: 1.1.1.3
gateway: 1.1.1.1
Note that 1.1.1.3 cannot ping 1.1.1.1, yet 1.1.1.3 must use 1.1.1.1 as its gateway for the two sides to reach each other. This is expected: in transparent mode Firewall B forwards only traffic that matches a policy, and the only policies configured are the tunnel policies between 1.1.1.3 and 10.10.10.2, so a ping to 1.1.1.1 itself is dropped while traffic for 10.10.10.2 matches the tunnel policy and is sent through the VPN.
Labels: Juniper SSG 5, Lan 2 Lan VPN