Friday, August 13, 2010
LAN to LAN VPN between two Juniper firewalls in Transparent mode
Topology diagram and scenario description:
Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The Internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50
Assuming both P1 and P2 use the "standard" security level, the P1 preshared key is "netscreen", and replay protection is disabled.
When the two VPN tunnel endpoints are a pair of NetScreen firewalls in Transparent mode, each security gateway must be configured with the IP address of the peer's VLAN1 interface. A NetScreen firewall in Transparent mode also needs a static route to reach the remote IPsec gateway.
Requirement: 1.1.1.0/24 and 1.1.2.0/24 must be able to reach each other through the VPN tunnel.
Equipment:
site A: Juniper SSG 5
site B: Juniper SSG 5
Internet: simulated with a Cisco 3750
Detailed configuration
site A Juniper SSG 5
1. Interface configuration
set interface vlan1 ip 1.1.1.50/24
set interface vlan1 ip manageable
set interface vlan1 broadcast arp (the WebUI also offers a Trace Route checkbox, which has no CLI equivalent)
set interface "ethernet0/0" zone "V1-Untrust"
set interface "ethernet0/1" zone "V1-DMZ"
set interface "ethernet0/6" zone "V1-Trust"
2. Zone configuration
Make V1-Untrust manageable; V1-Trust is manageable by default, so only the unneeded SNMP and SSL services are removed from it.
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage web
3. Default route to the Internet
set route 0.0.0.0/0 interface vlan1 gateway 1.1.1.1
4. Policy prerequisites
The local LAN goes into the V1-Trust address book and the remote LAN into V1-Untrust, because a policy looks up its source address in the from-zone's book and its destination address in the to-zone's book.
set address "V1-Trust" "lan-A" 1.1.1.0 255.255.255.0
set address "V1-Untrust" "lan-B" 1.1.2.0 255.255.255.0
set ike gateway "toB" address 1.1.2.50 Main outgoing-zone "V1-Untrust" preshare "netscreen" sec-level standard
set vpn "toB" gateway "toB" no-replay tunnel idletime 0 sec-level standard
5. Policy configuration
set policy id 2 from "V1-Trust" to "V1-Untrust" "lan-A" "lan-B" "ANY" tunnel vpn "toB" id 0x1 pair-policy 3
set policy id 3 from "V1-Untrust" to "V1-Trust" "lan-B" "lan-A" "ANY" tunnel vpn "toB" id 0x1 pair-policy 2
site B Juniper SSG 5
1. Interface configuration
set interface vlan1 ip 1.1.2.50/24
set interface vlan1 ip manageable
set interface vlan1 broadcast arp (the WebUI also offers a Trace Route checkbox, which has no CLI equivalent)
set interface "ethernet0/0" zone "V1-Untrust"
set interface "ethernet0/1" zone "V1-DMZ"
set interface "ethernet0/6" zone "V1-Trust"
2. Zone configuration
Make V1-Untrust manageable; V1-Trust is manageable by default, so only SNMP and SSL are removed from it.
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage web
3. Default route to the Internet
set route 0.0.0.0/0 interface vlan1 gateway 1.1.2.1
4. Policy prerequisites
set address "V1-Trust" "lan-B" 1.1.2.0 255.255.255.0
set address "V1-Untrust" "lan-A" 1.1.1.0 255.255.255.0
set ike gateway "toA" address 1.1.1.50 Main outgoing-zone "V1-Untrust" preshare "netscreen" sec-level standard
set vpn "toA" gateway "toA" no-replay tunnel idletime 0 sec-level standard
5. Policy configuration
set policy id 2 from "V1-Trust" to "V1-Untrust" "lan-B" "lan-A" "ANY" tunnel vpn "toA" id 0x1 pair-policy 3
set policy id 3 from "V1-Untrust" to "V1-Trust" "lan-A" "lan-B" "ANY" tunnel vpn "toA" id 0x1 pair-policy 2
Internet (Cisco 3750) configuration:
vlan11: 1.1.1.1/24
vlan12: 1.1.2.1/24
gi1/0/1: assigned to vlan11
gi1/0/2: assigned to vlan12
Client settings:
Client a:
ip: 1.1.1.3
gateway: 1.1.1.1
1.1.1.3 cannot ping 1.1.1.1 directly, because no policy permits it.
Client b:
ip: 1.1.2.3
gateway: 1.1.2.1
1.1.2.3 cannot ping 1.1.2.1 directly, because no policy permits it.
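The two site configs above must agree in several places: each tunnel policy's addresses have to exist in the right zone address books, the two policies must reference each other via pair-policy, the IKE gateway must be the peer firewall's VLAN1 address, and a route must cover that gateway. The following checker is an added example (not code from the original post) that parses a reduced copy of site A's config lines and reports any of those mismatches; SITE_A is a constructed sample, check_site and parse are assumed names, and the peer's VLAN1 address is passed in.

```python
import ipaddress
import re
# Constructed sample: site A's transparent-mode SSG config from this page, reduced to the lines the checks need.
SITE_A = """set interface vlan1 ip 1.1.1.50/24
set route 0.0.0.0/0 interface vlan1 gateway 1.1.1.1
set address "V1-Trust" "lan-A" 1.1.1.0 255.255.255.0
set address "V1-Untrust" "lan-B" 1.1.2.0 255.255.255.0
set ike gateway "toB" address 1.1.2.50 Main outgoing-zone "V1-Untrust" preshare "netscreen" sec-level standard
set vpn "toB" gateway "toB" no-replay tunnel idletime 0 sec-level standard
set policy id 2 from "V1-Trust" to "V1-Untrust" "lan-A" "lan-B" "ANY" tunnel vpn "toB" id 0x1 pair-policy 3
set policy id 3 from "V1-Untrust" to "V1-Trust" "lan-B" "lan-A" "ANY" tunnel vpn "toB" id 0x1 pair-policy 2"""
POLICY = re.compile(r'set policy id (\d+) from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)" '
                    r'"[^"]+" tunnel vpn "([^"]+)"(?: id \S+ pair-policy (\d+))?')
def parse(cfg):
    """Pull the address book, IKE gateways, VPNs, tunnel policies and routes out of a config dump."""
    c = {"addr": set(), "gw": {}, "vpn": {}, "pol": {}, "routes": []}
    for ln in cfg.splitlines():
        if m := re.match(r'set interface vlan1 ip (\S+)/', ln):
            c["vlan1"] = m[1]
        elif m := re.match(r'set route (\S+) interface \S+ gateway', ln):
            c["routes"].append(ipaddress.ip_network(m[1]))
        elif m := re.match(r'set address "([^"]+)" "([^"]+)"', ln):
            c["addr"].add((m[1], m[2]))
        elif m := re.match(r'set ike gateway "([^"]+)" address (\S+)', ln):
            c["gw"][m[1]] = m[2]
        elif m := re.match(r'set vpn "([^"]+)" gateway "([^"]+)"', ln):
            c["vpn"][m[1]] = m[2]
        elif m := POLICY.match(ln):
            c["pol"][int(m[1])] = (m[2], m[3], m[4], m[5], m[6], int(m[7]) if m[7] else None)
    return c

def check_site(cfg, peer_vlan1):
    """List the tunnel-config problems in cfg, given the far end firewall's VLAN1 address."""
    local, issues = parse(cfg), []
    for pid, (fz, tz, src, dst, vpn, pair) in local["pol"].items():
        # ScreenOS resolves the source in the from-zone book and the destination in the to-zone book
        for zone, name, role in ((fz, src, "source"), (tz, dst, "destination")):
            if (zone, name) not in local["addr"]:
                issues.append(f"policy {pid}: {role} {name} is not in zone {zone}")
        # the two directions of one tunnel must reference each other via pair-policy
        if pair is None or local["pol"].get(pair, (None,) * 6)[5] != pid:
            issues.append(f"policy {pid}: pair-policy {pair} does not point back")
        # in transparent mode the IKE gateway must be the peer firewall's VLAN1 address
        gw = local["gw"].get(local["vpn"].get(vpn))
        if gw != peer_vlan1:
            issues.append(f"policy {pid}: IKE gateway {gw} is not the peer VLAN1 IP {peer_vlan1}")
    # the remote IKE gateway must be covered by a route (this page relies on the default route)
    if not any(ipaddress.ip_address(g) in r for g in local["gw"].values() for r in local["routes"]):
        issues.append("no route toward the remote IKE gateway")
    return issues
```

check_site(SITE_A, "1.1.2.50") returns an empty list for the sample; run it on site B's config with "1.1.1.50" to check the other end.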
Tags: Double Transparent mode, Lan to Lan VPN, SSG 5