2010年10月13日星期三
配置Netscreen的基于路由的IPSec vpn
方案图如下:
配置步骤:
SSG520:
1、添加三层区段zone_test1
set zone id 100 "zone_test1"
2、设置接口基本信息(注意:下面在Untrust接口上同时开放了telnet、web等明文管理方式,这只适合实验环境,生产环境应只保留ssh/ssl并限制管理地址)
set interface "ethernet0/0" zone "zone_test1"
set interface ethernet0/0 ip 195.168.1.1/24
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 10.0.1.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
3、建立tunnel接口
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/2
4、设置地址,为policy做准备
5、添加vpn gateway和vpn,并绑定tunnel(两端preshare字段的值不同,说明这里是get config输出中经设备加密后的形式,实际配置时应在两端输入相同的明文预共享密钥;no-replay表示关闭IPSec防重放检查)
set ike gateway "p1-VPN" address 10.0.2.1 Main outgoing-interface "ethernet0/2" preshare "b8T7jXayN9IQk3sjBvCRFCCE3rn4M+aNWQ==" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "p2-VPN" id 0x4 bind interface tunnel.1
6、设置规则
set policy id 1 from "Untrust" to "zone_test1" "192.168.1.0" "195.168.1.0" "ANY" permit
7、设置必要的路由
set route 10.0.2.0/24 interface ethernet0/2 gateway 10.0.1.254
set route 192.168.1.0/24 interface tunnel.1
注意:一定不要添加
set route 192.168.1.0/24 interface ethernet0/2 gateway 10.0.1.254
否则,去往192.168.1.0/24的流量会被该路由直接从ethernet0/2明文转发,而不会进入tunnel.1,也就不会被加密。
SSG5:
set zone id 100 "zone_test1"
2、设置接口基本信息
3、建立tunnel接口
4、设置地址,为policy做准备
5、添加vpn gateway和vpn,并绑定tunnel
6、设置规则
set policy id 1 from "zone_test1" to "Untrust" "192.168.1.0" "Any" "ANY" permit
set policy id 1
SSG520:
1、添加三层区段zone_test1
set zone id 100 "zone_test1"
2、设置接口基本信息
set interface "ethernet0/0" zone "zone_test1"
set interface ethernet0/0 ip 195.168.1.1/24
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 10.0.1.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
3、建立tunnel接口
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/2
4、设置地址,为policy做准备
set address "Untrust" "10.0.1.0" 10.0.1.0 255.255.255.0
set address "Untrust" "10.0.2.0" 10.0.2.0 255.255.255.0
set address "Untrust" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "zone_test1" "195.168.1.0" 195.168.1.0 255.255.255.0
set ike gateway "p1-VPN" address 10.0.2.1 Main outgoing-interface "ethernet0/2" preshare "b8T7jXayN9IQk3sjBvCRFCCE3rn4M+aNWQ==" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "p2-VPN" id 0x4 bind interface tunnel.1
6、设置规则
set policy id 1 from "Untrust" to "zone_test1" "192.168.1.0" "195.168.1.0" "ANY" permit
7、设置必要的路由
set route 10.0.2.0/24 interface ethernet0/2 gateway 10.0.1.254
set route 192.168.1.0/24 interface tunnel.1
注意:一定不要添加
set route 192.168.1.0/24 interface ethernet0/2 gateway 10.0.1.254
否则,去往192.168.1.0/24的流量会被该路由直接从ethernet0/2明文转发,而不会进入tunnel.1,也就不会被加密。
SSG5:
1、添加三层区段zone_test1
set zone id 100 "zone_test1"
2、设置接口基本信息
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 10.0.2.1/24
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface "ethernet0/6" zone "zone_test1"
set interface ethernet0/6 ip 192.168.1.1/24
set interface ethernet0/6 route
set interface ethernet0/6 ip manageable
set interface ethernet0/6 manage ping
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
3、建立tunnel接口
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.1 mtu 1500
4、设置地址,为policy做准备
set address "Untrust" "10.0.1.0" 10.0.1.0 255.255.255.0
set address "Untrust" "10.0.2.0" 10.0.2.0 255.255.255.0
set address "Untrust" "195.168.1.0" 195.168.1.0 255.255.255.0
set address "zone_test1" "192.168.1.0" 192.168.1.0 255.255.255.0
5、添加vpn gateway和vpn,并绑定tunnel
set ike gateway "p1-VPN" address 10.0.1.1 Main outgoing-interface "ethernet0/0" preshare "b4glVk9XNYDwPwsBewCwnDL3ZJnIqufiRA==" sec-level standard
set vpn "p2-VPN" gateway "p1-VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "p2-VPN" id 0x4 bind interface tunnel.1
set policy id 1 from "zone_test1" to "Untrust" "192.168.1.0" "Any" "ANY" permit
set policy id 1
7、设置必要的路由
set route 10.0.1.0/24 interface ethernet0/0 gateway 10.0.2.254
set route 195.168.1.0/24 interface tunnel.1
注意:一定不要添加
set route 195.168.1.0/24 interface ethernet0/0 gateway 10.0.2.254
否则,去往195.168.1.0/24的流量会被该路由直接从ethernet0/0明文转发,而不会进入tunnel.1,也就不会被加密。
3750上:
vlan 11:
gateway: 10.0.1.254
端口:gi1/0/1
vlan 12:
gateway: 10.0.2.254
端口:gi1/0/2
打通vlan之间路由:
ip routing
gateway: 10.0.1.254
端口:gi1/0/1
vlan 12:
gateway: 10.0.2.254
端口:gi1/0/2
打通vlan之间路由:
ip routing
添加端口复制,至24口
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/24
添加静态路由:
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 195.168.1.0 255.255.255.0 10.0.1.1
ok!
最后:
1、看一下ssg 5上的vpn monitor
2、从192.168.1.100主机ping 195.168.1.100,在两台主机上用Wireshark抓包,看到的都是明文的ICMP包(加解密在两台SSG上完成,主机侧看不到ESP),源地址和目的地址均正确。
看一下在中途数据包的样子,在cisco3750的24口作了端口镜像,抓包如下
tunnel模式的IPSec把原始IP包(含原始的源、目的地址)整个封装并加密在ESP载荷中,中途只能看到外层新包头;新包头中使用的源地址和目的地址是两端外向接口(NAT或路由模式下)的IP地址,即本例中的10.0.1.1和10.0.2.1。
ok!
最后:
1、看一下ssg 5上的vpn monitor
2、从192.168.1.100主机ping 195.168.1.100,在两台主机上用Wireshark抓包,看到的都是明文的ICMP包(加解密在两台SSG上完成,主机侧看不到ESP),源地址和目的地址均正确。
看一下在中途数据包的样子,在cisco3750的24口作了端口镜像,抓包如下
tunnel模式的IPSec把原始IP包(含原始的源、目的地址)整个封装并加密在ESP载荷中,中途只能看到外层新包头;新包头中使用的源地址和目的地址是两端外向接口(NAT或路由模式下)的IP地址,即本例中的10.0.1.1和10.0.2.1。
标签: Juniper, Netscreen, Route-based VPN