
Juniper SSG templates

Updated: March 2014

The following templates are for devices in the Juniper SSG device family. For a list of all available device templates, see About VPN Devices for Virtual Network. For information about how to configure a device template for your environment, see About configuring VPN device templates.

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper SSG Series Secure Services Gateway running ScreenOS 6.2.
# It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# !!! 1. Policy-based VPN configuration is not supported.
# !!! 2. Only 1 subnet is allowed for your on-premise network.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike p1-proposal <RP_IkeProposal> preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set ike p2-proposal <RP_IPSecProposal> no-pfs esp aes256 sha-1 seconds 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 proposal <RP_IPSecProposal>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350
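
Before pasting a filled-in template into the device, it is worth checking the substituted values mechanically. The following is an added example, not part of the Microsoft template: a small Python renderer that fills the `<SP_*>`, `<RP_*>` and `<NameOf...>` placeholders and refuses to emit a configuration with malformed or overlapping CIDRs, unfilled placeholders, or values that would inject extra CLI tokens. The `render` function, the no-whitespace rule and all values in `SAMPLE` are assumptions made for illustration.

```python
import ipaddress
import re

# Excerpt of the template above (placeholders unchanged).
TEMPLATE = """\
set interface <RP_Tunnel> zone untrust
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
"""

# Constructed sample values (documentation address ranges, dummy key).
SAMPLE = {
    "RP_Tunnel": "tunnel.1", "RP_IkeGateway": "azure-gw",
    "RP_IkeProposal": "azure-p1", "RP_IPSecVpn": "azure-vpn",
    "NameOfYourOutsideInterface": "ethernet0/0",
    "SP_AzureGatewayIpAddress": "203.0.113.10",
    "SP_AzureNetworkCIDR": "10.20.0.0/16",
    "SP_OnPremiseNetworkCIDR": "192.168.10.0/24",
    "SP_PresharedKey": "CONSTRUCTED-example-key",
}
PLACEHOLDER = re.compile(r"<([A-Za-z_]+)>")

def render(template, values):
    """Fill every <Placeholder>; raise ValueError listing all problems found."""
    errors, nets = [], {}
    for key in ("SP_OnPremiseNetworkCIDR", "SP_AzureNetworkCIDR"):
        try:  # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/16
            nets[key] = ipaddress.ip_network(values.get(key, ""), strict=True)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    if len(nets) == 2 and nets["SP_OnPremiseNetworkCIDR"].overlaps(nets["SP_AzureNetworkCIDR"]):
        errors.append("on-premise and Azure address spaces overlap")
    try:
        ipaddress.ip_address(values.get("SP_AzureGatewayIpAddress", ""))
    except ValueError as exc:
        errors.append(f"SP_AzureGatewayIpAddress: {exc}")
    for key, val in values.items():
        # Whitespace or a newline in a value would add CLI tokens or whole commands.
        if not val or re.search(r"\s", val):
            errors.append(f"{key}: empty or contains whitespace")
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        errors.append("unfilled placeholders: " + ", ".join(missing))
    if errors:
        raise ValueError("; ".join(errors))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE))
```
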

[This feature is only available as a preview. Content related to this feature is preliminary.]

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper SSG Series Secure Services Gateway running ScreenOS 6.2.
# It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike gateway ikev2 <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level compatible
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 sec-level compatible
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350
