
Juniper SRX Templates

Updated: March 2014

The templates below are for the Juniper SRX Series device group. For a list of all available device templates, see About VPN Devices for Virtual Network. For information about configuring a device template for your environment, see About Configuring VPN Device Templates.

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper SRX Series Services Gateway running JunOS 10.2.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set security ike proposal <RP_IkeProposal> authentication-method pre-shared-keys
set security ike proposal <RP_IkeProposal> authentication-algorithm sha1
set security ike proposal <RP_IkeProposal> encryption-algorithm aes-256-cbc
set security ike proposal <RP_IkeProposal> lifetime-seconds 28800
set security ike proposal <RP_IkeProposal> dh-group group2
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposals <RP_IkeProposal>
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association.
set security ipsec proposal <RP_IPSecProposal> protocol esp
set security ipsec proposal <RP_IPSecProposal> authentication-algorithm hmac-sha1-96
set security ipsec proposal <RP_IPSecProposal> encryption-algorithm aes-256-cbc
set security ipsec proposal <RP_IPSecProposal> lifetime-seconds 3600
set security ipsec policy <RP_IPSecPolicy> proposals <RP_IPSecProposal>
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules and Policy-based VPN tunnel configuration
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set security zones security-zone trust interfaces <NameOfYourInsideInterface>
set security zones security-zone trust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>

set security zones security-zone untrust interfaces <NameOfYourOutsideInterface>
set security zones security-zone untrust host-inbound-traffic system-services ike
# You may need the following line if you have an interface-specific host-inbound-traffic rule,
# because an interface-level rule overrides the zone-level rule above.
# set security zones security-zone untrust interface <NameOfYourOutsideInterface> host-inbound-traffic system-services ike
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>

# ---------------------------------------------------------------------------------------------------------------------
# This section binds the above-defined IPSec VPN policy to the cross-premise network traffic so that such traffic will be
# properly encrypted and transmitted via the IPSec VPN tunnel.
edit security policies from-zone trust to-zone untrust
set policy <RP_TrustToUntrustPolicy> match source-address <RP_OnPremiseNetwork>
set policy <RP_TrustToUntrustPolicy> match destination-address <RP_AzureNetwork>
set policy <RP_TrustToUntrustPolicy> match application any
set policy <RP_TrustToUntrustPolicy> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set policy <RP_TrustToUntrustPolicy> then permit tunnel pair-policy <RP_UntrustToTrustPolicy>
exit

edit security policies from-zone untrust to-zone trust
set policy <RP_UntrustToTrustPolicy> match source-address <RP_AzureNetwork>
set policy <RP_UntrustToTrustPolicy> match destination-address <RP_OnPremiseNetwork>
set policy <RP_UntrustToTrustPolicy> match application any
set policy <RP_UntrustToTrustPolicy> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set policy <RP_UntrustToTrustPolicy> then permit tunnel pair-policy <RP_TrustToUntrustPolicy>
exit

# Security policies are evaluated in order, first match wins. Move the VPN policy ahead of your existing
# default trust-to-untrust policy; otherwise the default policy matches first and the traffic is never tunnelled.
show security policies
edit security policies from-zone trust to-zone untrust
insert policy <RP_TrustToUntrustPolicy> before policy <NameOfYourDefaultTrustToUntrustPolicy>

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1350

commit
exit

[This feature is currently available only as a preview. Content about the feature is preliminary.]

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper SRX Series Services Gateway running JunOS 11.4.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set security ike proposal <RP_IkeProposal> authentication-method pre-shared-keys
set security ike proposal <RP_IkeProposal> authentication-algorithm sha1
set security ike proposal <RP_IkeProposal> encryption-algorithm aes-256-cbc
set security ike proposal <RP_IkeProposal> lifetime-seconds 28800
set security ike proposal <RP_IkeProposal> dh-group group2
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposals <RP_IkeProposal>
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>
set security ike gateway <RP_IkeGateway> version v2-only

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association.
set security ipsec proposal <RP_IPSecProposal> protocol esp
set security ipsec proposal <RP_IPSecProposal> authentication-algorithm hmac-sha1-96
set security ipsec proposal <RP_IPSecProposal> encryption-algorithm aes-256-cbc
set security ipsec proposal <RP_IPSecProposal> lifetime-seconds 3600
set security ipsec policy <RP_IPSecPolicy> proposals <RP_IPSecProposal>
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules and Policy-based VPN tunnel configuration
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set security zones security-zone trust interfaces <NameOfYourInsideInterface>
set security zones security-zone trust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>

set security zones security-zone untrust interfaces <NameOfYourOutsideInterface>
set security zones security-zone untrust host-inbound-traffic system-services ike
# You may need the following line if you have an interface-specific host-inbound-traffic rule,
# because an interface-level rule overrides the zone-level rule above.
# set security zones security-zone untrust interface <NameOfYourOutsideInterface> host-inbound-traffic system-services ike
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>

# ---------------------------------------------------------------------------------------------------------------------
# This section creates a new virtual tunnel interface and binds the above-defined IPSec VPN policy to this interface so that
# the cross-premise network traffic will be properly encrypted and transmitted via the IPSec VPN tunnel.
# Note: traffic between the trust zone and st0.0 (placed in the untrust zone below) is still subject to security policies.
# A from-zone trust to-zone untrust policy (and its reverse) must permit <RP_OnPremiseNetwork> to <RP_AzureNetwork>,
# using the address-book entries defined above.
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces st0.0
set security ipsec vpn <RP_IPSecVpn> bind-interface st0.0
set routing-options static route <SP_AzureNetworkCIDR> next-hop st0.0

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1350

commit
exit
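Both templates fix the same Phase 1 and Phase 2 parameters; before committing a rendered copy it is worth checking that every placeholder was replaced and no value was changed by hand. The validator below is an added example, not Microsoft's or Juniper's code: it parses JunOS `set` lines, compares the proposal parameters with the values on this page, and checks the IKE host-inbound and tcp-mss lines. The sample snippet and the names `azure-ike-prop`, `azure-ike-pol` and `azure-ipsec-prop` are constructed for the example.

```python
import re

# Constructed sample: a rendered JunOS snippet in which one placeholder was left unfilled.
SAMPLE = """
set security ike proposal azure-ike-prop authentication-method pre-shared-keys
set security ike proposal azure-ike-prop authentication-algorithm sha1
set security ike proposal azure-ike-prop encryption-algorithm aes-256-cbc
set security ike proposal azure-ike-prop lifetime-seconds 28800
set security ike proposal azure-ike-prop dh-group group2
set security ike policy azure-ike-pol pre-shared-key ascii-text <SP_PresharedKey>
set security ipsec proposal azure-ipsec-prop protocol esp
set security ipsec proposal azure-ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal azure-ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec proposal azure-ipsec-prop lifetime-seconds 3600
set security zones security-zone untrust host-inbound-traffic system-services ike
set security flow tcp-mss ipsec-vpn mss 1350
"""
# Phase 1 / Phase 2 values both templates on this page fix (same for JunOS 10.2 and 11.4).
EXPECTED = {
    ("ike", "authentication-method"): "pre-shared-keys",
    ("ike", "authentication-algorithm"): "sha1",
    ("ike", "encryption-algorithm"): "aes-256-cbc",
    ("ike", "lifetime-seconds"): "28800",
    ("ike", "dh-group"): "group2",
    ("ipsec", "protocol"): "esp",
    ("ipsec", "authentication-algorithm"): "hmac-sha1-96",
    ("ipsec", "encryption-algorithm"): "aes-256-cbc",
    ("ipsec", "lifetime-seconds"): "3600",
}

def check_template(text):
    # Returns a list of findings; an empty list means the rendered config matches the template.
    findings, seen = [], {}
    for line in text.strip().splitlines():
        # Any <RP_...>, <SP_...> or <NameOfYour...> token means the template was not fully filled in.
        if re.search(r"<(RP_|SP_|NameOfYour)\w+>", line):
            findings.append("unfilled placeholder: " + line)
        m = re.match(r"set security (ike|ipsec) proposal \S+ (\S+) (\S+)$", line)
        if m:  # record every proposal parameter by (phase, parameter)
            seen[(m.group(1), m.group(2))] = m.group(3)
    for key, want in EXPECTED.items():
        if seen.get(key) != want:
            findings.append("%s %s: expected %s, got %s" % (key + (want, seen.get(key))))
    if "host-inbound-traffic system-services ike" not in text:
        findings.append("IKE not allowed inbound on any zone")
    if not re.search(r"^set security flow tcp-mss ipsec-vpn mss 1350$", text, re.M):
        findings.append("tcp-mss clamping missing or not 1350")
    return findings
```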

© 2014 Microsoft