
Juniper SRX templates

Updated: March 19, 2014

The templates below are for devices in the Juniper SRX-series device family. For a list of all available device templates, see About VPN Devices for Virtual Network. For information about configuring a device template for your environment, see About configuring VPN device templates.

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to a Juniper SRX Series Services Gateway running JunOS 10.2.
# It configures a policy-based IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 (IKEv1
# main mode) negotiation. It also specifies the peer of your on-premises VPN device, i.e. the public IP address of
# the Azure gateway, and the local interface from which the IKE exchange is sent.
# Note: SHA-1 and DH group 2 (1024-bit MODP) are weak by current standards; they are used here because they are
# what this template's Azure gateway negotiates.
set security ike proposal <RP_IkeProposal> authentication-method pre-shared-keys
set security ike proposal <RP_IkeProposal> authentication-algorithm sha1
set security ike proposal <RP_IkeProposal> encryption-algorithm aes-256-cbc
set security ike proposal <RP_IkeProposal> lifetime-seconds 28800
set security ike proposal <RP_IkeProposal> dh-group group2
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposals <RP_IkeProposal>
# The pre-shared key is stored in the configuration in Junos' reversible $9$ encoding, so treat configuration
# backups and "show configuration" output as secret.
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association.
set security ipsec proposal <RP_IPSecProposal> protocol esp
set security ipsec proposal <RP_IPSecProposal> authentication-algorithm hmac-sha1-96
set security ipsec proposal <RP_IPSecProposal> encryption-algorithm aes-256-cbc
set security ipsec proposal <RP_IPSecProposal> lifetime-seconds 3600
set security ipsec policy <RP_IPSecPolicy> proposals <RP_IPSecProposal>
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules and Policy-based VPN tunnel configuration
# 
# Security policies are needed to permit the cross-premises traffic; the address-book entries below give them names
# for the two networks. The "ike" system service admits IKE (UDP 500, and UDP 4500 for NAT-T) on the outside
# interface; ESP for a configured VPN is accepted by the IPsec stack and needs no separate host-inbound-traffic entry.
set security zones security-zone trust interfaces <NameOfYourInsideInterface>
set security zones security-zone trust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>

set security zones security-zone untrust interfaces <NameOfYourOutsideInterface>
set security zones security-zone untrust host-inbound-traffic system-services ike
# You may need the following line if the outside interface has its own host-inbound-traffic configuration,
# because an interface-level setting overrides the zone-level one for that interface.
# set security zones security-zone untrust interface <NameOfYourOutsideInterface> host-inbound-traffic system-services ike
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>

# ---------------------------------------------------------------------------------------------------------------------
# This section binds the above-defined IPSec VPN to the cross-premises traffic with a pair of "permit tunnel"
# policies (one per direction, each naming the other as its pair-policy) so that such traffic is encrypted and sent
# through the tunnel rather than forwarded in the clear.
edit security policies from-zone trust to-zone untrust
set policy <RP_TrustToUntrustPolicy> match source-address <RP_OnPremiseNetwork>
set policy <RP_TrustToUntrustPolicy> match destination-address <RP_AzureNetwork>
set policy <RP_TrustToUntrustPolicy> match application any
set policy <RP_TrustToUntrustPolicy> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set policy <RP_TrustToUntrustPolicy> then permit tunnel pair-policy <RP_UntrustToTrustPolicy>
exit

edit security policies from-zone untrust to-zone trust
set policy <RP_UntrustToTrustPolicy> match source-address <RP_AzureNetwork>
set policy <RP_UntrustToTrustPolicy> match destination-address <RP_OnPremiseNetwork>
set policy <RP_UntrustToTrustPolicy> match application any
set policy <RP_UntrustToTrustPolicy> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set policy <RP_UntrustToTrustPolicy> then permit tunnel pair-policy <RP_TrustToUntrustPolicy>
exit

# Policies are evaluated in order and the first match wins. The tunnel policy must therefore come before any broader
# policy in the same zone pair, such as a default trust-to-untrust permit-all policy; otherwise traffic for the Azure
# network matches that policy first and leaves the device unencrypted. Use "show security policies" to find the name
# of the policy it must precede.
show security policies
edit security policies from-zone trust to-zone untrust
insert policy <RP_TrustToUntrustPolicy> before policy <NameOfYourDefaultTrustToUntrustPolicy>
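As an added example (not part of the Microsoft template; the names AzureVpn, AzureVpnIn, AzureIpsecVpn, default-permit, OnPremiseNetwork and AzureNetwork are hypothetical stand-ins for the placeholders above), the following Python script parses security policies in "show configuration | display set" form, simulates the SRX's first-match lookup for the on-premises-to-Azure flow, emulates the "insert ... before" command, and checks that every tunnel policy has its pair-policy in the reverse zone pair. It shows why the ordering step matters: with a default permit-all policy first, the flow is permitted without the tunnel, which means plaintext to the internet.

```python
import re
from dataclasses import dataclass, field

# Policy statements as printed by "show configuration | display set"; the template's
# "edit ... / set policy ..." lines flatten to this form.
POLICY_RE = re.compile(r"^set security policies from-zone (?P<fz>\S+) to-zone (?P<tz>\S+) "
                       r"policy (?P<name>\S+) (?P<kw>match|then) (?P<rest>.+)$")

@dataclass
class Policy:
    name: str
    src: set = field(default_factory=set)
    dst: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    actions: list = field(default_factory=list)

    def matches(self, src, dst, app="any"):
        # Terms compare by address-book/application name; "any" matches everything.
        return (bool({"any", src} & self.src) and bool({"any", dst} & self.dst)
                and bool({"any", app} & self.apps))

    def tunnels(self):
        return any(a.split()[:3] == ["permit", "tunnel", "ipsec-vpn"] for a in self.actions)

def _owner(line):
    m = POLICY_RE.match(line.strip())
    return (m["fz"], m["tz"], m["name"]) if m else None

def parse_policies(config_text):
    """{(from_zone, to_zone): [Policy, ...]} in configuration order, which is the order the
    SRX evaluates them: the first policy whose terms fit the flow wins."""
    zones = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        plist = zones.setdefault((m["fz"], m["tz"]), [])
        pol = next((p for p in plist if p.name == m["name"]), None)
        if pol is None:
            pol = Policy(m["name"])
            plist.append(pol)
        rest = m["rest"].split()
        if m["kw"] == "match":
            {"source-address": pol.src, "destination-address": pol.dst,
             "application": pol.apps}[rest[0]].add(rest[1])
        else:
            pol.actions.append(" ".join(rest))
    return zones

def first_match(config_text, from_zone, to_zone, src, dst):
    """Simulate the lookup for one flow: (winning policy name, tunneled?)."""
    for pol in parse_policies(config_text).get((from_zone, to_zone), []):
        if pol.matches(src, dst):
            return pol.name, pol.tunnels()
    return None, False

def unpaired_tunnel_policies(config_text):
    """Tunnel policies whose declared pair-policy is missing from the reverse zone pair."""
    zones = parse_policies(config_text)
    return [p.name for (fz, tz), plist in zones.items() for p in plist
            for a in p.actions if a.split()[:3] == ["permit", "tunnel", "pair-policy"]
            and a.split()[3] not in {q.name for q in zones.get((tz, fz), [])}]

def insert_before(config_text, from_zone, to_zone, name, before):
    """Emulate 'insert policy <name> before policy <before>' on display-set text."""
    lines = [l for l in config_text.splitlines() if l.strip()]
    moving = [l for l in lines if _owner(l) == (from_zone, to_zone, name)]
    rest = [l for l in lines if _owner(l) != (from_zone, to_zone, name)]
    idx = next(i for i, l in enumerate(rest) if _owner(l) == (from_zone, to_zone, before))
    return "\n".join(rest[:idx] + moving + rest[idx:])

# Constructed sample; the names are hypothetical stand-ins for the template's placeholders.
# The pre-existing default policy still precedes the VPN policy (the "insert" step not yet run).
def _pol(fz, tz, name, *terms):
    return [f"set security policies from-zone {fz} to-zone {tz} policy {name} {t}" for t in terms]

BEFORE_INSERT = "\n".join(
    _pol("trust", "untrust", "default-permit", "match source-address any",
         "match destination-address any", "match application any", "then permit")
    + _pol("trust", "untrust", "AzureVpn", "match source-address OnPremiseNetwork",
           "match destination-address AzureNetwork", "match application any",
           "then permit tunnel ipsec-vpn AzureIpsecVpn", "then permit tunnel pair-policy AzureVpnIn")
    + _pol("untrust", "trust", "AzureVpnIn", "match source-address AzureNetwork",
           "match destination-address OnPremiseNetwork", "match application any",
           "then permit tunnel ipsec-vpn AzureIpsecVpn", "then permit tunnel pair-policy AzureVpn"))

if __name__ == "__main__":
    flow = ("trust", "untrust", "OnPremiseNetwork", "AzureNetwork")
    print(first_match(BEFORE_INSERT, *flow))  # ('default-permit', False): sent in the clear
    fixed = insert_before(BEFORE_INSERT, "trust", "untrust", "AzureVpn", "default-permit")
    print(first_match(fixed, *flow))          # ('AzureVpn', True)
```

To use it against a real device, feed it the output of `show configuration security policies | display set` (the parser ignores lines that are not policy statements) and confirm that `first_match` for your on-premises and Azure address-book names reports the tunnel policy in both zone pairs and that `unpaired_tunnel_policies` returns an empty list.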

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Clamp the TCP MSS of flows entering the VPN so that a full-size segment still fits the path MTU after ESP
# encapsulation; 1350 leaves headroom below the roughly 1380 to 1400 bytes a 1500-byte path allows with AES-CBC
# and SHA-1. Without this, full-size segments exceed the MTU after encryption and are fragmented or dropped.
set security flow tcp-mss ipsec-vpn mss 1350

commit
exit

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to a Juniper SRX Series Services Gateway running JunOS 11.4.
# It configures a route-based IPSec VPN tunnel (IKEv2, st0 tunnel interface) connecting your on-premises VPN device
# with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the IKE SA (Phase 1).
# The gateway is set to IKEv2 only ("version v2-only"), so "mode main" applies to IKEv1 only and has no effect on
# the IKEv2 exchange. The peer address is the public IP address of the Azure gateway and the external interface is
# the local interface from which the IKE exchange is sent.
set security ike proposal <RP_IkeProposal> authentication-method pre-shared-keys
set security ike proposal <RP_IkeProposal> authentication-algorithm sha1
set security ike proposal <RP_IkeProposal> encryption-algorithm aes-256-cbc
set security ike proposal <RP_IkeProposal> lifetime-seconds 28800
set security ike proposal <RP_IkeProposal> dh-group group2
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposals <RP_IkeProposal>
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>
set security ike gateway <RP_IkeGateway> version v2-only

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation, i.e. the
# IKEv2 Child SA that carries the ESP traffic.
set security ipsec proposal <RP_IPSecProposal> protocol esp
set security ipsec proposal <RP_IPSecProposal> authentication-algorithm hmac-sha1-96
set security ipsec proposal <RP_IPSecProposal> encryption-algorithm aes-256-cbc
set security ipsec proposal <RP_IPSecProposal> lifetime-seconds 3600
set security ipsec policy <RP_IPSecPolicy> proposals <RP_IPSecProposal>
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules and Policy-based VPN tunnel configuration
# 
# Security policies are needed to permit the cross-premises traffic; the address-book entries below give them names
# for the two networks. The "ike" system service admits IKE (UDP 500, and UDP 4500 for NAT-T) on the outside
# interface; ESP for a configured VPN is accepted by the IPsec stack and needs no separate host-inbound-traffic entry.
set security zones security-zone trust interfaces <NameOfYourInsideInterface>
set security zones security-zone trust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>

set security zones security-zone untrust interfaces <NameOfYourOutsideInterface>
set security zones security-zone untrust host-inbound-traffic system-services ike
# You may need the following line if the outside interface has its own host-inbound-traffic configuration,
# because an interface-level setting overrides the zone-level one for that interface.
# set security zones security-zone untrust interface <NameOfYourOutsideInterface> host-inbound-traffic system-services ike
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>

# ---------------------------------------------------------------------------------------------------------------------
# This section creates a secure tunnel interface (st0.0), binds the above-defined IPSec VPN to it, and routes the
# Azure prefix into it so that cross-premises traffic is encrypted and sent through the tunnel. st0.0 is placed in the
# untrust zone, so the trust-to-untrust and untrust-to-trust security policies still decide which traffic may enter or
# leave the tunnel; a route-based VPN uses plain "permit" policies between <RP_OnPremiseNetwork> and
# <RP_AzureNetwork>, not the "permit tunnel" policies of the policy-based template.
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces st0.0
set security ipsec vpn <RP_IPSecVpn> bind-interface st0.0
set routing-options static route <SP_AzureNetworkCIDR> next-hop st0.0

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Clamp the TCP MSS of flows entering the VPN so that a full-size segment still fits the path MTU after ESP
# encapsulation; 1350 leaves headroom below the roughly 1380 to 1400 bytes a 1500-byte path allows with AES-CBC
# and SHA-1. Without this, full-size segments exceed the MTU after encryption and are fragmented or dropped.
set security flow tcp-mss ipsec-vpn mss 1350
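The 1350-byte clamp in both templates (this section and the TCPMSS section of the JunOS 10.2 template above) follows from the ESP overhead of the configured suite. The following Python, added here as an illustration and not part of the Microsoft template, computes the encapsulated size of a TCP segment under ESP tunnel mode with AES-256-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV), and the largest MSS that still fits a given path MTU. The 1500- and 1492-byte MTUs are assumptions about the path, not values the template states.

```python
# Header sizes for ESP tunnel mode over IPv4 with the suite configured in the template:
# AES-256-CBC (16-byte block, 16-byte IV) and HMAC-SHA1-96 (12-byte ICV).
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8        # NAT-T encapsulation, present when a NAT sits between the peers
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted together with the payload

def esp_tunnel_packet_size(payload, nat_t=False, block=16, iv=16, icv=12):
    """Outer IPv4 packet size of one TCP segment carrying `payload` data bytes after ESP
    tunnel-mode encapsulation with a CBC cipher (plaintext is padded to the block size)."""
    inner = IPV4_HDR + TCP_HDR + payload
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // block) * block           # round up to a multiple of the block size
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_tcp_mss(mtu=1500, nat_t=False, block=16, iv=16, icv=12):
    """Largest MSS whose full-size segment still fits `mtu` after encapsulation."""
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    usable = (mtu - fixed) // block * block            # encrypted part is a whole number of blocks
    return usable - ESP_TRAILER - IPV4_HDR - TCP_HDR

def clamp_is_safe(clamp, mtu=1500, nat_t=False):
    """True if 'set security flow tcp-mss ipsec-vpn mss <clamp>' avoids post-encryption fragmentation."""
    return clamp <= max_tcp_mss(mtu, nat_t)

if __name__ == "__main__":
    # Assumed path MTUs: plain Ethernet (1500) and Ethernet behind PPPoE (1492).
    for mtu, nat in ((1500, False), (1500, True), (1492, True)):
        print(f"MTU {mtu}, NAT-T {nat}: max MSS {max_tcp_mss(mtu, nat)}, "
              f"1350 safe: {clamp_is_safe(1350, mtu, nat)}")
```

For a plain 1500-byte path the limit is 1398 bytes (1382 with NAT-T's UDP header), so 1350 leaves a margin for an extra encapsulation layer such as PPPoE; the same function shows that a clamp of 1400 would already exceed the limit.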

commit
exit

© 2014 Microsoft