
Juniper SRX templates

Last updated: July 2015

The following templates are designed for the Juniper SRX Series device family. Use them as a guideline, not as a drop-in configuration: replace every <RP_…> (resource name) and <SP_…> (site parameter) placeholder with your own values before committing. For information about VPN device support, contact the device vendor.

For a list of all available device templates, see About VPN devices and gateways for virtual network connectivity. For more information about adapting a device template to your environment, see About configuring VPN device templates.

# Microsoft Corporation
# Microsoft Azure Virtual Network
# This configuration template applies to Juniper SRX Series Services Gateway running JunOS 10.2.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set security ike proposal <RP_IkeProposal> authentication-method pre-shared-keys
set security ike proposal <RP_IkeProposal> authentication-algorithm sha1
set security ike proposal <RP_IkeProposal> encryption-algorithm aes-256-cbc
set security ike proposal <RP_IkeProposal> lifetime-seconds 28800
set security ike proposal <RP_IkeProposal> dh-group group2
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposals <RP_IkeProposal>
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>
# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association.
set security ipsec proposal <RP_IPSecProposal> protocol esp
set security ipsec proposal <RP_IPSecProposal> authentication-algorithm hmac-sha1-96
set security ipsec proposal <RP_IPSecProposal> encryption-algorithm aes-256-cbc
set security ipsec proposal <RP_IPSecProposal> lifetime-seconds 3600
set security ipsec policy <RP_IPSecPolicy> proposals <RP_IPSecProposal>
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>
# ---------------------------------------------------------------------------------------------------------------------
# ACL rules and Policy-based VPN tunnel configuration
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound IKE (UDP 500/4500) and ESP traffic on the interface used for the IPSec tunnel;
# the host-inbound-traffic lines below do this for IKE.
set security zones security-zone trust interfaces <NameOfYourInsideInterface>
set security zones security-zone trust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set security zones security-zone untrust interfaces <NameOfYourOutsideInterface>
set security zones security-zone untrust host-inbound-traffic system-services ike
# You may need the following line if you have an interface-specific host-inbound-traffic rule,
# because an interface-specific rule overrides the zone-wide rule.
# set security zones security-zone untrust interface <NameOfYourOutsideInterface> host-inbound-traffic system-services ike
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>
# ---------------------------------------------------------------------------------------------------------------------
# This section binds the above-defined IPSec VPN policy to the cross-premise network traffic so that such traffic will be
# properly encrypted and transmitted via the IPSec VPN tunnel.
edit security policies from-zone trust to-zone untrust
set policy <RP_TrustToUntrustPolicy> match source-address <RP_OnPremiseNetwork>
set policy <RP_TrustToUntrustPolicy> match destination-address <RP_AzureNetwork>
set policy <RP_TrustToUntrustPolicy> match application any
set policy <RP_TrustToUntrustPolicy> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set policy <RP_TrustToUntrustPolicy> then permit tunnel pair-policy <RP_UntrustToTrustPolicy>
exit
edit security policies from-zone untrust to-zone trust
set policy <RP_UntrustToTrustPolicy> match source-address <RP_AzureNetwork>
set policy <RP_UntrustToTrustPolicy> match destination-address <RP_OnPremiseNetwork>
set policy <RP_UntrustToTrustPolicy> match application any
set policy <RP_UntrustToTrustPolicy> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set policy <RP_UntrustToTrustPolicy> then permit tunnel pair-policy <RP_TrustToUntrustPolicy>
exit
show security policies
# The tunnel policy must precede your default trust-to-untrust policy; otherwise the default policy
# matches first and cross-premise traffic leaves unencrypted instead of entering the tunnel.
edit security policies from-zone trust to-zone untrust
insert policy <RP_TrustToUntrustPolicy> before policy <NameOfYourDefaultTrustToUntrustPolicy>
exit
# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1350
commit
exit

# Microsoft Corporation
# Microsoft Azure Virtual Network
# This configuration template applies to Juniper SRX Series Services Gateway running JunOS 11.4.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set security ike proposal <RP_IkeProposal> authentication-method pre-shared-keys
set security ike proposal <RP_IkeProposal> authentication-algorithm sha1
set security ike proposal <RP_IkeProposal> encryption-algorithm aes-256-cbc
set security ike proposal <RP_IkeProposal> lifetime-seconds 28800
set security ike proposal <RP_IkeProposal> dh-group group2
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposals <RP_IkeProposal>
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>
# This route-based template negotiates with IKEv2 only.
set security ike gateway <RP_IkeGateway> version v2-only
# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association.
set security ipsec proposal <RP_IPSecProposal> protocol esp
set security ipsec proposal <RP_IPSecProposal> authentication-algorithm hmac-sha1-96
set security ipsec proposal <RP_IPSecProposal> encryption-algorithm aes-256-cbc
set security ipsec proposal <RP_IPSecProposal> lifetime-seconds 3600
set security ipsec policy <RP_IPSecPolicy> proposals <RP_IPSecProposal>
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>
# ---------------------------------------------------------------------------------------------------------------------
# ACL rules and Policy-based VPN tunnel configuration
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound IKE (UDP 500/4500) and ESP traffic on the interface used for the IPSec tunnel;
# the host-inbound-traffic lines below do this for IKE.
set security zones security-zone trust interfaces <NameOfYourInsideInterface>
set security zones security-zone trust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set security zones security-zone untrust interfaces <NameOfYourOutsideInterface>
set security zones security-zone untrust host-inbound-traffic system-services ike
# You may need the following line if you have an interface-specific host-inbound-traffic rule,
# because an interface-specific rule overrides the zone-wide rule.
# set security zones security-zone untrust interface <NameOfYourOutsideInterface> host-inbound-traffic system-services ike
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>
# ---------------------------------------------------------------------------------------------------------------------
# This section creates a virtual tunnel interface (st0.0), binds the above-defined IPSec VPN to it and routes the
# Azure prefix into it, so that cross-premise traffic is encrypted and transmitted via the IPSec VPN tunnel
# (route-based VPN). Because st0.0 is placed in the untrust zone, traffic in both directions is still subject to
# your trust<->untrust security policies: make sure a policy permits <RP_OnPremiseNetwork> to <RP_AzureNetwork>
# (trust to untrust) and <RP_AzureNetwork> to <RP_OnPremiseNetwork> (untrust to trust).
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces st0.0
set security ipsec vpn <RP_IPSecVpn> bind-interface st0.0
set routing-options static route <SP_AzureNetworkCIDR> next-hop st0.0
# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1350
commit
exit
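Both templates leave the same parameter placeholders to be filled by hand, and a mistake there (a CIDR with host bits set, address spaces that overlap, a stray placeholder) only shows up as a tunnel that comes up but passes no traffic. The following is an added example, not code from this Microsoft page or from Juniper: it substitutes the <RP_…>/<SP_…> placeholders, checks the values the way a reviewer would before a commit, and derives a TCP MSS bound for the page's ESP proposal (aes-256-cbc with hmac-sha1-96) to show why the template's 1350 is a safe clamp. The template excerpt, the placeholder values and the address ranges are constructed for the example.

```python
"""Fill in and sanity-check the Juniper SRX / Azure templates on this page.

Added example (not the page's or Juniper's code). It renders the <Name>
placeholders from a dict, validates the address parameters, and computes
the largest TCP MSS that fits the page's ESP proposal in a 1500-byte MTU.
"""
import ipaddress
import re

PLACEHOLDER = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")

# Constructed excerpt using the page's placeholder names; any lines from
# either template can be fed through render() in the same way.
TEMPLATE_EXCERPT = """\
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set security zones security-zone untrust address-book address <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set routing-options static route <SP_AzureNetworkCIDR> next-hop st0.0
"""

# Constructed sample values: hypothetical names, RFC 1918 and documentation ranges.
SAMPLE_VALUES = {
    "RP_IkePolicy": "azure-ike-policy",
    "RP_IkeGateway": "azure-gw",
    "RP_OnPremiseNetwork": "onprem-net",
    "RP_AzureNetwork": "azure-net",
    "SP_PresharedKey": "Xk9vQ2mLp7RtWzB4",
    "SP_AzureGatewayIpAddress": "203.0.113.10",
    "SP_OnPremiseNetworkCIDR": "10.1.0.0/16",
    "SP_AzureNetworkCIDR": "10.2.0.0/16",
}


def validate(values):
    """Return a list of problems; an empty list means the values are usable."""
    errors = []
    nets = {}
    for key in ("SP_OnPremiseNetworkCIDR", "SP_AzureNetworkCIDR"):
        try:
            # strict=True rejects host bits (e.g. 10.1.0.1/16), a common
            # copy-paste error that the address-book would accept silently.
            nets[key] = ipaddress.ip_network(values[key], strict=True)
        except (KeyError, ValueError) as exc:
            errors.append(f"{key}: {exc}")
    if len(nets) == 2 and nets["SP_OnPremiseNetworkCIDR"].overlaps(nets["SP_AzureNetworkCIDR"]):
        errors.append("on-premises and Azure address spaces overlap")
    try:
        peer = ipaddress.ip_address(values["SP_AzureGatewayIpAddress"])
        if peer.is_loopback or peer.is_multicast or peer.is_unspecified:
            errors.append("SP_AzureGatewayIpAddress is not a unicast address")
        if any(peer in net for net in nets.values()):
            errors.append("SP_AzureGatewayIpAddress lies inside a tunnelled prefix")
    except (KeyError, ValueError) as exc:
        errors.append(f"SP_AzureGatewayIpAddress: {exc}")
    psk = values.get("SP_PresharedKey", "")
    # Conservative assumption: printable ASCII without whitespace, so the
    # unquoted `ascii-text` argument in the template parses as one token.
    if not psk or not psk.isascii() or not psk.isprintable() or any(c.isspace() for c in psk):
        errors.append("SP_PresharedKey must be non-empty printable ASCII without whitespace")
    return errors


def render(template, values):
    """Substitute every <Name> placeholder; refuse to emit a half-filled config."""
    needed = {m.group(1) for m in PLACEHOLDER.finditer(template)}
    missing = sorted(needed - set(values))
    if missing:
        raise KeyError(f"unfilled placeholders: {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


# ESP field sizes (RFC 4303) for the page's proposal: aes-256-cbc carries a
# 16-byte IV and pads to 16-byte blocks (0-15 bytes); hmac-sha1-96 appends a
# 12-byte ICV. Outer IPv4 header 20, SPI+sequence 8, pad-length+next-header 2.
ESP_OVERHEAD_MAX = 20 + 8 + 16 + 15 + 2 + 12


def max_tcp_mss(outer_mtu=1500, nat_t=False):
    """Largest TCP MSS whose tunnel-mode ESP packet still fits in outer_mtu."""
    overhead = ESP_OVERHEAD_MAX + (8 if nat_t else 0)  # NAT-T adds a UDP header
    inner_headers = 20 + 20                            # inner IPv4 + TCP, no options
    return outer_mtu - overhead - inner_headers


if __name__ == "__main__":
    problems = validate(SAMPLE_VALUES)
    print("\n".join(problems) if problems else render(TEMPLATE_EXCERPT, SAMPLE_VALUES))
    print(f"# max MSS at MTU 1500: {max_tcp_mss()} (NAT-T: {max_tcp_mss(nat_t=True)})")
```

For a 1500-byte path the bound comes out at 1387 bytes without NAT-T and 1379 with it, so the template's `tcp-mss ipsec-vpn mss 1350` keeps roughly 30 bytes of headroom for further encapsulation on the path (PPPoE, GRE) while avoiding fragmentation of the ESP packets.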

© 2015 Microsoft