このページは役に立ちましたか。
このページのコンテンツについての ご意見をお待ちしております
その他にご意見はありますか。
残り 1500 文字
エクスポート (0) 印刷
すべて展開

Juniper SSG 用テンプレート

更新日: 2015年7月

次のテンプレートは Juniper SSG デバイス ファミリのデバイス用です。このテンプレートをガイドラインとして使用します。VPN デバイスのサポートについては、デバイスの製造元にお問い合わせください。

使用できるすべてのデバイス テンプレートの一覧については、「仮想ネットワークの接続に使用する VPN デバイスとゲートウェイについて」を参照してください。目的の環境に合わせたデバイス テンプレートの構成については、「About configuring VPN device templates」を参照してください。

# Microsoft Corporation
# Microsoft Azure Virtual Network

# This configuration template applies to Juniper SSG Series Secure Services Gateway running ScreenOS 6.2.
# It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# !!! 2. Only 1 subnet is allowed for your on-premises network.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike p1-proposal <RP_IkeProposal> preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set ike p2-proposal <RP_IPSecProposal> no-pfs esp aes256 sha-1 seconds 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 proposal <RP_IPSecProposal>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350

# Microsoft Corporation
# Microsoft Azure Virtual Network

# This configuration template applies to Juniper SSG Series Secure Services Gateway running ScreenOS 6.2.
# It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike gateway ikev2 <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level compatible
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 sec-level compatible
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350

関連項目

表示:
© 2015 Microsoft