The network topology is shown below:
1. Configure zones, policies and interfaces
[edit]
root@junos# show security zones | display set
set security zones security-zone untrust address-book address 11.11.11.0/24 11.11.11.0/24
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic protocols all
set security zones security-zone trust address-book address 10.10.10.0/24 10.10.10.0/24
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic protocols all
[edit]
root@junos# show security policies | display set
set security policies from-zone trust to-zone untrust policy ipsec1 match source-address any
set security policies from-zone trust to-zone untrust policy ipsec1 match destination-address any
set security policies from-zone trust to-zone untrust policy ipsec1 match application any
set security policies from-zone trust to-zone untrust policy ipsec1 then permit
set security policies from-zone untrust to-zone trust policy ipsec2 match source-address any
set security policies from-zone untrust to-zone trust policy ipsec2 match destination-address any
set security policies from-zone untrust to-zone trust policy ipsec2 match application any
set security policies from-zone untrust to-zone trust policy ipsec2 then permit
[edit]
root@junos# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 192.168.200.1/24
set interfaces lo0 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 0 family inet address 4.4.4.4/24
Base Route VPN NAT
2015-04-30 14:11
Configuration steps:
2. Configure IKE and IPsec
[edit]
root@junos# show security ike | display set
set security ike traceoptions file ike
set security ike traceoptions file files 10
set security ike traceoptions flag ike
set security ike traceoptions flag all
set security ike proposal ike1 authentication-method pre-shared-keys
set security ike proposal ike1 dh-group group2
set security ike proposal ike1 authentication-algorithm sha1
set security ike proposal ike1 encryption-algorithm 3des-cbc
set security ike proposal ike1 lifetime-seconds 3600
set security ike policy ike2 mode main
set security ike policy ike2 proposals ike1
set security ike policy ike2 pre-shared-key ascii-text "$9$41JUHfT3tu1Tzcl"
set security ike gateway ike3 ike-policy ike2
set security ike gateway ike3 address 1.1.100.2
set security ike gateway ike3 local-identity inet 1.1.1.1
set security ike gateway ike3 remote-identity inet 2.2.2.2
set security ike gateway ike3 external-interface ge-0/0/0.0
[edit]
root@junos# show security ipsec | display set
set security ipsec proposal ipsec1 protocol esp
set security ipsec proposal ipsec1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec1 encryption-algorithm 3des-cbc
set security ipsec policy ipsec2 proposals ipsec1
set security ipsec vpn ipsec3 bind-interface st0.0
set security ipsec vpn ipsec3 ike gateway ike3
set security ipsec vpn ipsec3 ike ipsec-policy ipsec2
set security ipsec vpn ipsec3 establish-tunnels immediately
4. Configure routing
[edit]
root@junos# show routing-options | display set
set routing-options static route 192.168.150.0/24 next-hop 192.168.200.12
set routing-options static route 1.1.100.0/24 next-hop 192.168.200.12
set routing-options static route 11.11.11.0/24 next-hop st0.0
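As an added example (not part of the original page), a small Python linter that walks the object chain the configuration above relies on (ipsec vpn -> ike gateway -> ike policy -> ike proposal, and vpn -> ipsec policy -> ipsec proposal), checks that the bound st0.0 sits in a zone and has a static route, and flags the deprecated algorithms and the all-services host-inbound-traffic on the IKE external interface. SAMPLE is a constructed excerpt of this page's own statements, written with the `vpn` keyword Junos uses for those lines.

```python
import re

# Constructed excerpt of this page's "display set" statements (embedded so the linter runs offline)
SAMPLE = """
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all
set security ike proposal ike1 dh-group group2
set security ike policy ike2 proposals ike1
set security ike gateway ike3 ike-policy ike2
set security ike gateway ike3 external-interface ge-0/0/0.0
set security ipsec proposal ipsec1 encryption-algorithm 3des-cbc
set security ipsec policy ipsec2 proposals ipsec1
set security ipsec vpn ipsec3 bind-interface st0.0
set security ipsec vpn ipsec3 ike gateway ike3
set security ipsec vpn ipsec3 ike ipsec-policy ipsec2
set routing-options static route 11.11.11.0/24 next-hop st0.0
"""
WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "group1", "group2"}

def lint(config):
    """Return findings: dangling references, unbound st0, weak crypto, exposed services."""
    stmts = [s.strip() for s in config.splitlines() if s.strip().startswith("set ")]
    find = lambda pat: [m.groups() for m in (re.match(pat, s) for s in stmts) if m]
    out = []
    # Phase 1 chain: vpn -> ike gateway -> ike policy -> ike proposal
    gw_pol = dict(find(r"set security ike gateway (\S+) ike-policy (\S+)"))
    pol_prop = dict(find(r"set security ike policy (\S+) proposals (\S+)"))
    props = {p for (p,) in find(r"set security ike proposal (\S+) ")}
    for vpn, gw in find(r"set security ipsec vpn (\S+) ike gateway (\S+)"):
        if pol_prop.get(gw_pol.get(gw)) not in props:
            out.append(f"vpn {vpn}: broken chain via ike gateway {gw}")
    ipol_prop = dict(find(r"set security ipsec policy (\S+) proposals (\S+)"))
    iprops = {p for (p,) in find(r"set security ipsec proposal (\S+) ")}
    for vpn, pol in find(r"set security ipsec vpn (\S+) ike ipsec-policy (\S+)"):
        if ipol_prop.get(pol) not in iprops:
            out.append(f"vpn {vpn}: ipsec-policy {pol} has no valid proposal")
    # A route-based VPN needs st0.x in a security zone and a route pointing at it
    zoned = {i for (i,) in find(r"set security zones security-zone \S+ interfaces (\S+)")}
    routed = {n for (n,) in find(r"set routing-options static route \S+ next-hop (\S+)")}
    for vpn, iface in find(r"set security ipsec vpn (\S+) bind-interface (\S+)"):
        if iface not in zoned: out.append(f"vpn {vpn}: {iface} is not in a security zone")
        if iface not in routed: out.append(f"vpn {vpn}: no static route uses {iface}")
    for s in stmts:
        if ("-algorithm " in s or "dh-group " in s) and s.split()[-1] in WEAK:
            out.append(f"weak algorithm: {s}")
    # The IKE external interface should not accept every system-service
    ext = {i for (i,) in find(r"set security ike gateway \S+ external-interface (\S+)")}
    for (i,) in find(r"set security zones .* interfaces (\S+) host-inbound-traffic system-services all"):
        if i in ext: out.append(f"{i}: external interface accepts all system-services")
    return out
```

Run `lint(open("config.set").read())` against a `show configuration | display set` capture; on the sample it reports the DH group 2 and 3DES choices and the exposed ge-0/0/0.0.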
5. Configure the Cisco routers
R1:
interface FastEthernet0/0
ip address 192.168.200.12 255.255.255.0
ip nat inside
ip nat enable
interface FastEthernet0/1
ip address 1.1.100.1 255.255.255.0
ip nat outside
ip nat enable
ip nat inside source static 192.168.200.1 1.1.100.1
ip route 0.0.0.0 0.0.0.0 1.1.100.2
R2:
!
interface FastEthernet0/0
ip address 192.168.150.11 255.255.255.0
ip nat inside
ip nat enable
interface FastEthernet0/1
ip address 1.1.100.2 255.255.255.0
ip nat outside
ip nat enable
ip nat inside source static 192.168.150.10 1.1.100.2
ip route 0.0.0.0 0.0.0.0 1.1.100.1
6. Test
Peer address reachability:
[edit]
root@junos# run ping 192.168.150.10 rapid
PING 192.168.150.10 (192.168.150.10): 56 data bytes
!!!!!
---192.168.150.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 38.380/41.259/47.997/3.425 ms
[edit]
root@junos# run ping 4.4.4.5 rapid
PING 4.4.4.5 (4.4.4.5): 56 data bytes
!!!!!
---4.4.4.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 39.854/45.660/58.112/6.945 ms
IKE phase
[edit]
root@junos# run show security ike security-associations
Index   State Initiator cookie Responder cookie Mode Remote Address
6788754 UP    98d3b033abe09f4f 4749e1ef030bf03d Main 1.1.100.2
[edit]
root@junos# run show security ike security-associations detail
IKE peer 1.1.100.2, Index 6788754, Gateway Name: ike3
Role: Responder, State: UP
Initiator cookie: 98d3b033abe09f4f, Responder cookie: 4749e1ef030bf03d
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 192.168.200.1:4500, Remote: 1.1.100.2:4500
Lifetime: Expires in 2183 seconds
Peer ike-id: 2.2.2.2
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 836
Output bytes : 752
Input packets: 5
Output packets: 4
Flags: IKE SA is created
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 192.168.200.1:4500, Remote: 1.1.100.2:4500
Local identity: 1.1.1.1
Remote identity: 2.2.2.2
Flags: IKE SA is created
[edit]
root@junos# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 1d49c006 2171/ unlim - root 4500 1.1.100.2
>131073 ESP:3des/sha1 744c6952 2171/ unlim - root 4500 1.1.100.2
[edit]
root@junos# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 20336
Decrypted bytes: 19332
Encrypted packets: 150
Decrypted packets: 232
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
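An added example, not from the original page: a Python check over the two verification outputs above (constructed excerpts of the page's own session) that confirms the IKE SA is UP with the expected peer and IKE ID, infers NAT-T from both ends sitting on UDP 4500 (expected here, since the SRX is behind R1's static NAT), and confirms an inbound/outbound ESP SA pair exists.

```python
import re

# Constructed excerpts of this page's verification output, embedded so the
# check runs offline (values as shown in the page's session)
IKE_DETAIL = """\
IKE peer 1.1.100.2, Index 6788754, Gateway Name: ike3
Role: Responder, State: UP
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 192.168.200.1:4500, Remote: 1.1.100.2:4500
Lifetime: Expires in 2183 seconds
Peer ike-id: 2.2.2.2
"""
IPSEC_SA = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 1d49c006 2171/ unlim - root 4500 1.1.100.2
>131073 ESP:3des/sha1 744c6952 2171/ unlim - root 4500 1.1.100.2
"""

def field(text, label):
    """Value of 'label: value' up to the next comma or newline, or None."""
    m = re.search(re.escape(label) + r"\s*:\s*([^,\n]+)", text)
    return m.group(1).strip() if m else None

def check_tunnel(ike_detail, ipsec_sa, expected_peer, expected_id):
    """Summarise IKE/IPsec health; NAT-T is inferred from both ends on UDP 4500."""
    local, remote = field(ike_detail, "Local"), field(ike_detail, "Remote")
    # One tuple per SA row: direction, id, algorithm, SPI, port, gateway
    sas = re.findall(r"^([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-f]+).*?(\d+)\s+(\S+)$",
                     ipsec_sa, re.M)
    return {
        "ike_up": field(ike_detail, "State") == "UP",
        "peer_ok": remote.split(":")[0] == expected_peer
                   and field(ike_detail, "Peer ike-id") == expected_id,
        "nat_t": local.endswith(":4500") and remote.endswith(":4500"),
        "lifetime_s": int(field(ike_detail, "Lifetime").split()[2]),
        # Both an inbound (<) and an outbound (>) ESP SA must exist
        "ipsec_pair": {d for d, *_ in sas} == {"<", ">"},
        "spis": {d: spi for d, _, _, spi, _, _ in sas},
        "esp_alg": {alg for _, _, alg, _, _, _ in sas},
    }
```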
Test the private network addresses:
[edit]
root@junos# run ping 11.11.11.11 source 10.10.10.10
PING 11.11.11.11 (11.11.11.11): 56 data bytes
bytes from 11.11.11.11: icmp_seq=0 ttl= time=49.195 ms
bytes from 11.11.11.11: icmp_seq=1 ttl= time=44.308 ms
^C
---11.11.11.11 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max/stddev = 40.904/49.993/61.456/7.316 ms
Security flow sessions:
Session ID: 1081, Policy name: ipsec2/5, Timeout: 2, Valid
In: 10.10.10.10/1 --> 11.11.11.11/29997;icmp, If: st0.0, Pkts: 1, Bytes: 84
Out: 11.11.11.11/29997 --> 10.10.10.10/1;icmp, If: .local..0, Pkts: 1, Bytes: 84
Session ID: 1083, Policy name: ipsec2/5, Timeout: 2, Valid
In: 10.10.10.10/2 --> 11.11.11.11/29997;icmp, If: st0.0, Pkts: 1, Bytes: 84
Out: 11.11.11.11/29997 --> 10.10.10.10/2;icmp, If: .local..0, Pkts: 1, Bytes: 84
NAT translations:
R1#sh ip nat translations
Pro Inside global      Inside local        Outside local    Outside global
udp 1.1.100.1:4500     192.168.200.1:4500  1.1.100.2:4500   1.1.100.2:4500
--- 1.1.100.1          192.168.200.1       ---              ---