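# Global address book. Security policies and the SNAT rule-set below
# reference entries by name; here each name is simply the prefix it holds.
edit security address-book
set global address 192.168.100.0/24 192.168.100.0/24
set global address 10.0.0.10/32 10.0.0.10/32
# Second remote host: the SNAT rule matches "destination-address-name
# 10.0.0.3/32", so the entry must exist here or the commit will reject it.
set global address 10.0.0.3/32 10.0.0.3/32
# Phase 1 (IKE) proposal follows; it is the counterpart of a Cisco
# "crypto isakmp policy".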
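top edit security ike
# Phase 1 proposal. 3des-cbc / sha1 / group5 are legacy choices kept for
# interoperability with the Cisco peer; prefer aes-256-cbc, sha-256 and
# group14 (or stronger) whenever the peer supports them.
set proposal ike_prop_1 description "ike proposal"
set proposal ike_prop_1 authentication-method pre-shared-keys
set proposal ike_prop_1 dh-group group5
set proposal ike_prop_1 authentication-algorithm sha1
set proposal ike_prop_1 encryption-algorithm 3des-cbc
set proposal ike_prop_1 lifetime-seconds 86400
# IKE policy: binds the proposal to the pre-shared key. Main mode keeps the
# peer identities out of the clear-text part of the exchange; keep it rather
# than aggressive mode.
set policy ike_policy_1 mode main
set policy ike_policy_1 description "ike policy"
set policy ike_policy_1 proposals ike_prop_1
# The key sits directly under the policy ("policy <name> pre-shared-key");
# there is no "ike" sub-node at this level. The X's are a placeholder for a
# long, random secret.
set policy ike_policy_1 pre-shared-key ascii-text XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# IKE gateway: peer address, the policy to use, dead-peer detection
# (probe every 10 s, peer declared dead after 5 unanswered probes) and the
# interface the negotiation is sourced from.
set gateway ike_gateway_1 ike-policy ike_policy_1
set gateway ike_gateway_1 address 2.2.2.2
set gateway ike_gateway_1 dead-peer-detection interval 10
set gateway ike_gateway_1 dead-peer-detection threshold 5
# "set" statements take no trailing ';'.
set gateway ike_gateway_1 external-interface reth2.10
# Phase 2 (IPsec) proposal and policy follow.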
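top edit security ipsec
# Phase 2 proposal (ESP). hmac-sha1-96 / 3des-cbc are legacy; prefer
# hmac-sha-256-128 and aes-256-cbc when the peer supports them.
set proposal ipsec_prop_1 description "ipsec proposal"
set proposal ipsec_prop_1 protocol esp
set proposal ipsec_prop_1 authentication-algorithm hmac-sha1-96
set proposal ipsec_prop_1 encryption-algorithm 3des-cbc
set proposal ipsec_prop_1 lifetime-seconds 3600
# IPsec policy: PFS group here (group5) matches the phase 1 dh-group and must
# be acceptable to the peer. "set" statements take no trailing ';'.
set policy ipsec_policy_1 description "ipsec policy"
set policy ipsec_policy_1 perfect-forward-secrecy keys group5
set policy ipsec_policy_1 proposals ipsec_prop_1
# VPN instance: ties the IKE gateway to the IPsec policy.
set vpn vpn_1 df-bit clear
set vpn vpn_1 ike gateway ike_gateway_1
set vpn vpn_1 ike ipsec-policy ipsec_policy_1
# Negotiate the tunnel when matching traffic appears. The statement is
# "set vpn <name> ..."; the "vpn" keyword was missing from this line.
set vpn vpn_1 establish-tunnels on-traffic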
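top edit security
# Policy-based VPN: traffic matching these policies is sent into vpn_1.
# The source/destination names must exist in the address book.
set policies from-zone trust to-zone untrust policy vpn-to-untrust match source-address 192.168.100.0/24
set policies from-zone trust to-zone untrust policy vpn-to-untrust match destination-address 10.0.0.10/32
# "application any" permits every protocol across the tunnel; narrow it to
# the applications actually required where possible.
set policies from-zone trust to-zone untrust policy vpn-to-untrust match application any
set policies from-zone trust to-zone untrust policy vpn-to-untrust then permit tunnel ipsec-vpn vpn_1
# pair-policy links the two directions so return traffic uses the same tunnel.
# The policy name "vpn-to-untrust" is required on this line; without it the
# statement is incomplete.
set policies from-zone trust to-zone untrust policy vpn-to-untrust then permit tunnel pair-policy vpn-from-untrust
set policies from-zone untrust to-zone trust policy vpn-from-untrust match source-address 10.0.0.10/32
set policies from-zone untrust to-zone trust policy vpn-from-untrust match destination-address 192.168.100.0/24
set policies from-zone untrust to-zone trust policy vpn-from-untrust match application any
set policies from-zone untrust to-zone trust policy vpn-from-untrust then permit tunnel ipsec-vpn vpn_1
set policies from-zone untrust to-zone trust policy vpn-from-untrust then permit tunnel pair-policy vpn-to-untrust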
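# Route-based variant: the same IKE gateway, but the VPN is bound to an st0
# interface and traffic is steered by routing instead of tunnel policies.
# "top" makes this block independent of the context the previous one left.
top edit security ike
set policy ike_policy_1 mode main
set policy ike_policy_1 proposals ike_prop_1
# Placeholder PSK; use a long, random secret.
set policy ike_policy_1 pre-shared-key ascii-text "XXXXXXXXXXXX"
set gateway ike_gateway_1 ike-policy ike_policy_1
set gateway ike_gateway_1 address 2.2.2.2
set gateway ike_gateway_1 dead-peer-detection always-send
set gateway ike_gateway_1 external-interface reth2.10
top edit security ipsec
# Route-based: bind the VPN to the st0.1 tunnel interface.
set vpn vpn_1 bind-interface st0.1
set vpn vpn_1 df-bit clear
set vpn vpn_1 ike gateway ike_gateway_1
# proxy-identity plays the role of the Cisco crypto-map ACL: local/remote/
# service must agree with the peer's ACL for phase 2 to complete. The local
# identity is the single SNAT address 192.168.100.100/32, not the whole LAN.
set vpn vpn_1 ike proxy-identity local 192.168.100.100/32
set vpn vpn_1 ike proxy-identity remote 10.0.0.10/32
set vpn vpn_1 ike proxy-identity service any
set vpn vpn_1 ike ipsec-policy ipsec_policy_1
# Bring the tunnel up immediately. The instance is vpn_1; the original line
# named an undefined "supervpn".
set vpn vpn_1 establish-tunnels immediately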
# st0 tunnel interface for the route-based VPN.
top edit interfaces st0 unit 1
set description vpn_1
# Packets routed to 172.27.1.1 are sent through vpn_1.
set family inet next-hop-tunnel 172.27.1.1 ipsec-vpn vpn_1
set family inet address 172.27.1.254/24
top edit security zones
# The tunnel interface lives in its own zone so VPN traffic can be policed
# separately from trust/INTERNET.
set security-zone VPN interfaces st0.1
# Internet-facing zone: ike must be permitted inbound for the negotiation;
# ping and traceroute are optional and widen what the outside can reach.
set security-zone INTERNET host-inbound-traffic system-services ping
set security-zone INTERNET host-inbound-traffic system-services traceroute
set security-zone INTERNET host-inbound-traffic system-services ike
set security-zone INTERNET interfaces reth2.10
# Steer the remote host into the tunnel.
top set routing-options static route 10.0.0.10/32 next-hop 172.27.1.1
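# Second peer on the same st0.1: the unit becomes point-to-multipoint and a
# second next-hop-tunnel maps 172.27.1.2 to vpn_2. "top" makes the block
# independent of the context the previous one left.
top edit interfaces st0 unit 1
set multipoint
set family inet next-hop-tunnel 172.27.1.2 ipsec-vpn vpn_2
# Route the second remote host into vpn_2.
top set routing-options static route 10.0.0.3/32 next-hop 172.27.1.2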
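top edit security ipsec
# Second VPN instance on the same st0.1, reusing ike_gateway_1 (same peer
# address, PSK and phase 1 policy).
set vpn vpn_2 bind-interface st0.1
set vpn vpn_2 df-bit clear
set vpn vpn_2 ike gateway ike_gateway_1
# proxy-identity for the second remote host; must agree with the peer's ACL.
set vpn vpn_2 ike proxy-identity local 192.168.100.100/32
set vpn vpn_2 ike proxy-identity remote 10.0.0.3/32
set vpn vpn_2 ike proxy-identity service any
# vpn_1 references ipsec_policy_1; vpn_2 had no ike ipsec-policy at all,
# leaving it without phase 2 proposal/PFS settings.
set vpn vpn_2 ike ipsec-policy ipsec_policy_1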
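# "top" makes the block independent of the context the previous one left.
top edit security nat
# Source NAT towards the VPN peers: the LAN is hidden behind 192.168.100.100,
# which is why the proxy-identity local address is that single /32.
set source pool pool1 address 192.168.100.100/32 to 192.168.100.100/32
set source rule-set SNAT-TO-VPN from zone trust
set source rule-set SNAT-TO-VPN to zone VPN
# *-address-name values must exist in the global address book
# (192.168.100.0/24, 10.0.0.3/32 and 10.0.0.10/32).
set source rule-set SNAT-TO-VPN rule snat match source-address-name 192.168.100.0/24
set source rule-set SNAT-TO-VPN rule snat match destination-address-name 10.0.0.3/32
set source rule-set SNAT-TO-VPN rule snat match destination-address-name 10.0.0.10/32
set source rule-set SNAT-TO-VPN rule snat then source-nat pool pool1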
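# "top" makes the block independent of the context the previous one left.
top edit security
# Inbound traffic from the tunnel zone into trust. any/any/any is broad for a
# site-to-site link: prefer the address-book names (source 10.0.0.10/32 and
# 10.0.0.3/32, destination 192.168.100.0/24) and only the applications
# actually needed, so a compromised remote site cannot reach the whole LAN.
set policies from-zone VPN to-zone trust policy permit-all match source-address any
set policies from-zone VPN to-zone trust policy permit-all match destination-address any
set policies from-zone VPN to-zone trust policy permit-all match application any
set policies from-zone VPN to-zone trust policy permit-all then permit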
# Activate the candidate configuration ("commit check" validates it first
# without applying; it will report missing address-book names or policies).
commit
# Verification, operational mode: phase 2 packet/byte counters and the
# phase 1 SAs. From configuration mode prefix each command with "run".
show security ipsec statistics
show security ike security-associations detail
Source: https://habr.com/ru/post/230267/