07 July 2015

IPSec between a Cisco and a Juniper SRX cluster

A configuration that really works and is convenient to use.

Since a loopback interface cannot be used to terminate IPSec in a cluster, I use a purpose-made subinterface on one of the reth (Redundancy Group) interfaces that faces the inside of the network. This interface must be placed in the untrust zone:
set interfaces reth1 unit 777 description From-IPSec-OUTSIDE
set interfaces reth1 unit 777 vlan-id 777
set interfaces reth1 unit 777 family inet address 33.33.33.33/32

set security zones security-zone untrust interfaces reth1.777

set security policies from-zone untrust to-zone untrust policy permit-all match source-address any
set security policies from-zone untrust to-zone untrust policy permit-all match destination-address any
set security policies from-zone untrust to-zone untrust policy permit-all match application any
set security policies from-zone untrust to-zone untrust policy permit-all then permit

Building IPSec phase 1 and phase 2:
set security ike proposal cisco-long authentication-method pre-shared-keys
set security ike proposal cisco-long dh-group group2
set security ike proposal cisco-long authentication-algorithm sha1
set security ike proposal cisco-long encryption-algorithm aes-256-cbc
set security ike proposal cisco-long lifetime-seconds 86400

set security ike policy TEST-IKE mode main
set security ike policy TEST-IKE proposals cisco-long
set security ike policy TEST-IKE pre-shared-key ascii-text "123"

set security ike gateway CISCO1 ike-policy TEST-IKE
set security ike gateway CISCO1 address 44.44.44.44
set security ike gateway CISCO1 dead-peer-detection always-send
set security ike gateway CISCO1 local-identity inet 33.33.33.33
set security ike gateway CISCO1 external-interface reth1.777

set security ipsec proposal Cisco-AES256-SHA protocol esp
set security ipsec proposal Cisco-AES256-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal Cisco-AES256-SHA encryption-algorithm aes-256-cbc
set security ipsec proposal Cisco-AES256-SHA lifetime-seconds 3600
set security ipsec proposal Cisco-AES256-SHA lifetime-kilobytes 4608000

set security ipsec policy VPN-Cisco-AES256 perfect-forward-secrecy keys group2
set security ipsec policy VPN-Cisco-AES256 proposals Cisco-AES256-SHA

set security ipsec vpn CISCO1 bind-interface st0.4
set security ipsec vpn CISCO1 ike gateway CISCO1
set security ipsec vpn CISCO1 ike proxy-identity local 20.20.20.0/24
set security ipsec vpn CISCO1 ike proxy-identity remote 10.10.10.0/24
set security ipsec vpn CISCO1 ike proxy-identity service any
set security ipsec vpn CISCO1 ike ipsec-policy VPN-Cisco-AES256
set security ipsec vpn CISCO1 establish-tunnels immediately

The st0.4 interface is multipoint. Since there will be no interfaces on the other side, this configuration can also be used to bring up a tunnel with a Cisco ASA. On the Juniper, this P2MP interface is only needed to push traffic into IPSec, so the addresses on it can be anything. Each source/destination pair needs its own security ipsec vpn.
set interfaces st0 unit 4 multipoint
set interfaces st0 unit 4 family inet next-hop-tunnel 172.31.255.2 ipsec-vpn CISCO1
set interfaces st0 unit 4 family inet address 172.31.255.1/24

set security zones security-zone trust interfaces st0.4

set routing-options static route 10.10.10.0/24 next-hop 172.31.255.2

Building IPSec on the Cisco side:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key 123 address 33.33.33.33
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 33.33.33.33
 set transform-set TEST
 match address to-SRX
!
interface FastEthernet4
 ip address 44.44.44.44 255.255.255.0
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 44.44.44.1
!
ip access-list extended to-SRX
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
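A quick way to catch mistakes before bringing the tunnel up is to cross-check the two sides mechanically. The script below is an added example and is not part of the original post: it parses the Junos set statements and the IOS crypto configuration, normalizes the algorithm names each vendor uses (aes-256-cbc vs. "encr aes 256", hmac-sha1-96 vs. esp-sha-hmac), and reports where the phase 1 and phase 2 parameters, the pre-shared key and the proxy IDs (the IOS crypto ACL must mirror the SRX proxy-identity) disagree. The embedded snippets are the article's own values, trimmed to the lines the checker reads; the IOS defaults assumed for absent parameters (hash sha, IKE lifetime 86400 s, no PFS) are standard IOS behaviour, and all function names are my own. Run against the configuration above, it flags two warnings rather than failures: the IKE lifetimes differ (86400 s on the SRX, 3600 s on the IOS policy, which IKEv1 settles by using the shorter), and PFS is configured only on the SRX side.

```python
"""Cross-check the IKE/IPsec parameters of a Juniper SRX 'set' config against the Cisco
IOS crypto config it should peer with. Added example, not from the original post."""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample input: the article's own values, trimmed to the lines read below.
JUNOS = """\
set security ike proposal cisco-long dh-group group2
set security ike proposal cisco-long authentication-algorithm sha1
set security ike proposal cisco-long encryption-algorithm aes-256-cbc
set security ike proposal cisco-long lifetime-seconds 86400
set security ike policy TEST-IKE pre-shared-key ascii-text "123"
set security ipsec proposal Cisco-AES256-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal Cisco-AES256-SHA encryption-algorithm aes-256-cbc
set security ipsec policy VPN-Cisco-AES256 perfect-forward-secrecy keys group2
set security ipsec vpn CISCO1 ike proxy-identity local 20.20.20.0/24
set security ipsec vpn CISCO1 ike proxy-identity remote 10.10.10.0/24
"""
CISCO = """\
crypto isakmp policy 10
encr aes 256
group 2
lifetime 3600
!
crypto isakmp key 123 address 33.33.33.33
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
crypto map mymap 1 ipsec-isakmp
ip access-list extended to-SRX
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""

def acl_net(addr, wildcard):
    """Cisco ACL wildcard (inverted mask) -> network: 10.10.10.0 0.0.0.255 -> 10.10.10.0/24."""
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def norm_enc(s):
    """'aes-256-cbc', 'aes-256', 'esp-aes 256 esp-sha-hmac' -> ('aes', '256')."""
    m = re.search(r"(aes|3des|des)[ -]?(\d*)", s or "")
    return (m.group(1), m.group(2)) if m else (s, "")

def norm_hash(s):
    """'sha1', 'hmac-sha1-96', 'esp-sha-hmac', 'sha' -> 'sha1'; 'sha-256-128' -> 'sha256'."""
    m = re.search(r"(md5)|sha-?(\d*)", s or "")
    return (m.group(1) or f"sha{m.group(2) or '1'}") if m else s

def parse_junos(text):
    """Pull the negotiation-relevant values out of Junos 'set security ...' lines."""
    j = {}
    for w in (w for w in map(str.split, text.splitlines()) if len(w) > 6 and w[:2] == ["set", "security"]):
        area, obj, key, val = w[2], w[3], w[5], w[-1].strip('"')
        if obj == "proposal" and key in ("encryption-algorithm", "authentication-algorithm", "lifetime-seconds"):
            j[f"{area}_{key.split('-')[0]}"] = int(val) if val.isdigit() else val  # e.g. ike_encryption
        elif key in ("dh-group", "perfect-forward-secrecy"):          # 'group2' -> 2
            j["ike_dh" if key == "dh-group" else "pfs"] = int(val.replace("group", ""))
        elif obj == "policy" and key == "pre-shared-key":
            j["psk"] = val
        elif obj == "vpn" and w[6] == "proxy-identity":                # proxy_local / proxy_remote
            j[f"proxy_{w[7]}"] = val
    return j

def parse_cisco(text):
    """Walk IOS crypto config. Defaults assumed for absent lines: hash sha, IKE lifetime 86400 s, no PFS."""
    c, block = {"ike_authentication": "sha", "ike_lifetime": 86400, "acl": []}, None
    for w in (w for w in map(str.split, text.splitlines()) if w and w[0] != "!"):
        head = " ".join(w[:3])
        if head in ("crypto isakmp policy", "ip access-list extended") or w[-1] == "ipsec-isakmp":
            block = w[1]                                    # 'isakmp', 'access-list' or 'map'
        elif head == "crypto isakmp key":
            c["psk"] = w[3]
        elif head == "crypto ipsec transform-set":          # e.g. 'esp-aes 256 esp-sha-hmac'
            c["ipsec_encryption"] = c["ipsec_authentication"] = " ".join(w[4:])
        elif block == "isakmp" and w[0] in ("encr", "hash", "group", "lifetime"):
            name = {"encr": "encryption", "hash": "authentication", "group": "dh"}.get(w[0], w[0])
            c[f"ike_{name}"] = int(w[1]) if w[1].isdigit() else "-".join(w[1:])  # 'aes 256' -> 'aes-256'
        elif block == "map" and w[:2] == ["set", "pfs"]:
            c["pfs"] = int(w[2].replace("group", ""))
        elif block == "access-list" and w[0] == "permit":
            c["acl"].append((acl_net(w[2], w[3]), acl_net(w[4], w[5])))
    return c

def compare(j, c):
    """Return (severity, message) findings; an empty list means both sides agree."""
    checks = [  # (name, SRX value, IOS value, severity)
        ("IKE encryption", norm_enc(j.get("ike_encryption")), norm_enc(c.get("ike_encryption")), "FAIL"),
        ("IKE hash", norm_hash(j.get("ike_authentication")), norm_hash(c.get("ike_authentication")), "FAIL"),
        ("IKE DH group", j.get("ike_dh"), c.get("ike_dh"), "FAIL"),
        ("pre-shared key", j.get("psk"), c.get("psk"), "FAIL"),
        ("ESP encryption", norm_enc(j.get("ipsec_encryption")), norm_enc(c.get("ipsec_encryption")), "FAIL"),
        ("ESP integrity", norm_hash(j.get("ipsec_authentication")), norm_hash(c.get("ipsec_authentication")), "FAIL"),
        # IKEv1 peers settle on the shorter of the two lifetimes, so unequal values are only a warning
        ("IKE lifetime", j.get("ike_lifetime"), c.get("ike_lifetime"), "WARN"),
        # IOS without 'set pfs' accepts a PFS offer but never makes one: outcome depends on who initiates
        ("PFS group", j.get("pfs"), c.get("pfs"), "WARN"),
    ]
    f = [(sev, f"{name}: SRX={a!r} IOS={b!r}") for name, a, b, sev in checks if a != b]
    want = (IPv4Network(j["proxy_remote"]), IPv4Network(j["proxy_local"]))  # IOS ACL mirrors SRX proxy-ID
    if want not in c["acl"]:
        f.append(("FAIL", f"no IOS ACL entry {want[0]} -> {want[1]} mirroring the SRX proxy-identity"))
    return f

def check_configs(junos=JUNOS, cisco=CISCO):
    return compare(parse_junos(junos), parse_cisco(cisco))
```

Feed it the real configs by replacing the two embedded strings with the output of "show configuration | display set" and "show running-config"; anything reported as FAIL will stop phase 1 or phase 2 from completing, while WARN lines are asymmetries worth aligning even though the tunnel may still come up.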

No need to thank me.