Goal
A VPN tunnel has to be set up between two devices, in this case a Mikrotik and a Juniper from the SRX line.
What we have
On the Mikrotik side we picked, from the vendor's website, a model that supports hardware IPsec encryption and is, in our view, compact and cheap enough: the Mikrotik hEX S.
The USB modem was bought from the nearest mobile operator; the model is a Huawei E3370. We did nothing to unlock it from the operator: everything is stock, with the operator's SIM card in the slot.
The office has a Juniper SRX240H as its core router.
What we got
We managed to build a working scheme that uses a cellular operator without a static address: the modem brings up an IPsec connection, and a GRE tunnel is wrapped inside it.
This connection scheme is in use and works with Beeline and Megafon USB modems.
The configuration is as follows:
Juniper SRX240H, installed in the central office
  Local address: 192.168.1.1/24
  External address: 1.1.1.1/30
  Gateway: 1.1.1.2
Remote site: Mikrotik hEX S
  Local address: 192.168.152.1/24
  External address: dynamic
A small diagram to show how the pieces fit together:
Juniper SRX240 configuration (Junos Software Release 12.1X46-D82):
interfaces {
    ge-0/0/0 {
        description Internet-1;
        unit 0 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    gr-0/0/0 {
        unit 1 {
            description GRE-Tunnel;
            tunnel {
                source 172.31.152.2;
                destination 172.31.152.1;
            }
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 5 {
            description "Area - 192.168.152.0/24";
            family inet {
                mtu 1400;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
        route 192.168.152.0/24 next-hop gr-0/0/0.1;
        route 172.31.152.0/30 next-hop st0.5;
    }
    router-id 192.168.1.1;
}
security {
    ike {
        traceoptions {
            file vpn.log size 256k files 5;
            flag all;
        }
        policy ike-gretunnel {
            mode aggressive;
            description area-192.168.152.0;
            proposal-set standard;
            pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
        }
        gateway gw-gretunnel {
            ike-policy ike-gretunnel;
            dynamic {
                inet 172.31.152.1;
            }
            external-interface ge-0/0/0.0;
            /* IKEv1, to match exchange-mode=aggressive on the Mikrotik */
            version v1-only;
        }
    }
    ipsec {
        policy vpn-policy0 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn vpn-gretunnel {
            bind-interface st0.5;
            df-bit copy;
            vpn-monitor {
                optimized;
                source-interface st0.5;
                destination-ip 172.31.152.1;
            }
            ike {
                gateway gw-gretunnel;
                no-anti-replay;
                ipsec-policy vpn-policy0;
                install-interval 10;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone vpn to-zone vpn {
            policy st-vpn-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy st-trust-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy st-vpn-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            interfaces {
                st0.5 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                        }
                    }
                }
                gr-0/0/0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-local {
        vlan-id 5;
        l3-interface vlan.0;
    }
}
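The `mtu 1400` on st0.5 and the `df-bit copy` setting above only make sense against the encapsulation budget: every LAN packet first gains an outer IP header plus a GRE header, and the result is then wrapped in ESP tunnel mode before it leaves ge-0/0/0. The following script, added here as an illustration and not taken from the original article, works that budget out. It assumes IPv4 throughout, ESP with AES-CBC and HMAC-SHA1-96 (the overlap between Junos' `proposal-set standard` and the Mikrotik proposal), NAT-T UDP encapsulation because the hEX S sits behind the operator's NAT, and a 1500-byte MTU on the Internet path; none of those figures appear on the page.

```python
"""GRE-over-ESP overhead budget for the st0.5 `mtu 1400` in the SRX config.

Added example, not from the original article.  Assumptions (not stated on
the page): IPv4 everywhere, ESP tunnel mode with AES-CBC + HMAC-SHA1-96,
NAT-T UDP encapsulation, and a 1500-byte MTU on the Internet-facing path.
"""

IPV4_HDR = 20
UDP_HDR = 8            # NAT-T (UDP/4500) encapsulation
GRE_HDR = 4            # plain GRE, no key/sequence options
ESP_SPI_SEQ = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
TCP_IP_HDRS = 40       # IPv4 (20) + TCP (20), for the MSS figure
# (IV length, cipher block size) per ESP cipher
CIPHERS = {"aes-128-cbc": (16, 16), "aes-256-cbc": (16, 16), "3des": (8, 8)}
ICV = {"sha1": 12, "sha256": 16}   # truncated HMAC lengths (RFC 2404 / RFC 4868)


def esp_tunnel_size(inner_len, cipher="aes-128-cbc", integrity="sha1", nat_t=True):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation (RFC 4303): the plaintext (inner packet plus
    trailer) is padded up to the cipher block size before the ICV is appended."""
    iv_len, block = CIPHERS[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # ceil to block size
    return (IPV4_HDR + (UDP_HDR if nat_t else 0)
            + ESP_SPI_SEQ + iv_len + padded + ICV[integrity])


def max_st0_mtu(path_mtu=1500, **esp_opts):
    """Largest packet the st0 interface may hand to ESP without the outer
    packet exceeding path_mtu (i.e. without outer fragmentation)."""
    mtu = path_mtu
    while esp_tunnel_size(mtu, **esp_opts) > path_mtu:
        mtu -= 1
    return mtu


def inner_mtu_behind_gre(st0_mtu):
    """MTU seen by LAN hosts: outer IP + GRE header + payload must fit st0."""
    return st0_mtu - IPV4_HDR - GRE_HDR


def tcp_mss_for(mtu):
    """TCP MSS to clamp to so that full-size segments never need fragmenting."""
    return mtu - TCP_IP_HDRS


if __name__ == "__main__":
    st0 = 1400
    print(f"1400-byte GRE packet on the wire (NAT-T): {esp_tunnel_size(st0)} bytes")
    print(f"largest st0 MTU that still fits 1500:    {max_st0_mtu()} bytes")
    print(f"inner MTU behind GRE:                    {inner_mtu_behind_gre(st0)} bytes")
    print(f"TCP MSS clamp for LAN traffic:           {tcp_mss_for(inner_mtu_behind_gre(st0))} bytes")
```

With these assumptions a 1400-byte packet leaving st0.5 becomes 1472 bytes on the wire, and anything up to 1422 bytes would still fit, so the round 1400 leaves some headroom. Hosts behind the GRE tunnel effectively have a 1376-byte MTU; because `df-bit copy` preserves the inner DF bit, oversized TCP segments are dropped rather than fragmented, which is why an MSS clamp (1336 here, e.g. `security flow tcp-mss ipsec-vpn` on the SRX or a `change-mss` mangle rule on RouterOS) is the usual companion to this configuration.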
Mikrotik hEX S configuration (RouterOS 6.44.3):
/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec policy group
add name=srx-gre
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1
/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc,3des name=proposal1
/ip route
add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx
/ip ipsec identity
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
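A RouterOS export like the one above is easy to get subtly wrong: the GRE local address, the IPsec peer, the identity and the policy selector all have to name the same endpoints, and the proposal and profile quietly decide how strong the tunnel is. The script below, added here as an example and not part of the original article, parses that export (embedded as a constructed sample, with the duplicated /ip address block dropped) and reports both inconsistencies and settings a reviewer would question. The weak-algorithm lists, the 20-character PSK threshold and the severity labels are this example's own policy, not anything RouterOS enforces.

```python
"""Consistency and weak-setting checks for the RouterOS side of the tunnel.

Added example, not part of the original article.  Parses a RouterOS `/export`
fragment into per-section records, checks that GRE endpoint, IPsec peer,
identity and policy refer to the same addresses, and flags weak choices.
The weak lists and MIN_PSK_LEN are this example's policy, not RouterOS's.
"""
import ipaddress
import shlex

# Constructed sample: the hEX S export from this page.
SAMPLE_EXPORT = """\
/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec policy group
add name=srx-gre
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1
/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc,3des name=proposal1
/ip route
add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx
/ip ipsec identity
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
"""

WEAK_ENC = {"des", "3des", "blowfish", "null"}
WEAK_DH = {"modp768", "modp1024"}
MIN_PSK_LEN = 20


def parse_export(text):
    """Return {section: [record, ...]}.  A record holds the key=value tokens of
    one `add`/`set` line plus '_cmd'; a '!flag' token is stored as flag='no'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        rec = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if tok.startswith("!"):
                rec[tok[1:]] = "no"
            elif "=" in tok:
                key, value = tok.split("=", 1)
                rec[key] = value
        sections[current].append(rec)
    return sections


def _first(cfg, section, cmd="add"):
    for rec in cfg.get(section, []):
        if rec["_cmd"] == cmd:
            return rec
    raise ValueError(f"no '{cmd}' entry under {section}")


def _by_name(cfg, section, name):
    return next((r for r in cfg.get(section, []) if r.get("name") == name), {})


def check_gre_over_ipsec(text):
    """Return a list of (severity, message) findings for the export."""
    cfg = parse_export(text)
    gre = _first(cfg, "/interface gre")
    peer = _first(cfg, "/ip ipsec peer")
    ident = _first(cfg, "/ip ipsec identity")
    policy = _first(cfg, "/ip ipsec policy")
    profile = _by_name(cfg, "/ip ipsec profile", peer.get("profile", ""))
    proposal = _by_name(cfg, "/ip ipsec proposal", policy.get("proposal", ""))
    findings = []

    # Do the GRE endpoint, the IPsec policy selector and the peer line up?
    gre_local = ipaddress.ip_address(gre["local-address"])
    src_net = ipaddress.ip_network(policy["src-address"], strict=False)
    peer_net = ipaddress.ip_network(peer["address"], strict=False)
    if gre_local not in src_net:
        findings.append(("error", f"GRE local {gre_local} is outside the IPsec policy src {src_net}"))
    if ipaddress.ip_address(policy["sa-dst-address"]) not in peer_net:
        findings.append(("error", "policy sa-dst-address does not match the IPsec peer address"))
    if policy.get("tunnel") != "yes":
        findings.append(("error", "IPsec policy is not in tunnel mode"))
    if ident.get("my-id") != f"address:{gre_local}":
        findings.append(("warn", "IKE my-id differs from the GRE/IPsec local address"))
    if gre.get("keepalive") == "no":
        findings.append(("info", "GRE keepalive is off; liveness rests on IPsec DPD alone"))

    # Cryptographic choices worth a second look.
    if peer.get("exchange-mode") == "aggressive" and "secret" in ident:
        findings.append(("warn", "IKEv1 aggressive mode with a PSK exposes the PSK-derived hash to offline cracking"))
    if len(ident.get("secret", "")) < MIN_PSK_LEN:
        findings.append(("warn", f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
    if profile.get("dh-group") in WEAK_DH:
        findings.append(("warn", f"weak IKE DH group {profile['dh-group']}"))
    weak = WEAK_ENC & set(proposal.get("enc-algorithms", "").split(","))
    if weak:
        findings.append(("warn", f"weak ESP cipher(s) offered: {', '.join(sorted(weak))}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_gre_over_ipsec(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

Run against the page's export it reports no consistency errors but four warnings (aggressive mode with a PSK, the short placeholder secret, modp1024 and 3DES) plus a note that GRE keepalive is disabled; swapping in main mode, a long random secret, modp2048 and AES-256 leaves only the keepalive note.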
Result:
From the Juniper SRX side
netscreen@srx240> ping 192.168.152.1
PING 192.168.152.1 (192.168.152.1): 56 data bytes
64 bytes from 192.168.152.1: icmp_seq=0 ttl=64 time=29.290 ms
64 bytes from 192.168.152.1: icmp_seq=1 ttl=64 time=28.126 ms
64 bytes from 192.168.152.1: icmp_seq=2 ttl=64 time=26.775 ms
64 bytes from 192.168.152.1: icmp_seq=3 ttl=64 time=25.401 ms
^C
--- 192.168.152.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 25.401/27.398/29.290/1.457 ms
From the Mikrotik side
[admin@GW-LTE-net] > ping 192.168.1.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.1.1 56 64 34ms
1 192.168.1.1 56 64 40ms
2 192.168.1.1 56 64 37ms
3 192.168.1.1 56 64 40ms
4 192.168.1.1 56 64 51ms
sent=5 received=5 packet-loss=0% min-rtt=34ms avg-rtt=40ms max-rtt=51ms
Notes
Once the work was done we had a stable IPsec tunnel: from the remote network there is access to our whole network behind the Juniper and, correspondingly, in the other direction.
I do not recommend using IKEv2 in this scheme; there were cases where, after one device or the other rebooted, IPsec did not come back up.
Before reusing this configuration, keep three points in mind. IKEv1 aggressive mode is what makes a pre-shared key usable with a peer whose address is not known in advance, but it sends the identities and the PSK-derived hashes before anything is encrypted, so the PSK is open to offline guessing; use a long random key rather than the "mysecret" placeholder. The Mikrotik proposal and profile offer 3DES and DH group modp1024 alongside AES, and the SRX policy uses PFS group2; both sides can be narrowed to AES and a larger group. Finally, no-anti-replay on the SRX vpn switches off ESP replay protection for this tunnel.
Source: www.habr.com