Goal
It is needsaaklik om in VPN-tunnel te organisearjen tusken twa apparaten, lykas Mikrotik en Juniper fan 'e SRX-line.
Wat hawwe wy
Fan 'e Mikrotiks hawwe wy in Mikrotik-wiki op' e webside keazen, in model dat IPSec-hardware-fersifering kin stypje, nei ús miening, it blykte frij kompakt en goedkeap te wêzen, nammentlik Mikrotik hEXS.
De USB Modem waard kocht fan de tichtstbye mobile operator, it model wie Huawei E3370. Wy hawwe gjin operaasjes útfierd om los te koppelen fan 'e operator. Alles is standert en stitched troch de operator sels.
De kearn hat in Juniper SRX240H sintrale router.
Wat is bard
It wie mooglik om in wurkskema út te fieren dat it mooglik makket om in sellulêre operator te brûken, sûnder in statysk adres, mei in modem om in IPsec-ferbining te meitsjen wêryn de GRE-tunnel is ferpakt.
Dit ferbiningskema wurdt brûkt en wurket op Beeline en Megafon USB-modems.
De konfiguraasje is de folgjende:
Juniper SRX240H ynstallearre yn de kearn
Lokaal adres: 192.168.1.1/24
Eksterne adres: 1.1.1.1/30
GW: 1.1.1.2
ôfstân punt
Mikrotik hEX S
Lokaal adres: 192.168.152.1/24
Eksterne adres: Dynamic
In lyts diagram om it wurk te begripen:
Juniper SRX240 konfiguraasje:
JUNOS Software Release Ferzje [12.1X46-D82]
Juniper Konfiguraasje
interfaces {
ge-0/0/0 {
description Internet-1;
unit 0 {
family inet {
address 1.1.1.1/30;
}
}
}
gr-0/0/0 {
unit 1 {
description GRE-Tunnel;
tunnel {
source 172.31.152.2;
destination 172.31.152.1;
}
family inet;
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
st0 {
unit 5 {
description "Area - 192.168.152.0/24";
family inet {
mtu 1400;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
route 192.168.152.0/24 next-hop gr-0/0/0.1;
route 172.31.152.0/30 next-hop st0.5;
}
router-id 192.168.1.1;
}
security {
ike {
traceoptions {
file vpn.log size 256k files 5;
flag all;
}
policy ike-gretunnel {
mode aggressive;
description area-192.168.152.0;
proposal-set standard;
pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
}
gateway gw-gretunnel {
ike-policy ike-gretunnel;
dynamic inet 172.31.152.1;
external-interface ge-0/0/0.0;
version v2-only;
}
ipsec {
}
policy vpn-policy0 {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
vpn vpn-gretunnel {
bind-interface st0.5;
df-bit copy;
vpn-monitor {
optimized;
source-interface st0.5;
destination-ip 172.31.152.1;
}
ike {
gateway gw-gretunnel;
no-anti-replay;
ipsec-policy vpn-policy0;
install-interval 10;
}
establish-tunnels immediately;
}
}
policies {
from-zone vpn to-zone vpn {
policy st-vpn-vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone trust to-zone vpn {
policy st-trust-to-vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone vpn to-zone trust {
policy st-vpn-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
zones {
security-zone trust {
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
security-zone vpn {
interfaces {
st0.5 {
host-inbound-traffic {
protocols {
ospf;
}
}
}
gr-0/0/0.1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
}
}
}
}
vlans {
vlan-local {
vlan-id 5;
l3-interface vlan.1;
}Mikrotik hEX S konfiguraasje:
RouterOS software ferzje [6.44.3]
Mikrotik konfiguraasje
/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec policy group
add name=srx-gre
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1
/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc,3des name=proposal1
/ip route
add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx
/ip ipsec identity
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
Resultaat:
Juniper SRX Side
netscreen@srx240> ping 192.168.152.1
PING 192.168.152.1 (192.168.152.1): 56 data bytes
64 bytes from 192.168.152.1: icmp_seq=0 ttl=64 time=29.290 ms
64 bytes from 192.168.152.1: icmp_seq=1 ttl=64 time=28.126 ms
64 bytes from 192.168.152.1: icmp_seq=2 ttl=64 time=26.775 ms
64 bytes from 192.168.152.1: icmp_seq=3 ttl=64 time=25.401 ms
^C
--- 192.168.152.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 25.401/27.398/29.290/1.457 msFan Mikrotik side
net[admin@GW-LTE-] > ping 192.168.1.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.1.1 56 64 34ms
1 192.168.1.1 56 64 40ms
2 192.168.1.1 56 64 37ms
3 192.168.1.1 56 64 40ms
4 192.168.1.1 56 64 51ms
sent=5 received=5 packet-loss=0% min-rtt=34ms avg-rtt=40ms max-rtt=51ms befinings
Nei it dien wurk krigen wy in stabile VPN-tunnel, fan it eksterne netwurk hawwe wy tagong ta it heule netwurk dat efter juniper leit, en dus werom.
Ik riede net oan om IKE2 yn dit skema te brûken, d'r wie in situaasje dat nei it herstarten fan ien of oar apparaat IPSec net opstean.
Boarne: www.habr.com