Building an IPsec GRE tunnel between a Mikrotik hEX S and a Juniper SRX over a USB modem

Goal

A VPN tunnel had to be set up between two devices: a Mikrotik and a Juniper of the SRX line.

แžแžพแž™แžพแž„แž˜แžถแž“แžขแŸ’แžœแžธแžแŸ’แž›แŸ‡

From the Mikrotik range we picked, using the Mikrotik wiki on their site, a model that supports hardware IPsec acceleration, as we intended; the smallest and cheapest one turned out to be the Mikrotik hEX S.

The USB modem was bought from the nearest mobile operator; the model is a Huawei E3370. We did nothing to unlock it from the operator: everything is stock, exactly as supplied by the operator.

On the other end of the link is a Juniper SRX240H.

แžแžพแž˜แžถแž“แžขแŸ’แžœแžธแž€แžพแžแžกแžพแž„

The result should be a remote-site scenario in which a branch without a static address, connected through a modem, builds an IPsec connection that carries a GRE tunnel.

This connection scenario has been used and works on Beeline and Megafon USB modems.

แž€แžถแžšแž€แŸ†แžŽแžแŸ‹แžšแž…แž“แžถแžŸแž˜แŸ’แž–แŸแž“แŸ’แž’แž˜แžถแž“แžŠแžผแž…แžแžถแž„แž€แŸ’แžšแŸ„แž˜แŸ–

Juniper SRX240H, installed at the head office.
Internal address: 192.168.1.1/24
External address: 1.1.1.1/30
GW: 1.1.1.2

Remote site.

Mikrotik hEX S
Internal address: 192.168.152.1/24
External address: dynamic

A small diagram to make the layout clear:

[Diagram: IPsec GRE tunnel between the Mikrotik hEX S and the Juniper SRX over the USB modem]

แž€แžถแžšแž€แŸ†แžŽแžแŸ‹แžšแž…แž“แžถแžŸแž˜แŸ’แž–แŸแž“แŸ’แž’ Juniper SRX240แŸ–

แž€แŸ†แžŽแŸ‚แž…แŸแž‰แž•แŸ’แžŸแžถแž™แž€แž˜แŸ’แž˜แžœแžทแž’แžธ JUNOS [12.1X46-D82]

แž€แžถแžšแž€แŸ†แžŽแžแŸ‹แžšแž…แž“แžถแžŸแž˜แŸ’แž–แŸแž“แŸ’แž’ Juniper

interfaces {
    ge-0/0/0 {
        description Internet-1;
        unit 0 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    gr-0/0/0 {
        unit 1 {
            description GRE-Tunnel;
            /* endpoints are the mirror image of the Mikrotik gre-srx interface */
            tunnel {
                source 172.31.152.2;
                destination 172.31.152.1;
            }
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 5 {
            description "Area - 192.168.152.0/24";
            family inet {
                /* GRE packets routed into st0.5 are capped at 1400 bytes so the ESP packet stays under the LTE link MTU */
                mtu 1400;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
        /* remote LAN goes into GRE; the GRE endpoints themselves go into IPsec */
        route 192.168.152.0/24 next-hop gr-0/0/0.1;
        route 172.31.152.0/30 next-hop st0.5;
    }
    router-id 192.168.1.1;
}
security {
    ike {
        /* flag all is debug-level IKE logging; remove it once the tunnel is verified */
        traceoptions {
            file vpn.log size 256k files 5;
            flag all;
        }
        policy ike-gretunnel {
            mode aggressive;
            description area-192.168.152.0;
            proposal-set standard;
            pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
        }
        gateway gw-gretunnel {
            ike-policy ike-gretunnel;
            /* the peer has no static address; it is identified by the IKE ID it sends (Mikrotik my-id=address:172.31.152.1) */
            dynamic inet 172.31.152.1;
            external-interface ge-0/0/0.0;
            /* IKEv1: the Mikrotik side uses exchange-mode=aggressive, which v2-only would never match */
            version v1-only;
        }
    }
    ipsec {
        policy vpn-policy0 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn vpn-gretunnel {
            bind-interface st0.5;
            df-bit copy;
            vpn-monitor {
                optimized;
                source-interface st0.5;
                destination-ip 172.31.152.1;
            }
            ike {
                gateway gw-gretunnel;
                /* disables the ESP anti-replay window, so replayed ESP packets are no longer rejected */
                no-anti-replay;
                ipsec-policy vpn-policy0;
                install-interval 10;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        /* GRE packets arrive on st0.5 and terminate on gr-0/0/0.1, both in zone vpn, hence the intra-zone policy */
        from-zone vpn to-zone vpn {
            policy st-vpn-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy st-trust-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy st-vpn-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            interfaces {
                st0.5 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                        }
                    }
                }
                gr-0/0/0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        /* ike and ping are needed here; ssh open to the Internet is worth restricting or removing */
                        system-services {
                            ping;
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-local {
        vlan-id 5;
        /* vlan.0 is the unit that carries 192.168.1.1/24 and sits in zone trust above */
        l3-interface vlan.0;
    }
}
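The `mtu 1400` on st0.5 is what keeps the encrypted packets below the 1500-byte MTU of the LTE link. The Python below is an added example, not part of the original article, that does the wire-size arithmetic for this GRE-over-IPsec design: header sizes are taken from RFC 2784 (GRE), RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T), and the cipher sizes assume AES-128-CBC with HMAC-SHA1-96, which both `proposal-set standard` on the SRX and `proposal1` on the Mikrotik offer. It shows how much headroom 1400 leaves, the largest st0 MTU that still avoids fragmentation, and which TCP MSS to clamp to for the inner traffic.

```python
# Added example: wire-size arithmetic for the GRE-over-IPsec packets this tunnel
# carries.  Header sizes are from RFC 2784 (GRE), RFC 4303 (ESP) and RFC 3948
# (UDP encapsulation for NAT-T).  Algorithm sizes are an assumption: AES-128-CBC
# (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
IPV4_HDR = 20
GRE_HDR = 4                 # no checksum, key or sequence number
GRE_OVERHEAD = IPV4_HDR + GRE_HDR
UDP_NAT_T_HDR = 8
ESP_HDR = 8                 # SPI + sequence number
ESP_TRAILER = 2             # pad length + next header


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=True):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes.
    nat_t=True adds the UDP/4500 header the Mikrotik needs behind carrier NAT."""
    pad = (-(inner_len + ESP_TRAILER)) % block      # CBC block alignment
    size = IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    return size + UDP_NAT_T_HDR if nat_t else size


def max_gre_packet(path_mtu=1500, **esp):
    """Largest GRE packet (outer IP + GRE + payload) whose ESP encapsulation
    still fits path_mtu: the highest usable MTU for st0.5 / gre-srx."""
    size = path_mtu
    while esp_tunnel_size(size, **esp) > path_mtu:
        size -= 1
    return size


def max_inner_packet(path_mtu=1500, **esp):
    """Largest original IP packet that crosses GRE + ESP without fragmentation."""
    return max_gre_packet(path_mtu, **esp) - GRE_OVERHEAD


def tcp_mss_for(inner_mtu):
    """TCP MSS to clamp to so segments fit an inner MTU (IPv4 + TCP, no options)."""
    return inner_mtu - IPV4_HDR - 20


if __name__ == "__main__":
    print("st0.5 mtu 1400 -> ESP packet of", esp_tunnel_size(1400), "bytes")
    print("largest GRE packet for a 1500-byte path:", max_gre_packet())
    inner = max_inner_packet()
    print("largest end-to-end packet:", inner, "-> clamp TCP MSS to", tcp_mss_for(inner))
```

With these sizes a 1400-byte GRE packet becomes a 1472-byte ESP/NAT-T packet, so 1400 leaves 28 bytes of headroom; 1422 is the largest GRE packet that still fits 1500 bytes. Because the Mikrotik `gre-srx` interface keeps the RouterOS default MTU unless changed, the inner MTU it advertises to hosts is worth aligning with the SRX side (1400 minus the 24-byte GRE overhead, i.e. 1376, which implies a TCP MSS of 1336).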

แž€แžถแžšแž€แŸ†แžŽแžแŸ‹แžšแž…แž“แžถแžŸแž˜แŸ’แž–แŸแž“แŸ’แž’ Mikrotik hEX SแŸ–

RouterOS version [6.44.3]

แž€แžถแžšแž€แŸ†แžŽแžแŸ‹แžšแž…แž“แžถแžŸแž˜แŸ’แž–แŸแž“แŸ’แž’ Mikrotik

# The LTE interface, its address assignment and the NAT rules for the modem are not included in this export.
/ip address
# /24 on gre-srx is wider than the /30 that the IPsec policy and the SRX route cover; only .1 and .2 are in use
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0

/interface gre
# mirror image of gr-0/0/0.1 on the SRX (source 172.31.152.2, destination 172.31.152.1)
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2

/ip ipsec policy group
add name=srx-gre

/ip ipsec profile
# modp1024 is DH group 2, the group used by the SRX proposal-set standard and its PFS setting
add dh-group=modp1024 dpd-interval=10s name=profile1

/ip ipsec peer
# IKEv1 aggressive mode: the ID is sent in the first message, which is how the SRX recognises a peer with no fixed address
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc,3des name=proposal1

/ip route
add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx

/ip ipsec identity
# my-id must equal the "dynamic inet" address in the SRX gateway; secret must equal the SRX pre-shared-key
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret

/ip ipsec policy
# disable the default policy template
set 0 disabled=yes
# GRE traffic from 172.31.152.0/30 is what gets encrypted; the SA runs from the GRE-side address to the SRX external address
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
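Two vendors, two naming schemes and two exports that have to agree field by field: that is where this kind of setup usually breaks. The script below is an added example, not part of the original article, that parses the two configurations above (the excerpts are copied from this page, PSK placeholder included) and checks the pairings a practitioner verifies by hand: GRE endpoints mirrored, the Mikrotik `my-id` matching the SRX `dynamic inet` peer ID, `sa-dst-address` matching the SRX external-interface address, IKEv1 aggressive on the Mikrotik against the SRX gateway version, and equal pre-shared keys. Both parsers are deliberately minimal and handle only the statement shapes that appear here.

```python
# Added example: cross-check the Mikrotik export against the SRX configuration.
# Both excerpts are copied from the configurations on this page.
SRX_CONFIG = """
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    gr-0/0/0 {
        unit 1 {
            tunnel {
                source 172.31.152.2;
                destination 172.31.152.1;
            }
        }
    }
}
security {
    ike {
        policy ike-gretunnel {
            mode aggressive;
            pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
        }
        gateway gw-gretunnel {
            ike-policy ike-gretunnel;
            dynamic inet 172.31.152.1;
            external-interface ge-0/0/0.0;
            version v1-only;
        }
    }
}
"""
MT_EXPORT = """
/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec identity
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
"""


def parse_junos(text):
    """Brace-structured Junos text -> nested dicts.  A leaf maps the statement's
    first word to the rest of the line; '## ...' annotations are dropped."""
    cur, stack = {}, []
    root = cur
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip().rstrip(";")
        if not line:
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, val = line.partition(" ")
            cur[key] = val
    return root


def parse_mikrotik(text):
    """RouterOS export -> {section: [ {key: value}, ... ]} from its 'add' lines;
    bare flags such as '!keepalive' are ignored."""
    out, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            entry = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
            out.setdefault(section, []).append(entry)
    return out


def check(srx, mt):
    """Return the list of mismatches found (an empty list means consistent)."""
    problems = []
    gre, tun = mt["/interface gre"][0], srx["interfaces"]["gr-0/0/0"]["unit 1"]["tunnel"]
    if (gre["local-address"], gre["remote-address"]) != (tun["destination"], tun["source"]):
        problems.append("GRE endpoints are not mirrored between the two sides")
    gw = srx["security"]["ike"]["gateway gw-gretunnel"]
    identity = mt["/ip ipsec identity"][0]
    if gw["dynamic"] != "inet " + identity["my-id"].split(":", 1)[1]:
        problems.append("Mikrotik my-id does not match the SRX 'dynamic inet' peer ID")
    ifname, unit = gw["external-interface"].rsplit(".", 1)
    ext_addr = srx["interfaces"][ifname]["unit " + unit]["family inet"]["address"].split("/")[0]
    if mt["/ip ipsec policy"][0]["sa-dst-address"] != ext_addr:
        problems.append("Mikrotik sa-dst-address is not the SRX external-interface address")
    mode = mt["/ip ipsec peer"][0].get("exchange-mode", "main")   # RouterOS default
    if mode != "ike2" and gw.get("version") == "v2-only":
        problems.append("Mikrotik speaks IKEv1 (%s mode) but the SRX gateway is v2-only" % mode)
    policy = srx["security"]["ike"]["policy " + gw["ike-policy"]]
    if identity["secret"] != policy["pre-shared-key"].split()[-1].strip('"'):
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    print(check(parse_junos(SRX_CONFIG), parse_mikrotik(MT_EXPORT)) or "no mismatches found")
```

Run against the configurations as given, the check comes back empty; swap the two GRE addresses, change the SRX gateway to `version v2-only`, or mistype the secret on one side and it names the mismatch, which is faster than reading IKE trace logs to find the same thing.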

Result:
Juniper SRX side

netscreen@srx240> ping 192.168.152.1  
PING 192.168.152.1 (192.168.152.1): 56 data bytes
64 bytes from 192.168.152.1: icmp_seq=0 ttl=64 time=29.290 ms
64 bytes from 192.168.152.1: icmp_seq=1 ttl=64 time=28.126 ms
64 bytes from 192.168.152.1: icmp_seq=2 ttl=64 time=26.775 ms
64 bytes from 192.168.152.1: icmp_seq=3 ttl=64 time=25.401 ms
^C
--- 192.168.152.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 25.401/27.398/29.290/1.457 ms

แž–แžธแžแžถแž„ Mikrotik

[admin@GW-LTE-net] > ping 192.168.1.1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                               
    0 192.168.1.1                                56  64 34ms 
    1 192.168.1.1                                56  64 40ms 
    2 192.168.1.1                                56  64 37ms 
    3 192.168.1.1                                56  64 40ms 
    4 192.168.1.1                                56  64 51ms 
    sent=5 received=5 packet-loss=0% min-rtt=34ms avg-rtt=40ms max-rtt=51ms 

Conclusion

After this work we have a stable VPN tunnel: from the remote network we can reach every network located behind the Juniper, and the reverse path works as well.

แžแŸ’แž‰แžปแŸ†แž˜แžทแž“แžŽแŸ‚แž“แžถแŸ†แžฑแŸ’แž™แž”แŸ’แžšแžพ IKE2 แž“แŸ…แž€แŸ’แž“แžปแž„แž‚แŸ’แžšแŸ„แž„แž€แžถแžšแžŽแŸแž“แŸแŸ‡แž‘แŸ แž˜แžถแž“แžŸแŸ’แžแžถแž“แž—แžถแž–แž˜แžฝแž™แžŠแŸ‚แž›แž”แž“แŸ’แž‘แžถแž”แŸ‹แž–แžธแž€แžถแžšแž…แžถแž”แŸ‹แž•แŸ’แžŠแžพแž˜แžงแž”แž€แžšแžŽแŸแž˜แžฝแž™ แžฌแžงแž”แž€แžšแžŽแŸแž•แŸ’แžŸแŸแž„แž‘แŸ€แžแžกแžพแž„แžœแžทแž‰ IPSec แž˜แžทแž“แž€แžพแž“แžกแžพแž„แž‘แŸแŸ”

Source: www.habr.com

แž”แž“แŸ’แžแŸ‚แž˜แž˜แžแžทแž™แŸ„แž”แž›แŸ‹