ΡΠ΅Π»
ΠΠΎΡΡΠ΅Π±Π½ΠΎ Π΅ Π΄Π° ΡΠ΅ ΠΎΡΠ³Π°Π½ΠΈΠ·ΠΈΡΠ° VPN ΡΡΠ½Π΅Π» ΠΏΠΎΠΌΠ΅ΡΡ Π΄Π²Π° ΡΡΠ΅Π΄ΠΈ, ΠΊΠ°ΠΊΠΎ Mikrotik ΠΈ Juniper SRX Π»ΠΈΠ½ΠΈΡΠ°ΡΠ°.
Π¨ΡΠΎ ΠΈΠΌΠ°ΠΌΠ΅ Π½ΠΈΠ΅?
ΠΠ΄ ΠΠΈΠΊΡΠΎΡΠΈΠΊ, ΠΈΠ·Π±ΡΠ°Π²ΠΌΠ΅ ΠΌΠΎΠ΄Π΅Π» Π½Π° Π²ΠΈΠΊΠΈ-ΡΡΡΠ°Π½ΠΈΡΠ°ΡΠ° Π½Π° ΠΠΈΠΊΡΠΎΡΠΈΠΊ ΡΡΠΎ ΠΌΠΎΠΆΠ΅ Π΄Π° ΠΏΠΎΠ΄Π΄ΡΠΆΡΠ²Π° ΡΠΈΡΡΠΈΡΠ°ΡΠ΅ Π½Π° Ρ Π°ΡΠ΄Π²Π΅ΡΠΎΡ IPSec, ΡΠΏΠΎΡΠ΅Π΄ Π½Π°ΡΠ΅ ΠΌΠΈΡΠ»Π΅ΡΠ΅, ΡΠΎΡ ΡΠ΅ ΠΏΠΎΠΊΠ°ΠΆΠ° Π΄ΠΎΡΡΠ° ΠΊΠΎΠΌΠΏΠ°ΠΊΡΠ΅Π½ ΠΈ Π΅ΡΡΠΈΠ½, ΠΈΠΌΠ΅Π½ΠΎ Mikrotik hEXS.
Π£Π‘Π-ΠΌΠΎΠ΄Π΅ΠΌΠΎΡ Π΅ ΠΊΡΠΏΠ΅Π½ ΠΎΠ΄ Π½Π°ΡΠ±Π»ΠΈΡΠΊΠΈΠΎΡ ΠΌΠΎΠ±ΠΈΠ»Π΅Π½ ΠΎΠΏΠ΅ΡΠ°ΡΠΎΡ, ΠΌΠΎΠ΄Π΅Π»ΠΎΡ Π΅ Huawei E3370. ΠΠ΅ ΠΈΠ·Π²ΡΡΠΈΠ²ΠΌΠ΅ Π½ΠΈΠΊΠ°ΠΊΠ²ΠΈ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΈ Π·Π° ΠΈΡΠΊΠ»ΡΡΡΠ²Π°ΡΠ΅ ΠΎΠ΄ ΠΎΠΏΠ΅ΡΠ°ΡΠΎΡΠΎΡ. Π‘Π΅ Π΅ ΡΡΠ°Π½Π΄Π°ΡΠ΄Π½ΠΎ ΠΈ ΡΠΎΡΠΈΠ΅Π½ΠΎ ΠΎΠ΄ ΡΠ°ΠΌΠΈΠΎΡ ΠΎΠΏΠ΅ΡΠ°ΡΠΎΡ.
ΠΠ°Π΄ΡΠΎΡΠΎ ΡΠΎΠ΄ΡΠΆΠΈ ΡΠ΅Π½ΡΡΠ°Π»Π΅Π½ ΡΡΡΠ΅Ρ Juniper SRX240H.
Π¨ΡΠΎ ΡΠ΅ ΡΠ»ΡΡΠΈ
ΠΠ΅ΡΠ΅ ΠΌΠΎΠΆΠ½ΠΎ Π΄Π° ΡΠ΅ ΠΈΠΌΠΏΠ»Π΅ΠΌΠ΅Π½ΡΠΈΡΠ° ΡΠ°Π±ΠΎΡΠ½Π° ΡΠ΅ΠΌΠ° ΠΊΠΎΡΠ° Π²ΠΈ ΠΎΠ²ΠΎΠ·ΠΌΠΎΠΆΡΠ²Π° Π΄Π° ΠΊΡΠ΅ΠΈΡΠ°ΡΠ΅ IPsec ΠΊΠΎΠ½Π΅ΠΊΡΠΈΡΠ° ΠΏΡΠ΅ΠΊΡ ΠΌΠΎΠ±ΠΈΠ»Π΅Π½ ΠΎΠΏΠ΅ΡΠ°ΡΠΎΡ, Π±Π΅Π· ΡΡΠ°ΡΠΈΡΠ½Π° Π°Π΄ΡΠ΅ΡΠ°, ΠΊΠΎΡΠΈΡΡΠ΅ΡΡΠΈ ΠΌΠΎΠ΄Π΅ΠΌ, Π²ΠΎ ΠΊΠΎΡ Π΅ Π·Π°Π²ΠΈΡΠΊΠ°Π½ ΡΡΠ½Π΅Π»ΠΎΡ GRE.
ΠΠ²ΠΎΡ Π΄ΠΈΡΠ°Π³ΡΠ°ΠΌ Π·Π° ΠΏΠΎΠ²ΡΠ·ΡΠ²Π°ΡΠ΅ ΡΠ΅ ΠΊΠΎΡΠΈΡΡΠΈ ΠΈ ΡΠ°Π±ΠΎΡΠΈ Π½Π° Beeline ΠΈ Megafon USB ΠΌΠΎΠ΄Π΅ΠΌΠΈ.
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡΠ°ΡΠ° Π΅ ΠΊΠ°ΠΊΠΎ ΡΡΠΎ ΡΠ»Π΅Π΄ΡΠ²Π°:
ΠΡΠ½ΠΈΠΏΠ΅Ρ SRX240H ΠΈΠ½ΡΡΠ°Π»ΠΈΡΠ°Π½ Π²ΠΎ ΡΠ°Π΄ΡΠΎΡΠΎ
ΠΠΎΠΊΠ°Π»Π½Π° Π°Π΄ΡΠ΅ΡΠ°: 192.168.1.1/24
ΠΠ°Π΄Π²ΠΎΡΠ΅ΡΠ½Π° Π°Π΄ΡΠ΅ΡΠ°: 1.1.1.1/30
GW: 1.1.1.2
ΠΠ΄Π΄Π°Π»Π΅ΡΠ΅Π½Π° ΡΠΎΡΠΊΠ°
Mikrotik hEX S
ΠΠΎΠΊΠ°Π»Π½Π° Π°Π΄ΡΠ΅ΡΠ°: 192.168.152.1/24
ΠΠ°Π΄Π²ΠΎΡΠ΅ΡΠ½Π° Π°Π΄ΡΠ΅ΡΠ°: ΠΠΈΠ½Π°ΠΌΠΈΡΠ½Π°
ΠΠ°Π» Π΄ΠΈΡΠ°Π³ΡΠ°ΠΌ ΠΊΠΎΡ ΡΠ΅ Π²ΠΈ ΠΏΠΎΠΌΠΎΠ³Π½Π΅ Π΄Π° ΡΠ°Π·Π±Π΅ΡΠ΅ΡΠ΅ ΠΊΠ°ΠΊΠΎ ΡΡΠ½ΠΊΡΠΈΠΎΠ½ΠΈΡΠ°:
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡΠ° Juniper SRX240:
ΠΠ·Π΄Π°Π½ΠΈΠ΅ Π½Π° ΡΠΎΡΡΠ²Π΅Ρ JUNOS [12.1X46-D82]
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡΠ° Π½Π° ΡΠΌΡΠ΅ΠΊΠ°
interfaces {
ge-0/0/0 {
description Internet-1;
unit 0 {
family inet {
address 1.1.1.1/30;
}
}
}
gr-0/0/0 {
unit 1 {
description GRE-Tunnel;
tunnel {
source 172.31.152.2;
destination 172.31.152.1;
}
family inet;
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
st0 {
unit 5 {
description "Area - 192.168.152.0/24";
family inet {
mtu 1400;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
route 192.168.152.0/24 next-hop gr-0/0/0.1;
route 172.31.152.0/30 next-hop st0.5;
}
router-id 192.168.1.1;
}
security {
ike {
traceoptions {
file vpn.log size 256k files 5;
flag all;
}
policy ike-gretunnel {
mode aggressive;
description area-192.168.152.0;
proposal-set standard;
pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
}
gateway gw-gretunnel {
ike-policy ike-gretunnel;
dynamic inet 172.31.152.1;
external-interface ge-0/0/0.0;
version v2-only;
}
ipsec {
}
policy vpn-policy0 {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
vpn vpn-gretunnel {
bind-interface st0.5;
df-bit copy;
vpn-monitor {
optimized;
source-interface st0.5;
destination-ip 172.31.152.1;
}
ike {
gateway gw-gretunnel;
no-anti-replay;
ipsec-policy vpn-policy0;
install-interval 10;
}
establish-tunnels immediately;
}
}
policies {
from-zone vpn to-zone vpn {
policy st-vpn-vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone trust to-zone vpn {
policy st-trust-to-vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone vpn to-zone trust {
policy st-vpn-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
zones {
security-zone trust {
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
security-zone vpn {
interfaces {
st0.5 {
host-inbound-traffic {
protocols {
ospf;
}
}
}
gr-0/0/0.1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
}
}
}
}
vlans {
vlan-local {
vlan-id 5;
l3-interface vlan.1;
}ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡΠ° Π½Π° Mikrotik hEX S:
ΠΠ΅ΡΠ·ΠΈΡΠ° Π½Π° ΡΠΎΡΡΠ²Π΅ΡΠΎΡ RouterOS [6.44.3]
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡΠ° Π½Π° Mikrotik
/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec policy group
add name=srx-gre
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1
/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc,3des name=proposal1
/ip route
add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx
/ip ipsec identity
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
Π Π΅Π·ΡΠ»ΡΠ°ΡΠΎΡ Π΅:
ΠΠ΄ ΡΡΡΠ°Π½Π°ΡΠ° Juniper SRX
netscreen@srx240> ping 192.168.152.1
PING 192.168.152.1 (192.168.152.1): 56 data bytes
64 bytes from 192.168.152.1: icmp_seq=0 ttl=64 time=29.290 ms
64 bytes from 192.168.152.1: icmp_seq=1 ttl=64 time=28.126 ms
64 bytes from 192.168.152.1: icmp_seq=2 ttl=64 time=26.775 ms
64 bytes from 192.168.152.1: icmp_seq=3 ttl=64 time=25.401 ms
^C
--- 192.168.152.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 25.401/27.398/29.290/1.457 msΠΠ΄ ΠΠΈΠΊΡΠΎΡΠΈΠΊ
net[admin@GW-LTE-] > ping 192.168.1.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.1.1 56 64 34ms
1 192.168.1.1 56 64 40ms
2 192.168.1.1 56 64 37ms
3 192.168.1.1 56 64 40ms
4 192.168.1.1 56 64 51ms
sent=5 received=5 packet-loss=0% min-rtt=34ms avg-rtt=40ms max-rtt=51ms ΠΠ°ΠΎΠ΄ΠΈ
ΠΠΎ Π·Π°Π²ΡΡΠ΅Π½Π°ΡΠ° ΡΠ°Π±ΠΎΡΠ°, Π΄ΠΎΠ±ΠΈΠ²ΠΌΠ΅ ΡΡΠ°Π±ΠΈΠ»Π΅Π½ VPN ΡΡΠ½Π΅Π», ΠΎΠ΄ Π΄Π°Π»Π΅ΡΠΈΠ½ΡΠΊΠ°ΡΠ° ΠΌΡΠ΅ΠΆΠ° ΠΌΠΎΠΆΠ΅ΠΌΠ΅ Π΄Π° ΠΏΡΠΈΡΡΠ°ΠΏΠΈΠΌΠ΅ Π΄ΠΎ ΡΠ΅Π»Π°ΡΠ° ΠΌΡΠ΅ΠΆΠ° ΡΡΠΎ ΡΠ΅ Π½Π°ΠΎΡΠ° Π·Π°Π΄ ΡΠΌΡΠ΅ΠΊΠ°ΡΠ° ΠΈ, ΡΠΎΠΎΠ΄Π²Π΅ΡΠ½ΠΎ, Π½Π°Π·Π°Π΄.
ΠΠ΅ ΠΏΡΠ΅ΠΏΠΎΡΠ°ΡΡΠ²Π°ΠΌ Π΄Π° ΠΊΠΎΡΠΈΡΡΠΈΡΠ΅ IKE2 Π²ΠΎ ΠΎΠ²Π°Π° ΡΠ΅ΠΌΠ°, ΡΠ΅ ΠΏΠΎΡΠ°Π²ΠΈ ΡΠΈΡΡΠ°ΡΠΈΡΠ° Π΄Π΅ΠΊΠ° ΠΏΠΎ ΡΠ΅ΡΡΠ°ΡΡΠΈΡΠ°ΡΠ΅ΡΠΎ Π½Π° ΠΎΠ΄ΡΠ΅Π΄Π΅Π½ ΡΡΠ΅Π΄, IPSec Π½Π΅ ΡΠ΅ Π·Π³ΠΎΠ»Π΅ΠΌΠΈ.
ΠΠ·Π²ΠΎΡ: www.habr.com