Building an IPsec GRE tunnel between a Mikrotik hEX S and a Juniper SRX over a USB modem

Goal

We need to set up a VPN tunnel between two devices, a Mikrotik and a Juniper SRX.

What do we have?

On the Mikrotik side we picked a model from the Mikrotik wiki that supports hardware IPsec encryption; in our opinion a very compact and inexpensive one, namely the Mikrotik hEX S.

The USB modem was bought from the nearest mobile operator; the model is a Huawei E3370. No work was done to unlock it from the operator. Everything is stock and shipped by the operator itself.

The core has a Juniper SRX240H as the central router.

Outcome

It proved possible to implement a working scheme that establishes an IPsec connection through a mobile operator, with no static address, over a USB modem, and wraps a GRE tunnel inside it.

This connection scheme has been used and works on Beeline and Megafon USB modems.

The setup is as follows:

Juniper SRX240H installed in the core
Local address: 192.168.1.1/24
External address: 1.1.1.1/30
GW: 1.1.1.2

Remote site

Mikrotik hEX S
Local address: 192.168.152.1/24
External address: dynamic

A small diagram to help understand how it works:

[Diagram: IPsec GRE tunnel between Mikrotik hEX S and Juniper SRX over a USB modem]

Juniper SRX240 configuration:

JUNOS software release [12.1X46-D82]

interfaces {
    ge-0/0/0 {
        description Internet-1;
        unit 0 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    gr-0/0/0 {
        unit 1 {
            description GRE-Tunnel;
            tunnel {
                source 172.31.152.2;
                destination 172.31.152.1;
            }
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 5 {
            description "Area - 192.168.152.0/24";
            family inet {
                mtu 1400;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
        route 192.168.152.0/24 next-hop gr-0/0/0.1;
        route 172.31.152.0/30 next-hop st0.5;
    }
    router-id 192.168.1.1;
}
security {
    ike {
        traceoptions {
            file vpn.log size 256k files 5;
            flag all;
        }
        policy ike-gretunnel {
            mode aggressive;
            description area-192.168.152.0;
            proposal-set standard;
            pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
        }
        gateway gw-gretunnel {
            ike-policy ike-gretunnel;
            dynamic inet 172.31.152.1;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        policy vpn-policy0 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn vpn-gretunnel {
            bind-interface st0.5;
            df-bit copy;
            vpn-monitor {
                optimized;
                source-interface st0.5;
                destination-ip 172.31.152.1;
            }
            ike {
                gateway gw-gretunnel;
                no-anti-replay;
                ipsec-policy vpn-policy0;
                install-interval 10;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone vpn to-zone vpn {
            policy st-vpn-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy st-trust-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy st-vpn-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            interfaces {
                st0.5 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                        }
                    }
                }
                gr-0/0/0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-local {
        vlan-id 5;
        l3-interface vlan.0;
    }
}
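
The st0.5 unit above carries mtu 1400 and df-bit copy. The following added example (not from the article) works out what a packet of that size costs on the wire once ESP tunnel mode, CBC padding and an optional NAT-T UDP header are added, and the largest st0 MTU that still fits a 1500-byte public path; it assumes HMAC-SHA1-96 with the CBC ciphers of the standard proposal set and a 1500-byte path MTU.

```python
"""GRE-over-ESP sizing for this article's tunnel (added example, not from the page).

Assumptions: ESP tunnel mode, a CBC cipher and HMAC-SHA1-96 (12-byte ICV), which
is what Junos 'proposal-set standard' negotiates, and a 1500-byte public-path MTU.
"""
IP_HDR, GRE_HDR, UDP_HDR = 20, 4, 8
ESP_HDR, ESP_TRAILER, ICV = 8, 2, 12          # SPI+seq, pad-len+next-hdr, SHA1-96
CIPHERS = {"aes-128-cbc": 16, "aes-256-cbc": 16, "3des": 8}   # CBC block size == IV size

def esp_wire_size(st0_pkt, cipher, nat_t=False):
    """Bytes on the wire for one st0_pkt-byte packet entering st0.5.

    What enters st0 is already the GRE packet (outer IP + GRE + LAN packet),
    because 172.31.152.0/30 is routed via st0.5 in the article's configuration.
    """
    block = CIPHERS[cipher]
    pad = (-(st0_pkt + ESP_TRAILER)) % block      # CBC pads to a block boundary
    size = IP_HDR + ESP_HDR + block + st0_pkt + pad + ESP_TRAILER + ICV
    return size + (UDP_HDR if nat_t else 0)       # NAT-T wraps ESP in UDP/4500

def max_st0_mtu(link_mtu, cipher, nat_t=False):
    """Largest st0 MTU whose packets never need fragmenting on the public path."""
    return max(p for p in range(link_mtu) if esp_wire_size(p, cipher, nat_t) <= link_mtu)

def lan_mss(st0_mtu):
    """TCP MSS for LAN hosts so a segment fits GRE (outer IP + GRE) and then st0."""
    return st0_mtu - IP_HDR - GRE_HDR - IP_HDR - 20   # minus inner IP and TCP headers

def report(st0_mtu=1400, link_mtu=1500):
    """Per cipher, with and without NAT-T: wire size at st0_mtu and largest safe st0 MTU."""
    rows = {(cipher, nat_t): (esp_wire_size(st0_mtu, cipher, nat_t),
                              max_st0_mtu(link_mtu, cipher, nat_t))
            for cipher in CIPHERS for nat_t in (False, True)}
    rows["lan_tcp_mss"] = lan_mss(st0_mtu)
    return rows

if __name__ == "__main__":
    for key, val in report().items():
        print(key, val)
```

For the article's values a full 1400-byte st0 packet costs at most 1472 bytes on the wire (AES-CBC with NAT-T), so df-bit copy cannot provoke outer fragmentation on a 1500-byte path; LAN hosts should see a TCP MSS of 1336.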

Mikrotik hEX S configuration:

RouterOS software version [6.44.3]

/ip address
add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0

/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2

/ip ipsec policy group
add name=srx-gre

/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1

/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc,3des name=proposal1

/ip route
add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx

/ip ipsec identity
add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret

/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
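
A check worth running on the export above before trusting it: the added script below (not from the article) parses the RouterOS export format, verifies that the IPsec policy's SA addresses match the GRE endpoints so that GRE never leaves unencrypted, and flags IKEv1 aggressive mode and the legacy algorithms (3DES, modp1024) this configuration selects. The sample input is a constructed copy of the lines above with the PSK omitted.

```python
"""Audit a RouterOS IPsec/GRE export (added example; SAMPLE_EXPORT is a constructed copy of the article's Mikrotik lines, PSK omitted)."""
SAMPLE_EXPORT = """\
/interface gre
add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1
/ip ipsec peer
add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc,3des name=proposal1
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
"""
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}   # legacy IKE/ESP algorithms
def parse_export(text):
    """Map each '/section' header to the key=value dicts of its add/set lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line.strip(), [])
        elif current is not None and line.split()[:1] in (["add"], ["set"]):
            entry = {}
            for tok in line.split()[1:]:
                if "=" in tok:                      # key=value
                    key, val = tok.split("=", 1)
                    entry[key] = val
                elif tok.startswith("!"):           # '!keepalive' negated flag
                    entry[tok[1:]] = "no"
            current.append(entry)
    return sections

def audit(sections):
    def first(section, **want):                 # first entry matching all want= pairs
        return next((e for e in sections.get(section, [])
                     if all(e.get(k) == v for k, v in want.items())), {})
    gre, peer = first("/interface gre"), first("/ip ipsec peer")
    policy = first("/ip ipsec policy", tunnel="yes")
    findings = []                               # empty list means every check passed
    if policy.get("sa-src-address") != gre.get("local-address"):   # else GRE leaves in clear
        findings.append("policy sa-src-address != GRE local-address")
    if policy.get("sa-dst-address") != peer.get("address", "").split("/")[0]:
        findings.append("policy sa-dst-address != IPsec peer address")
    if peer.get("exchange-mode") == "aggressive":   # IKEv1 only; IKEv2 has no such mode
        findings.append("IKEv1 aggressive mode: PSK identity hash is sent unencrypted")
    for label, sect, ref in (("dh-group", "/ip ipsec profile", peer.get("profile")),
                             ("enc-algorithms", "/ip ipsec proposal", policy.get("proposal"))):
        weak = sorted(set(first(sect, name=ref).get(label, "").split(",")) & WEAK)
        findings.extend(f"weak {label}: {alg}" for alg in weak)
    return findings
```

On the article's export the cross-references all line up and the script reports exactly three findings: aggressive mode, modp1024 and 3DES.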

Result:
From the Juniper SRX side

netscreen@srx240> ping 192.168.152.1  
PING 192.168.152.1 (192.168.152.1): 56 data bytes
64 bytes from 192.168.152.1: icmp_seq=0 ttl=64 time=29.290 ms
64 bytes from 192.168.152.1: icmp_seq=1 ttl=64 time=28.126 ms
64 bytes from 192.168.152.1: icmp_seq=2 ttl=64 time=26.775 ms
64 bytes from 192.168.152.1: icmp_seq=3 ttl=64 time=25.401 ms
^C
--- 192.168.152.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 25.401/27.398/29.290/1.457 ms

From the Mikrotik side

net[admin@GW-LTE-] > ping 192.168.1.1 
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                               
    0 192.168.1.1                                56  64 34ms 
    1 192.168.1.1                                56  64 40ms 
    2 192.168.1.1                                56  64 37ms 
    3 192.168.1.1                                56  64 40ms 
    4 192.168.1.1                                56  64 51ms 
    sent=5 received=5 packet-loss=0% min-rtt=34ms avg-rtt=40ms max-rtt=51ms 

Conclusion

After the work done we have a stable VPN tunnel: from the remote network we can reach the whole network behind the Juniper and, accordingly, the other way round.

I do not recommend using IKEv2 in this scheme; a situation came up where, after a reboot of one particular device, IPsec did not come back up.

Source: www.habr.com
