Set routing-options static route 10.255.0.0/16 next-hop st0. Define a static route to the Perimeter 81 network. Set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ikeġ2. Set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ike Not only the tunnel interface must have it, but also your public-facing interface. We must allow services destined to the firewall interfaces as well. Set security policies from-zone vpn to-zone trust policy vpn-internal then permitġ1. Set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-ssh Set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-icmp-all Set security policies from-zone vpn to-zone trust policy vpn-internal match destination-address any Set security policies from-zone vpn to-zone trust policy vpn-internal match source-address p81_internal In this example, we are allowing icmp and ssh from zone “vpn” with a source address of 10.255.0.0/16 to any address in zone “trust”. Otherwise, you'll need to adjust according to your network topology and particular use case. If you place the tunnel interface into your trust zone or a zone where everything is allowed, then this step can be omitted. Set security ipsec vpn p81-ipsec establish-tunnels on-traffic immediately Set security ipsec vpn p81-ipsec ike ipsec-policy ipsec-p81-policy Set security ipsec vpn p81-ipsec ike gateway p81-ike-gateway Set security ipsec vpn p81-ipsec bind-interface st0.0 If your Perimeter 81 network subnet is not 10.255.0.0/16 make sure to change the appropriate line. Bind your tunnel interface and apply configurations. Set security ipsec policy ipsec-p81-policy proposals p81-proposalĩ. Set security ipsec policy ipsec-p81-policy perfect-forward-secrecy keys group14 Perfect Forward Secrecy must be enabled and reference the previously defined proposal. Set security ipsec proposal p81-proposal lifetime-seconds 3600Ĩ. Set security ipsec proposal p81-proposal encryption-algorithm aes-256-cbc Set security ipsec proposal p81-proposal authentication-algorithm hmac-sha-256-128 Set security ipsec proposal p81-proposal protocol esp Set security ipsec proposal p81-proposal description Perimeter81 Set security ike gateway p81-ike-gateway version v1-only Set security ike gateway p81-ike-gateway external-interface ge-0/0/0 Set security ike gateway p81-ike-gateway local-identity inet LOCAL_ADDRESS Set security ike gateway p81-ike-gateway address P81_GW_ADDRESS Set security ike gateway p81-ike-gateway ike-policy p81-policy The external interface is the interface on which the above IP is configured (Local Identity Inet).
Replace P81_GW_ADDRESS with your Perimeter 81 gateway IP, LOCAL_ADDRESS with your local public IP. Set security ike policy p81-policy pre-shared-key ascii-text SHARED_SHARED_STRINGĦ. Set security ike policy p81-policy proposals p81 Replace SHARED_SHARED_STRING with the shared secret you generated at the Perimeter 81 platform. Set security ike proposal p81 lifetime-seconds 28800Ĥ. Set security ike proposal p81 encryption-algorithm aes-256-cbc Set security ike proposal p81 authentication-algorithm sha-256 Set security ike proposal p81 dh-group group14 Set security ike proposal p81 authentication-method pre-shared-keys Set security ike proposal p81 description Perimeter81-SRXTunnel Do not assign an IP address but make sure it’s enabled for layer 3 communication. Each step is accompanied by a command that needs to be executed at the JunOS interface.ġ. If you are more comfortable with a GUI, you can also generate the same configuration using the official Juniper VPN configuration generator. The following section contains step-by-step CLI configuration.
0 kommentar(er)
