Juniper SSG5 route-based site-to-site policy-less VPN with VPN monitor

site A: Juniper SSG 140 (with two internet connections)
site B: Juniper SSG5 (with one internet connection)

site A:
——–
ISP1 10.10.10.1/30
set interface ethernet0/8 ip 10.10.10.1/30
set interface ethernet0/8 route
set route 0.0.0.0/0 interface ethernet0/8 gateway 10.10.10.2

ISP2 10.10.20.1/30
set interface ethernet0/9 ip 10.10.20.1/30
set interface ethernet0/9 route
set route 0.0.0.0/0 interface ethernet0/9 gateway 10.10.20.2 preference 40

LAN 10.1.2.0/24
set interface ethernet0/6 ip 10.1.2.1/24
set interface ethernet0/6 route

tunnel.1
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet0/6
set route 10.1.1.0/24 interface tunnel.1

tunnel.2
set interface "tunnel.2" zone "Trust"
set interface tunnel.2 ip unnumbered interface ethernet0/6
set route 10.1.1.0/24 interface tunnel.2 preference 40

VPN:
——
gateway1:
set ike gateway "VPN-MAIN" address 10.10.30.1 Main outgoing-interface "ethernet0/8" preshare "almaalma" proposal "pre-g2-3des-sha"

gateway2:
set ike gateway "VPN-BACKUP" address 10.10.30.1 Main outgoing-interface "ethernet0/9" preshare "kortekorte" proposal "pre-g2-3des-sha"

VPN1:
set vpn "VPN-MAIN" gateway "VPN-MAIN" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "VPN-MAIN" monitor source-interface ethernet0/6 destination-ip 10.1.1.1 optimized rekey
set vpn "VPN-MAIN" id 0x4 bind interface tunnel.1

VPN2:
set vpn "VPN-BACKUP" gateway "VPN-BACKUP" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "VPN-BACKUP" id 0x5 bind interface tunnel.2

Policy:
——-
I use only a single policy, and that is the whole point: the tunnel interfaces sit in the Trust zone together with the LAN, so site-to-site traffic stays inside one zone and needs no policy at all. The one policy that exists is Trust->Untrust with source NAT, for internet access.
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 4
exit
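As an added consistency check, not part of the original post: a small Python lint over the routing and VPN lines of the site A configuration above. It parses the `set ike gateway`, `set vpn` and `set route` statements and verifies what this failover design relies on: every tunnel route has a VPN bound to its interface, every bound VPN and every referenced IKE gateway is actually defined, the two routes for the remote LAN carry distinct preferences, the primary tunnel's VPN has a `monitor` statement (without VPN monitor the tunnel interface stays up when the peer is unreachable, the route is never withdrawn and the backup never takes over), and the primary and backup leave through different ISP interfaces. The default static-route preference of 20 used when a route carries no explicit preference is an assumption of this script, not something the post states. The embedded copy deliberately binds tunnel.2 to a VPN named "VPN-BACKUP-alma" while the VPN is defined as "VPN-BACKUP", to show the kind of mismatch the lint catches.

```python
import re
from collections import defaultdict

# Routing and VPN lines of the site A configuration from the post, embedded so
# the lint runs offline. The tunnel.2 bind line deliberately names
# "VPN-BACKUP-alma" although the VPN is defined as "VPN-BACKUP".
SITE_A_CONFIG = """
set route 0.0.0.0/0 interface ethernet0/8 gateway 10.10.10.2
set route 0.0.0.0/0 interface ethernet0/9 gateway 10.10.20.2 preference 40
set interface "tunnel.1" zone "Trust"
set route 10.1.1.0/24 interface tunnel.1
set interface "tunnel.2" zone "Trust"
set route 10.1.1.0/24 interface tunnel.2 preference 40
set ike gateway "VPN-MAIN" address 10.10.30.1 Main outgoing-interface "ethernet0/8" preshare "almaalma" proposal "pre-g2-3des-sha"
set ike gateway "VPN-BACKUP" address 10.10.30.1 Main outgoing-interface "ethernet0/9" preshare "kortekorte" proposal "pre-g2-3des-sha"
set vpn "VPN-MAIN" gateway "VPN-MAIN" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "VPN-MAIN" monitor source-interface ethernet0/6 destination-ip 10.1.1.1 optimized rekey
set vpn "VPN-MAIN" id 0x4 bind interface tunnel.1
set vpn "VPN-BACKUP" gateway "VPN-BACKUP" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "VPN-BACKUP-alma" id 0x5 bind interface tunnel.2
"""

# The same configuration with the bind line corrected.
FIXED_CONFIG = SITE_A_CONFIG.replace('"VPN-BACKUP-alma"', '"VPN-BACKUP"')

# Assumption: ScreenOS gives static routes preference 20 when none is set.
DEFAULT_STATIC_PREFERENCE = 20

GATEWAY_RE = re.compile(r'^set ike gateway "([^"]+)" address (\S+) .*outgoing-interface "([^"]+)"')
VPN_GW_RE = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)"')
MONITOR_RE = re.compile(r'^set vpn "([^"]+)" monitor\b')
BIND_RE = re.compile(r'^set vpn "([^"]+)" id \S+ bind interface (\S+)')
ROUTE_RE = re.compile(r'^set route (\S+) interface (\S+)(?: gateway \S+)?(?: preference (\d+))?$')


def parse_config(text):
    """Extract the parts of a ScreenOS config that the tunnel failover depends on."""
    cfg = {"gateways": {}, "vpns": {}, "monitors": set(), "bindings": {}, "routes": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := GATEWAY_RE.match(line):
            cfg["gateways"][m[1]] = {"peer": m[2], "outgoing": m[3]}
        elif m := VPN_GW_RE.match(line):
            cfg["vpns"][m[1]] = m[2]            # vpn name -> ike gateway name
        elif m := MONITOR_RE.match(line):
            cfg["monitors"].add(m[1])
        elif m := BIND_RE.match(line):
            cfg["bindings"][m[2]] = m[1]        # tunnel interface -> vpn name
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m[1], m[2], int(m[3] or DEFAULT_STATIC_PREFERENCE)))
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means the failover design is consistent."""
    findings = []
    for iface, vpn in cfg["bindings"].items():
        if vpn not in cfg["vpns"]:
            findings.append(f'{iface}: bound VPN "{vpn}" is never defined')
    for vpn, gw in cfg["vpns"].items():
        if gw not in cfg["gateways"]:
            findings.append(f'vpn "{vpn}": IKE gateway "{gw}" is never defined')
    tunnel_routes = defaultdict(list)           # prefix -> [(preference, interface)]
    for prefix, iface, pref in cfg["routes"]:
        if iface.startswith("tunnel."):
            if iface not in cfg["bindings"]:
                findings.append(f"route {prefix} via {iface}: no VPN bound to the interface")
            tunnel_routes[prefix].append((pref, iface))
    for prefix, routes in tunnel_routes.items():
        if len(routes) < 2:
            continue
        routes.sort()                           # lowest preference wins in ScreenOS
        if routes[0][0] == routes[1][0]:
            findings.append(f"route {prefix}: primary and backup share preference {routes[0][0]}")
        primary = routes[0][1]
        if cfg["bindings"].get(primary) not in cfg["monitors"]:
            findings.append(f"route {prefix}: primary {primary} has no VPN monitor, "
                            "so its route is never withdrawn and the backup never takes over")
        outgoing = {cfg["gateways"].get(cfg["vpns"].get(cfg["bindings"].get(i)), {}).get("outgoing")
                    for _, i in routes}
        if None not in outgoing and len(outgoing) < len(routes):
            findings.append(f"route {prefix}: primary and backup leave through the same ISP interface")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SITE_A_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, "->", lint(parse_config(text)) or "no findings")
```

Run as a script it prints one finding for the embedded copy (the undefined "VPN-BACKUP-alma") and none for the corrected copy; removing the `monitor` line from VPN-MAIN produces the no-monitor finding instead, which is the failure mode that makes a route-preference failover silently stop working.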
