Connection diagram:
Install Openswan on the server and enable it at boot. chkconfig is the RHEL-style tool and is not installed by default on Ubuntu; on a sysvinit Ubuntu box the equivalent is update-rc.d ipsec defaults:
apt-get install openswan
chkconfig ipsec on
Disable sending and accepting ICMP redirects, which Openswan's ipsec verify otherwise complains about. Writing to /proc does not survive a reboot, so also put the same keys (net.ipv4.conf.all.send_redirects = 0 and so on) into /etc/sysctl.conf:
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
We will authenticate with a pre-shared key.
Phase 1 (IKE) uses AES-256, SHA-1 and DH group 2 (modp1024) with a one-day lifetime;
phase 2 (ESP) uses AES-256 with SHA-1, PFS over group 2 and a one-hour lifetime. SHA-1 and a 1024-bit DH group are the weak end of what is still deployed; if both ends support it, prefer SHA-256 and DH group 14 (modp2048) in both the ike/phase2alg lines here and the matching proposals on the Juniper:
Edit the tunnel configuration in /etc/ipsec.conf (parameter lines inside a section must be indented; a line starting in column 0 begins a new section):
config setup
    interfaces=%defaultroute
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/pluto.log

conn IPSec1
    auto=start
    type=tunnel
    left=10.10.10.10
    leftnexthop=%defaultroute
    leftsubnet=10.10.10.10/32
    leftsourceip=10.10.10.10
    leftid=5.180.180.180
    right=150.50.50.50
    rightsubnet=10.20.20.0/24
    keyexchange=ike
    ike=aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret
    rekey=yes
    forceencaps=yes
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
    phase2=esp
    phase2alg=aes256-sha1;modp1024
    salifetime=3600s
    pfs=yes
Put the pre-shared key in /etc/ipsec.secrets. The two addresses are the IKE identities of the two ends (leftid and right from the conn above), and the file must be readable by root only (mode 0600): anyone who can read it can impersonate either end of the tunnel.
5.180.180.180 150.50.50.50 : PSK "3P123445667788899SSD"
Then restart the daemon:
/etc/init.d/ipsec restart
Tunnel settings on the Juniper SRX. The values must mirror the Openswan side: aes-256-cbc/sha1/group2 with an 86400 s lifetime for phase 1, aes-256-cbc/hmac-sha1-96 with PFS group2 and 3600 s for phase 2, and proxy identities that are the swap of leftsubnet/rightsubnet. The gateway address is the public address the Openswan host is seen from after NAT. One thing to watch: the gateway's remote-identity below is 10.10.10.10, while ipsec.conf above sends leftid=5.180.180.180 as its IKE identity (and the ipsec.secrets entry is keyed on that value); if phase 1 fails with an identity mismatch, set both sides to the same address.
For phase 1:
set interfaces st0 unit 10 description VPN-to-UBUNTU
set interfaces st0 unit 10 family inet
set security ike proposal oneday authentication-method pre-shared-keys
set security ike proposal oneday dh-group group2
set security ike proposal oneday authentication-algorithm sha1
set security ike proposal oneday encryption-algorithm aes-256-cbc
set security ike proposal oneday lifetime-seconds 86400
set security ike policy OPENSWAN mode main
set security ike policy OPENSWAN proposals oneday
set security ike policy OPENSWAN pre-shared-key ascii-text "3P123445667788899SSD"
set security ike gateway OPENSWAN ike-policy OPENSWAN
set security ike gateway OPENSWAN address 5.180.180.180
set security ike gateway OPENSWAN dead-peer-detection
set security ike gateway OPENSWAN local-identity inet 150.50.50.50
set security ike gateway OPENSWAN remote-identity inet 10.10.10.10
set security ike gateway OPENSWAN external-interface lo0.0
For phase 2:
set security ipsec proposal OPENSWAN-PS protocol esp
set security ipsec proposal OPENSWAN-PS authentication-algorithm hmac-sha1-96
set security ipsec proposal OPENSWAN-PS encryption-algorithm aes-256-cbc
set security ipsec proposal OPENSWAN-PS lifetime-seconds 3600
set security ipsec policy OPENSWAN perfect-forward-secrecy keys group2
set security ipsec policy OPENSWAN proposals OPENSWAN-PS
set security ipsec vpn OPENSWAN bind-interface st0.10
set security ipsec vpn OPENSWAN ike gateway OPENSWAN
set security ipsec vpn OPENSWAN ike proxy-identity local 10.20.20.0/24
set security ipsec vpn OPENSWAN ike proxy-identity remote 10.10.10.10/32
set security ipsec vpn OPENSWAN ike proxy-identity service any
set security ipsec vpn OPENSWAN ike ipsec-policy OPENSWAN
set security ipsec vpn OPENSWAN establish-tunnels immediately
Next, assign the new st0.10 interface to the security zone you need and write the security policies for the traffic; without a zone and a permit policy the SRX drops everything that arrives over the tunnel.
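Because almost every failed tunnel of this kind comes down to the two ends disagreeing on a phase-1 or phase-2 parameter, here is an added example (my own script, not part of the original post or of Openswan/Junos) that translates the Openswan conn into the Junos spelling and lists every value the SRX config disagrees on. Both inputs are constructed from the values on this page. The algorithm-name tables, the assumption of one proposal/gateway/policy/vpn object per side, and taking the PFS group from the ";modpN" suffix of phase2alg are assumptions of the script. Run against the configs as printed above it reports exactly one mismatch, the IKE identity (leftid versus remote-identity):

```python
"""Cross-check an Openswan conn against the Junos SRX config for the same tunnel.

Added example, not code from the original post. Phase-1/phase-2 mismatches are
the usual reason such a tunnel never comes up, so this script translates the
Openswan parameters into the Junos spelling and lists every value the two ends
disagree on. Both inputs are CONSTRUCTED here from the values on the page.
Assumptions: the algorithm-name tables below; one proposal/gateway/policy/vpn
object per side; PFS group taken from the ';modpN' suffix of phase2alg."""
import re

OPENSWAN_CONN = """\
conn IPSec1
    left=10.10.10.10
    leftsubnet=10.10.10.10/32
    leftid=5.180.180.180
    right=150.50.50.50
    rightsubnet=10.20.20.0/24
    ike=aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret
    phase2=esp
    phase2alg=aes256-sha1;modp1024
    salifetime=3600s
    pfs=yes
"""

JUNOS_SET = """\
set security ike proposal oneday authentication-method pre-shared-keys
set security ike proposal oneday dh-group group2
set security ike proposal oneday authentication-algorithm sha1
set security ike proposal oneday encryption-algorithm aes-256-cbc
set security ike proposal oneday lifetime-seconds 86400
set security ike gateway OPENSWAN local-identity inet 150.50.50.50
set security ike gateway OPENSWAN remote-identity inet 10.10.10.10
set security ipsec proposal OPENSWAN-PS protocol esp
set security ipsec proposal OPENSWAN-PS authentication-algorithm hmac-sha1-96
set security ipsec proposal OPENSWAN-PS encryption-algorithm aes-256-cbc
set security ipsec proposal OPENSWAN-PS lifetime-seconds 3600
set security ipsec policy OPENSWAN perfect-forward-secrecy keys group2
set security ipsec vpn OPENSWAN ike proxy-identity local 10.20.20.0/24
set security ipsec vpn OPENSWAN ike proxy-identity remote 10.10.10.10/32
"""

# Openswan algorithm tokens -> Junos names (assumed mapping; extend for other suites)
ENC = {"aes256": "aes-256-cbc", "aes128": "aes-128-cbc", "3des": "3des-cbc"}
IKE_AUTH = {"sha1": "sha1", "sha256": "sha-256", "md5": "md5"}
ESP_AUTH = {"sha1": "hmac-sha1-96", "sha256": "hmac-sha-256-128", "md5": "hmac-md5-96"}
DH = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}

SET_LINE = re.compile(r"^set security (ike|ipsec) (proposal|gateway|policy|vpn) \S+ (.+?) (\S+)$")


def parse_openswan(text):
    """key=value pairs of one conn section (the 'conn NAME' header is skipped)."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_junos(text):
    """'set security ike proposal X dh-group group2' -> {'ike proposal dh-group': 'group2'}.
    Object names are dropped, which is why one object per kind is assumed."""
    have = {}
    for line in text.splitlines():
        m = SET_LINE.match(line.strip())
        if m:
            family, kind, attr, value = m.groups()
            have[f"{family} {kind} {attr}"] = value
    return have


def expected_junos(conn):
    """What the SRX must be configured with for this Openswan conn to match."""
    p1_enc, p1_auth, p1_dh = conn["ike"].split("-")
    p2_algs, _, p2_dh = conn["phase2alg"].partition(";")
    p2_enc, p2_auth = p2_algs.split("-")
    auth_method = "pre-shared-keys" if conn.get("authby") == "secret" else "rsa-signatures"
    exp = {
        "ike proposal encryption-algorithm": ENC[p1_enc],
        "ike proposal authentication-algorithm": IKE_AUTH[p1_auth],
        "ike proposal dh-group": DH[p1_dh],
        "ike proposal lifetime-seconds": conn["ikelifetime"].rstrip("s"),
        "ike proposal authentication-method": auth_method,
        # IKE identities: Openswan sends leftid (default: left), expects rightid (default: right)
        "ike gateway remote-identity inet": conn.get("leftid", conn["left"]),
        "ike gateway local-identity inet": conn.get("rightid", conn["right"]),
        "ipsec proposal protocol": conn.get("phase2", "esp"),
        "ipsec proposal encryption-algorithm": ENC[p2_enc],
        "ipsec proposal authentication-algorithm": ESP_AUTH[p2_auth],
        "ipsec proposal lifetime-seconds": conn["salifetime"].rstrip("s"),
        # proxy IDs are mirrored: the SRX 'local' side is Openswan's rightsubnet
        "ipsec vpn ike proxy-identity local": conn["rightsubnet"],
        "ipsec vpn ike proxy-identity remote": conn["leftsubnet"],
    }
    if conn.get("pfs", "yes") == "yes":
        exp["ipsec policy perfect-forward-secrecy keys"] = DH[p2_dh or p1_dh]
    return exp


def mismatches(openswan_text, junos_text):
    """Sorted (parameter, value implied by Openswan, value on SRX) for every disagreement."""
    exp = expected_junos(parse_openswan(openswan_text))
    have = parse_junos(junos_text)
    return sorted((k, v, have.get(k)) for k, v in exp.items() if have.get(k) != v)


if __name__ == "__main__":
    for param, want, got in mismatches(OPENSWAN_CONN, JUNOS_SET):
        print(f"MISMATCH {param}: Openswan implies {want!r}, SRX has {got!r}")
```

Changing leftid to 10.10.10.10 (together with the ipsec.secrets entry) or the SRX remote-identity to 5.180.180.180 makes the list empty; any later change to a cipher, DH group or lifetime on one side only shows up the same way.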
Check that the tunnel is up. On the SRX there should be one SA per direction (< inbound, > outbound), both ESP with aes-cbc-256/sha1; the 2359/ unlim column is the remaining lifetime in seconds / kilobytes, and port 4500 confirms that ESP is UDP-encapsulated (NAT-T), as forceencaps=yes requires. On the Openswan side, ipsec auto --status should list IPSec1 with "IPsec SA established":
dshrainer@SRX> show security ipsec security-associations | match 5.180.180.180
<131594 ESP:aes-cbc-256/sha1 83e22525 2359/ unlim - root 4500 5.180.180.180
>131594 ESP:aes-cbc-256/sha1 c1059af2 2359/ unlim - root 4500 5.180.180.180
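If you monitor such tunnels rather than eyeball them once, the same check can be scripted. The following is an added example (my own code, not from the original post or from Juniper) that parses the two SA lines shown above, copied into a constructed string, and reports anything a practitioner would not want to see: a missing direction, a protocol or algorithm other than the configured ESP aes-cbc-256/sha1, a port other than 4500 when NAT-T is expected, or an exhausted lifetime. The column layout (direction+index, proto:enc/auth, SPI, life sec/kb, monitoring, vsys, port, gateway) is assumed from the output above.

```python
"""Health check over 'show security ipsec security-associations' output from the SRX.

Added example, not code from the original post. It parses the two SA lines the
page shows (copied into a CONSTRUCTED string) and verifies what you want to see
after the tunnel comes up: an SA in each direction, ESP with the configured
algorithms, UDP port 4500 (NAT-T, which forceencaps=yes demands) and remaining
lifetime. Column layout assumed from the page's output: direction+index,
proto:enc/auth, SPI, life sec/kb, monitoring, vsys, port, gateway."""
import re

SA_OUTPUT = """\
dshrainer@SRX> show security ipsec security-associations | match 5.180.180.180
<131594 ESP:aes-cbc-256/sha1 83e22525 2359/ unlim - root 4500 5.180.180.180
>131594 ESP:aes-cbc-256/sha1 c1059af2 2359/ unlim - root 4500 5.180.180.180
"""

SA_LINE = re.compile(
    r"^(?P<dir>[<>])(?P<idx>\d+)\s+"                       # '<' inbound, '>' outbound
    r"(?P<proto>\w+):(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+"  # ESP:aes-cbc-256/sha1
    r"(?P<spi>[0-9a-f]+)\s+"
    r"(?P<life_sec>\d+|unlim)/\s*(?P<life_kb>\d+|unlim)\s+"
    r"(?P<mon>\S+)\s+(?P<vsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)$"
)


def parse_sas(text):
    """Return one dict per SA line; the prompt and any header lines are ignored."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["port"] = int(sa["port"])
            sas.append(sa)
    return sas


def check_tunnel(text, gateway, enc, auth, expect_nat_t=True):
    """List of problems for the SAs towards `gateway`; an empty list means healthy."""
    sas = [s for s in parse_sas(text) if s["gw"] == gateway]
    problems = []
    present = {s["dir"] for s in sas}
    if "<" not in present:
        problems.append("no inbound SA")
    if ">" not in present:
        problems.append("no outbound SA")
    for s in sas:
        tag = f"SA {s['dir']}{s['idx']}"
        if s["proto"] != "ESP":
            problems.append(f"{tag}: protocol {s['proto']}, expected ESP")
        if (s["enc"], s["auth"]) != (enc, auth):
            problems.append(f"{tag}: negotiated {s['enc']}/{s['auth']}, expected {enc}/{auth}")
        if expect_nat_t and s["port"] != 4500:
            problems.append(f"{tag}: port {s['port']}, expected 4500 (NAT-T)")
        if s["life_sec"] != "unlim" and int(s["life_sec"]) == 0:
            problems.append(f"{tag}: lifetime exhausted, SA about to expire")
    return problems


if __name__ == "__main__":
    issues = check_tunnel(SA_OUTPUT, "5.180.180.180", "aes-cbc-256", "sha1")
    print("tunnel OK" if not issues else "\n".join(issues))
```

Feed it the live command output (for example over SSH or from the Junos XML API) and alert on a non-empty list; a single-direction SA is the classic symptom of a proxy-ID mismatch or a policy that only permits traffic one way.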