Building a GRE-over-IPsec tunnel between a Mikrotik hEX S and a Juniper SRX over a USB modem

Objective

We need to set up a VPN tunnel between two devices: a Mikrotik and a Juniper SRX.

What we have

On the Mikrotik side we went through the wiki on the Mikrotik website and picked a model that supports hardware IPsec encryption; the one that turned out to be compact and cheap enough for us is the Mikrotik hEX S.

The USB modem was bought from the nearest mobile operator; the model is a Huawei E3370. We did nothing to unlock it from the operator: everything is managed and flashed by the operator itself.

At the core sits the central Juniper SRX240H router.

What worked

We were able to implement a working scheme in which, through a mobile operator and without a static address, the modem is used to bring up an IPsec connection, and a GRE tunnel is wrapped inside it.

This connection scheme is in use and works with Beeline and Megafon USB modems.

The setup is as follows:

Core: Juniper SRX240H
Local address: 192.168.1.1/24
External address: 1.1.1.1/30
GW: 1.1.1.2

Remote site

Mikrotik hEX S
Local address: 192.168.152.1/24
External address: dynamic

A small diagram to help follow how it works:



Juniper SRX240 configuration:

Software version: JUNOS Software Release [12.1X46-D82]

Juniper configuration

    interfaces {
        ge-0/0/0 {
            description Internet-1;
            unit 0 {
                family inet {
                    address 1.1.1.1/30;
                }
            }
        }
        gr-0/0/0 {
            unit 1 {
                description GRE-Tunnel;
                tunnel {
                    source 172.31.152.2;
                    destination 172.31.152.1;
                }
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        st0 {
            unit 5 {
                description "Area - 192.168.152.0/24";
                family inet {
                    mtu 1400;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.2;
            route 192.168.152.0/24 next-hop gr-0/0/0.1;
            route 172.31.152.0/30 next-hop st0.5;
        }
        router-id 192.168.1.1;
    }
    security {
        ike {
            traceoptions {
                file vpn.log size 256k files 5;
                flag all;
            }
            policy ike-gretunnel {
                mode aggressive;
                description area-192.168.152.0;
                proposal-set standard;
                pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
            }
            gateway gw-gretunnel {
                ike-policy ike-gretunnel;
                dynamic inet 172.31.152.1;
                external-interface ge-0/0/0.0;
                version v2-only;
            }
        }
        ipsec {
            policy vpn-policy0 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn vpn-gretunnel {
                bind-interface st0.5;
                df-bit copy;
                vpn-monitor {
                    optimized;
                    source-interface st0.5;
                    destination-ip 172.31.152.1;
                }
                ike {
                    gateway gw-gretunnel;
                    no-anti-replay;
                    ipsec-policy vpn-policy0;
                    install-interval 10;
                }
                establish-tunnels immediately;
            }
        }
        policies {
            from-zone vpn to-zone vpn {
                policy st-vpn-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
            from-zone trust to-zone vpn {
                policy st-trust-to-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
            from-zone vpn to-zone trust {
                policy st-vpn-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone vpn {
                interfaces {
                    st0.5 {
                        host-inbound-traffic {
                            protocols {
                                ospf;
                            }
                        }
                    }
                    gr-0/0/0.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-local {
            vlan-id 5;
            l3-interface vlan.1;
        }
    }
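The `mtu 1400` on st0.5 and `df-bit copy` only make sense together with the encapsulation overhead: a GRE packet leaving st0 gains an outer IP header, the ESP header, the cipher IV, CBC padding, the ESP trailer and the HMAC, plus a UDP header when NAT-T is in play, which it normally is for a peer behind carrier NAT with a dynamic address. The Python below is an added example, not code from the post, Juniper or Mikrotik; it uses the standard header sizes, assumes HMAC-SHA1-96 as the integrity algorithm (the one the standard proposal sets in the listings default to), and takes the LTE path MTU as a parameter because the page does not say what the carrier delivers.

```python
"""Encapsulation arithmetic behind 'mtu 1400' on st0.5 and 'df-bit copy'.

Added example for this write-up, not code from the post, Juniper or Mikrotik.
Header sizes are the standard ones; the WAN path MTU is a parameter because
the page does not say what the LTE carrier delivers.
"""

# Fixed per-packet sizes in bytes for ESP tunnel mode carrying GRE.
OUTER_IP, ESP_HEADER, UDP_NAT_T = 20, 8, 8       # NAT-T adds a UDP/4500 header behind carrier NAT
GRE_HEADER, INNER_IP, TCP_HEADER = 4, 20, 20
ESP_TRAILER, ICV_SHA1_96 = 2, 12                 # pad-length + next-header; HMAC-SHA1-96 (assumed integrity algorithm)
CIPHERS = {                                      # (IV length, block size) for the CBC ciphers in the listings
    "aes-256-cbc": (16, 16), "aes-128-cbc": (16, 16), "3des": (8, 8),
}


def esp_packet_size(inner_len, cipher="aes-128-cbc", nat_t=True):
    """Bytes on the wire for an inner packet of inner_len bytes wrapped in ESP tunnel mode."""
    iv, block = CIPHERS[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # CBC pads plaintext+trailer up to a block multiple
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HEADER + iv + padded + ICV_SHA1_96


def fits(st0_mtu, path_mtu, cipher="aes-128-cbc", nat_t=True):
    """True when the largest packet st0 will emit still crosses path_mtu without fragmentation.

    With 'df-bit copy' an inner DF bit is copied to the ESP packet, so a False here
    means DF-marked traffic (most TCP, because of path-MTU discovery) is dropped, not fragmented.
    """
    return esp_packet_size(st0_mtu, cipher, nat_t) <= path_mtu


def max_inner_for_path(path_mtu, cipher="aes-128-cbc", nat_t=True):
    """Largest st0/GRE packet size that fits path_mtu: the value to give 'mtu' on st0."""
    size = path_mtu
    while not fits(size, path_mtu, cipher, nat_t):
        size -= 1
    return size


def gre_tcp_mss(st0_mtu):
    """TCP MSS for hosts whose traffic rides GRE inside st0: strip GRE, inner IP and TCP headers."""
    return st0_mtu - GRE_HEADER - INNER_IP - TCP_HEADER


if __name__ == "__main__":
    for path in (1500, 1460):                      # 1460 is a constructed, lower carrier path MTU
        print(f"path MTU {path}: st0 mtu 1400 fits={fits(1400, path)}, "
              f"largest st0 mtu={max_inner_for_path(path)}, TCP MSS over GRE={gre_tcp_mss(1400)}")
```

With 1400-byte GRE packets the ESP packet is 1472 bytes with NAT-T (1464 without), so it clears a 1500-byte path and copying the DF bit never forces a drop there; on a path below 1472 bytes the check fails and the st0 MTU has to come down (a TCP MSS clamp of 1356 for TCP over GRE at mtu 1400 follows from the same arithmetic).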


Mikrotik hEX S configuration:

Software version: RouterOS [6.44.3]

Mikrotik configuration

    /ip address
    add address=172.31.152.1/24 comment=GRE-Tunnel interface=gre-srx network=172.31.152.0
    add address=192.168.152.1/24 comment=Local-Area interface=bridge network=192.168.152.0
    /interface gre
    add comment=GRE-Tunnel-SRX-HQ !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
    /ip ipsec policy group
    add name=srx-gre
    /ip ipsec profile
    add dh-group=modp1024 dpd-interval=10s name=profile1
    /ip ipsec peer
    add address=1.1.1.1/32 comment=GRE-SRX exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
    /ip ipsec proposal
    set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
    add enc-algorithms=aes-128-cbc,3des name=proposal1
    /ip route
    add distance=10 dst-address=192.168.0.0/16 gateway=gre-srx
    /ip ipsec identity
    add comment=IPSec-GRE my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
    /ip ipsec policy
    set 0 disabled=yes
    add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
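The two listings have to agree on a handful of values that are easy to get wrong on one side only: the GRE endpoints (mirrored between `gr-0/0/0.1` and `gre-srx`), the IKE identity the dynamic peer presents (`dynamic inet` on the SRX versus `my-id` on the Mikrotik), the pre-shared key, the SRX's external address as both the Mikrotik's peer and its SA destination, the phase-1 DH group, and the IKE version. The script below is an added example, not code from the post, Juniper or Mikrotik: it parses trimmed, constructed copies of both listings and cross-checks them. Its Junos parser understands only the brace syntax shown here, its RouterOS parser assumes values without spaces as in this export, and the DH-group name table (Junos `group2` is RouterOS `modp1024`, and the Junos `standard` IKE proposal-set uses group 2) is ordinary vendor naming. Run on the page's values every check passes except the IKE version: the SRX gateway has `version v2-only` while the Mikrotik peer uses `exchange-mode=aggressive`, which is IKEv1 (on RouterOS only `exchange-mode=ike2` selects IKEv2), so that is the first thing to reconcile if phase 1 never completes.

```python
"""Cross-check a GRE-over-IPsec pair: Junos (SRX) against RouterOS (Mikrotik).
Added example for this write-up, not code from the post, Juniper or Mikrotik.
Both config samples are constructed, trimmed copies of the page's listings."""
import re

SRX_CONFIG = """
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 1.1.1.1/30; } } }
    gr-0/0/0 { unit 1 { tunnel { source 172.31.152.2; destination 172.31.152.1; } family inet; } }
}
security {
    ike {
        policy ike-gretunnel { mode aggressive; proposal-set standard; pre-shared-key ascii-text "mysecret"; ## SECRET-DATA
        }
        gateway gw-gretunnel { ike-policy ike-gretunnel; dynamic inet 172.31.152.1; version v2-only; }
    }
}
"""
ROS_EXPORT = """
/interface gre
add !keepalive local-address=172.31.152.1 name=gre-srx remote-address=172.31.152.2
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s name=profile1
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=aggressive local-address=172.31.152.1 name=peer2 profile=profile1
/ip ipsec identity
add my-id=address:172.31.152.1 peer=peer2 policy-template-group=srx-gre secret=mysecret
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=proposal1 sa-dst-address=1.1.1.1 sa-src-address=172.31.152.1 src-address=172.31.152.0/30 tunnel=yes
"""
# Junos DH group names -> RouterOS names, and the phase-1 group each Junos IKE proposal-set implies.
DH_GROUPS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
PROPOSAL_SET_DH = {"basic": "group1", "compatible": "group2", "standard": "group2"}


def parse_junos(text):
    """Junos brace syntax -> nested dicts; each leaf statement becomes a key mapped to True."""
    root, stack = {}, []
    cur = root
    for stmt, end in re.findall(r"([^{};]*?)\s*([{};])", re.sub(r"##[^\n]*", "", text)):
        stmt = " ".join(stmt.split())                      # collapse newlines and indentation
        if end == "{":
            stack.append(cur)
            cur = cur.setdefault(stmt, {})
        elif end == "}":
            cur = stack.pop()
        elif stmt:
            cur[stmt] = True
    return root


def leaf(node, prefix):
    """Value part of the leaf statement 'prefix <value>' directly under node, or None."""
    return next((k[len(prefix) + 1:] for k, v in node.items() if v is True and k.startswith(prefix + " ")), None)


def parse_routeros(text):
    """RouterOS export -> list of (menu, {key: value}); a '!flag' token means the flag is off."""
    records, menu = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):
            menu = line
            continue
        kv = {}
        for tok in line.split()[1:]:                       # values in this export contain no spaces
            k, _, v = tok.partition("=")
            kv[k.lstrip("!")] = v.strip('"') if v else "no"
        records.append((menu, kv))
    return records


def ros_find(records, menu, **match):
    """First record under menu whose fields equal every key=value given."""
    return next((kv for m, kv in records if m == menu and all(kv.get(k) == v for k, v in match.items())), None)


def cross_check(junos_text, ros_text):
    """Return {check: passed} for the parameters that must agree on both tunnel ends."""
    j, r = parse_junos(junos_text), parse_routeros(ros_text)
    gre = ros_find(r, "/interface gre", name="gre-srx")
    peer = ros_find(r, "/ip ipsec peer", name="peer2")
    ident = ros_find(r, "/ip ipsec identity", peer="peer2")
    pol = ros_find(r, "/ip ipsec policy", tunnel="yes")
    tun = j["interfaces"]["gr-0/0/0"]["unit 1"]["tunnel"]
    ext = leaf(j["interfaces"]["ge-0/0/0"]["unit 0"]["family inet"], "address").split("/")[0]
    ike_pol = j["security"]["ike"]["policy ike-gretunnel"]
    gw = j["security"]["ike"]["gateway gw-gretunnel"]
    return {
        # GRE endpoints must be mirror images of each other
        "gre_endpoints": leaf(tun, "source") == gre["remote-address"]
                         and leaf(tun, "destination") == gre["local-address"],
        # the SRX admits the dynamic peer by IKE ID, so it must equal the ID the Mikrotik sends
        "ike_identity": leaf(gw, "dynamic inet") == ident["my-id"].split(":", 1)[1],
        "psk": leaf(ike_pol, "pre-shared-key ascii-text").strip('"') == ident["secret"],
        # the Mikrotik dials, and builds its SA towards, the SRX's real external address
        "peer_address": peer["address"].split("/")[0] == ext == pol["sa-dst-address"],
        "phase1_dh": DH_GROUPS[PROPOSAL_SET_DH[leaf(ike_pol, "proposal-set")]]
                     == ros_find(r, "/ip ipsec profile", name=peer["profile"])["dh-group"],
        # Junos is IKEv1 unless 'version v2-only'; RouterOS is IKEv2 only with exchange-mode=ike2
        "ike_version": (leaf(gw, "version") == "v2-only") == (peer["exchange-mode"] == "ike2"),
    }


if __name__ == "__main__":
    for name, ok in cross_check(SRX_CONFIG, ROS_EXPORT).items():
        print(("OK   " if ok else "FAIL ") + name)
```

The parsers are deliberately minimal so they stay readable; pointing them at a real `show configuration` or `/export` output works as long as the stanzas referenced in `cross_check` exist under the same names.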

Results:

From the Juniper SRX

    netscreen@srx240> ping 192.168.152.1
    PING 192.168.152.1 (192.168.152.1): 56 data bytes
    64 bytes from 192.168.152.1: icmp_seq=0 ttl=64 time=29.290 ms
    64 bytes from 192.168.152.1: icmp_seq=1 ttl=64 time=28.126 ms
    64 bytes from 192.168.152.1: icmp_seq=2 ttl=64 time=26.775 ms
    64 bytes from 192.168.152.1: icmp_seq=3 ttl=64 time=25.401 ms
    ^C
    --- 192.168.152.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 25.401/27.398/29.290/1.457 ms

From the Mikrotik

    [admin@GW-LTE-net] > ping 192.168.1.1
      SEQ HOST                                     SIZE TTL TIME  STATUS
        0 192.168.1.1                                56  64 34ms
        1 192.168.1.1                                56  64 40ms
        2 192.168.1.1                                56  64 37ms
        3 192.168.1.1                                56  64 40ms
        4 192.168.1.1                                56  64 51ms
        sent=5 received=5 packet-loss=0% min-rtt=34ms avg-rtt=40ms max-rtt=51ms

Conclusion

Once the work was done we had a stable VPN tunnel: from the remote network we can reach the whole network behind the Juniper, and vice versa.

I do not recommend using IKEv2 in this scheme; we ran into a situation where, after a device reboot, IPsec did not come up.

Source: https://habr.com/ru/post/id455425/