Criptografia de encriptação de link de controle de CLUSTER HA do chassi
Conecte as portas de controle dedicadas no nó 0 e no nó 1. Conecte as portas fabricadas definidas pelo usuário em nós 0 e nó 1. Para configurar dois chassis no modo cluster, siga as etapas abaixo:
Habilite o modo cluster do chassi em ambos os nós, veja a visão geral da configuração de cluster do chassi da Série SRX.
- Depois de habilitar o cluster do chassi, no dispositivo 1, configure a criptografia do link HA conforme mostrado na configuração de amostra abaixo, comprometa e reinicialize. O dispositivo 1 precisa ser configurado com configuração de criptografia de enlace de ha node0 e nó1 antes de confirmar e reiniciar.
[edit] user@host# set groups node0 security ike proposal HA authentication-method pre-shared-keys user@host# set groups node0 security ike proposal HA dh-group group20 user@host# set groups node0 security ike proposal HA authentication-algorithm sha-256 user@host# set groups node0 security ike proposal HA encryption-algorithm aes-256-cbc user@host# set groups node0 security ike policy HA proposals HA user@host# prompt groups node0 security ike policy HA pre-shared-key ascii-text This Should Be A Strong And Secure Key Retype This Should Be A Strong And Secure Key user@host# set groups node0 security ike gateway HA ike-policy HA user@host# set groups node0 security ike gateway HA version v2-only user@host# set groups node0 security ipsec proposal HA protocol esp user@host# set groups node0 security ipsec proposal HA authentication-algorithm hmac-sha1-96 user@host# set groups node0 security ipsec proposal HA encryption-algorithm aes-256-cbc user@host# set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20 user@host# set groups node0 security ipsec policy HA proposal HA user@host# set groups node0 security ipsec vpn HA ha-link-encryption user@host# set groups node0 security ipsec vpn HA ike gateway HA user@host# set groups node0 security ipsec vpn HA ike ipsec-policy HA user@host# set groups node1 security ike proposal HA authentication-method pre-shared-keys user@host# set groups node1 security ike proposal HA dh-group group20 user@host# set groups node1 security ike proposal HA authentication-algorithm sha-256 user@host# set groups node1 security ike proposal HA encryption-algorithm aes-256-cbc user@host# set groups node1 security ike policy HA proposals HA user@host# prompt groups node1 security ike policy HA pre-shared-key ascii-text New ascii-text(secret): juniper Retype This Should Be A Strong And Secure Key user@host# set groups node1 security ike gateway HA ike-policy HA user@host# set groups node1 security ike gateway HA version v2-only user@host# set groups node1 security ipsec proposal HA protocol esp user@host# set groups node1 security ipsec proposal HA authentication-algorithm hmac-sha1-96 user@host# set groups node1 security ipsec proposal HA encryption-algorithm aes-256-cbc user@host# set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20 user@host# set groups node1 security ipsec policy HA proposals HA user@host# set groups node1 security ipsec vpn HA ha-link-encryption user@host# set groups node1 security ipsec vpn HA ike gateway HA user@host# set groups node1 security ipsec vpn HA ike ipsec-policy HA user@host# commit user@host> request system reboot - Para prosseguir ainda mais com a configuração e o compromisso do dispositivo 2, você precisa garantir que o dispositivo 1 e o dispositivo 2 não podem ser alcançados entre si. Uma maneira de conseguir isso é desligar o dispositivo 1 neste momento.
- Após a ativação do dispositivo 2, configure a criptografia do link HA conforme mostrado na configuração de amostra abaixo no dispositivo 2. O dispositivo 2 precisa ser configurado com configuração de criptografia de enlace de ha node0 e nó1. Comprometa-se no nó1 (dispositivo 2) e finalmente reinicialize o nó1 (dispositivo 2).
[edit] user@host# set groups node0 security ike proposal HA authentication-method pre-shared-keys user@host# set groups node0 security ike proposal HA dh-group group20 user@host# set groups node0 security ike proposal HA authentication-algorithm sha-256 user@host# set groups node0 security ike proposal HA encryption-algorithm aes-256-cbc user@host# set groups node0 security ike policy HA proposals HA user@host# prompt groups node0 security ike policy HA pre-shared-key ascii-text This Should Be A Strong And Secure Key Retype This Should Be A Strong And Secure Key user@host# set groups node0 security ike gateway HA ike-policy HA user@host# set groups node0 security ike gateway HA version v2-only user@host# set groups node0 security ipsec proposal HA protocol esp user@host# set groups node0 security ipsec proposal HA authentication-algorithm hmac-sha1-96 user@host# set groups node0 security ipsec proposal HA encryption-algorithm aes-256-cbc user@host# set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20 user@host# set groups node0 security ipsec policy HA proposal HA user@host# set groups node0 security ipsec vpn HA ha-link-encryption user@host# set groups node0 security ipsec vpn HA ike gateway HA user@host# set groups node0 security ipsec vpn HA ike ipsec-policy HA user@host# set groups node1 security ike proposal HA authentication-method pre-shared-keys user@host# set groups node1 security ike proposal HA dh-group group20 user@host# set groups node1 security ike proposal HA authentication-algorithm sha-256 user@host# set groups node1 security ike proposal HA encryption-algorithm aes-256-cbc user@host# set groups node1 security ike policy HA proposals HA user@host# prompt groups node1 security ike policy HA pre-shared-key ascii-text New ascii-text(secret): juniper Retype This Should Be A Strong And Secure Key user@host# set groups node1 security ike gateway HA ike-policy HA user@host# set groups node1 security ike gateway HA version v2-only user@host# set groups node1 security ipsec proposal HA protocol esp user@host# set groups node1 security ipsec proposal HA authentication-algorithm hmac-sha1-96 user@host# set groups node1 security ipsec proposal HA encryption-algorithm aes-256-cbc user@host# set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20 user@host# set groups node1 security ipsec policy HA proposals HA user@host# set groups node1 security ipsec vpn HA ha-link-encryption user@host# set groups node1 security ipsec vpn HA ike gateway HA user@host# set groups node1 security ipsec vpn HA ike ipsec-policy HA user@host# commit user@host> request system rebootNota: Para habilitar a criptografia de enlaces HA no nó1 na etapa 3, o outro nó precisa estar em estado perdido para que o compromisso seja adiante. Portanto, esse tempo precisa ser cuidado por você, a etapa 3 precisa ser refeito até que a criptografia de enlaces HA no nó1 commit passe.