Configure an L2 HA Link Encryption Tunnel
Physically connect the two devices and make sure they are the same model. Connect the dedicated control ports on node 0 and node 1. Connect the user-defined fabric ports on node 0 and node 1. To configure the two chassis in cluster mode, perform the following steps:
- Before using them in a cluster, zeroize both SRX Series Firewalls. If the devices are already in cluster mode, make sure to disable it before the zeroize process. For information on how to disable a chassis cluster, see Disabling Chassis Cluster.
```
user@host> request system zeroize hypervisor
```
- Delete the web management service.
```
user@host# delete system services web-management
```
- Configure FIPS mode and boot the device in FIPS mode.
```
[edit]
user@host# set groups global system fips level 2
[edit]
user@host# set groups global system root-authentication plain-text-password
New password: type password here
Retype new password: retype password here
[edit]
user@host# commit
user@host> request system reboot
```
- Using the standard cluster commands, configure device 1 to operate in cluster mode as node0 with the control port configuration. See Chassis Cluster Control Plane Interfaces.
```
[edit]
user@host# set groups node0 system host-name node0-host-name
user@host# set groups node0 system backup-router gateway-address
user@host# set groups node0 system backup-router destination value
user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
user@host# set groups node1 system host-name node1-host-name
user@host# set groups node1 system backup-router gateway-address
user@host# set groups node1 system backup-router destination value
user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
user@host# set apply-groups global
user@host# set apply-groups "${node}"
user@host# delete apply-groups re0
user@host# set system ports console log-out-on-disconnect
user@host# set chassis cluster reth-count 5
user@host# set chassis cluster redundancy-group 0 node 0 priority 254
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# commit
user@host> set chassis cluster cluster-id 1 node 0 reboot
```
- After device 1 boots, configure HA link encryption as shown in the following example configuration, then commit and reboot. Both the node0 and node1 HA link encryption configuration must be present on device 1 before you commit and reboot.
```
[edit]
user@host# set groups node0 security ike traceoptions file ikelog
user@host# set groups node0 security ike traceoptions file size 100m
user@host# set groups node0 security ike traceoptions flag all
user@host# set groups node0 security ike traceoptions level 15
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups node1 security ike traceoptions file ikelog
user@host# set groups node1 security ike traceoptions file size 100m
user@host# set groups node1 security ike traceoptions flag all
user@host# set groups node1 security ike traceoptions level 15
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node1 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups global interfaces fab0 fabric-options member-interfaces xe-0/0/3
user@host# set groups global interfaces fab1 fabric-options member-interfaces xe-7/0/3
user@host# commit
user@host> request system reboot
```
- To proceed with the device 2 configuration and commit, you must make sure that device 1 and device 2 cannot reach each other. One way to achieve this is to power off device 1 at this point.
- Using the standard cluster commands, configure device 2 to operate in cluster mode as node 1 with the control port configuration. See Chassis Cluster Control Plane Interfaces.
```
[edit]
user@host# set groups node0 system host-name node0-host-name
user@host# set groups node0 system backup-router gateway-address
user@host# set groups node0 system backup-router destination value
user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
user@host# set groups node1 system host-name node1-host-name
user@host# set groups node1 system backup-router gateway-address
user@host# set groups node1 system backup-router destination value
user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
user@host# set apply-groups global
user@host# set apply-groups "${node}"
user@host# delete apply-groups re0
user@host# set system ports console log-out-on-disconnect
user@host# set chassis cluster reth-count 5
user@host# set chassis cluster redundancy-group 0 node 0 priority 254
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# commit
user@host> set chassis cluster cluster-id 1 node 1 reboot
```
- After device 2 boots, configure HA link encryption as shown in the example configuration for device 2 below. Device 2 also needs both the node 0 and node 1 HA link encryption configuration. Commit on node 1 (device 2), and finally reboot node 1 (device 2).
```
[edit]
user@host# set groups node0 security ike traceoptions file ikelog
user@host# set groups node0 security ike traceoptions file size 100m
user@host# set groups node0 security ike traceoptions flag all
user@host# set groups node0 security ike traceoptions level 15
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups node1 security ike traceoptions file ikelog
user@host# set groups node1 security ike traceoptions file size 100m
user@host# set groups node1 security ike traceoptions flag all
user@host# set groups node1 security ike traceoptions level 15
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node1 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups global interfaces fab0 fabric-options member-interfaces xe-0/0/3
user@host# set groups global interfaces fab1 fabric-options member-interfaces xe-7/0/3
user@host# commit
user@host> request system reboot
```
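The procedure above depends on two things that are easy to get wrong when the same block is typed on two devices: the node0 and node1 groups must carry identical IKE/IPsec settings, and each VPN marked `ha-link-encryption` must be bound to an IKEv2-only gateway and a PFS-enabled IPsec policy. The following checker is an added example written for this page, not Juniper's code. It assumes the `set` statements have been pasted into a string or file (with or without the echoed `user@host#` prompt) and reports drift between the node groups plus any missing binding. The sample configuration embedded in it is constructed: it mirrors the names used above but deliberately omits two statements from node1.

```python
"""Consistency check for SRX HA-link-encryption configuration groups.

Added example (not Juniper's code). Assumes the statements from the page
are available as text; `prompt`-entered secrets sit on separate lines and
are never captured.
"""
import re

# Strips an echoed Junos prompt such as "user@host# " or "user@host> ".
PROMPT_RE = re.compile(r"^\S+[#>]\s*")


def parse_set_statements(text):
    """Return {group_name: {statement_tuple, ...}} for `set groups`/`prompt groups` lines.

    Each tuple holds the tokens after "groups <name>", so node0 and node1
    statements become directly comparable.
    """
    groups = {}
    for raw in text.splitlines():
        tokens = PROMPT_RE.sub("", raw.strip()).split()
        if len(tokens) < 4 or tokens[0] not in ("set", "prompt") or tokens[1] != "groups":
            continue  # skips "[edit]", secret prompts and non-group statements
        groups.setdefault(tokens[2], set()).add(tuple(tokens[3:]))
    return groups


def node_drift(groups, a="node0", b="node1"):
    """Statements present in one node group but missing from the other."""
    sa, sb = groups.get(a, set()), groups.get(b, set())
    return sorted(sa - sb), sorted(sb - sa)


def _value_after(statements, prefix):
    """Token that follows `prefix` in the first matching statement, else None."""
    n = len(prefix)
    for s in statements:
        if len(s) > n and s[:n] == prefix:
            return s[n]
    return None


def check_required(statements):
    """Findings for one node's statement set; an empty list means OK."""
    findings = []
    vpns = sorted(s[3] for s in statements
                  if len(s) == 5 and s[:3] == ("security", "ipsec", "vpn")
                  and s[4] == "ha-link-encryption")
    if not vpns:
        findings.append("no IPsec VPN has ha-link-encryption set")
    for vpn in vpns:
        gw = _value_after(statements, ("security", "ipsec", "vpn", vpn, "ike", "gateway"))
        if gw is None:
            findings.append(f"vpn {vpn}: no IKE gateway bound")
        elif ("security", "ike", "gateway", gw, "version", "v2-only") not in statements:
            findings.append(f"vpn {vpn}: gateway {gw} is not restricted to IKEv2 (version v2-only)")
        pol = _value_after(statements, ("security", "ipsec", "vpn", vpn, "ike", "ipsec-policy"))
        if pol is None:
            findings.append(f"vpn {vpn}: no IPsec policy bound")
        elif _value_after(statements, ("security", "ipsec", "policy", pol,
                                       "perfect-forward-secrecy", "keys")) is None:
            findings.append(f"vpn {vpn}: IPsec policy {pol} has no perfect-forward-secrecy group")
    return findings


def audit(text):
    """Parse a pasted configuration and report node drift plus per-node findings."""
    groups = parse_set_statements(text)
    only_node0, only_node1 = node_drift(groups)
    return {
        "drift_node0_only": only_node0,
        "drift_node1_only": only_node1,
        "findings": {n: check_required(groups.get(n, set())) for n in ("node0", "node1")},
    }


# Constructed sample: node1 lacks `version v2-only` and `ha-link-encryption`.
SAMPLE = """
[edit]
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups global interfaces fab0 fabric-options member-interfaces xe-0/0/3
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE), indent=2))
```

Run it against the block you intend to commit on each device, before the commit and reboot, and only proceed when both drift lists are empty and neither node has findings; the drift check is the same comparison you would otherwise make by eye between the node0 and node1 halves of the listing.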