Example: Configuring Dynamic Endpoint Tunnels
Figure 1: IPsec Dynamic Endpoint Tunnel Topology
Figure 1 shows a local network N-1 behind security gateway SG-1. SG-1 is a Juniper Networks router that terminates dynamic peer endpoints. The tunnel termination address on SG-1 is 10.7.7.2, and the local network address is 172.16.1.0/24.
The remote peer router obtains its address from an ISP pool and runs RFC-compliant IKE. The remote network N-2, with address 172.16.2.0/24, is behind security gateway SG-2, whose tunnel termination address is 10.7.7.1.
On router SG-1, configure an IKE access profile that accepts proposals from SG-2. Apply the interface identifier from the access profile to the inside services interface, and apply the IKE access profile itself to the IPsec next-hop-style service set.
Router SG-1
[edit]
access {
    profile ike_access {
        client * {                              # Accepts proposals from specified peers that use the preshared key.
            ike {
                allowed-proxy-pair local 10.255.14.63/32 remote 10.255.14.64/32;
                pre-shared-key ascii-text "$ABC123"; # SECRET-DATA
                interface-id test_id;           # Apply this ID to the inside services interfaces.
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        description "Connection to the local network";
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    so-1/0/0 {
        description "Connection to SG-2";
        no-keepalives;
        encapsulation cisco-hdlc;
        unit 0 {
            family inet {
                address 10.7.7.2/30;
            }
        }
    }
    sp-3/3/0 {
        unit 0 {
            family inet;
        }
        unit 3 {
            dial-options {
                ipsec-interface-id test_id;     # Accepts dynamic endpoint tunnels.
                shared;
            }
            service-domain inside;
        }
        unit 4 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set dynamic_nh_ss {                 # Create a next-hop service set
        next-hop-service {                      # for the dynamic endpoint tunnels.
            inside-service-interface sp-3/3/0.3;
            outside-service-interface sp-3/3/0.4;
        }
        ipsec-vpn-options {
            local-gateway 10.7.7.2;
            ike-access-profile ike_access;      # Apply the IKE access profile here.
        }
    }
}
Verifying Your Work
To verify that the dynamic endpoint tunnels configured on the AS PIC are operating correctly, use the following command:
show services ipsec-vpn ipsec security-associations (detail)
The following section shows the output of this command for the configuration example. The dynamically created rule _junos_ and the establishment of the dynamically created inbound and outbound tunnels appear in the output.
user@router> show services ipsec-vpn ipsec security-associations detail
Service set: dynamic_nh_ss
  Rule: _junos_, Term: tunnel4, Tunnel index: 4
  Local gateway: 10.7.7.2, Remote gateway: 10.7.7.1
  Local identity: ipv4(any:0,[0..3]=10.255.14.63)
  Remote identity: ipv4(any:0,[0..3]=10.255.14.64)
    Direction: inbound, SPI: 428111023, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 27660 seconds
      Hard lifetime: Expires in 27750 seconds
      Anti-replay service: Enabled, Replay window size: 64
    Direction: outbound, SPI: 4035429231, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 27660 seconds
      Hard lifetime: Expires in 27750 seconds
      Anti-replay service: Enabled, Replay window size: 64
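Reading this output by eye works for one tunnel, but a dynamic endpoint service set can carry many. The following Python script, added here as an illustration and not part of the Juniper documentation or of Junos, parses the detail output above and checks what an operator wants to confirm: that both the inbound and outbound SA exist and are Installed, that anti-replay is enabled, that the hard lifetime has not nearly expired, and that the negotiated encryption algorithm is on an accepted list. The sample text is the output shown above, re-typed one field group per line as constructed input; the accepted-algorithm set is an assumed local policy, so the example deliberately reports the 3des-cbc negotiated here as a finding.

```python
"""Check dynamic endpoint tunnel state from
`show services ipsec-vpn ipsec security-associations detail` output."""
import re

# Constructed sample input: the show output from the example above.
SAMPLE_OUTPUT = """\
Service set: dynamic_nh_ss
  Rule: _junos_, Term: tunnel4, Tunnel index: 4
  Local gateway: 10.7.7.2, Remote gateway: 10.7.7.1
  Local identity: ipv4(any:0,[0..3]=10.255.14.63)
  Remote identity: ipv4(any:0,[0..3]=10.255.14.64)
    Direction: inbound, SPI: 428111023, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 27660 seconds
      Hard lifetime: Expires in 27750 seconds
      Anti-replay service: Enabled, Replay window size: 64
    Direction: outbound, SPI: 4035429231, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 27660 seconds
      Hard lifetime: Expires in 27750 seconds
      Anti-replay service: Enabled, Replay window size: 64
"""

# Assumed site policy (not from the page): which ESP ciphers we accept.
ACCEPTED_ENCRYPTION = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}

# Split "Key: value, Key2: value2" on commas that precede another "Key:".
# The lookahead keeps identities such as ipv4(any:0,[0..3]=10.255.14.63) intact.
_FIELD_SEP = re.compile(r",\s*(?=[A-Za-z][A-Za-z -]*:)")


def _fields(line):
    """Turn one output line into a dict of its 'Key: value' pairs."""
    out = {}
    for part in _FIELD_SEP.split(line):
        key, _, value = part.partition(":")
        out[key.strip()] = value.strip()
    return out


def parse_sa_detail(text):
    """Return a list of tunnels; each has header fields plus an 'sas' list."""
    tunnels, service_set = [], None
    tunnel = sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = _fields(line)
        if "Service set" in fields:           # header applies to tunnels that follow
            service_set = fields["Service set"]
            continue
        if "Rule" in fields:                  # a 'Rule:' line starts a new tunnel
            tunnel = {"service_set": service_set, "sas": []}
            tunnels.append(tunnel)
            sa = None
        if tunnel is None:
            continue
        if "Direction" in fields:             # a 'Direction:' line starts a new SA
            sa = {}
            tunnel["sas"].append(sa)
        (sa if sa is not None else tunnel).update(fields)
    return tunnels


def lifetime_seconds(value):
    """Extract the remaining seconds from 'Expires in N seconds'; None if absent."""
    m = re.search(r"(\d+) seconds", value)
    return int(m.group(1)) if m else None


def tunnel_is_up(tunnel):
    """True when an Installed SA exists in both directions."""
    installed = {sa.get("Direction") for sa in tunnel["sas"]
                 if sa.get("State") == "Installed"}
    return {"inbound", "outbound"} <= installed


def check_tunnel(tunnel, accepted_encryption=ACCEPTED_ENCRYPTION, min_hard_seconds=600):
    """Return a list of findings; an empty list means the tunnel passes every check."""
    findings = []
    by_dir = {sa.get("Direction"): sa for sa in tunnel["sas"]}
    for direction in ("inbound", "outbound"):
        sa = by_dir.get(direction)
        if sa is None:
            findings.append(f"{direction}: no SA present")
            continue
        if sa.get("State") != "Installed":
            findings.append(f"{direction}: state is {sa.get('State')!r}, not Installed")
        if sa.get("Anti-replay service") != "Enabled":
            findings.append(f"{direction}: anti-replay service not enabled")
        enc = sa.get("Encryption")
        if enc not in accepted_encryption:
            findings.append(f"{direction}: encryption {enc} not in accepted set")
        hard = lifetime_seconds(sa.get("Hard lifetime", ""))
        if hard is not None and hard < min_hard_seconds:
            findings.append(f"{direction}: hard lifetime expires in {hard}s")
    return findings


if __name__ == "__main__":
    for t in parse_sa_detail(SAMPLE_OUTPUT):
        status = "UP" if tunnel_is_up(t) else "DOWN"
        print(f"{t['service_set']} tunnel {t.get('Tunnel index')} -> {t.get('Remote gateway')}: {status}")
        for f in check_tunnel(t):
            print("  finding:", f)
```

Feed it the saved output of the show command (for example, `parse_sa_detail(open("sa.txt").read())`) from a monitoring job; a tunnel that is "UP" but carries findings is the case worth alerting on, since a half-installed SA or a missing anti-replay window is easy to miss in a long listing.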