将 IPsec 与第 3 层 VPN 结合使用
在 VPN 中配置 IPsec 时要记住的一些关键概念包括:
通过在层次结构级别包含
interface sp-fpc/pic/port
[edit routing-instances instance-name]
语句,将下一跃点样式服务集的内部服务接口添加到路由实例中。对于接口样式服务集,通过在层次结构级别包含
[edit routing-instances instance-name]
这两个接口来添加应用服务集的接口和服务接口。要在服务集中为本地网关定义路由实例,请在层次结构级别包括路由实例instance-name选项
[edit services service-set service-set-name ipsec-vpn-options local-gateway address]
。
以下提供商边缘 (PE) 路由器上的 AS PIC 配置演示了如何在 VPN 路由和转发 (VRF) 路由实例中使用带有 IKE 动态 SA 的下一跃点服务集。
[edit] interfaces { so-0/0/0 { description "Interface connected to the customer edge (CE) router"; unit 0 { family inet { address 10.6.6.6/32; } } } so-2/2/0 { description "Source IPsec tunnel interface to the network core"; unit 0 { family inet { address 10.10.1.1/30; } } } sp-3/1/0 { description "AS PIC interface"; unit 0 { family inet { address 10.7.7.7/32; } } unit 1 { family inet; service-domain inside; } unit 2 { family inet; service-domain outside; } } } policy-options { policy-statement vpn-export-policy { then { community add community-name; accept; } } policy-statement vpn-import-policy { term term-name { from community community-name; then accept; } } community community-name members target:100:20; } routing-instances { vrf { instance-type vrf; interface sp-3/1/0.1; # Inside sp interface. interface so-0/0/0.0; # Interface that connects to the CE router. route-distinguisher route-distinguisher; vrf-import vpn-import-policy; vrf-export vpn-export-policy; routing-options { static { route ip-address/prefix next-hop so-0/0/0.0; # Routes for the CE router. route ip-address/prefix next-hop sp-3/1/0.1; # Routes for IPsec. } } } } services { service-set service-set-name { next-hop-service { inside-service-interface sp-3/1/0.1; outside-service-interface sp-3/1/0.2; } ipsec-vpn-options { local-gateway 10.10.1.1; } ipsec-vpn-rules rule-name; } ipsec-vpn { rule rule-name { term term-name { from { source-address { source-ip-address; } } then { remote-gateway 10.10.1.2; dynamic { ike-policy ike-policy-name; } } } match-direction direction; } ike { policy ike-policy-name { pre-shared-key ascii-text preshared-key; } } } }
有关 VRF 路由实例的详细信息,请参阅 Junos VPN 配置指南。有关下一跃点服务集的详细信息,请参阅 Junos 服务接口配置指南。