Chassis Cluster HA Control Link Encryption
Connect the dedicated control ports on node 0 and node 1. Connect the user-defined fabric (fab) ports on node 0 and node 1. To configure the two chassis in cluster mode, perform the following steps:
- Enable chassis cluster mode on both nodes. See SRX Series Chassis Cluster Configuration Overview.
- After chassis cluster is enabled, configure HA link encryption on device 1 as shown in the example configuration below, then commit and reboot. Before the commit and reboot, device 1 must carry the HA link encryption configuration for both node0 and node1.
[edit]
user@host# set groups node0 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal HA dh-group group20
user@host# set groups node0 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node0 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy HA proposals HA
user@host# prompt groups node0 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node0 security ike gateway HA ike-policy HA
user@host# set groups node0 security ike gateway HA version v2-only
user@host# set groups node0 security ipsec proposal HA protocol esp
user@host# set groups node0 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy HA proposals HA
user@host# set groups node0 security ipsec vpn HA ha-link-encryption
user@host# set groups node0 security ipsec vpn HA ike gateway HA
user@host# set groups node0 security ipsec vpn HA ike ipsec-policy HA
user@host# set groups node1 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal HA dh-group group20
user@host# set groups node1 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node1 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy HA proposals HA
user@host# prompt groups node1 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node1 security ike gateway HA ike-policy HA
user@host# set groups node1 security ike gateway HA version v2-only
user@host# set groups node1 security ipsec proposal HA protocol esp
user@host# set groups node1 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy HA proposals HA
user@host# set groups node1 security ipsec vpn HA ha-link-encryption
user@host# set groups node1 security ipsec vpn HA ike gateway HA
user@host# set groups node1 security ipsec vpn HA ike ipsec-policy HA
user@host# commit
user@host> request system reboot
- To proceed with the device 2 configuration and commit, you must make sure that device 1 and device 2 cannot reach each other. One way to achieve this is to power off device 1 at this point.
- Once device 2 has booted, configure HA link encryption as shown in the example configuration for device 2 below. Device 2 also needs the HA link encryption configuration for both node 0 and node 1. Commit on node 1 (device 2), and finally reboot node 1 (device 2).
[edit]
user@host# set groups node0 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal HA dh-group group20
user@host# set groups node0 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node0 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy HA proposals HA
user@host# prompt groups node0 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node0 security ike gateway HA ike-policy HA
user@host# set groups node0 security ike gateway HA version v2-only
user@host# set groups node0 security ipsec proposal HA protocol esp
user@host# set groups node0 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy HA proposals HA
user@host# set groups node0 security ipsec vpn HA ha-link-encryption
user@host# set groups node0 security ipsec vpn HA ike gateway HA
user@host# set groups node0 security ipsec vpn HA ike ipsec-policy HA
user@host# set groups node1 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal HA dh-group group20
user@host# set groups node1 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node1 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy HA proposals HA
user@host# prompt groups node1 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node1 security ike gateway HA ike-policy HA
user@host# set groups node1 security ike gateway HA version v2-only
user@host# set groups node1 security ipsec proposal HA protocol esp
user@host# set groups node1 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy HA proposals HA
user@host# set groups node1 security ipsec vpn HA ha-link-encryption
user@host# set groups node1 security ipsec vpn HA ike gateway HA
user@host# set groups node1 security ipsec vpn HA ike ipsec-policy HA
user@host# commit
user@host> request system reboot
Note: To enable HA link encryption on node 1 in step 3, the other node must be in the lost state for the commit to complete. You therefore need to pay attention to this timing; otherwise you will have to redo step 3 until HA link encryption is enabled when node 1 commits.
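As an added illustration that is not part of the Juniper documentation, the following Python script audits a set of "set groups nodeX security ..." commands like the ones above before they are committed: it checks that node0 and node1 carry identical ike/ipsec statements (each device must hold both node groups, and a mismatch between them is a common cause of the HA link not coming up encrypted) and that the statements this procedure relies on are present in both groups. The embedded sample configuration is constructed, with a deliberate typo and a missing statement in node1, so that the audit has something to report; the REQUIRED tuple is this example's own choice of must-have statements, taken from the configuration above.

```python
"""Audit Junos 'set groups nodeX security ...' commands for HA link encryption:
node0 and node1 must carry identical ike/ipsec statements, and the statements
this procedure relies on must be present in both groups."""
import re

# Statements the HA link encryption procedure on this page depends on.
REQUIRED = (
    "security ipsec vpn HA ha-link-encryption",
    "security ike gateway HA version v2-only",
    "security ipsec policy HA perfect-forward-secrecy keys group20",
)

# Accepts bare 'set ...' lines or lines copied with the 'user@host# ' prompt.
_SET_RE = re.compile(r"^(?:user@host# )?set groups (node[01]) (security (?:ike|ipsec) .+)$")

def parse_groups(config_text):
    """Return {group: set(statements)}, dropping the 'set groups nodeX' prefix."""
    groups = {"node0": set(), "node1": set()}
    for line in config_text.splitlines():
        m = _SET_RE.match(line.strip())
        if m:
            groups[m.group(1)].add(m.group(2).strip())
    return groups

def audit(config_text):
    """Return a list of findings; an empty list means the two groups are consistent."""
    groups = parse_groups(config_text)
    findings = []
    for node, stmts in groups.items():
        for req in REQUIRED:
            if req not in stmts:
                findings.append(f"{node}: missing '{req}'")
    for stmt in sorted(groups["node0"] - groups["node1"]):
        findings.append(f"node1: lacks node0 statement '{stmt}'")
    for stmt in sorted(groups["node1"] - groups["node0"]):
        findings.append(f"node0: lacks node1 statement '{stmt}'")
    return findings

# Constructed sample: node1 has a 'proposal' typo and lacks ha-link-encryption.
SAMPLE = """\
set groups node0 security ike gateway HA version v2-only
set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20
set groups node0 security ipsec policy HA proposals HA
set groups node0 security ipsec vpn HA ha-link-encryption
set groups node1 security ike gateway HA version v2-only
set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20
set groups node1 security ipsec policy HA proposal HA
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the full node0/node1 block captured from "show configuration | display set" on each device before committing; an empty result means the two groups mirror each other.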