Configuring an L2 HA Link Encryption Tunnel
Physically connect the two devices and make sure they are the same model. Connect the dedicated control ports on node 0 and node 1. Connect the user-defined fabric ports on node 0 and node 1. To configure the two chassis in cluster mode, follow these steps.
- Zeroize both SRX Series Firewalls before using them in a cluster. If a device is already in cluster mode, be sure to disable cluster mode before zeroizing it. For how to disable a chassis cluster, see Disabling Chassis Cluster.
user@host> request system zeroize
- Delete the web-management service.
user@host# delete system services web-management
- Configure FIPS mode and boot the device in FIPS mode.
[edit]
user@host# set groups global system fips level 2
[edit]
user@host# set groups global system root-authentication plain-text-password
New password: type password here
Retype new password: retype password here
[edit]
user@host# commit
user@host> request system reboot
- Configure device 1 with the standard cluster commands so that it operates in cluster mode as node 0, including the control port configuration. See Chassis Cluster Control Plane Interfaces.
[edit]
user@host# set groups node0 system host-name node0-host-name
user@host# set groups node0 system backup-router gateway-address
user@host# set groups node0 system backup-router destination value
user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
user@host# set groups node1 system host-name node1-host-name
user@host# set groups node1 system backup-router gateway-address
user@host# set groups node1 system backup-router destination value
user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
user@host# set apply-groups global
user@host# set apply-groups "${node}"
user@host# delete apply-groups re0
user@host# set system ports console log-out-on-disconnect
user@host# set chassis cluster reth-count 5
user@host# set chassis cluster redundancy-group 0 node 0 priority 254
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# commit
user@host> set chassis cluster cluster-id 1 node 0 reboot
- Once device 1 has booted, configure HA link encryption as shown in the configuration example below, then commit and reboot. Device 1 must carry the HA link encryption configuration for both node 0 and node 1 before the commit and reboot.
[edit]
user@host# set groups node0 security ike traceoptions file ikelog
user@host# set groups node0 security ike traceoptions file size 100m
user@host# set groups node0 security ike traceoptions flag all
user@host# set groups node0 security ike traceoptions level 15
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups node1 security ike traceoptions file ikelog
user@host# set groups node1 security ike traceoptions file size 100m
user@host# set groups node1 security ike traceoptions flag all
user@host# set groups node1 security ike traceoptions level 15
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node1 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups global interfaces fab0 fabric-options member-interfaces ge-0/0/3
user@host# set groups global interfaces fab1 fabric-options member-interfaces ge-5/0/3
user@host# commit
user@host> request system reboot
- To proceed with configuring and committing device 2, device 1 and device 2 must not be able to reach each other. One way to achieve this is to power off device 1 at this point.
- Configure device 2 with the standard cluster commands so that it operates in cluster mode as node 1, including the control port configuration. See Chassis Cluster Control Plane Interfaces.
[edit]
user@host# set groups node0 system host-name node0-host-name
user@host# set groups node0 system backup-router gateway-address
user@host# set groups node0 system backup-router destination value
user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
user@host# set groups node1 system host-name node1-host-name
user@host# set groups node1 system backup-router gateway-address
user@host# set groups node1 system backup-router destination value
user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
user@host# set apply-groups global
user@host# set apply-groups "${node}"
user@host# delete apply-groups re0
user@host# set system ports console log-out-on-disconnect
user@host# set chassis cluster reth-count 5
user@host# set chassis cluster redundancy-group 0 node 0 priority 254
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# commit
user@host> set chassis cluster cluster-id 1 node 1 reboot
- Once device 2 has booted, configure HA link encryption on device 2 as shown in the configuration example below. Device 2 must carry the HA link encryption configuration for both node 0 and node 1. Commit on node 1 (device 2), and finally reboot node 1 (device 2).
[edit]
user@host# set groups node0 security ike traceoptions file ikelog
user@host# set groups node0 security ike traceoptions file size 100m
user@host# set groups node0 security ike traceoptions flag all
user@host# set groups node0 security ike traceoptions level 15
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups node1 security ike traceoptions file ikelog
user@host# set groups node1 security ike traceoptions file size 100m
user@host# set groups node1 security ike traceoptions flag all
user@host# set groups node1 security ike traceoptions level 15
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node1 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text
New ascii-text (secret): juniper
Retype new ascii-text (secret): juniper
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
user@host# set groups global interfaces fab0 fabric-options member-interfaces ge-0/0/3
user@host# set groups global interfaces fab1 fabric-options member-interfaces ge-5/0/3
user@host# commit
user@host> request system reboot
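The procedure requires the node0 and node1 groups to carry identical HA link encryption settings on both devices, and every IKE/IPsec object it defines is referenced by name from another object, so a typo in one group or one name is a commit failure or a tunnel that never comes up. The following pre-commit checker is an added example, not Juniper's tooling or part of this page: it parses pasted `set groups nodeX ...` lines, reports security statements that differ between node0 and node1, flags references to proposals, policies or gateways that are never defined, and confirms each VPN has `ha-link-encryption` and its gateway has `version v2-only` as the procedure sets them. The sample listing is constructed from the node0 statements above (the pre-shared key is entered through `prompt` rather than a `set` line, so it is omitted); the node1 copy has its IPsec lifetime deliberately altered so the checker has a mismatch to report.

```python
"""Pre-commit consistency checker for SRX HA link encryption 'set' commands
(added example, not Juniper tooling)."""
import re
from typing import Dict, List, Set

# 'set groups <group> <statement>', with or without a pasted 'user@host#' prompt.
SET_RE = re.compile(r"^(?:user@host#\s*)?set groups (\S+) (.+?)\s*$")

# Constructed sample derived from the procedure's node0 statements.
NODE0_CONFIG = """
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
"""
# In the procedure node1 is a verbatim copy under 'set groups node1'; here the
# IPsec lifetime is deliberately changed (constructed) so a mismatch is reported.
SAMPLE_CONFIG = NODE0_CONFIG + NODE0_CONFIG.replace("groups node0", "groups node1").replace(
    "lifetime-seconds 200", "lifetime-seconds 300")

# (container prefix, reference keyword, container the referenced name must exist in)
REFERENCES = [
    ("security ike policy", "proposals", "security ike proposal"),
    ("security ike gateway", "ike-policy", "security ike policy"),
    ("security ipsec policy", "proposals", "security ipsec proposal"),
    ("security ipsec vpn", "ike gateway", "security ike gateway"),
    ("security ipsec vpn", "ike ipsec-policy", "security ipsec policy"),
]


def parse_set_commands(text: str) -> Dict[str, Set[str]]:
    """Collect the statement part of every 'set groups <group> ...' line per group."""
    groups: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if m:
            groups.setdefault(m.group(1), set()).add(m.group(2))
    return groups


def _names(stmts: Set[str], prefix: str) -> Set[str]:
    """Object names defined directly under a container such as 'security ike proposal'."""
    depth = len(prefix.split())
    return {s.split()[depth] for s in stmts if s.startswith(prefix + " ")}


def node_differences(groups: Dict[str, Set[str]]) -> List[str]:
    """Security statements present in one node group but not the other.
    HA link encryption needs identical IKE/IPsec parameters on both nodes."""
    n0 = {s for s in groups.get("node0", set()) if s.startswith("security ")}
    n1 = {s for s in groups.get("node1", set()) if s.startswith("security ")}
    return sorted([f"node0 only: {s}" for s in n0 - n1] + [f"node1 only: {s}" for s in n1 - n0])


def reference_findings(stmts: Set[str]) -> List[str]:
    """Dangling references and missing HA-specific knobs within one node's statements."""
    findings: List[str] = []
    for s in sorted(stmts):
        for prefix, keyword, target in REFERENCES:
            if not s.startswith(prefix + " "):
                continue
            words, depth = s.split(), len(prefix.split())
            rest = " ".join(words[depth + 1:])
            if rest.startswith(keyword + " "):
                ref = rest[len(keyword) + 1:]
                if ref not in _names(stmts, target):
                    findings.append(f"{prefix} {words[depth]} references undefined {target} {ref}")
    for vpn in _names(stmts, "security ipsec vpn"):
        if f"security ipsec vpn {vpn} ha-link-encryption" not in stmts:
            findings.append(f"vpn {vpn} lacks ha-link-encryption")
        for s in stmts:
            if s.startswith(f"security ipsec vpn {vpn} ike gateway "):
                gw = s.split()[-1]
                if f"security ike gateway {gw} version v2-only" not in stmts:
                    findings.append(f"gateway {gw} used by vpn {vpn} is not version v2-only")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Run all checks over a pasted set-command listing; empty lists mean no findings."""
    groups = parse_set_commands(text)
    return {
        "differences": node_differences(groups),
        "node0": reference_findings(groups.get("node0", set())),
        "node1": reference_findings(groups.get("node1", set())),
    }


if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONFIG).items():
        print(section, "->", items or "OK")
```

Run it against the `show configuration groups node0 | display set` and `... node1 | display set` output of each device before the commit-and-reboot steps; the same listing from device 1 and device 2 can also be fed through `node_differences` with one of them relabelled, since the procedure requires both devices to hold the same node0 and node1 groups.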