Chassis Cluster HA Control Link Encryption
Connect the dedicated control ports on node 0 and node 1. Connect the user-defined fabric ports on node 0 and node 1. To configure two chassis in cluster mode, follow these steps:
Enable chassis cluster mode on both nodes; see SRX Series Chassis Cluster Configuration Overview.
- After enabling the chassis cluster, on device 1, configure HA link encryption as shown in the sample configuration below, then commit and reboot. Device 1 must be configured with both the node0 and node1 HA link encryption configuration before you commit and reboot.
[edit]
user@host# set groups node0 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal HA dh-group group20
user@host# set groups node0 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node0 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy HA proposals HA
user@host# prompt groups node0 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node0 security ike gateway HA ike-policy HA
user@host# set groups node0 security ike gateway HA version v2-only
user@host# set groups node0 security ipsec proposal HA protocol esp
user@host# set groups node0 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy HA proposals HA
user@host# set groups node0 security ipsec vpn HA ha-link-encryption
user@host# set groups node0 security ipsec vpn HA ike gateway HA
user@host# set groups node0 security ipsec vpn HA ike ipsec-policy HA
user@host# set groups node1 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal HA dh-group group20
user@host# set groups node1 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node1 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy HA proposals HA
user@host# prompt groups node1 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node1 security ike gateway HA ike-policy HA
user@host# set groups node1 security ike gateway HA version v2-only
user@host# set groups node1 security ipsec proposal HA protocol esp
user@host# set groups node1 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy HA proposals HA
user@host# set groups node1 security ipsec vpn HA ha-link-encryption
user@host# set groups node1 security ipsec vpn HA ike gateway HA
user@host# set groups node1 security ipsec vpn HA ike ipsec-policy HA
user@host# commit
user@host> request system reboot
- To proceed with the configuration and commit on device 2, you must ensure that device 1 and device 2 cannot reach each other. One way to achieve this is to power off device 1 at this point.
- Once device 2 is up, configure HA link encryption on device 2 as shown in the sample configuration below. Device 2 must be configured with both the node0 and node1 HA link encryption configuration. Commit on node 1 (device 2), and finally reboot node 1 (device 2).
[edit]
user@host# set groups node0 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node0 security ike proposal HA dh-group group20
user@host# set groups node0 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node0 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy HA proposals HA
user@host# prompt groups node0 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node0 security ike gateway HA ike-policy HA
user@host# set groups node0 security ike gateway HA version v2-only
user@host# set groups node0 security ipsec proposal HA protocol esp
user@host# set groups node0 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node0 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy HA proposals HA
user@host# set groups node0 security ipsec vpn HA ha-link-encryption
user@host# set groups node0 security ipsec vpn HA ike gateway HA
user@host# set groups node0 security ipsec vpn HA ike ipsec-policy HA
user@host# set groups node1 security ike proposal HA authentication-method pre-shared-keys
user@host# set groups node1 security ike proposal HA dh-group group20
user@host# set groups node1 security ike proposal HA authentication-algorithm sha-256
user@host# set groups node1 security ike proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy HA proposals HA
user@host# prompt groups node1 security ike policy HA pre-shared-key ascii-text
New ascii-text (secret): This Should Be A Strong And Secure Key
Retype new ascii-text (secret): This Should Be A Strong And Secure Key
user@host# set groups node1 security ike gateway HA ike-policy HA
user@host# set groups node1 security ike gateway HA version v2-only
user@host# set groups node1 security ipsec proposal HA protocol esp
user@host# set groups node1 security ipsec proposal HA authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal HA encryption-algorithm aes-256-cbc
user@host# set groups node1 security ipsec policy HA perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy HA proposals HA
user@host# set groups node1 security ipsec vpn HA ha-link-encryption
user@host# set groups node1 security ipsec vpn HA ike gateway HA
user@host# set groups node1 security ipsec vpn HA ike ipsec-policy HA
user@host# commit
user@host> request system reboot
Note: To enable HA link encryption on node 1 in step 3, the other node must be in the lost state for the commit to go through. You must therefore take care of this timing; otherwise, step 3 must be redone until HA link encryption is enabled on the node 1 commit.
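Because each device must carry matching node0 and node1 groups before its commit, a pre-commit check of the candidate configuration catches a missing or mistyped statement before the reboot. The script below is an added example, not Juniper's code. It assumes the input is text saved from `show configuration | display set`, that stored secrets appear as an obfuscated `ascii-text` string (so only their presence is compared), and it uses constructed sample input with a placeholder secret.

```python
import re

# Statements the page's sample applies to each node group ("HA" names are the page's).
REQUIRED = {
    "security ike proposal HA authentication-method pre-shared-keys",
    "security ike gateway HA ike-policy HA",
    "security ike gateway HA version v2-only",
    "security ipsec policy HA proposals HA",
    "security ipsec vpn HA ha-link-encryption",
    "security ipsec vpn HA ike gateway HA",
    "security ipsec vpn HA ike ipsec-policy HA",
}
LINE = re.compile(r"^set groups (node[01]) (security (?:ike|ipsec) .+)$")
PSK = re.compile(r"^(security ike policy \S+ pre-shared-key) .*$")

def parse_groups(display_set):
    """Map node0/node1 to their IKE/IPsec statements from 'display set' text."""
    groups = {"node0": set(), "node1": set()}
    for raw in display_set.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # Drop the stored secret value; only its presence is compared.
            groups[m.group(1)].add(PSK.sub(r"\1", m.group(2)))
    return groups

def check_ha_link_encryption(display_set):
    """Return sorted findings; an empty list means both groups pass."""
    groups = parse_groups(display_set)
    findings = []
    for node, stmts in groups.items():
        findings += [f"{node}: missing '{r}'" for r in REQUIRED - stmts]
        if not any(s.endswith(" pre-shared-key") for s in stmts):
            findings.append(f"{node}: no IKE pre-shared key")
    for stmt in groups["node0"] ^ groups["node1"]:
        side = "node0" if stmt in groups["node0"] else "node1"
        findings.append(f"asymmetric: '{stmt}' only in {side}")
    return sorted(findings)

def sample(node, skip=()):
    """Constructed 'display set' lines for one node group (placeholder secret)."""
    lines = [f"set groups {node} {s}" for s in sorted(REQUIRED) if s not in skip]
    lines.append(f'set groups {node} security ike policy HA pre-shared-key '
                 'ascii-text "$9$CONSTRUCTED-PLACEHOLDER"')
    return "\n".join(lines)

GOOD = sample("node0") + "\n" + sample("node1")
BAD = sample("node0") + "\n" + sample("node1", skip={"security ipsec vpn HA ha-link-encryption"})

if __name__ == "__main__":
    print(check_ha_link_encryption(GOOD) or "OK")
    print("\n".join(check_ha_link_encryption(BAD)))
```

Run it against the saved candidate configuration of each device before committing; any finding means the node0 and node1 groups on that device are incomplete or do not match.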