Wednesday, January 23, 2013
Lab 3: site-to-site VPN
IPsec VPN lab (Junos SRX, route-based tunnel)
Very simple in principle: a point-to-point, route-based IPsec tunnel (an st0 interface, with OSPF running over it to exchange routes).
(Calling it "simple" is an overstatement once the zones, policies and NAT are added.)
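root@srx101# show
## Last changed: 2013-01-22 22:45:56 UTC
version 12.1R1.9;
system {
    root-authentication {
        ## $1$ is MD5-crypt. A hash posted publicly should be considered exposed:
        ## rotate the root password, and prefer a stronger hash format where the
        ## Junos release offers one.
        encrypted-password "$1$FfXnmjya$RYPXZFcgPFjwa4b26sIFp/"; ## SECRET-DATA
    }
}
interfaces {
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 11.0.0.1/24; ## WAN interface; the IKE peer is 11.0.0.2 on this subnet
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.0.1/24; ## LAN interface
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 15.15.15.2/24; ## secure-tunnel interface; the VPN below is bound to it
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            ## OSPF runs across the tunnel (st0.0 to the peer's st0.0) so each side
            ## learns the other's LAN without static routes. The tunnel subnet itself
            ## is directly connected, so no manual route is needed for it.
            interface st0.0 {
                interface-type p2p;
                ## 'neighbor' is only needed for nbma/p2mp interface types; on a p2p
                ## link it is redundant (kept as the author had it).
                neighbor 15.15.15.1;
            }
            ## fe-0/0/7.0 is listed only so 192.168.0.0/24 is advertised. The LAN zone
            ## below does not allow the ospf protocol inbound, so no adjacency can form
            ## on the LAN anyway; marking this interface 'passive' would make that explicit.
            interface fe-0/0/7.0;
        }
    }
}
security {
    ike {
        proposal IKE_Proposal {
            ## Phase 1 (IKEv1). 3DES / SHA-1 / DH group 2 (1024-bit) are legacy
            ## choices; if the peer supports it, aes-128-cbc or stronger, sha-256 and
            ## dh-group14 are preferable. Both ends must match, so change them in step.
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy ike_policy {
            mode main; ## main mode; avoid aggressive mode with pre-shared keys
            proposals IKE_Proposal;
            ## $9$ is Junos's reversible obfuscation, NOT a hash: anyone holding this
            ## string can recover the PSK. Treat a published config as a leaked key and
            ## rotate it; the replacement should be long and random.
            pre-shared-key ascii-text "$9$IQNceWLX-Vb2WL"; ## SECRET-DATA
        }
        gateway ike_gateway {
            ike-policy ike_policy;
            address 11.0.0.2; ## remote peer's WAN address
            dead-peer-detection {
                interval 10; ## probe every 10 s ...
                threshold 3; ## ... and declare the peer dead after 3 missed replies
            }
            no-nat-traversal; ## no NAT sits between the peers in this lab; remove if one appears
            external-interface fe-0/0/1.0; ## IKE is sourced from the WAN interface
        }
    }
    ipsec {
        proposal remote_ipsec {
            ## Phase 2. Note that ipsec_policy below sets no perfect-forward-secrecy,
            ## so Phase 2 keys derive from the Phase 1 exchange; add
            ## 'perfect-forward-secrecy keys groupN' there if the peer supports it.
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec_policy {
            proposals remote_ipsec;
        }
        vpn remote_vpn {
            bind-interface st0.0; ## route-based VPN: anything routed out st0.0 is encrypted
            ike {
                gateway ike_gateway;
                ## 0.0.0.0/0 proxy IDs are what many peers (e.g. a Cisco ASA) expect from
                ## a route-based tunnel; routing, not these IDs, decides what enters it.
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec_policy;
            }
        }
    }
    nat {
        source {
            ## LAN hosts (192.168.0.0/24) heading for 192.168.1.0/24 (presumably the
            ## remote LAN) are source-NATed to the st0.0 address, 15.15.15.2. The author
            ## added this to get ping working; it also means the peer sees 15.15.15.2,
            ## not the real LAN host, in its logs and policies.
            rule-set nat {
                from zone LAN;
                to zone VPN;
                rule 1a {
                    match {
                        source-address 192.168.0.0/24;
                        destination-address 192.168.1.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        ## Outbound LAN -> VPN is any/any with session logging. Acceptable for a lab;
        ## in production restrict it to the local/remote subnets and needed applications.
        from-zone LAN to-zone VPN {
            policy remote-office {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        ## Inbound VPN -> LAN only admits traffic sourced from the tunnel subnet.
        ## Replies to LAN-initiated sessions do not need this policy (they match the
        ## existing session). Hosts on 192.168.1.0/24 can only initiate toward the LAN
        ## if the peer NATs them to its own st0 address, mirroring the rule above.
        from-zone VPN to-zone LAN {
            policy Remote_office {
                match {
                    source-address 15.15.15.0/24;
                    destination-address 192.168.0.0/24;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone LAN {
            address-book {
                address 192.168.0.0/24 192.168.0.0/24;
            }
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ## 'all' exposes every management service (ssh, http, etc.)
                            ## to the LAN. Fine for a lab; list only the needed ones otherwise.
                            all;
                        }
                    }
                }
            }
        }
        security-zone WAN {
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ike; ## IKE (UDP/500) must reach the box on the WAN side or Phase 1 never starts
                            ping;
                        }
                    }
                }
            }
        }
        security-zone VPN {
            address-book {
                address 15.15.15.0/24 15.15.15.0/24;
            }
            interfaces {
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                        protocols {
                            ospf; ## OSPF hellos arrive over st0.0; without this the adjacency never forms
                        }
                    }
                }
            }
        }
    }
}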