{"id":230087,"date":"2014-07-16T17:49:03","date_gmt":"2014-07-16T13:49:03","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=230087"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=230087","title":{"rendered":"<span class=\"post_title\">Juniper SRX: Site-to-Site IPSec VPN using a pre-shared key<\/span>"},"content":{"rendered":"<div class=\"content html_format\">\n<p>Continuing the <a href=\"http:\/\/habrahabr.ru\/post\/229765\/\">series<\/a> on configuring Juniper SRX, I offer a step-by-step guide to setting up a site-to-site IPSec VPN using a pre-shared key. 
Note that both SRXes must have a static external IP address.<\/p>\n<p>Let's start with the basic diagram of our network:<br \/>\n<img decoding=\"async\" src=\"http:\/\/habrastorage.org\/getpro\/habr\/post_images\/dda\/1a1\/9c3\/dda1a19c38976f11067224a0d57393b0.png\"\/><\/p>\n<p>The diagram shows that both devices are connected to the provider through their ge-0\/0\/0 interfaces, and behind each SRX sits its own private network (attached to ge-0\/0\/1). 
Our goal is to build an IPSec tunnel and allow traffic between the networks 172.16.1.0\/24 and 172.16.2.0\/24.<\/p>\n<p>To keep the configuration simple, the external interface is assumed to obtain its address via DHCP.<\/p>\n<p>Read on for the details.<\/p>\n<p>First, let's look at the configuration of one of the routers BEFORE the IPSec setup, so that we have a baseline:<\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">root@gw-jvsrx-a# show<\/b>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">version 12.1X46-D10.2;\nsystem {\n    host-name gw-jvsrx-a;\n    root-authentication {\n        encrypted-password &quot;$1$XXX&quot;; ## SECRET-DATA\n    }\n    services {\n        ssh {\n            protocol-version v2;\n            client-alive-count-max 5;\n            client-alive-interval 120;\n            connection-limit 5;\n            rate-limit 2;\n        }\n        dhcp {\n            default-lease-time 21600;\n            pool 172.16.1.0\/27 {\n                address-range low 172.16.1.2 high 172.16.1.30;\n                router {\n                    172.16.1.1;\n                }\n                propagate-settings ge-0\/0\/1.0;\n            }\n        }\n    }\n    ntp {\n        server 0.pool.ntp.org prefer;\n        server 1.pool.ntp.org;\n        server 2.pool.ntp.org;\n        server 3.pool.ntp.org;\n    }\n}\ninterfaces {\n    ge-0\/0\/0 {\n        unit 0 {\n            family inet {\n                dhcp;\n            }\n        }\n    }\n    ge-0\/0\/1 {\n        unit 0 {\n            family inet {\n                address 172.16.1.1\/27;\n            }\n        }\n    }\n    lo0 {\n        unit 0 {\n            family inet {\n                address 172.31.255.1\/32;\n            }\n        }\n    }\n}\nsecurity {\n    nat {\n        source {\n            rule-set trust-to-untrust {\n                from zone trust;\n                to zone untrust;\n                rule source-nat {\n                    match {\n                        source-address 0.0.0.0\/0;\n                    }\n                    then {\n                        source-nat {\n                            interface;\n                        }\n                    }\n                }\n            }\n        }\n    }\n    policies {\n        from-zone trust to-zone untrust {\n            policy trust-to-untrust {\n                match {\n                    source-address any;\n                    destination-address any;\n                    application any;\n                }\n                then {\n                    permit;\n                }\n            }\n        }\n        from-zone trust to-zone trust {\n            policy trust-to-trust {\n                match {\n                    source-address any;\n                    destination-address any;\n                    application any;\n                }\n                then {\n                    permit;\n                }\n            }\n        }\n    }\n    zones {\n        security-zone untrust {\n            tcp-rst;\n            interfaces {\n                ge-0\/0\/0.0 {\n                    host-inbound-traffic {\n                        system-services {\n                            dhcp;\n                            ping;\n                            ssh;\n                        }\n                    }\n                }\n            }\n        }\n        security-zone trust {\n            interfaces {\n                ge-0\/0\/1.0 {\n                    host-inbound-traffic {\n                        system-services {\n                            all;\n                        }\n                        protocols {\n                            all;\n                        }\n                    }\n                }\n                lo0.0 {\n                    host-inbound-traffic {\n                        system-services {\n                            ping;\n                        }\n                    }\n                }\n            }\n        }\n    }\n}\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>The configuration of the second device is the same except for the DHCP server settings and the lo0 interface. 
In this arrangement we are dealing with an ordinary router.<\/p>\n<p>More about IPSec can be read (for example) on <a href=\"http:\/\/ru.wikipedia.org\/wiki\/IPsec#.D0.9F.D0.B5.D1.80.D0.B2.D0.B0.D1.8F_.D1.84.D0.B0.D0.B7.D0.B0\">Wikipedia<\/a>.<\/p>\n<p>Let's proceed to configuring the tunnel.<\/p>\n<h4>Tunnel interface<\/h4>\n<p>First, let's create the virtual interface that will be used to build the tunnel:<\/p>\n<pre><code class=\"bash\">set interfaces st0 unit 0 family inet address 172.16.0.1\/30<\/code><\/pre>\n<p>Since we are building the tunnel between only two devices, a \/30 network is quite enough.<\/p>\n<h4>Phase one<\/h4>\n<p>Let's configure IKE to use IKE main mode:<\/p>\n<pre><code class=\"bash\">set security ike proposal ike-proposal authentication-method pre-shared-keys\nset security ike proposal ike-proposal dh-group group14\nset security ike proposal ike-proposal authentication-algorithm sha-256\nset security ike proposal ike-proposal encryption-algorithm aes-128-cbc\nset security ike proposal ike-proposal lifetime-seconds 3600\nset security ike policy ike-policy mode main\nset security ike policy ike-policy pre-shared-key ascii-text &quot;YOUR_PRE_SHARED_KEY&quot;\nset security ike policy ike-policy proposals ike-proposal\nset security ike gateway gw-jvsrx-b ike-policy ike-policy\nset security ike gateway gw-jvsrx-b address 20.20.20.20\nset security ike gateway gw-jvsrx-b external-interface ge-0\/0\/0.0<\/code><\/pre>\n<p>In detail:<br \/>\n<b>authentication-method pre-shared-keys<\/b>: enables the use of pre-shared keys;<br \/>\n<b>dh-group group14<\/b>: needed to derive a shared secret key while exchanging data over an unprotected channel (described in detail <a href=\"http:\/\/tools.ietf.org\/html\/rfc3526\">here<\/a>); I use the 2048-bit modulus;<br \/>\n<b>authentication-algorithm sha-256<\/b>: sha-256 will be used for authentication;<br \/>\n<b>encryption-algorithm aes-128-cbc<\/b>: phase 1 data will be encrypted with aes-128-cbc;<br \/>\n<b>lifetime-seconds 3600<\/b>: lifetime of the phase 1 secret key (generated automatically when the connection is initialized);<br \/>\n<b>mode main<\/b>: main mode;<br \/>\n<b>pre-shared-key ascii-text<\/b>: the key itself (I recommend generating a sufficiently long one, for example with <i>openssl rand -base64 32<\/i>);<br \/>\n<b>address 20.20.20.20<\/b>: the public address of the second SRX;<br \/>\n<b>external-interface ge-0\/0\/0.0<\/b>: the interface through which the IPSec traffic will pass.<\/p>\n<h4>Phase two<\/h4>\n<p>At this stage the IPSec tunnel itself is created.<\/p>\n<pre><code class=\"bash\">set security ipsec proposal ipsec-proposal protocol esp\nset security ipsec proposal ipsec-proposal authentication-algorithm hmac-sha-256-128\nset security ipsec proposal ipsec-proposal encryption-algorithm aes-128-cbc\nset security ipsec proposal ipsec-proposal lifetime-seconds 7200\nset security ipsec policy ipsec-policy perfect-forward-secrecy keys group14\nset security ipsec policy ipsec-policy proposals ipsec-proposal\nset security ipsec vpn gw-jvsrx-b bind-interface st0.0\nset security ipsec vpn gw-jvsrx-b ike gateway gw-jvsrx-b\nset security ipsec vpn gw-jvsrx-b ike ipsec-policy ipsec-policy\nset security ipsec vpn gw-jvsrx-b establish-tunnels immediately<\/code><\/pre>\n<p>In detail:<br \/>\n<b>protocol esp<\/b>: we will use ESP (Encapsulating Security Payload) (described in detail <a href=\"http:\/\/book.itep.ru\/6\/ipsec.htm#9\">here<\/a>);<br \/>\n<b>authentication-algorithm hmac-sha-256-128<\/b>: the IPSec authentication algorithm;<br \/>\n<b>encryption-algorithm aes-128-cbc<\/b>: the encryption algorithm;<br \/>\n<b>lifetime-seconds 7200<\/b>: lifetime of the phase 2 secret key (generated automatically when the connection is initialized);<br \/>\n<b>perfect-forward-secrecy keys group14<\/b>: analogous to dh-group;<br \/>\n<b>bind-interface st0.0<\/b>: the virtual interface used to build the IPSec tunnel;<br \/>\n<b>establish-tunnels immediately<\/b>: bring the tunnel up right away.<\/p>\n<p>The same settings must be applied on the second router as well (swapping the st0.0 IP address and the IKE gateway).<\/p>\n<h4>Home stretch<\/h4>\n<p>With this the configuration of the IPSec tunnel itself is complete, but since the SRX series is also a firewall, with these settings the tunnel will not come up: the firewall will drop every packet that tries to establish the tunnel. 
So let's change the firewall part of the configuration:<\/p>\n<pre><code class=\"bash\">set security zones security-zone untrust interfaces ge-0\/0\/0.0 host-inbound-traffic system-services ike\nset security zones security-zone trust interfaces st0.0 host-inbound-traffic system-services all\nset security zones security-zone trust interfaces st0.0 host-inbound-traffic protocols all<\/code><\/pre>\n<p>The first command allows IKE traffic on our external interface (the one facing the provider); the second and third allow all traffic inside the IPSec tunnel.<\/p>\n<p>Now the tunnel should come up; let's check:<\/p>\n<pre><code class=\"bash\">root@gw-jvsrx-a# run show security ike security-associations detail\nIKE peer 20.20.20.20, Index 2116322, Gateway Name: gw-jvsrx-b\n  Role: Responder, State: UP\n  Initiator cookie: 1fa7a8730c817511, Responder cookie: 2a3e1f8c554ddb85\n  Exchange type: Main, Authentication method: Pre-shared-keys\n  Local: 10.10.10.10:500, Remote: 20.20.20.20:500\n  Lifetime: Expires in 2291 seconds\n  Peer ike-id: 20.20.20.20\n  Xauth assigned IP: 0.0.0.0\n  Algorithms:\n   Authentication        : hmac-sha256-128\n   Encryption            : aes128-cbc\n   Pseudo random function: hmac-sha256\n   Diffie-Hellman group  : DH-group-14\n  Traffic statistics:\n   Input  bytes  :                 1244\n   Output bytes  :                  948\n   Input  packets:                    6\n   Output packets:                    4\n  Flags: IKE SA is created\n  IPSec security associations: 1 created, 1 deleted\n  Phase 2 negotiations in progress: 0\n\n    Negotiation type: Quick mode, Role: Responder, Message ID: 0\n    Local: 10.10.10.10:500, Remote: 20.20.20.20:500\n    Local identity: 10.10.10.10\n    Remote identity: 20.20.20.20\n    Flags: IKE SA is created\n\nroot@gw-jvsrx-a# run show security ipsec security-associations detail\n  ID: 131073 Virtual-system: root, VPN Name: gw-jvsrx-b\n  Local Gateway: 10.10.10.10, Remote Gateway: 20.20.20.20\n  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0\/0)\n  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0\/0)\n  Version: IKEv1\n    DF-bit: clear\n    Bind-interface: st0.0\n\n  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29\n  Last Tunnel Down Reason: Delete payload received\n    Direction: inbound, SPI: ea287d13, AUX-SPI: 0, VPN Monitoring: -\n    Hard lifetime: Expires in 5884 seconds\n    Lifesize Remaining:  Unlimited\n    Soft lifetime: Expires in 5295 seconds\n    Mode: Tunnel(0 0), Type: dynamic, State: installed\n    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (128 bits)\n    Anti-replay service: counter-based enabled, Replay window size: 64\n\n    Direction: outbound, SPI: 14a16181, AUX-SPI: 0, VPN Monitoring: -\n    Hard lifetime: Expires in 5884 seconds\n    Lifesize Remaining:  Unlimited\n    Soft lifetime: Expires in 5295 seconds\n    Mode: Tunnel(0 0), Type: dynamic, State: installed\n    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (128 bits)\n    Anti-replay service: counter-based enabled, Replay window size: 64<\/code><\/pre>\n<p>We can also check the good old way:<\/p>\n<pre><code class=\"bash\">root@gw-jvsrx-a# run ping 172.16.0.2 count 5 interface st0.0\nPING 172.16.0.2 (172.16.0.2): 56 data bytes\n64 bytes from 172.16.0.2: icmp_seq=0 ttl=64 time=14.274 ms\n64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=10.420 ms\n64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=10.448 ms\n64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=10.448 ms\n64 bytes from 172.16.0.2: icmp_seq=4 ttl=64 time=10.439 ms\n\n--- 172.16.0.2 ping statistics ---\n5 packets transmitted, 5 packets received, 0% packet loss\nround-trip min\/avg\/max\/stddev = 10.420\/11.206\/14.274\/1.534 ms<\/code><\/pre>\n<p>Tunnel usage statistics can be viewed like this:<\/p>\n<pre><code class=\"bash\">root@gw-jvsrx-a# run show security ipsec statistics\nESP Statistics:\n  Encrypted bytes:            85052\n  Decrypted bytes:            41088\n  Encrypted packets:            553\n  Decrypted packets:            512\nAH Statistics:\n  Input bytes:                    0\n  Output bytes:                   0\n  Input packets:                  0\n  Output packets:                 0\nErrors:\n  AH authentication failures: 0, Replay errors: 0\n  ESP authentication failures: 0, ESP decryption failures: 0\n  Bad headers: 0, Bad trailers: 0<\/code><\/pre>\n<p>But that is not all! We still need routes to the network \"behind the other router\", and since we are lazy and dislike unnecessary work (right?), we will use OSPF:<\/p>\n<pre><code class=\"bash\">set protocols ospf area 0.0.0.0 interface ge-0\/0\/1.0\nset protocols ospf area 0.0.0.0 interface st0.0<\/code><\/pre>\n<p>As always, don't forget to commit (and to apply the mirrored settings on the other end of the tunnel), otherwise nothing will work:<\/p>\n<pre><code class=\"bash\">root@gw-jvsrx-a# commit check\nconfiguration check succeeds\n\nroot@gw-jvsrx-a# commit\ncommit complete<\/code><\/pre>\n<div class=\"clear\"><\/div>\n<\/div>\n<p>Link to the original article: <a href=\"http:\/\/habrahabr.ru\/post\/230087\/\">http:\/\/habrahabr.ru\/post\/230087\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-230087","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/230087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=230087"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/230087\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=230087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=230087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=230087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}