{"id":230597,"date":"2014-07-22T12:46:03","date_gmt":"2014-07-22T08:46:03","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=230597"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=230597","title":{"rendered":"<span class=\"post_title\">Juniper SRX: Site-to-Site IPSec VPN using SSL certificates<\/span>"},"content":{"rendered":"<div class=\"content html_format\">     \t<a href=\"http:\/\/habrahabr.ru\/post\/230087\/\">Last time<\/a> we set up a Site-to-Site IPSec VPN authenticated with a pre-shared key. Today we build the same IPSec VPN, but authenticate the IKE peers with X.509 certificates (the kind commonly called SSL certificates) issued by our own CA.<\/p>\n<p>  Note that both SRX devices must have a static external IP address.<\/p>\n<p>  The network diagram is the same as last time:<br 
\/>  <img decoding=\"async\" src=\"http:\/\/habrastorage.org\/getpro\/habr\/post_images\/dda\/1a1\/9c3\/dda1a19c38976f11067224a0d57393b0.png\" alt=\"image\"\/><\/p>\n<p>  We will create the certificates with OpenSSL, because that is the more interesting route: a CA on Windows Server 2012 R2 installed with \u00abNext, Next, Next\u00bb signs CSRs without any trouble, whereas OpenSSL needed a little more work.<\/p>\n<p>  Everyone interested, read on.<br \/>  <a name=\"habracut\"><\/a><\/p>\n<p>  Everything below is done on Oracle Enterprise Linux 6.5 x64 (default install) and JunOS 12.1X46-D20.5:  <\/p>\n<pre><code class=\"bash\">[root@localhost ~]# cat \/etc\/oracle-release\nOracle Linux Server release 6.5\n[root@localhost ~]# uname -mrs\nLinux 3.8.13-35.el6uek.x86_64 x86_64\n[root@localhost ~]# openssl version\nOpenSSL 1.0.1e-fips 11 Feb 2013\n<\/code><\/pre>\n<pre><code class=\"bash\">cartman@gw-jvsrx-1# run show version\nHostname: gw-jvsrx-1\nModel: firefly-perimeter\nJUNOS 
Software Release [12.1X46-D20.5]\n<\/code><\/pre>\n<p>  The whole process breaks down into the following parts:  <\/p>\n<ul>\n<li>Create a private key and a certificate request on each Juniper SRX<\/li>\n<li>Prepare the Root CA<\/li>\n<li>Sign the CSRs with the Root CA certificate<\/li>\n<li>Install the certificate chain on the Juniper SRX devices<\/li>\n<li>Configure the IPSec VPN<\/li>\n<li>Verify that the IPSec VPN works<\/li>\n<\/ul>\n<h4>Creating the private key and CSR<\/h4>\n<p>  This part is simple: run the following commands on each device (pay 
attention to the certificate-id, domain-name and ip-address parameters and to the CN value, since they differ for each device). Later, in the final tunnel configuration, I use the <i>domain-name<\/i> as the local and remote IKE identity, so this parameter <u>must<\/u> be present in the CSR: it becomes the DNS entry of the subjectAltName extension, which is what the SRX matches the peer's identity against. Use the device's FQDN.  
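<\/p>\n<p>  Before turning to the SRX commands, here is the whole OpenSSL side of the procedure described below (CA directory and openssl.cnf, the string_mask change, signing with a subjectAltName extension file, and the checks) as one script. It is an added example written for this edit, not code from the original post. Since there is no SRX in a shell, the script generates the device key and CSR with OpenSSL itself, using string_mask = default so that the subject is encoded as PRINTABLESTRING exactly like the SRX request, and it also reproduces the signing failure discussed in the string-mask section by trying a second root built with string_mask = utf8only. The hostnames and addresses are the ones used in this article; the temporary directory layout, the root's basicConstraints and keyUsage, the basicConstraints = CA:FALSE on the device certificates and the omitted OU and L attributes are choices made for the example.<\/p>\n

```bash
#!/bin/sh
# Added example (not from the original post): the article's OpenSSL workflow in
# a scratch directory. The device CSR is made here with string_mask = default,
# which yields the PRINTABLESTRING subject the SRX produces; a root signs it with
# the SAN from an -extfile; the chain is verified; a second root built with
# utf8only reproduces the policy_match failure. Layout and extensions are assumed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf ${WORK}' EXIT

# Root CA as in the article (ST optional, one-year leaves); $2 is the string_mask.
build_root() {   # $1 = CA dir, $2 = default | utf8only
  mkdir -p ${1}/certs ${1}/newcerts ${1}/private
  echo 1000 > ${1}/serial; : > ${1}/index.txt
  cat > ${1}/openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./certs/rootCA.crt
private_key = ./private/rootCA.key
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
commonName = supplied
[ req ]
string_mask = ${2}
prompt = no
distinguished_name = root_dn
x509_extensions = root_ext
[ root_dn ]
C = RU
O = Home
CN = Internal Root CA
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  ( cd ${1} && openssl req -new -x509 -days 3650 -nodes -config openssl.cnf -keyout private/rootCA.key -out certs/rootCA.crt 2>/dev/null )
}
# Device key and CSR mirroring the SRX request (on a real SRX the key stays on the box).
make_device_csr() {   # $1 = output dir, $2 = FQDN, $3 = IP
  cat > ${1}/${2}.req.cnf <<EOF
[ req ]
string_mask = default
prompt = no
distinguished_name = dev_dn
req_extensions = dev_san
[ dev_dn ]
C = RU
O = Home
CN = ${2}
[ dev_san ]
subjectAltName = DNS:${2},IP:${3}
EOF
  openssl req -new -newkey rsa:2048 -nodes -config ${1}/${2}.req.cnf -keyout ${1}/${2}.key -out ${1}/${2}.csr 2>/dev/null
}
# Sign as the article does: SAN from -extfile, because openssl ca ignores the
# extensions requested in the CSR unless copy_extensions is set. $2, $3 absolute.
sign_csr() {   # $1 = CA dir, $2 = CSR, $3 = cert out, $4 = FQDN, $5 = IP
  cat > ${3}.ext <<EOF
extensions = extend
[extend]
subjectAltName = DNS:${4},IP:${5}
basicConstraints = CA:FALSE
EOF
  ( cd ${1} && openssl ca -batch -config openssl.cnf -in ${2} -out ${3} -extfile ${3}.ext >/dev/null 2>${3}.log )
}
# Chain check plus the SAN entry the SRX matches its remote-identity hostname against.
check_issued() {   # $1 = CA dir, $2 = cert, $3 = FQDN, $4 = IP
  openssl verify -CAfile ${1}/certs/rootCA.crt ${2} >/dev/null 2>&1
  openssl x509 -in ${2} -noout -text | grep -q DNS:${3},.IP.Address:${4}
}
# The article's diagnostic: distinct ASN.1 string types in a PEM certificate or CSR.
string_types() {   # $1 = PEM file
  openssl asn1parse -in ${1} | grep -oE 'PRINTABLESTRING|UTF8STRING' | sort -u | xargs
}

ROOT_OK=${WORK}/ca_default; ROOT_BAD=${WORK}/ca_utf8only
build_root ${ROOT_OK} default; build_root ${ROOT_BAD} utf8only
for peer in gw-jvsrx-1.home.local:192.168.136.137 gw-jvsrx-2.home.local:192.168.136.138; do
  fqdn=${peer%%:*}; ip=${peer##*:}
  make_device_csr ${WORK} ${fqdn} ${ip}
  sign_csr ${ROOT_OK} ${WORK}/${fqdn}.csr ${ROOT_OK}/certs/${fqdn}.crt ${fqdn} ${ip}
  check_issued ${ROOT_OK} ${ROOT_OK}/certs/${fqdn}.crt ${fqdn} ${ip}
  echo ${fqdn}: signed, subject string types: $(string_types ${ROOT_OK}/certs/${fqdn}.crt)
done
# Failure path: the utf8only root has O=Home as UTF8STRING, the CSR as PRINTABLESTRING.
UTF8_SIGN_RC=0
sign_csr ${ROOT_BAD} ${WORK}/gw-jvsrx-1.home.local.csr ${ROOT_BAD}/certs/gw-jvsrx-1.home.local.crt gw-jvsrx-1.home.local 192.168.136.137 || UTF8_SIGN_RC=$?
echo utf8only root: openssl ca exit status ${UTF8_SIGN_RC}
grep -m1 field ${ROOT_BAD}/certs/gw-jvsrx-1.home.local.crt.log || true
```

<p>  Run it with no arguments on any machine with OpenSSL (1.0.1 through 3.x). The first two lines of output name the signed devices and the string types in their subjects; the last two show openssl ca refusing the same request under the UTF8STRING root, which is the error this article runs into before the string_mask change. That failure message only quotes the field values, so string_types is the function to reach for whenever a CA rejects a subject that looks identical to its own.  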
<\/p>\n<pre><code class=\"bash\">run request security pki generate-key-pair certificate-id gw-jvsrx-1 size 2048 type rsa\nrun request security pki generate-certificate-request certificate-id gw-jvsrx-1 digest sha-256 domain-name gw-jvsrx-1.home.local ip-address 192.168.136.137 subject &quot;DC=HOME.local,CN=gw-jvsrx-1.home.local,OU=IT,O=Home,L=Moscow,C=RU&quot;\n<\/code><\/pre>\n<p>  The second command prints the CSR to the console together with its SHA1 and MD5 fingerprints:  <\/p>\n<blockquote><p>Generated certificate request<br \/>  <b>-----BEGIN CERTIFICATE REQUEST-----<br \/>  MIIC9DCCAdwCAQAwdjEaMBgGCgmSJomT8ixkARkWCkhPTUUubG9jYWwxHjAcBgNV<br \/>  BAMTFWd3LWp2c3J4LTEuaG9tZS5sb2NhbDELMAkGA1UECxMCSVQxDTALBgNVBAoT<br \/>  BEhvbWUxDzANBgNVBAcTBk1vc2NvdzELMAkGA1UEBhMCUlUwggEiMA0GCSqGSIb3<br \/>  DQEBAQUAA4IBDwAwggEKAoIBAQDNz\/0WXjOYu0rMy9sv865BjH0QbYQSjyqehpfv<br \/>  U0cIzRcRvhASrLVunHUQbnQCjZtjCEPQj3cpumXaxM5KufpmNelo+3NXnIo70yn7<br \/>  oxD\/9SOd3UUV6wPrSVGnu8j1PlL08YAaSTIxtqchhQ+0JK8DJVPHRCH2sXSwPy9B<br \/>  RbmfAi4p7cfHHo28c7\/wECWPpK4GvEKZ7SzqLtAbZsPqB6ulk8Qy41Qk3Agi4qrf<br \/>  u3YxfynrxZQH2ZhsxCIdUollzKMe8BmlViL9mbv31+9UKogXdgsG1rRQWjJflghQ<br \/>  oGZ6NIDqwDV8g2Fc5SCQo0mSdmXHz44zYRkfzgQLUCQuqm0dAgMBAAGgOTA3Bgkq<br \/>  hkiG9w0BCQ4xKjAoMCYGA1UdEQQfMB2CFWd3LWp2c3J4LTEuaG9tZS5sb2NhbIcE<br \/>  wKiIiTANBgkqhkiG9w0BAQsFAAOCAQEAw6nvznXy60xzd69zKd4mWRdXBF+sw5Wo<br \/>  i5x9\/qhLG4OtBDi2byBMLirytnVyFv2QOGCSjX6\/O0uI7lPec2Qvt\/hB40QMifOk<br \/>  CIcF8nErseEwWyFJIHN3LVN0GrNb+wleZP8DiAVIHmDxefpaBMlB207fOu02jrkp<br \/>  
AdFdb0UAGmvqLBi9dYLWFq9MIHpTKBygIwWvn1gFoToZHJhWSDuHZTeYpVGYMBWN<br \/>  MGTUNmo7h3Hp1IOghYVK9VsanK9mikWHebZN1aKUi6bDoRAi+UXnd2j1qBEPwc5q<br \/>  LWX0ytm+ykMmkEKcT5S+EeIP+wgw74mQ9k6+P2f53fecKPK13Q3ASg==<br \/>  -----END CERTIFICATE REQUEST-----<\/b><br \/>  Fingerprint:<br \/>  77:5a:8c:51:c1:29:3b:73:81:0d:52:a3:7f:56:06:21:17:42:8f:20 (sha1)<br \/>  d6:41:a6:b8:af:f9:e5:e0:2f:6c:0f:fa:3b:23:3d:76 (md5)<\/p><\/blockquote>\n<p>  Copy the part in bold and save it as a file on the server where the request will be signed (the private key never leaves the SRX; only the request travels). Do the same on gw-jvsrx-2 with its own certificate-id, domain-name, ip-address and CN:  <\/p>\n<pre><code class=\"bash\">[root@localhost ~]# cat gw-jvsrx-1.csr\n-----BEGIN CERTIFICATE REQUEST-----\nMIIC9DCCAdwCAQAwdjEaMBgGCgmSJomT8ixkARkWCkhPTUUubG9jYWwxHjAcBgNV\nBAMTFWd3LWp2c3J4LTEuaG9tZS5sb2NhbDELMAkGA1UECxMCSVQxDTALBgNVBAoT\nBEhvbWUxDzANBgNVBAcTBk1vc2NvdzELMAkGA1UEBhMCUlUwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQDNz\/0WXjOYu0rMy9sv865BjH0QbYQSjyqehpfv\nU0cIzRcRvhASrLVunHUQbnQCjZtjCEPQj3cpumXaxM5KufpmNelo+3NXnIo70yn7\noxD\/9SOd3UUV6wPrSVGnu8j1PlL08YAaSTIxtqchhQ+0JK8DJVPHRCH2sXSwPy9B\nRbmfAi4p7cfHHo28c7\/wECWPpK4GvEKZ7SzqLtAbZsPqB6ulk8Qy41Qk3Agi4qrf\nu3YxfynrxZQH2ZhsxCIdUollzKMe8BmlViL9mbv31+9UKogXdgsG1rRQWjJflghQ\noGZ6NIDqwDV8g2Fc5SCQo0mSdmXHz44zYRkfzgQLUCQuqm0dAgMBAAGgOTA3Bgkq\nhkiG9w0BCQ4xKjAoMCYGA1UdEQQfMB2CFWd3LWp2c3J4LTEuaG9tZS5sb2NhbIcE\nwKiIiTANBgkqhkiG9w0BAQsFAAOCAQEAw6nvznXy60xzd69zKd4mWRdXBF+sw5Wo\ni5x9\/qhLG4OtBDi2byBMLirytnVyFv2QOGCSjX6\/O0uI7lPec2Qvt\/hB40QMifOk
CIcF8nErseEwWyFJIHN3LVN0GrNb+wleZP8DiAVIHmDxefpaBMlB207fOu02jrkp\nAdFdb0UAGmvqLBi9dYLWFq9MIHpTKBygIwWvn1gFoToZHJhWSDuHZTeYpVGYMBWN\nMGTUNmo7h3Hp1IOghYVK9VsanK9mikWHebZN1aKUi6bDoRAi+UXnd2j1qBEPwc5q\nLWX0ytm+ykMmkEKcT5S+EeIP+wgw74mQ9k6+P2f53fecKPK13Q3ASg==\n-----END CERTIFICATE REQUEST-----\n[root@localhost ~]# cat gw-jvsrx-2.csr\n-----BEGIN CERTIFICATE REQUEST-----\nMIIC9DCCAdwCAQAwdjEaMBgGCgmSJomT8ixkARkWCkhPTUUubG9jYWwxHjAcBgNV\nBAMTFWd3LWp2c3J4LTIuaG9tZS5sb2NhbDELMAkGA1UECxMCSVQxDTALBgNVBAoT\nBEhvbWUxDzANBgNVBAcTBk1vc2NvdzELMAkGA1UEBhMCUlUwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQDGSfJvRWRGz8gRQAiTQaoVfgrLGv4l00xDBqat\negRMJ4811d80auFz8JvBy6XLCliaDUdTthGOu+8S8FACzO7sQHPLa+r1rnURU7A4\nj9UxTLCDJ\/5KR4FZHfIR+B\/2ni3P40qWuat\/KaYjJNW0Rb6cAZ9BRgbuTQU09i39\nkPsZWLT3mazx1HP5hmAwRDHtx+AmZNV\/gf\/ho7JTNfbmRbh56CmJqGuLXDvKrGtN\nUs5K0BdFH6\/SlRO+k8sD\/mMJUOl909VT11WTj1li9C2EHzgVmrC3L78A9WWjLHDF\nFHpiYfP+8krMotek4n4BChMFnSBsGD6uBKtnNjvPRnvOI60HAgMBAAGgOTA3Bgkq\nhkiG9w0BCQ4xKjAoMCYGA1UdEQQfMB2CFWd3LWp2c3J4LTIuaG9tZS5sb2NhbIcE\nwKiIijANBgkqhkiG9w0BAQsFAAOCAQEAOc2zAMGMbo6SwvyBz+yJ8Ep1WL\/rLuN8\nZKhkytwdVJJT42NyAZMyg2NLTyv735fgfGo7lMTW\/18foVNhqG2gQwM\/OETgqhTu\nK2XblHOCD9A0WRD6bUfL1pST7brJNQjmpnXRo+WRqHnZuVxNgj\/gdbkCceYrVG70\nBpA12SdJoWVMCbe\/qVQ+N7OSECmL8skUCHPTQiKxW\/lKQKvlbSReq7NnccdfcheK\nwZGa+uqb8EzZV3e0PwR75+VKIyw2Rf1IDU\/sQrShqCGKrIJcfU16XL9hvTdINXFW\nRGtfuBhERHw1HcWiQL+x56Htyc4qDdt8ffz+aV38jVtCcwN+FoqWxA==\n-----END CERTIFICATE REQUEST-----\n<\/code><\/pre>\n<h4>Creating the root certificate<\/h4>\n<p>  Now let us prepare the directory layout and the configuration of our Root CA:  <\/p>\n<pre><code 
class=\"bash\">[root@localhost ~]# mkdir -p ca_root\/{certs,conf,csr,newcerts,private}\n[root@localhost ~]# cd ca_root\n[root@localhost ca_root]# echo 1000 &gt; serial\n[root@localhost ca_root]# touch index.txt\n[root@localhost ca_root]# cp \/etc\/pki\/tls\/openssl.cnf conf\/\n<\/code><\/pre>\n<p>  Do not forget to move the CSRs into the right directory:  <\/p>\n<pre><code class=\"bash\">[root@localhost ~]# mv *.csr ca_root\/csr\n<\/code><\/pre>\n<p>  I create the certificates without the ST field in the Subject (it can be done with that field as well, but there are endless possible configurations and I decided to cover this particular point), so this parameter has to be changed in the copy of openssl.cnf we will use. Keep in mind that openssl ca keeps only the subject attributes listed in the policy section and silently drops the rest (unless -preserveDN is given), so with this policy_match the L and DC attributes from the SRX request will not appear in the issued certificates:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# vi conf\/openssl.cnf\n.....\n
[ CA_default ]\ndir             = \/etc\/pki\/CA        \t&lt;========================== replace \/etc\/pki\/CA with .\n.....\n[ policy_match ]\ncountryName             = match\nstateOrProvinceName     = match\t\t&lt;========================== replace match with optional\norganizationName        = match\norganizationalUnitName  = optional\ncommonName              = supplied\nemailAddress            = optional\n.....\n<\/code><\/pre>\n<p>  JunOS encodes the subject attributes of the request as PRINTABLESTRING, whereas OpenSSL by default (string_mask = utf8only) encodes them as UTF8STRING. You can check this as follows:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# openssl asn1parse -in csr\/gw-jvsrx-1.csr | grep PRINTABLESTRING --color\n   50:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :gw-jvsrx-1.home.local\n   82:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT\n   95:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Home\n  110:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Moscow\n  127:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :RU\n[root@localhost ca_root]# openssl asn1parse -in csr\/gw-jvsrx-2.csr | grep PRINTABLESTRING --color\n   50:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :gw-jvsrx-2.home.local\n   82:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT\n   95:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Home\n  110:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Moscow\n  127:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :RU\n<\/code><\/pre>\n<p>  If 
the string types differ, openssl ca refuses to sign the device certificates: the comparison behind organizationName = match in policy_match checks the ASN.1 string type as well as the bytes, so it reports a mismatch even though the values look identical (the message says something like HOME &lt;&gt; HOME, which gives little hint where to dig). Set string_mask so that OpenSSL encodes ASCII-only values as PRINTABLESTRING, the way JunOS does:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# vi conf\/openssl.cnf\n.....\nstring_mask = utf8only\t\t\t\t\t&lt;========================== replace utf8only with default\n.....
<\/code><\/pre>\n<p>  Now generate the root certificate of our Root CA (valid for 10 years). It must be generated after the string_mask change above, because openssl ca compares the request against the subject of this very certificate:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# openssl req -new -x509 -days 3650 -keyout private\/rootCA.key -out certs\/rootCA.crt -config conf\/openssl.cnf\nGenerating a 2048 bit RSA private key\n.........+++\n.........................................................................................+++\nwriting new private key to 'private\/rootCA.key'\nEnter PEM pass phrase:\nVerifying - Enter PEM pass phrase:\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:RU\nState or Province Name (full name) []:\nLocality Name (eg, city) [Default City]:Moscow\nOrganization Name (eg, company) [Default Company Ltd]:Home\nOrganizational Unit Name (eg, section) []:IT\nCommon Name (eg, your name or your server's hostname) []:Internal Root CA\nEmail Address []:\n<\/code><\/pre>\n<p>  Just in case, a reminder that <i>private\/rootCA.key<\/i> must be guarded like the apple of your eye, since 
it is the private key of our root certificate: whoever holds it can issue a certificate that both SRX devices will accept as a VPN peer. It is also recommended to enter a very strong password at the <i>Enter PEM pass phrase<\/i> prompt when creating the root certificate.<\/p>\n<p>  Let us check that the encoding is right (the same DN appears twice, as issuer and as subject, hence ten lines):  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# openssl asn1parse -in certs\/rootCA.crt | grep PRINTABLESTRING --color\n   50:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :RU\n   63:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Moscow\n   80:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Home\n   95:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT\n  108:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :Internal Root CA\n  169:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :RU\n  182:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Moscow\n  199:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Home\n  214:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT\n  227:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :Internal Root CA\n<\/code><\/pre>\n<h4>Signing the CSRs<\/h4>\n<p>  Let us move on to generating 
the device certificates. First create two files with the subjectAltName attributes. The critical entry for us is DNS (it carries the local and remote identities); IP could be omitted, but we add it as well. The extension file is needed because openssl ca ignores the extensions requested in the CSR unless copy_extensions is set in its configuration:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# cat conf\/gw-jvsrx-1.cnf\nextensions = extend\n[extend]\nsubjectAltName = &quot;DNS:gw-jvsrx-1.home.local&quot;,&quot;IP:192.168.136.137&quot;\n[root@localhost ca_root]# cat conf\/gw-jvsrx-2.cnf\nextensions = extend\n[extend]\nsubjectAltName = &quot;DNS:gw-jvsrx-2.home.local&quot;,&quot;IP:192.168.136.138&quot;\n<\/code><\/pre>\n<p>  Now sign our CSRs with the root certificate:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# openssl ca -verbose -in csr\/gw-jvsrx-1.csr -out certs\/gw-jvsrx-1.crt -keyfile private\/rootCA.key -cert certs\/rootCA.crt -extfile conf\/gw-jvsrx-1.cnf -config conf\/openssl.cnf\n[root@localhost ca_root]# openssl ca -verbose -in csr\/gw-jvsrx-2.csr -out certs\/gw-jvsrx-2.crt -keyfile 
private\/rootCA.key -cert certs\/rootCA.crt -extfile conf\/gw-jvsrx-2.cnf -config conf\/openssl.cnf\n<\/code><\/pre>\n<p>  Check that the subjectAltName made it into the issued certificates:  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# openssl x509 -in certs\/gw-jvsrx-1.crt -text -noout | grep DNS\n                DNS:gw-jvsrx-1.home.local, IP Address:192.168.136.137\n[root@localhost ca_root]# openssl x509 -in certs\/gw-jvsrx-2.crt -text -noout | grep DNS\n                DNS:gw-jvsrx-2.home.local, IP Address:192.168.136.138\n<\/code><\/pre>\n<p>  (Just for fun) Let us look at the CA database of issued certificates. Two things are worth noticing: the issued subjects contain only the attributes listed in policy_match (L=Moscow and DC=HOME.local from the CSR are gone), and the expiry is one year out, because default_days in openssl.cnf is 365 while the root was issued for 3650 days. Put the renewal date in the calendar: the tunnel stops coming up once either device certificate expires.  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# cat index.txt\nV\t150721115632Z\t\t1000\tunknown\t\/C=RU\/O=Home\/OU=IT\/CN=gw-jvsrx-1.home.local\nV\t150721115943Z\t\t1001\tunknown\t\/C=RU\/O=Home\/OU=IT\/CN=gw-jvsrx-2.home.local\n<\/code><\/pre>\n<h4>Installing the certificate chain on the devices<\/h4>\n<p>  First copy the device certificates and the root certificate to our Junipers 
(scp or WinSCP will do). Only the certificates travel; the private keys were generated on the devices and stay there.  <\/p>\n<pre><code class=\"bash\">[root@localhost ca_root]# scp certs\/gw-jvsrx-1.crt cartman@192.168.136.137:\/cf\/var\/home\/cartman\/gw-jvsrx-1.crt\n[root@localhost ca_root]# scp certs\/rootCA.crt cartman@192.168.136.137:\/cf\/var\/home\/cartman\/rootCA.crt\n[root@localhost ca_root]# scp certs\/gw-jvsrx-2.crt cartman@192.168.136.138:\/cf\/var\/home\/cartman\/gw-jvsrx-2.crt\n[root@localhost ca_root]# scp certs\/rootCA.crt cartman@192.168.136.138:\/cf\/var\/home\/cartman\/rootCA.crt\n<\/code><\/pre>\n<p>  Now prepare the PKI configuration (this part of the config is identical on both devices). revocation-check disable is acceptable in a lab where the CA publishes no CRL; in production leave revocation checking enabled and give the ca-profile a CRL (or OCSP) source, otherwise a device certificate whose key has leaked can never be un-trusted short of replacing the root on both devices:  <\/p>\n<pre><code class=\"bash\">set security pki ca-profile openssl_root_ca ca-identity openssl_root_ca\nset security pki ca-profile openssl_root_ca revocation-check disable\n<\/code><\/pre>\n<p>  Install the root certificate and the device certificate:  <\/p>\n<pre><code class=\"bash\">run request security pki ca-certificate load ca-profile openssl_root_ca filename rootCA.crt\nrun request security pki local-certificate load certificate-id gw-jvsrx-1 filename gw-jvsrx-1.crt\n<\/code><\/pre>\n<p>  The same has to be done on the second 
device (loading its own certificate, gw-jvsrx-2, instead).<\/p>\n<h4>Configuring the IPSec VPN<\/h4>\n<p>  Nothing complicated here; most of the parameters are described in <a href=\"http:\/\/habrahabr.ru\/post\/230087\/\">this<\/a> article. What changes compared to the pre-shared-key setup is authentication-method rsa-signatures in the IKE proposal, local-certificate and peer-certificate-type in the IKE policy, and the local-identity and remote-identity hostnames, which must equal the DNS names in the subjectAltName of the respective certificates (mode main applies to IKEv1 only and is irrelevant with version v2-only, but the policy requires a mode). The configuration below is for gw-jvsrx-1; mirror the addresses, certificate-id and identities on gw-jvsrx-2:  <\/p>\n<pre><code class=\"bash\">set interfaces st0 unit 0 point-to-point\nset interfaces st0 unit 0 family inet address 172.16.0.1\/30\nset security ike respond-bad-spi 1\nset security ike proposal ike-proposal-rsa authentication-method rsa-signatures\nset security ike proposal ike-proposal-rsa dh-group group14\nset security ike proposal ike-proposal-rsa authentication-algorithm sha-256\nset security ike proposal ike-proposal-rsa encryption-algorithm aes-128-cbc\nset security ike proposal ike-proposal-rsa lifetime-seconds 3600\nset security ike policy ike-policy-rsa mode main\nset security ike policy ike-policy-rsa proposals ike-proposal-rsa\nset security ike policy ike-policy-rsa certificate local-certificate gw-jvsrx-1\nset security ike policy ike-policy-rsa certificate peer-certificate-type x509-signature\nset security ike gateway gw-jvsrx-2 ike-policy ike-policy-rsa\nset security ike gateway gw-jvsrx-2 address 192.168.136.138\nset security ike gateway gw-jvsrx-2 dead-peer-detection always-send\nset security ike gateway gw-jvsrx-2 dead-peer-detection interval 10\nset security ike gateway gw-jvsrx-2 local-identity hostname gw-jvsrx-1.home.local\nset security ike gateway gw-jvsrx-2 remote-identity hostname gw-jvsrx-2.home.local\nset 
security ike gateway gw-jvsrx-2 external-interface ge-0\/0\/0.0\nset security ike gateway gw-jvsrx-2 version v2-only\nset security ipsec proposal ipsec-proposal-rsa protocol esp\nset security ipsec proposal ipsec-proposal-rsa authentication-algorithm hmac-sha-256-128\nset security ipsec proposal ipsec-proposal-rsa encryption-algorithm aes-128-cbc\nset security ipsec proposal ipsec-proposal-rsa lifetime-seconds 7200\nset security ipsec policy ipsec-policy-rsa perfect-forward-secrecy keys group14\nset security ipsec policy ipsec-policy-rsa proposals ipsec-proposal-rsa\nset security ipsec vpn gw-jvsrx-2 bind-interface st0.0\nset security ipsec vpn gw-jvsrx-2 vpn-monitor source-interface ge-0\/0\/0.1\nset security ipsec vpn gw-jvsrx-2 vpn-monitor destination-ip 172.16.0.2\nset security ipsec vpn gw-jvsrx-2 ike gateway gw-jvsrx-2\nset security ipsec vpn gw-jvsrx-2 ike ipsec-policy ipsec-policy-rsa\nset security ipsec vpn gw-jvsrx-2 establish-tunnels immediately\n<\/code><\/pre>\n<p>  For extra paranoia, the tunnel interface st0.0 goes into a separate security zone named vpn (it could also go into the existing trust zone), but since 
\u043f\u043e\u0441\u0442 \u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u043c \u0432\u0435\u0441\u044c \u0442\u0440\u0430\u0444\u0438\u043a \u043c\u0435\u0436\u0434\u0443 trust \u0438 vpn:  <\/p>\n<pre><code class=\"bash\">set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all <\/code><\/pre>\n<p>  \u041d\u0443 \u0438 \u043a\u043e\u043d\u0435\u0447\u043d\u043e \u0436\u0435 OSPF:  <\/p>\n<pre><code class=\"bash\">set protocols ospf area 0.0.0.0 interface ge-0\/0\/1.0 set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 10 set protocols ospf area 0.0.0.0 interface st0.0 flood-reduction set protocols ospf area 0.0.0.0 interface st0.0 neighbor 172.16.0.2 <\/code><\/pre>\n<h4>\u041f\u0440\u043e\u0432\u0435\u0440\u0438\u043c \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u043d\u0430\u0448\u0435\u0433\u043e \u0442\u0443\u043d\u043d\u0435\u043b\u044f<\/h4>\n<p>  \u0423\u0431\u0435\u0434\u0438\u043c\u0441\u044f, \u0447\u0442\u043e 
\u043f\u0435\u0440\u0432\u0430\u044f \u0444\u0430\u0437\u0430 IPSec \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u0443\u0435\u0442, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u043c \u043f\u043e\u043b\u0435 authentication method:  <\/p>\n<pre><code class=\"bash\">cartman@gw-jvsrx-1# run show security ike security-associations detail  IKE peer 192.168.136.138, Index 6745, Gateway Name: gw-jvsrx-2   Role: Initiator, State: UP   Initiator cookie: ce70b7c0d1c523a2, Responder cookie: be63393746194b61   Exchange type: IKEv2, Authentication method: RSA-signatures   Local: 192.168.136.137:500, Remote: 192.168.136.138:500   Lifetime: Expires in 900 seconds   Peer ike-id: gw-jvsrx-2.home.local   Xauth assigned IP: 0.0.0.0   Algorithms:    Authentication        : hmac-sha256-128     Encryption            : aes128-cbc    Pseudo random function: hmac-sha256    Diffie-Hellman group  : DH-group-14   Traffic statistics:    Input  bytes  :                42720    Output bytes  :                42720    Input  packets:                  534    Output packets:                  534   Flags: IKE SA is created    IPSec security associations: 0 created, 0 deleted   Phase 2 negotiations in progress: 0      Negotiation type: Quick mode, Role: Initiator, Message ID: 0     Local: 192.168.136.137:500, Remote: 192.168.136.138:500     Local identity: gw-jvsrx-1.home.local     Remote identity: gw-jvsrx-2.home.local     Flags: IKE SA is created <\/code><\/pre>\n<p>  \u041f\u0440\u043e\u0432\u0435\u0440\u0438\u043c \u0432\u0442\u043e\u0440\u0443\u044e \u0444\u0430\u0437\u0443:  <\/p>\n<pre><code class=\"bash\">cartman@gw-jvsrx-1# run show security ipsec security-associations detail     ID: 131073 Virtual-system: root, VPN Name: gw-jvsrx-2   Local Gateway: 192.168.136.137, Remote Gateway: 192.168.136.138   Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0\/0)   Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0\/0)   Version: IKEv2     DF-bit: clear 
    Bind-interface: st0.0    Port: 500, Nego#: 11, Fail#: 0, Def-Del#: 0 Flag: 0x600a29    Last Tunnel Down Reason: Lifetime expired     Direction: inbound, SPI: da9f6c4f, AUX-SPI: 0                               , VPN Monitoring: UP     Hard lifetime: Expires in 3880 seconds     Lifesize Remaining:  Unlimited     Soft lifetime: Expires in 3245 seconds     Mode: Tunnel(10 10), Type: dynamic, State: installed     Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (128 bits)     Anti-replay service: counter-based enabled, Replay window size: 64      Direction: outbound, SPI: cb42bcf5, AUX-SPI: 0                               , VPN Monitoring: UP     Hard lifetime: Expires in 3880 seconds     Lifesize Remaining:  Unlimited     Soft lifetime: Expires in 3245 seconds     Mode: Tunnel(10 10), Type: dynamic, State: installed     Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (128 bits)     Anti-replay service: counter-based enabled, Replay window size: 64 <\/code><\/pre>\n<p>  \u041d\u0435\u043f\u043b\u043e\u0445\u043e \u0431\u044b \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u043a\u0430\u043a \u0442\u0430\u043c \u043e\u0442\u0440\u0430\u0431\u043e\u0442\u0430\u043b OSPF:  <\/p>\n<pre><code class=\"bash\">cartman@gw-jvsrx-1# run show ospf route  Topology default Route Table:  Prefix             Path  Route      NH       Metric NextHop       Nexthop                          Type  Type       Type            Interface     Address\/LSP 172.31.255.2       Intra Router     IP            1 st0.0 172.16.0.0\/30      Intra Network    IP            1 st0.0 172.16.1.0\/27      Intra Network    IP            1 ge-0\/0\/1.0 172.16.2.0\/27      Intra Network    IP            2 st0.0 <\/code><\/pre>\n<p>  \u2026 \u0418 \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0430\u0434\u0440\u0435\u0441\u043e\u0432 \u00ab\u043f\u043e \u0442\u0443 
\u0441\u0442\u043e\u0440\u043e\u043d\u0443\u00bb:  <\/p>\n<pre><code class=\"bash\">cartman@gw-jvsrx-1# run ping inet 172.16.0.2 interface ge-0\/0\/1.0 count 5  PING 172.16.0.2 (172.16.0.2): 56 data bytes 64 bytes from 172.16.0.2: icmp_seq=0 ttl=64 time=15.802 ms 64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=5.458 ms 64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=10.438 ms 64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=10.476 ms 64 bytes from 172.16.0.2: icmp_seq=4 ttl=64 time=5.445 ms  --- 172.16.0.2 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min\/avg\/max\/stddev = 5.445\/9.524\/15.802\/3.856 ms  cartman@gw-jvsrx-1# run ping inet 172.16.2.1 interface ge-0\/0\/1.0 count 5     PING 172.16.2.1 (172.16.2.1): 56 data bytes 64 bytes from 172.16.2.1: icmp_seq=0 ttl=64 time=11.051 ms 64 bytes from 172.16.2.1: icmp_seq=1 ttl=64 time=5.441 ms 64 bytes from 172.16.2.1: icmp_seq=2 ttl=64 time=4.553 ms 64 bytes from 172.16.2.1: icmp_seq=3 ttl=64 time=5.447 ms 64 bytes from 172.16.2.1: icmp_seq=4 ttl=64 time=5.542 ms  --- 172.16.2.1 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min\/avg\/max\/stddev = 4.553\/6.407\/11.051\/2.350 ms <\/code><\/pre>\n<p>  \u0422\u0443\u043d\u043d\u0435\u043b\u044c \u043f\u043e\u0434\u043d\u044f\u0442 \u0438 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u0443\u0435\u0442. 
\u0423\u0440\u0430!<\/p>\n<p>  \u041d\u0430 \u0432\u0441\u044f\u043a\u0438\u0439 \u0441\u043b\u0443\u0447\u0430\u0439 \u043f\u0440\u0438\u0432\u043e\u0436\u0443 \u043f\u043e\u043b\u043d\u0443\u044e \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">cartman@gw-jvsrx-1# show<\/b><\/p>\n<div class=\"spoiler_text\">cartman@gw-jvsrx-1# show <br \/>  system {<br \/>   host-name gw-jvsrx-1;<br \/>   time-zone Europe\/Moscow;<br \/>   root-authentication {<br \/>   encrypted-password \u00abYOUR_SECRET_ROOT_PASSWORD_HASH\u00bb; ## SECRET-DATA<br \/>   }<br \/>   name-resolution {<br \/>   no-resolve-on-input;<br \/>   }<br \/>   login {<br \/>   user cartman {<br \/>   full-name \u00abFIRST_NAME LAST_NAME\u00bb;<br \/>   uid 2000;<br \/>   class super-user;<br \/>   authentication {<br \/>   ssh-rsa \u00abssh-rsa YOUR_PUBLIC_RSA_KEY cartman@gw-jvsrx-1\u00bb; ## SECRET-DATA<br \/>   }<br \/>   }<br \/>   }<br \/>   services {<br \/>   ssh {<br \/>   root-login deny;<br \/>   protocol-version v2;<br \/>   client-alive-count-max 5;<br \/>   client-alive-interval 120;<br \/>   connection-limit 5;<br \/>   rate-limit 2;<br \/>   }<br \/>   dhcp {<br \/>   default-lease-time 21600;<br \/>   pool 172.16.1.0\/27 {<br \/>   address-range low 172.16.1.2 high 172.16.1.30;<br \/>   router {<br \/>   172.16.1.1;<br \/>   }<br \/>   propagate-settings ge-0\/0\/1.0;<br \/>   }<br \/>   }<br \/>   }<br \/>   ntp {<br \/>   server 0.pool.ntp.org prefer;<br \/>   server 1.pool.ntp.org;<br \/>   server 2.pool.ntp.org;<br \/>   server 3.pool.ntp.org;<br \/>   }<br \/>  }<br \/>  interfaces {<br \/>   ge-0\/0\/0 {<br \/>   unit 0 {<br \/>   family inet {<br \/>   dhcp;<br \/>   }<br \/>   }<br \/>   }<br \/>   ge-0\/0\/1 {<br \/>   unit 0 {<br \/>   family inet {<br \/>   address 172.16.1.1\/27;<br \/>   } <br 
\/>   }<br \/>   }<br \/>   lo0 {<br \/>   unit 0 {<br \/>   family inet {<br \/>   address 172.31.255.1\/32;<br \/>   }<br \/>   }<br \/>   }<br \/>   st0 {<br \/>   unit 0 {<br \/>   point-to-point;<br \/>   family inet {<br \/>   address 172.16.0.1\/30;<br \/>   }<br \/>   }<br \/>   }<br \/>  }<br \/>  routing-options {<br \/>   router-id 172.31.255.1;<br \/>  }<br \/>  protocols {<br \/>   ospf {<br \/>   area 0.0.0.0 {<br \/>   interface ge-0\/0\/1.0;<br \/>   interface st0.0 {<br \/>   interface-type p2p;<br \/>   hello-interval 10;<br \/>   flood-reduction;<br \/>   neighbor 172.16.0.2;<br \/>   }<br \/>   }<br \/>   }<br \/>  }<br \/>  security {<br \/>   pki {<br \/>   ca-profile openssl_root_ca {<br \/>   ca-identity openssl_root_ca;<br \/>   revocation-check {<br \/>   disable;<br \/>   }<br \/>   }<br \/>   }<br \/>   ike {<br \/>   respond-bad-spi 1;<br \/>   proposal ike-proposal-rsa {<br \/>   authentication-method rsa-signatures;<br \/>   dh-group group14;<br \/>   authentication-algorithm sha-256;<br \/>   encryption-algorithm aes-128-cbc;<br \/>   lifetime-seconds 3600;<br \/>   }<br \/>   policy ike-policy-rsa {<br \/>   mode main;<br \/>   proposals ike-proposal-rsa;<br \/>   certificate {<br \/>   local-certificate gw-jvsrx-1;<br \/>   peer-certificate-type x509-signature;<br \/>   }<br \/>   }<br \/>   gateway gw-jvsrx-2 { <br \/>   ike-policy ike-policy-rsa;<br \/>   address 192.168.136.138;<br \/>   dead-peer-detection {<br \/>   always-send;<br \/>   interval 10;<br \/>   }<br \/>   local-identity hostname gw-jvsrx-1.home.local;<br \/>   remote-identity hostname gw-jvsrx-2.home.local;<br \/>   external-interface ge-0\/0\/0.0;<br \/>   version v2-only;<br \/>   }<br \/>   }<br \/>   ipsec {<br \/>   proposal ipsec-proposal-rsa {<br \/>   protocol esp;<br \/>   authentication-algorithm hmac-sha-256-128;<br \/>   encryption-algorithm aes-128-cbc;<br \/>   lifetime-seconds 7200;<br \/>   }<br \/>   policy ipsec-policy-rsa {<br \/>   
perfect-forward-secrecy {<br \/>   keys group14;<br \/>   }<br \/>   proposals ipsec-proposal-rsa;<br \/>   }<br \/>   vpn gw-jvsrx-2 {<br \/>   bind-interface st0.0;<br \/>   vpn-monitor {<br \/>   source-interface ge-0\/0\/0.1;<br \/>   destination-ip 172.16.0.2;<br \/>   }<br \/>   ike {<br \/>   gateway gw-jvsrx-2;<br \/>   ipsec-policy ipsec-policy-rsa;<br \/>   }<br \/>   establish-tunnels immediately;<br \/>   }<br \/>   }<br \/>   nat {<br \/>   source {<br \/>   rule-set trust-to-untrust {<br \/>   from zone trust;<br \/>   to zone untrust;<br \/>   rule source-nat {<br \/>   match {<br \/>   source-address 0.0.0.0\/0;<br \/>   }<br \/>   then {<br \/>   source-nat {<br \/>   interface;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   policies {<br \/>   from-zone trust to-zone untrust {<br \/>   policy trust-to-untrust {<br \/>   match {<br \/>   source-address any; <br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   from-zone trust to-zone trust {<br \/>   policy trust-to-trust {<br \/>   match {<br \/>   source-address any;<br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   from-zone vpn to-zone trust {<br \/>   policy vpn-to-trust {<br \/>   match {<br \/>   source-address any;<br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   from-zone trust to-zone vpn {<br \/>   policy trust-to-vpn {<br \/>   match {<br \/>   source-address any;<br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   zones {<br \/>   security-zone untrust {<br \/>   interfaces {<br \/>   ge-0\/0\/0.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   ssh;<br 
\/>   ping;<br \/>   dhcp;<br \/>   ike;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   security-zone trust { <br \/>   interfaces {<br \/>   ge-0\/0\/1.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   all;<br \/>   }<br \/>   protocols {<br \/>   all;<br \/>   }<br \/>   }<br \/>   }<br \/>   lo0.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   ping;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   security-zone vpn {<br \/>   interfaces {<br \/>   st0.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   all;<br \/>   }<br \/>   protocols {<br \/>   all;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>  }<\/div>\n<\/div>\n<p>  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">cartman@gw-jvsrx-2# show<\/b><\/p>\n<div class=\"spoiler_text\">cartman@gw-jvsrx-2# show <br \/>  system {<br \/>   host-name gw-jvsrx-2;<br \/>   time-zone Europe\/Moscow;<br \/>   root-authentication {<br \/>   encrypted-password \u00abYOUR_SECRET_ROOT_PASSWORD_HASH\u00bb; ## SECRET-DATA<br \/>   }<br \/>   name-resolution {<br \/>   no-resolve-on-input;<br \/>   }<br \/>   login {<br \/>   user cartman {<br \/>   full-name \u00abFIRST_NAME LAST_NAME\u00bb;<br \/>   uid 2000;<br \/>   class super-user;<br \/>   authentication {<br \/>   ssh-rsa \u00abssh-rsa YOUR_PUBLIC_RSA_KEY cartman@gw-jvsrx-2\u00bb; ## SECRET-DATA<br \/>   }<br \/>   }<br \/>   }<br \/>   services {<br \/>   ssh {<br \/>   root-login deny;<br \/>   protocol-version v2;<br \/>   client-alive-count-max 5;<br \/>   client-alive-interval 120;<br \/>   connection-limit 5;<br \/>   rate-limit 2;<br \/>   }<br \/>   dhcp {<br \/>   default-lease-time 21600;<br \/>   pool 172.16.2.0\/27 {<br \/>   address-range low 172.16.2.2 high 172.16.2.30;<br \/>   router {<br \/>   172.16.2.1;<br \/>   }<br \/>   propagate-settings ge-0\/0\/1.0;<br \/>   }<br \/>   }<br \/>   }<br \/>   ntp {<br \/>   server 
0.pool.ntp.org prefer;<br \/>   server 1.pool.ntp.org;<br \/>   server 2.pool.ntp.org;<br \/>   server 3.pool.ntp.org;<br \/>   }<br \/>  }<br \/>  interfaces {<br \/>   ge-0\/0\/0 {<br \/>   unit 0 {<br \/>   family inet {<br \/>   dhcp;<br \/>   }<br \/>   }<br \/>   }<br \/>   ge-0\/0\/1 {<br \/>   unit 0 {<br \/>   family inet {<br \/>   address 172.16.2.1\/27;<br \/>   } <br \/>   }<br \/>   }<br \/>   lo0 {<br \/>   unit 0 {<br \/>   family inet {<br \/>   address 172.31.255.2\/32;<br \/>   }<br \/>   }<br \/>   }<br \/>   st0 {<br \/>   unit 0 {<br \/>   point-to-point;<br \/>   family inet {<br \/>   address 172.16.0.2\/30;<br \/>   }<br \/>   }<br \/>   }<br \/>  }<br \/>  routing-options {<br \/>   router-id 172.31.255.2;<br \/>  }<br \/>  protocols {<br \/>   ospf {<br \/>   area 0.0.0.0 {<br \/>   interface ge-0\/0\/1.0;<br \/>   interface st0.0 {<br \/>   interface-type p2p;<br \/>   hello-interval 10;<br \/>   flood-reduction;<br \/>   neighbor 172.16.0.1;<br \/>   }<br \/>   }<br \/>   }<br \/>  }<br \/>  security {<br \/>   pki {<br \/>   ca-profile openssl_root_ca {<br \/>   ca-identity openssl_root_ca;<br \/>   revocation-check {<br \/>   disable;<br \/>   }<br \/>   }<br \/>   }<br \/>   ike {<br \/>   respond-bad-spi 1;<br \/>   proposal ike-proposal-rsa {<br \/>   authentication-method rsa-signatures;<br \/>   dh-group group14;<br \/>   authentication-algorithm sha-256;<br \/>   encryption-algorithm aes-128-cbc;<br \/>   lifetime-seconds 3600;<br \/>   }<br \/>   policy ike-policy-rsa {<br \/>   mode main;<br \/>   proposals ike-proposal-rsa;<br \/>   certificate {<br \/>   local-certificate gw-jvsrx-2;<br \/>   peer-certificate-type x509-signature;<br \/>   }<br \/>   }<br \/>   gateway gw-jvsrx-1 { <br \/>   ike-policy ike-policy-rsa;<br \/>   address 192.168.136.137;<br \/>   dead-peer-detection {<br \/>   always-send;<br \/>   interval 10;<br \/>   }<br \/>   local-identity hostname gw-jvsrx-2.home.local;<br \/>   remote-identity hostname 
gw-jvsrx-1.home.local;<br \/>   external-interface ge-0\/0\/0.0;<br \/>   version v2-only;<br \/>   }<br \/>   }<br \/>   ipsec {<br \/>   proposal ipsec-proposal-rsa {<br \/>   protocol esp;<br \/>   authentication-algorithm hmac-sha-256-128;<br \/>   encryption-algorithm aes-128-cbc;<br \/>   lifetime-seconds 7200;<br \/>   }<br \/>   policy ipsec-policy-rsa {<br \/>   perfect-forward-secrecy {<br \/>   keys group14;<br \/>   }<br \/>   proposals ipsec-proposal-rsa;<br \/>   }<br \/>   vpn gw-jvsrx-1 {<br \/>   bind-interface st0.0;<br \/>   vpn-monitor {<br \/>   source-interface ge-0\/0\/0.1;<br \/>   destination-ip 172.16.0.1;<br \/>   }<br \/>   ike {<br \/>   gateway gw-jvsrx-1;<br \/>   ipsec-policy ipsec-policy-rsa;<br \/>   }<br \/>   establish-tunnels immediately;<br \/>   }<br \/>   }<br \/>   nat {<br \/>   source {<br \/>   rule-set trust-to-untrust {<br \/>   from zone trust;<br \/>   to zone untrust;<br \/>   rule source-nat {<br \/>   match {<br \/>   source-address 0.0.0.0\/0;<br \/>   }<br \/>   then {<br \/>   source-nat {<br \/>   interface;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   policies {<br \/>   from-zone trust to-zone untrust {<br \/>   policy trust-to-untrust {<br \/>   match {<br \/>   source-address any; <br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   from-zone trust to-zone trust {<br \/>   policy trust-to-trust {<br \/>   match {<br \/>   source-address any;<br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   from-zone vpn to-zone trust {<br \/>   policy vpn-to-trust {<br \/>   match {<br \/>   source-address any;<br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   from-zone trust to-zone vpn {<br \/>   policy 
trust-to-vpn {<br \/>   match {<br \/>   source-address any;<br \/>   destination-address any;<br \/>   application any;<br \/>   }<br \/>   then {<br \/>   permit;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   zones {<br \/>   security-zone untrust {<br \/>   interfaces {<br \/>   ge-0\/0\/0.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   ssh;<br \/>   ping;<br \/>   dhcp;<br \/>   ike;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   security-zone trust { <br \/>   interfaces {<br \/>   ge-0\/0\/1.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   all;<br \/>   }<br \/>   protocols {<br \/>   all;<br \/>   }<br \/>   }<br \/>   }<br \/>   lo0.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   ping;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   security-zone vpn {<br \/>   interfaces {<br \/>   st0.0 {<br \/>   host-inbound-traffic {<br \/>   system-services {<br \/>   all;<br \/>   }<br \/>   protocols {<br \/>   all;<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>   }<br \/>  }<\/div>\n<\/div>\n<div class=\"clear\"><\/div>\n<\/p><\/div>\n<p> Link to the original article: <a href=\"http:\/\/habrahabr.ru\/post\/230597\/\"> http:\/\/habrahabr.ru\/post\/230597\/<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-230597","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/230597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=230597"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/230597\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=230597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharb
or.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=230597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=230597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}