|
|
|
|
— |
ru:jobs:vpn_gcloud_srx [2017/04/08 13:17] (current)
admin created |
| | =======Configuring VPN IPSEC between Juniper SRX and Google Cloud Platform (GCP) ======= |
| | ==== Introduction. ==== |
| |
| | |
| | **Juniper SRX**:\\ |
| | GLOBAL IP: 91.208.39.16\\ |
| | Local Network: 192.168.0.0/16\\ |
| | |
| | **GCP**:\\ |
| | GLOBAL assigned static IP: 130.211.235.196\\ |
| | Local Network: 10.128.0.0/20\\ |
| | |
| | For this example will be used pre shared key: test \\ |
| | |
| | Google cloud platfrom are using following IKE, IPSEC policies.\\ |
| | |
| | **IKE policy:**\\ |
| | encryption: aes128\\ |
| | hash: sha1\\ |
| | Diffie-Hellman group: 2\\ |
| | |
| | |
| | **IPSEC policy:**\\ |
| | encryption: aes128\\ |
| | hash: hmac_sha1\\ |
| | Diffie-Hellman group: 2 |
| | |
| | **VPN** - tunnel mode esp |
| | ==== Configuring GCP. ==== |
| | |
| | 1. Create Project in the chosen ZONE |
| | |
| | For example the project with name of pr1-163914 was created in us-central1 ZONE.\\ |
| | Default local network for this ZONE - 10.128.0.0/20 |
| | |
| | 2. Creating VPN router\\ |
| | |
| | For example name of router vpn-1 and assigned static GLOBAL IP. In this example - 130.211.235.196\\ |
| | |
| | gcloud compute --project "pr1-163914" target-vpn-gateways create "vpn-1" --region "us-central1" --network "default" |
| | gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "130.211.235.196" --ip-protocol "ESP" --target-vpn-gateway "vpn-1" |
| | gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "vpn-1" |
| | gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp4500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "vpn-1" |
| | gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "91.208.39.16" --shared-secret "text" --ike-version "2" --target-vpn-gateway "vpn-1" |
| | gcloud compute --project "avtest1-163914" routes create "vpn-1-tunnel-1-route-1" --network "default" --next-hop-vpn-tunnel "vpn-1-tunnel-1" next-hop-vpn-tunnel-region "us-central1" --destination-range "192.168.0.0/16" |
| | |
| | ==== Configuring Juniper. ==== |
| | |
| | 1. Create ST interface:\\ |
| | |
| | {primary:node1}[edit] |
| | set interfaces st0 unit 0 description GCP |
| | set interfaces st0 unit 0 family inet mtu 1460 |
| | |
| | |
| | 2. Configuring three security zones on the Juniper:\\ |
| | |
| | {primary:node1}[edit] |
| | set security zones security-zone ISPs interfaces reth0.0 |
| | set security zones security-zone Internal interfaces reth1.0 |
| | set security zones security-zone Tunnels st0.0 |
| | |
| | |
| | 3. Configuring security policies (for this example I will not configure detail policy.)\\ |
| | |
| | {primary:node1}[edit] |
| | set security policies default-policy permit-all |
| | |
| | |
| | 4. Configuring IKE |
| | |
| | {primary:node1}[edit] |
| | set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys |
| | set security ike proposal IKE_PRO_GOOGLE dh-group group2 |
| | set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1 |
| | set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc |
| | set security ike proposal IKE_PRO_GOOGLE lifetime-seconds 28800 |
| | |
| | set security ike policy IKE_POL_GOOGLE mode main |
| | set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE |
| | set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text |
| | |
| | set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE |
| | set security ike gateway GOOGLE address 130.211.235.196 |
| | set security ike gateway GOOGLE local-identity inet 91.208.39.16 |
| | set security ike gateway GOOGLE external-interface reth0.0 |
| | set security ike gateway GOOGLE version v2-only |
| | |
| | |
| | 5. Configuring IPSEC |
| | |
| | {primary:node1}[edit] |
| | set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp |
| | set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96 |
| | set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc |
| | set security ipsec proposal IPSEC_PRO_GOOGLE lifetime-seconds 3600 |
| | |
| | set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2 |
| | set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE |
| | |
| | set security ipsec vpn VPN_GOOGLE bind-interface st0.0 |
| | set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE |
| | set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE |
| | |
| | 6. Configuring routing |
| | |
| | {primary:node1}[edit] |
| | set routing-options static route 10.128.0.0/20 next-hop st0.0 |
| | |
| | |
| | |
| | 7. Commit |
| | |
| | {primary:node1}[edit] |
| | commit |
| | |
| | |
| | |
| | ==== About author ==== |
| | [[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] of the author |
Главная страница
