...

============================================================================

A Side:

#1- IKE Phase 1:

#1a- create ike proposal
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP lifetime-seconds 3600

#1b- create ike policy
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text juniper

#1c- create ike gateway
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 1.2.3.22 # remote peer address (the other side's external IP)
set security ike gateway IKE-GW external-interface ge-0/0/0


#2- allow IKE traffic inbound to untrusted zone
set security zones security-zone untrust host-inbound-traffic system-services ike


#3- IKE Phase 2 / IPSEC :

#3a- create ipsec proposal
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600

#3b- create ipsec policy
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

#3c- create ipsec vpn
set security ipsec vpn IPSEC-VPN vpn-monitor
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security ipsec vpn IPSEC-VPN bind-interface st0.1


set interfaces st0 unit 1 family inet
set security zones security-zone VPN interfaces st0.1
set routing-options static route 11.11.11.0/24 next-hop st0.1


#4- Configure sec policy between zones

set security address-book global address Network-A 10.10.10.0/24
set security address-book global address Network-B 11.11.11.0/24

...


============================================================================

B Side:

#1- IKE Phase 1:

#1a- create ike proposal
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP lifetime-seconds 3600

#1b- create ike policy
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text juniper

#1c- create ike gateway
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 1.2.3.21 # remote peer address (the other side's external IP)
set security ike gateway IKE-GW external-interface ge-0/0/0


#2- allow IKE traffic inbound to untrusted zone
set security zones security-zone untrust host-inbound-traffic system-services ike


#3- IKE Phase 2 / IPSEC :

#3a- create ipsec proposal
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600

#3b- create ipsec policy
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

#3c- create ipsec vpn
set security ipsec vpn IPSEC-VPN vpn-monitor
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security ipsec vpn IPSEC-VPN bind-interface st0.1

...

set interfaces st0 unit 1 family inet
#set security zones security-zone VPN
set security zones security-zone VPN interfaces st0.1
set routing-options static route 10.10.10.0/24 next-hop st0.1


#4- Configure sec policy between zones

set security address-book global address Network-A 10.10.10.0/24
set security address-book global address Network-B 11.11.11.0/24

...
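The two sides must agree on every negotiated parameter (proposals, PFS group, pre-shared key) and differ only in the peer address and the prefix routed into the tunnel. The checker below is an added example, not part of this page or any Juniper tool: it parses the `set` lines of both sides, reports mismatches, overlapping tunnel routes, a short pre-shared key and settings a reviewer would flag today (SHA-1 integrity, DH/PFS group 5). It assumes Python 3.8+ and the constructed inputs embedded in it.

```python
import re
# Constructed sample: A-side parameter lines from this page; B side differs only in peer address and routed prefix.
SIDE_A = """\
set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike policy IKE-POL pre-shared-key ascii-text juniper
set security ike gateway IKE-GW address 1.2.3.22
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set routing-options static route 11.11.11.0/24 next-hop st0.1
"""
SIDE_B = SIDE_A.replace("1.2.3.22", "1.2.3.21").replace("11.11.11.0/24", "10.10.10.0/24")
# "set security ike proposal IKE-PROP dh-group group5" -> section "ike proposal", key "dh-group", value "group5"
SET_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy|gateway) \S+ (.+) (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop st0\.\d+$")
PSK_KEY = ("ike policy", "pre-shared-key ascii-text")
REMOTE_KEY = ("ike gateway", "address")

def parse(config):
    """Return ({(section, key): value}, {prefixes routed into the st0 tunnel})."""
    params, routes = {}, set()
    for line in config.splitlines():
        if m := SET_RE.match(line.strip()):
            params[(f"{m[1]} {m[2]}", m[3])] = m[4]
        elif r := ROUTE_RE.match(line.strip()):
            routes.add(r[1])
    return params, routes

def weak(value):
    """Reason a negotiated value would be flagged in review today, or None."""
    if "sha1" in value or "md5" in value:
        return "SHA-1/MD5 integrity"
    return "DH group below 2048 bits" if value in ("group1", "group2", "group5") else None

def check_pair(cfg_a, cfg_b):
    """Cross-check two peers; return a list of findings (an empty list means clean)."""
    (pa, ra), (pb, rb) = parse(cfg_a), parse(cfg_b)
    findings = []
    for key in sorted(set(pa) | set(pb)):  # remote address must differ, all else must agree
        same = pa.get(key) == pb.get(key)
        if same == (key == REMOTE_KEY):
            findings.append(f"{'same' if same else 'mismatch'} {key[0]} {key[1]}: A={pa.get(key)} B={pb.get(key)}")
    if ra & rb:
        findings.append(f"same prefix routed into the tunnel on both sides: {sorted(ra & rb)}")
    if len(pa.get(PSK_KEY, "")) < 16:
        findings.append(f"pre-shared key is only {len(pa.get(PSK_KEY, ''))} characters")
    findings += [f"weak {k[0]} {k[1]}={v} ({weak(v)})" for k, v in pa.items() if k != PSK_KEY and weak(v)]
    return findings
```

Run `check_pair(SIDE_A, SIDE_B)` against the page's values to see the five findings (short key, SHA-1 on both phases, group 5 for IKE and PFS); swap in `show configuration | display set` output from the two boxes to check a real pair.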