VPN Juniper SRX x Linux Racoon

Durante testes em clientes, consegui estabelecer um túnel IPsec entre um Juniper SRX e um Linux com Racoon; do lado do Juniper, consegui fechar o túnel em modo route-based.


Seguem ambos os provisionamentos abaixo. Observação: a chave pré-compartilhada do SRX aparece no formato `$9$`, que é apenas uma ofuscação reversível (não um hash); o valor mostrado aqui deve ser tratado como exemplo e substituído por um segredo próprio.

Linux Racoon

#peer ths-client.conf

# Phase 1 (IKE) settings for the SRX peer. The SRX listing on this page
# uses main mode, pre-shared keys, dh-group group2, authentication sha1 and
# encryption 3des-cbc, so the proposal below mirrors it line for line.
# NOTE(review): 200.0.0.1 is also the value of my_identifier below, and the
# SRX listing uses 200.0.0.1 as its gateway *address* (i.e. the racoon host).
# The address after "remote" is expected to be the SRX peer, so this looks
# like a transcription issue -- confirm before reusing.
remote 200.0.0.1

{

        exchange_mode main;

        # our own ID payload; matches the SRX "remote-identity inet 200.0.0.1"
        my_identifier address 200.0.0.1;

        # expected peer ID; matches the SRX "local-identity inet 10.1.1.1"
        peers_identifier address 10.1.1.1;

                # reject the peer if its ID payload differs from peers_identifier
                verify_identifier on;

        # allow UDP encapsulation when a NAT sits between the peers
        nat_traversal on;

        # NOTE(review): 3des, sha1 and dh_group 2 (modp1024) are legacy choices
        # kept here to match the SRX proposal -- confirm they are really required
        # by the peer before reusing this profile elsewhere.
        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key;

                dh_group 2;

        }

}

# Lan-to-Lan

# Phase 2 SA for 10.33.0.0/22 <-> 10.1.0.0/16.
# The SRX listing uses a single proxy-identity (local 10.1.0.0/16,
# remote 10.33.0.0/21) and a static route for 10.33.0.0/21 via st0.12; this
# /22 and the 10.33.4.0/22 entry below together cover that /21.
# NOTE(review): racoon carries two /22 selectors while the SRX carries one
# /21 -- confirm both SAs actually negotiate, since a proxy-ID that does not
# match exactly is a common cause of phase 2 failures.
sainfo subnet 10.33.0.0/22 any subnet 10.1.0.0/16 any

{

        #phase2

        # matches SRX "perfect-forward-secrecy keys group2"
        pfs_group modp1024;

        # matches SRX "encryption-algorithm 3des-cbc" (legacy cipher, kept for parity)
        encryption_algorithm 3des;

        # matches SRX "authentication-algorithm hmac-sha1-96"
        authentication_algorithm hmac_sha1;

        # NOTE(review): the SRX listing configures no IPComp; presumably this
        # is only proposed when the SPD requests compression -- verify.
        compression_algorithm deflate;

}

# Lan-to-Lan

# Phase 2 SA for 10.33.4.0/22 <-> 10.1.0.0/16 (second half of the
# 10.33.0.0/21 that the SRX uses as remote proxy-identity and static route).
# Same algorithm set as the 10.33.0.0/22 entry above so both SAs line up
# with the single SRX ipsec policy.
sainfo subnet 10.33.4.0/22 any subnet 10.1.0.0/16 any

{

        #phase2

        # matches SRX "perfect-forward-secrecy keys group2"
        pfs_group modp1024;

        # matches SRX "encryption-algorithm 3des-cbc" (legacy cipher, kept for parity)
        encryption_algorithm 3des;

        # matches SRX "authentication-algorithm hmac-sha1-96"
        authentication_algorithm hmac_sha1;

        # NOTE(review): no IPComp counterpart in the SRX listing -- verify it is
        # not being proposed, or that the peer simply ignores it.
        compression_algorithm deflate;

}

Juniper SRX

set interfaces st0 unit 12 family inet

set routing-options static route 10.33.0.0/21 next-hop st0.12

set security ike proposal client description VPN-CLIENT

set security ike proposal client authentication-method pre-shared-keys

set security ike proposal client dh-group group2

set security ike proposal client authentication-algorithm sha1

set security ike proposal client encryption-algorithm 3des-cbc

set security ike policy ike-pol-client mode main

set security ike policy ike-pol-client proposals client

set security ike policy ike-pol-client pre-shared-key ascii-text "$9$Ddid2d1ed1d1d1erq$@R@Re"

set security ike gateway ike-gw-client ike-policy ike-pol-client

set security ike gateway ike-gw-client address 200.0.0.1

set security ike gateway ike-gw-client local-identity inet 10.1.1.1

set security ike gateway ike-gw-client remote-identity inet 200.0.0.1

set security ike gateway ike-gw-client external-interface reth5.0

set security ipsec proposal IPSEC-VPN-CLIENT protocol esp

set security ipsec proposal IPSEC-VPN-CLIENT authentication-algorithm hmac-sha1-96

set security ipsec proposal IPSEC-VPN-CLIENT encryption-algorithm 3des-cbc

set security ipsec policy ipsec-pol-client perfect-forward-secrecy keys group2

set security ipsec policy ipsec-pol-client proposals IPSEC-VPN-CLIENT

set security ipsec vpn ipsec-vpn-client bind-interface st0.12

set security ipsec vpn ipsec-vpn-client ike gateway ike-gw-client

set security ipsec vpn ipsec-vpn-client ike proxy-identity local 10.1.0.0/16

set security ipsec vpn ipsec-vpn-client ike proxy-identity remote 10.33.0.0/21

set security ipsec vpn ipsec-vpn-client ike ipsec-policy ipsec-pol-client

set security ipsec vpn ipsec-vpn-client establish-tunnels immediately

.