Sunday, December 29, 2013

Free DNS Round Robin

Out of curiosity, and partly out of need, I wanted to load balance a web page I run. The site has been on free hosting providers because its traffic is low, but lately it has grown considerably, and to avoid hitting the data transfer limit allowed by the provider I decided to load balance it with another free host by means of DNS.

The DNS load balancing technique is called Round Robin: when my domain's A record is queried, the answer is not a single IP every time; instead the IPs are rotated across successive queries from the same host.
Many domains use this load balancing technique, google for example: if you dig google's domain you will see a long list of IPs across which google balances load towards its servers with this technique.
You can verify this by running the following command line:
#watch dig google.com

Without my knowing it until now, my free DNS host, afraid FreeDNS, has offered this for years: to get load balancing working it is enough to add more than one A record with different IPs.

In the gif below you can see DNS Round Robin in action: I run two commands, the first shows the list of NS records and the second queries the A records every two seconds thanks to the watch command.
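To make the rotation concrete, here is an added Python simulation (not code from the post): an authoritative zone that rotates its A records on every query, as described above, plus a caching resolver in front of it, which the post does not cover but which decides what a client actually sees, since a cached answer is served unchanged until its TTL expires. Hostname, IPs and TTL are constructed values.

```python
"""DNS round robin, simulated end to end.

Added example, not code from the original post. It models the behaviour the
post describes (an authoritative zone answering with the same A records,
rotated on every query) and adds a caching resolver in front of the zone,
which is why per-client balancing depends on the record TTL.
The hostname, IPs and TTL are constructed for the example.
"""
from collections import Counter


class RoundRobinZone:
    """Authoritative side: same record set, rotated by one position per query."""

    def __init__(self, name, a_records, ttl=60):
        self.name = name
        self.records = list(a_records)
        self.ttl = ttl
        self._offset = 0

    def answer(self, qname):
        if qname != self.name:
            return []  # a real server would answer NXDOMAIN
        rotated = self.records[self._offset:] + self.records[:self._offset]
        self._offset = (self._offset + 1) % len(self.records)
        return rotated


class CachingResolver:
    """Recursive resolver that keeps an answer until the zone's TTL expires.

    Every client behind it gets the cached order until then, so rotation is
    observed per resolver and per TTL, not per query.
    """

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}  # qname -> (expires_at, answer)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit is not None and hit[0] > now:
            return hit[1]
        answer = self.zone.answer(qname)
        self.cache[qname] = (now + self.zone.ttl, answer)
        return answer


def first_answer_distribution(lookup, qname, queries, step=1):
    """Count which IP came first (the one most clients connect to) over
    `queries` lookups issued `step` seconds apart.
    `lookup(qname, now)` must return the answer list."""
    counts = Counter()
    for i in range(queries):
        answer = lookup(qname, i * step)
        if answer:
            counts[answer[0]] += 1
    return counts


def is_balanced(counts, n_records, max_ratio=1.5):
    """True when every record came first at least once and the most chosen
    record got at most max_ratio times the least chosen one."""
    if not counts or len(counts) < n_records:
        return False
    return max(counts.values()) <= max_ratio * min(counts.values())


if __name__ == "__main__":
    records = ["198.51.100.10", "203.0.113.20"]  # constructed sample IPs
    zone = RoundRobinZone("www.example.test", records, ttl=60)
    direct = first_answer_distribution(lambda q, now: zone.answer(q), zone.name, 10)
    print("direct queries:", dict(direct), "balanced:", is_balanced(direct, 2))

    resolver = CachingResolver(RoundRobinZone("www.example.test", records, ttl=60))
    cached = first_answer_distribution(resolver.resolve, zone.name, 10, step=1)
    print("via cache, 1 s apart:", dict(cached), "balanced:", is_balanced(cached, 2))
    spaced = first_answer_distribution(resolver.resolve, zone.name, 10, step=61)
    print("via cache, 61 s apart:", dict(spaced), "balanced:", is_balanced(spaced, 2))
```

Run directly, the script shows the two faces of the technique: queries that reach the authoritative side alternate evenly, while queries answered from a cache all land on the same IP until the TTL runs out. That is the reason a low TTL matters when round robin is used on a free DNS host for balancing.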


Cheers!
Hernan

Thursday, October 31, 2013

KDE Does Not Load Correctly

It is terrible to install a Linux distro with KDE and see that the moment KDM starts, the screen freezes and looks horrible!

This happened to me a while ago with several distros in their latest versions. In my case the reason is that my video card does not support some of the new KDE effects, so the workaround I found is to disable the effects from the command line with the kwriteconfig command.


What is KDM? KDE Display Manager

What is kwriteconfig? Write KConfig entries

Workaround: https://wiki.archlinux.org/index.php/KDE#KDE4_does_not_finish_loading


In the console run: kwriteconfig --file kwinrc --group Compositing --key Enabled false



I hope you liked it! If you wish, leave a comment. Regards!

Monday, October 21, 2013

Juniper SRX Dual WAN with NHTB Full Mesh VPN and OSPF


This post covers a lab with Juniper SRX firewalls, each with 2 WAN links simulating different ISPs, where we will configure 2 NHTB Full Mesh VPNs, one VPN per WAN link, in order to get high availability, with dynamic OSPF routing inside the tunnel links.

Most of the configuration will be done with NSM: the VPNs will be created with the VPN Manager and OSPF will be configured there; other settings will not be covered, since they are assumed to be loaded before adding the SRXs to NSM. The step by step includes screenshots of the NSM GUI followed by the command lines of the configuration, ready to copy and paste into the firewalls.


Some definitions before we begin:

WAN
ISP
Juniper SRX
Juniper NSM
VPN
NHTB (Juniper PDF)
OSPF
Martian Packets
Junos Martian Routes (Purpose)


The following diagram is an example of a Full Mesh VPN with NHTB, where we can see that n peers are associated with the same tunnel interface.


The following diagram is the one we will use for our lab.




Preliminary configuration for the SRXs, with the strictly necessary parts highlighted in orange in the original post:

SRX100

set system host-name SRX100.1
set interfaces ge-0/0/0 description WAN1
set interfaces ge-0/0/0 unit 0 family inet address 10.202.0.10/24
set interfaces ge-0/0/1 description WAN2
set interfaces ge-0/0/1 unit 0 family inet address 10.203.0.10/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 description P2P
set interfaces fe-0/0/7 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 201.1.2.63/32 next-hop 10.202.0.1
set routing-options static route 200.1.2.63/32 next-hop 10.203.0.1
set routing-options static route 202.1.2.10/32 next-hop 10.202.0.1
set routing-options static route 10.201.0.10/32 next-hop 10.203.0.1
set routing-options static route 10.100.30.77/32 next-hop 10.5.40.204
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit
set security policies policy-rematch
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone P2P host-inbound-traffic system-services all
set security zones security-zone P2P host-inbound-traffic protocols all
set security zones security-zone P2P interfaces fe-0/0/7.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

SRX210

set system host-name SRX210.2
set interfaces ge-0/0/0 unit 0 family inet address 202.1.2.10/24
set interfaces ge-0/0/1 description "BrokenPort :("
set interfaces ge-0/0/1 disable
set interfaces ge-0/0/1 unit 0
set interfaces ge-0/0/2 unit 0 family inet address 10.201.0.10/24
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 description P2P
set interfaces ge-0/0/7 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.2.1/24
set routing-options static route 10.202.0.10/32 next-hop 202.1.2.2
set routing-options static route 10.203.0.10/32 next-hop 10.201.0.1
set routing-options static route 201.1.2.63/32 next-hop 202.1.2.2
set routing-options static route 200.1.2.63/32 next-hop 10.201.0.1
set routing-options static route 10.100.30.77/32 next-hop 10.5.40.204
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit
set security policies policy-rematch
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone P2P host-inbound-traffic system-services all
set security zones security-zone P2P host-inbound-traffic protocols all
set security zones security-zone P2P interfaces ge-0/0/7.0
set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

SRX240

set system host-name SRX240.3
set interfaces ge-0/0/0 description WAN1
set interfaces ge-0/0/0 unit 0 family inet address 201.1.2.63/24
set interfaces ge-0/0/1 description WAN2
set interfaces ge-0/0/1 unit 0 family inet address 200.1.2.63/24
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 description vlan-201
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-201
set interfaces ge-0/0/6 description vlan-202
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-202
set interfaces ge-0/0/7 description vlan-203
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-203
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces ge-0/0/14 description Trunk-Router
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/14 unit 0 family ethernet-switching native-vlan-id 100
set interfaces ge-0/0/15 description Net-Company
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-Switch
set interfaces vlan unit 0 family inet address 192.168.3.1/24
set interfaces vlan unit 1 description "P2P Zone - vlan-Switch"
set interfaces vlan unit 1 family inet address 10.5.40.251/24
set routing-options static route 10.202.0.10/32 next-hop 201.1.2.2
set routing-options static route 202.1.2.10/32 next-hop 201.1.2.2
set routing-options static route 10.203.0.10/32 next-hop 200.1.2.2
set routing-options static route 10.201.0.10/32 next-hop 200.1.2.2
set routing-options static route 10.100.30.77/32 next-hop 10.5.40.204
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone P2P policy trust-to-P2P match source-address any
set security policies from-zone trust to-zone P2P policy trust-to-P2P match destination-address any
set security policies from-zone trust to-zone P2P policy trust-to-P2P match application any
set security policies from-zone trust to-zone P2P policy trust-to-P2P then permit
set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit
set security policies policy-rematch
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone P2P host-inbound-traffic system-services all
set security zones security-zone P2P host-inbound-traffic protocols all
set security zones security-zone P2P interfaces vlan.1
set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set vlans vlan-201 vlan-id 201
set vlans vlan-202 vlan-id 202
set vlans vlan-203 vlan-id 203
set vlans vlan-Switch vlan-id 100
set vlans vlan-Switch l3-interface vlan.1                  
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0




Adding the devices to NSM

The first step in NSM is to add the devices, so that the VPN can then be created with the VPN Manager.

Procedure:

Log in to NSM



In Configure go to Devices and click the + button



Choose the option: Device Is Not Reachable.

Note: This option lets us add remote devices whose IP we do not know, or whose IP may change; the main advantage of this connection type is that the firewall, in our case, is always the one that initiates the connection to NSM.
In our example NSM sits on a private network, but NSM's services could also be published on the Internet.


Fill in the hardware model and software version as appropriate:

Note: The commands show version and show chassis hardware help to find the Junos version and the device model.


Fill in Admin User, Admin Password and One-Time Password, then click Show Device Commands:


Select and copy the commands to paste into the SRX



In the SRX console type load set terminal and paste the commands above.



Finally, the devices added to NSM must be imported: select the device, right click, Import.

Note: Repeat all these steps for the remaining devices.



Creating a loopback interface for the OSPF router id

Procedure:

Double click the SRX100 and go to the Configurations tab:
Interfaces -> Interface List -> + button -> lo0 loopback interface


In the new window go to Unit


+ button


In the new window set unit to 0 (zero) and go to Family -> Inet


Click Enable Feature and go to Address


+ button


In Name enter the router id IP: 1.1.1.1/32



Click Ok



Configuring OSPF, Area 0 and router-id

Procedure:

In the Configurations tab -> Protocols -> OSPF -> Area -> + button


Go to Interface -> click the + button

In Name type: vlan.0


Go to Passive and check Enable Feature


Click Ok

In the Configurations tab go to Routing Options

In router id enter the loopback interface IP: 1.1.1.1


Click Ok


Note: If we want to let our neighbors know that certain routes we are not directly connected to are reachable through us, we need to create a filter and export it in the OSPF configuration.

Procedure:

In the Configurations tab -> Policy Statement -> + button


In Name enter a name: export-policy


Go to Term -> + button

Assign a name: term1


In the same window go to From -> Route Filter -> + button


In Address enter a network: 10.0.4.0/24


In the same window go to Exact and select Exact


Click Ok

Go to Then and select accept


Click Ok


To export the policy we created:
Go to the Configurations tab -> Protocols -> OSPF -> Export



Select the policy we created and click the Add button


Click Ok



Using VPN Manager

Procedure:

In NSM go to VPN Manager and click Create new IKE VPN



Give the VPN a name and select Route Based:

Note: In the screenshot the VPN name contains spaces, but to avoid errors it is best not to use spaces, because NSM will later push this name into the devices' configuration.

Click OK

Click Device under Route Based Configurations and in Primary Zone select VPN:


Click OK

Click the + button in the open window.

Select the devices that will take part in the Full Mesh VPN:


Click OK

Double click the devices we added:


Click OK

In the new window configure the IP and Mask:

Note: For the Full Mesh VPN over WAN1 we will use the network 10.10.10.0/24 and assign an IP to each device's interface accordingly, for example the SRX100 gets 10.10.10.1, the SRX210 gets 10.10.10.2, and so on.


SRX100:
SRX210:
SRX240:

Click OK

Click Routes and then double click each Source Device in order to associate the OSPF Area:

Note: In our case we will use a single OSPF area for everything.


Click OK

Click Topology and select all the Mains to achieve the Mesh:


Click OK


Click OK

Click Gateway Parameters, go to the Security tab and enter our Preshared Key:



Click OK


Click AutoKey IKE Parameters and select Replay Protection, VPN Monitor, Rekey and Optimized:


Click OK

Click AutoConnect VPN Parameters and then click the Import button:



Click Ok and then click the Save button.

We will now enable Dead Peer Detection and then change the MTU of the tunnel interfaces.

Click Device Configuration under Overrides

Expand the SRX100 options and select Gateway:


Double click the first IKE Gateway

Select Dead Peer Detection and check Enable Feature:


Repeat this step with the second IKE Gateway and then with the 2 remaining devices.

To change the MTU of the tunnel interface select st0 and then double click the unit:


Go to Unit and double click 0


Navigate to Family, Inet and change the MTU to 1514:



Click the Ok button and then Save


For the VPN over WAN2 repeat all the steps and, when you reach the termination points, switch to the WAN2 interfaces






Extra configuration required on the SRXs:

The tunnel interfaces must be set to interface type p2mp with Dynamic Neighbors.

Go to Configure -> Devices and double click the SRX100

Then go to the Configuration tab -> Protocols -> OSPF -> Area -> 0.0.0.0


Double click the tunnel interface:


In Interface Type select p2mp and Dynamic Neighbors:



Prevent alternate routes: override the routes towards the OSPF peers

Create static routes to our peers in order to prevent OSPF flapping.

Go to Routing Options -> Static -> Routes

Click the + button


In our lab there are 3 firewalls in the equation, so 4 routes must be added on each firewall: 2 routes to the 2 peers of the VPN over WAN1 and 2 routes to the 2 peers of the VPN over WAN2:

SRX100:
10.10.10.2/32 next-hop 10.10.10.2 -> st0.0 to SRX210
10.10.10.3/32 next-hop 10.10.10.3 -> st0.0 to SRX240
20.20.20.2/32 next-hop 20.20.20.2 -> st0.1 to SRX210
20.20.20.3/32 next-hop 20.20.20.3 -> st0.1 to SRX240

We will show the example for IP 10.10.10.2:


In Next Hop click the + button and enter the IP 10.10.10.2


Finally, repeat the steps to add the remaining routes on the SRX100 and then on the other firewalls.

Note: For the other SRXs the static routes are the following:

SRX210:

10.10.10.1 next-hop 10.10.10.1 -> st0.0 to SRX100
10.10.10.3 next-hop 10.10.10.3 -> st0.0 to SRX240
20.20.20.1 next-hop 20.20.20.1 -> st0.1 to SRX100
20.20.20.3 next-hop 20.20.20.3 -> st0.1 to SRX240

SRX240:

10.10.10.1 next-hop 10.10.10.1 -> st0.0 to SRX100
10.10.10.2 next-hop 10.10.10.2 -> st0.0 to SRX210
20.20.20.1 next-hop 20.20.20.1 -> st0.1 to SRX100
20.20.20.2 next-hop 20.20.20.2 -> st0.1 to SRX210
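The rule above (3 firewalls, so 4 static host routes each) and the per-device route lists generalise to any mesh size. The Python script below is an added example, not the post's own tooling: for each mesh member it generates the st0 unit lines with their next-hop-tunnel bindings and the pinned /32 static routes, for any number of members. Device names and tunnel IPs are the post's lab values, TUNNEL_MTU is the 1514 the post sets, and the ipsec-vpn names it emits are constructed placeholders, since NSM assigns its own names.

```python
"""Per-device NHTB full-mesh lines for n SRX firewalls, generated.

Added example, not the post's own tooling. It generalises the post's rule
(3 firewalls, 4 static host routes per firewall, 2 per WAN tunnel) to any
number of members: per tunnel interface, each member needs one next-hop-tunnel
binding and one pinned /32 static route for every other member.
Device names and tunnel addresses are the post's lab values; the ipsec-vpn
names are constructed placeholders (NSM generates its own).
"""

# name -> {st0 unit: this device's tunnel IP on that unit}
MEMBERS = [
    {"name": "SRX100", "tunnels": {0: "10.10.10.1", 1: "20.20.20.1"}},
    {"name": "SRX210", "tunnels": {0: "10.10.10.2", 1: "20.20.20.2"}},
    {"name": "SRX240", "tunnels": {0: "10.10.10.3", 1: "20.20.20.3"}},
]
TUNNEL_MTU = 1514      # MTU the post sets on st0 family inet
TUNNEL_PREFIXLEN = 24  # the post's /24 tunnel networks


def routes_needed(n_members, n_wans):
    """Static host routes each member needs: one per peer per WAN tunnel."""
    return n_wans * (n_members - 1)


def peers_of(member, members):
    """Every other member of the mesh, in list order."""
    return [m for m in members if m["name"] != member["name"]]


def vpn_name(member, peer, unit):
    """Constructed placeholder; NSM names the ipsec-vpn objects itself."""
    return f"vpn-{member['name']}-{peer['name']}-WAN{unit + 1}"


def tunnel_interface_lines(member, members):
    """st0 unit: multipoint, MTU, one NHTB entry per peer, then the address."""
    lines = []
    for unit, ip in sorted(member["tunnels"].items()):
        lines.append(f"set interfaces st0 unit {unit} multipoint")
        lines.append(f"set interfaces st0 unit {unit} family inet mtu {TUNNEL_MTU}")
        for peer in peers_of(member, members):
            peer_ip = peer["tunnels"][unit]
            lines.append(
                f"set interfaces st0 unit {unit} family inet next-hop-tunnel "
                f"{peer_ip} ipsec-vpn {vpn_name(member, peer, unit)}"
            )
        lines.append(f"set interfaces st0 unit {unit} family inet address {ip}/{TUNNEL_PREFIXLEN}")
    return lines


def static_route_lines(member, members):
    """Pin each peer's tunnel IP with a /32 whose next hop is that same IP.

    The static route (preference 5) beats OSPF (preference 10), so a path to
    the peer learned via another member can never take over: this is the
    post's "prevent alternate routes" step."""
    lines = []
    for unit in sorted(member["tunnels"]):
        for peer in peers_of(member, members):
            peer_ip = peer["tunnels"][unit]
            lines.append(f"set routing-options static route {peer_ip}/32 next-hop {peer_ip}")
    return lines


def device_config(member, members):
    """Everything this generator knows about for one member, in load order."""
    return tunnel_interface_lines(member, members) + static_route_lines(member, members)


if __name__ == "__main__":
    for m in MEMBERS:
        print(f"# {m['name']}")
        print("\n".join(device_config(m, MEMBERS)))
        print()
```

For the SRX100 the generated static routes are exactly the four the post lists; for a five-member mesh the same function emits eight per device, which is the count to expect before pushing the configuration.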

In NSM run an Update of the devices to push the configuration changes.



Below are the commands for the configuration done through NSM:

SRX100

Tunnel interface configuration:

set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1514
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn vpn58-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn vpn60-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet address 10.10.10.1/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet mtu 1514
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.3 ipsec-vpn vpn58-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.2 ipsec-vpn vpn60-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set interfaces vlan unit 0 family inet address 192.168.1.1/24

OSPF:

set routing-options router-id 1.1.1.1

set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors

set protocols ospf export export-policy
set policy-options policy-statement export-policy term term1 from route-filter 10.0.4.0/24 exact
set policy-options policy-statement export-policy term term1 then accept

Static routes:

set routing-options static route 10.10.10.2/32 next-hop 10.10.10.2
set routing-options static route 10.10.10.3/32 next-hop 10.10.10.3
set routing-options static route 20.20.20.2/32 next-hop 20.20.20.2
set routing-options static route 20.20.20.3/32 next-hop 20.20.20.3

Binding the tunnel interfaces to the VPN zone:

set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces st0.1

Firewall policies:

set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit

Phase 1 WAN1:

set security ike policy ike60-VPN_FullMesh_WAN1 mode main
set security ike policy ike60-VPN_FullMesh_WAN1 proposal-set compatible
set security ike policy ike60-VPN_FullMesh_WAN1 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn60-VPN_FullMesh_WAN1 ike-policy ike60-VPN_FullMesh_WAN1
set security ike gateway vpn60-VPN_FullMesh_WAN1 address 202.1.2.10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0
set security ike gateway vpn58-VPN_FullMesh_WAN1 ike-policy ike60-VPN_FullMesh_WAN1
set security ike gateway vpn58-VPN_FullMesh_WAN1 address 201.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0

Phase 1 WAN2:

set security ike policy ike60-VPN_FullMesh_WAN2 mode main
set security ike policy ike60-VPN_FullMesh_WAN2 proposal-set compatible
set security ike policy ike60-VPN_FullMesh_WAN2 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn60-VPN_FullMesh_WAN2 ike-policy ike60-VPN_FullMesh_WAN2
set security ike gateway vpn60-VPN_FullMesh_WAN2 address 10.201.0.10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0
set security ike gateway vpn58-VPN_FullMesh_WAN2 ike-policy ike60-VPN_FullMesh_WAN2
set security ike gateway vpn58-VPN_FullMesh_WAN2 address 200.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0

Phase 2 WAN1:

set security ipsec policy ipsec60-VPN_FullMesh_WAN1 proposal-set compatible
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike gateway vpn60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity local 10.202.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity remote 202.1.2.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike ipsec-policy ipsec60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 establish-tunnels immediately
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike gateway vpn58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity local 10.202.0.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity remote 201.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike ipsec-policy ipsec60-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 establish-tunnels immediately

Phase 2 WAN2:

set security ipsec policy ipsec60-VPN_FullMesh_WAN2 proposal-set compatible
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike gateway vpn60-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity local 10.203.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity remote 10.201.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike ipsec-policy ipsec60-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 establish-tunnels immediately
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike gateway vpn58-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity local 10.203.0.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity remote 200.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike ipsec-policy ipsec60-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 establish-tunnels immediately

SRX210

set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1514
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn vpn58-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.1 ipsec-vpn vpn62-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet address 10.10.10.2/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet mtu 1514
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.3 ipsec-vpn vpn58-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.1 ipsec-vpn vpn62-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.2/24
set interfaces lo0 unit 0 family inet address 1.1.1.2/32
set interfaces vlan unit 0 family inet address 192.168.2.1/24

OSPF:

set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set routing-options router-id 1.1.1.2

Static routes:

set routing-options static route 10.10.10.1/32 next-hop 10.10.10.1
set routing-options static route 10.10.10.3/32 next-hop 10.10.10.3
set routing-options static route 20.20.20.1/32 next-hop 20.20.20.1
set routing-options static route 20.20.20.3/32 next-hop 20.20.20.3

Binding the tunnel interfaces to the VPN zone:

set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces st0.1

Firewall policies:

set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit

Phase 1 WAN1:

set security ike policy ike58-VPN_FullMesh_WAN1 mode main
set security ike policy ike58-VPN_FullMesh_WAN1 proposal-set compatible
set security ike policy ike58-VPN_FullMesh_WAN1 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn58-VPN_FullMesh_WAN1 ike-policy ike58-VPN_FullMesh_WAN1
set security ike gateway vpn58-VPN_FullMesh_WAN1 address 201.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0
set security ike gateway vpn62-VPN_FullMesh_WAN1 ike-policy ike58-VPN_FullMesh_WAN1
set security ike gateway vpn62-VPN_FullMesh_WAN1 address 10.202.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0

Phase 1 WAN2:

set security ike policy ike58-VPN_FullMesh_WAN2 mode main
set security ike policy ike58-VPN_FullMesh_WAN2 proposal-set compatible
set security ike policy ike58-VPN_FullMesh_WAN2 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn58-VPN_FullMesh_WAN2 ike-policy ike58-VPN_FullMesh_WAN2
set security ike gateway vpn58-VPN_FullMesh_WAN2 address 200.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn58-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn58-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn58-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn58-VPN_FullMesh_WAN2 external-interface ge-0/0/2.0
set security ike gateway vpn62-VPN_FullMesh_WAN2 ike-policy ike58-VPN_FullMesh_WAN2
set security ike gateway vpn62-VPN_FullMesh_WAN2 address 10.203.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN2 external-interface ge-0/0/2.0

Phase 2 WAN1:

set security ipsec policy ipsec58-VPN_FullMesh_WAN1 proposal-set compatible
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike gateway vpn58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity remote 201.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike ipsec-policy ipsec58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 establish-tunnels immediately
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike gateway vpn62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity remote 10.202.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike ipsec-policy ipsec58-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 establish-tunnels immediately

Phase 2 WAN2:

set security ipsec policy ipsec58-VPN_FullMesh_WAN2 proposal-set compatible
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike gateway vpn58-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity local 10.201.0.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity remote 200.1.2.63/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 ike ipsec-policy ipsec58-VPN_FullMesh_WAN2
set security ipsec vpn vpn58-VPN_FullMesh_WAN2 establish-tunnels immediately
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike gateway vpn62-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity local 10.201.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity remote 10.203.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike ipsec-policy ipsec58-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 establish-tunnels immediately

SRX240

set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1514
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn vpn60-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.1 ipsec-vpn vpn62-VPN_FullMesh_WAN1
set interfaces st0 unit 0 family inet address 10.10.10.3/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet mtu 1514
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.2 ipsec-vpn vpn60-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet next-hop-tunnel 20.20.20.1 ipsec-vpn vpn62-VPN_FullMesh_WAN2
set interfaces st0 unit 1 family inet address 20.20.20.3/24
set interfaces lo0 unit 0 family inet address 1.1.1.3/32
set interfaces vlan unit 0 family inet address 192.168.3.1/24

OSPF:

set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set routing-options router-id 1.1.1.3

Static routes:

set routing-options static route 10.10.10.1/32 next-hop 10.10.10.1
set routing-options static route 10.10.10.2/32 next-hop 10.10.10.2
set routing-options static route 20.20.20.1/32 next-hop 20.20.20.1
set routing-options static route 20.20.20.2/32 next-hop 20.20.20.2

Binding the tunnel interfaces to the VPN zone:

set security zones security-zone VPN host-inbound-traffic system-services any-service
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces st0.1

Firewall policies:

set security policies from-zone trust to-zone VPN policy trust-VPN match source-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy trust-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-trust then permit

Phase 1 WAN1:

set security ike policy ike62-VPN_FullMesh_WAN1 mode main
set security ike policy ike62-VPN_FullMesh_WAN1 proposal-set compatible
set security ike policy ike62-VPN_FullMesh_WAN1 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn62-VPN_FullMesh_WAN1 ike-policy ike62-VPN_FullMesh_WAN1
set security ike gateway vpn62-VPN_FullMesh_WAN1 address 10.202.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection interval 60
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0
set security ike gateway vpn60-VPN_FullMesh_WAN1 ike-policy ike62-VPN_FullMesh_WAN1
set security ike gateway vpn60-VPN_FullMesh_WAN1 address 202.1.2.10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN1 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN1 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN1 external-interface ge-0/0/0.0

Phase 1 WAN2:

set security ike policy ike62-VPN_FullMesh_WAN2 mode main
set security ike policy ike62-VPN_FullMesh_WAN2 proposal-set compatible
set security ike policy ike62-VPN_FullMesh_WAN2 pre-shared-key ascii-text electrotrunk2
set security ike gateway vpn62-VPN_FullMesh_WAN2 ike-policy ike62-VPN_FullMesh_WAN2
set security ike gateway vpn62-VPN_FullMesh_WAN2 address 10.203.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn62-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn62-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn62-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0
set security ike gateway vpn60-VPN_FullMesh_WAN2 ike-policy ike62-VPN_FullMesh_WAN2
set security ike gateway vpn60-VPN_FullMesh_WAN2 address 10.201.0.10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection always-send
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection interval 10
set security ike gateway vpn60-VPN_FullMesh_WAN2 dead-peer-detection threshold 1
set security ike gateway vpn60-VPN_FullMesh_WAN2 no-nat-traversal
set security ike gateway vpn60-VPN_FullMesh_WAN2 nat-keepalive 5
set security ike gateway vpn60-VPN_FullMesh_WAN2 external-interface ge-0/0/1.0

Phase 2 WAN1:

set security ipsec policy ipsec62-VPN_FullMesh_WAN1 proposal-set compatible
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike gateway vpn62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity remote 10.202.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike ipsec-policy ipsec62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 establish-tunnels immediately
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 bind-interface st0.0
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike gateway vpn60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity remote 202.1.2.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike ipsec-policy ipsec62-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 establish-tunnels immediately

Phase 2 WAN2:

set security ipsec policy ipsec62-VPN_FullMesh_WAN2 proposal-set compatible
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike gateway vpn62-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity local 200.1.2.63/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity remote 10.203.0.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 ike ipsec-policy ipsec62-VPN_FullMesh_WAN2
set security ipsec vpn vpn62-VPN_FullMesh_WAN2 establish-tunnels immediately
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 bind-interface st0.1
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 df-bit clear
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 vpn-monitor optimized
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike gateway vpn60-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity local 200.1.2.63/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity remote 10.201.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike proxy-identity service any
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 ike ipsec-policy ipsec62-VPN_FullMesh_WAN2
set security ipsec vpn vpn60-VPN_FullMesh_WAN2 establish-tunnels immediately
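With three devices and two WANs there are twelve directional tunnel definitions to keep consistent by hand, and a single mistyped address or proxy identity leaves one direction of the mesh down. The checker below is an added example, not part of the original post: it parses `set` lines of the shape shown above (the same shape `show configuration | display set` prints) and verifies, for every tunnel, that some other device mirrors it with swapped proxy identities, that the gateway address it dials is the host the far end uses as its local identity, and that both ends use the same dead-peer-detection interval. The embedded input is the WAN1 phase 1 and phase 2 excerpt of the SRX210 and SRX240 sections above; the third SRX is not embedded, so its two tunnels are reported as unmirrored, which is exactly what a missing or misnamed spoke looks like. The device labels, the `Tunnel` record and the function names are this example's own.

```python
import re
from collections import namedtuple

# One directional tunnel as the owning device describes it in its own config.
Tunnel = namedtuple("Tunnel", "device vpn peer_addr local_id remote_id dpd_interval")

IKE_GW_RE = re.compile(r"^set security ike gateway (\S+) (.+)$")
IPSEC_VPN_RE = re.compile(r"^set security ipsec vpn (\S+) (.+)$")


def parse_device(device, text):
    """Collect the tunnels described by one device's 'set' lines."""
    gateways, vpns = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_GW_RE.match(line)
        if m:
            words = m.group(2).split()
            gw = gateways.setdefault(m.group(1), {})
            if words[0] == "address":
                gw["address"] = words[1]
            elif words[:2] == ["dead-peer-detection", "interval"]:
                gw["dpd"] = int(words[2])
            continue
        m = IPSEC_VPN_RE.match(line)
        if m:
            words = m.group(2).split()
            vpn = vpns.setdefault(m.group(1), {})
            if words[:2] == ["ike", "gateway"]:
                vpn["gateway"] = words[2]
            elif words[:3] == ["ike", "proxy-identity", "local"]:
                vpn["local"] = words[3]
            elif words[:3] == ["ike", "proxy-identity", "remote"]:
                vpn["remote"] = words[3]
    tunnels = []
    for name, v in vpns.items():
        gw = gateways.get(v.get("gateway"), {})
        tunnels.append(Tunnel(device, name, gw.get("address"),
                              v.get("local"), v.get("remote"), gw.get("dpd")))
    return tunnels


def check_mesh(configs):
    """configs maps device name -> its 'set' lines.  Returns (ok, findings):
    ok holds (device, vpn, peer device, peer vpn) for tunnels whose far end
    mirrors them exactly; findings are human-readable problems."""
    tunnels = [t for dev, cfg in configs.items() for t in parse_device(dev, cfg)]
    ok, findings = [], []
    for t in tunnels:
        # The far end must define the same pair of identities, swapped.
        mirrors = [u for u in tunnels
                   if u.device != t.device
                   and u.local_id == t.remote_id and u.remote_id == t.local_id]
        if not mirrors:
            findings.append(f"{t.device}/{t.vpn}: no tunnel on another device "
                            f"mirrors proxy-identity {t.local_id} <-> {t.remote_id}")
            continue
        u = mirrors[0]
        problems = []
        # The gateway we dial must be the host the far end presents as its local id.
        if f"{t.peer_addr}/32" != u.local_id:
            problems.append(f"gateway address {t.peer_addr} is not {u.device}/{u.vpn} "
                            f"local id {u.local_id}")
        # Unequal DPD timers make the two ends notice a dead peer at different speeds.
        if t.dpd_interval != u.dpd_interval:
            problems.append(f"DPD interval {t.dpd_interval} differs from "
                            f"{u.device}/{u.vpn} ({u.dpd_interval})")
        if problems:
            findings.extend(f"{t.device}/{t.vpn}: {p}" for p in problems)
        else:
            ok.append((t.device, t.vpn, u.device, u.vpn))
    return ok, findings


# Excerpts of the WAN1 lines from the SRX210 and SRX240 sections of the post,
# reduced to the statements the checker needs.
SRX210_WAN1 = """
set security ike gateway vpn58-VPN_FullMesh_WAN1 address 201.1.2.63
set security ike gateway vpn58-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ike gateway vpn62-VPN_FullMesh_WAN1 address 10.202.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike gateway vpn58-VPN_FullMesh_WAN1
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn58-VPN_FullMesh_WAN1 ike proxy-identity remote 201.1.2.63/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike gateway vpn62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity local 202.1.2.10/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity remote 10.202.0.10/32
"""
SRX240_WAN1 = """
set security ike gateway vpn62-VPN_FullMesh_WAN1 address 10.202.0.10
set security ike gateway vpn62-VPN_FullMesh_WAN1 dead-peer-detection interval 60
set security ike gateway vpn60-VPN_FullMesh_WAN1 address 202.1.2.10
set security ike gateway vpn60-VPN_FullMesh_WAN1 dead-peer-detection interval 10
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike gateway vpn62-VPN_FullMesh_WAN1
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn62-VPN_FullMesh_WAN1 ike proxy-identity remote 10.202.0.10/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike gateway vpn60-VPN_FullMesh_WAN1
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity local 201.1.2.63/32
set security ipsec vpn vpn60-VPN_FullMesh_WAN1 ike proxy-identity remote 202.1.2.10/32
"""

if __name__ == "__main__":
    mirrored, issues = check_mesh({"SRX210": SRX210_WAN1, "SRX240": SRX240_WAN1})
    for entry in mirrored:
        print("OK      ", entry)
    for issue in issues:
        print("PROBLEM ", issue)
```

Fed all three devices' `display set` output, the same checker also shows timer asymmetry such as the `dead-peer-detection interval 60` on the SRX240's vpn62-VPN_FullMesh_WAN1 gateway, which is the only gateway in this section that does not use 10.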

Note: to prevent OSPF from installing an internal route in the routing table, you have to add martian routes; see KB26772.

I hope you liked it; if you want, leave a comment. Regards!
Hernan