Configure the interface that will connect to the core switch:

set interfaces ge-0/0/0 unit 0 description "*** CORE ***"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24

set interfaces vlan unit 0 description "*** CORE ***"
set interfaces vlan unit 0 family inet address 10.0.0.5/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members CORE

set interfaces vlan unit 0 family inet address 10.0.0.2/24

Configure the interfaces that will connect to the core switch:

set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members CORE

Configure the interface that will act as the WAN interface for our MPLS connection:

set interfaces ge-0/0/15 unit 0 description "*** MPLS CONNECTION TO REMOTE SITE ***"
set interfaces ge-0/0/15 unit 0 family inet address 1.1.1.1/30

Configure the interface that will be used for the VPN:

set interfaces st0 unit 1 description "*** CONNECTION TO REMOTE SITE ***"
set interfaces st0 unit 1 family inet address 100.100.100.1/30

set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1

Configure a preferred route to the remote site via 10.0.0.2, and then a backup route via 10.0.0.3:

set routing-options static route 10.0.99.0/24 next-hop st0.1
set routing-options static route 10.0.99.0/24 qualified-next-hop 10.0.0.3 preference 6

set security ike policy IKE-POLICY-REMOTE-SITE mode main
set security ike policy IKE-POLICY-REMOTE-SITE proposal-set standard
set security ike policy IKE-POLICY-REMOTE-SITE pre-shared-key ascii-text testing123
set security ike gateway GW-REMOTE-SITE ike-policy IKE-POLICY-REMOTE-SITE
set security ike gateway GW-REMOTE-SITE address 1.1.1.2
set security ike gateway GW-REMOTE-SITE external-interface ge-0/0/15.0
set security ipsec policy IPSEC-POLICY-REMOTE-SITE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY-REMOTE-SITE proposal-set standard
set security ipsec vpn VPN-REMOTE-SITE bind-interface st0.1
set security ipsec vpn VPN-REMOTE-SITE ike gateway GW-REMOTE-SITE
set security ipsec vpn VPN-REMOTE-SITE ike ipsec-policy

set interfaces vlan unit 0 family inet address 10.0.0.3/24
set interfaces ge-0/0/15 unit 0 description "*** MPLS CONNECTION TO REMOTE SRX ***"
set interfaces ge-0/0/15 unit 0 family inet address 2.2.2.1/30
set interfaces st0 unit 1 family inet address 200.200.200.1/30
set security ike gateway GW-REMOTE-SITE address 2.2.2.2
set security ipsec vpn VPN-REMOTE-SITE ike ipsec-policy VPN-REMOTE-SITE
set security ipsec vpn VPN-REMOTE-SITE establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

NOTE: There is no need to enable VPN monitoring on this device, as we only need to be monitoring our primary path to/from the remote site.

Also, I configured the security zones and policies exactly like VPN1 SRX.

Configure a firewall filter so that VPN1 SRX only accepts IKE packets from specific devices:

set interfaces vlan unit 0 description "*** TRUST ***"
set interfaces vlan unit 0 family inet address 10.0.99.1/24

Configure the interface that will act as the WAN interface for our MPLS connections:

set interfaces ge-0/0/0 unit 10 description "*** MPLS CONNECTION TO VPN1 SRX ***"
set interfaces ge-0/0/0 unit 10 family inet address 1.1.1.2/30
set interfaces ge-0/0/0 unit 20 description "*** MPLS CONNECTION TO VPN2 SRX ***"
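
One way to write the firewall filter that limits IKE on VPN1 SRX to specific devices, as an added example rather than the author's configuration. It assumes IKE runs on UDP port 500 and that the only permitted peer is 1.1.1.2, the gateway address VPN1 SRX uses above; the filter name RESTRICT-IKE and the term names are hypothetical.

```junos
# Added example, not from the original post. Filter and term names are hypothetical.
# Assumption: IKE uses UDP/500 and the only allowed peer is 1.1.1.2 (GW-REMOTE-SITE on VPN1 SRX).

# Term 1: accept IKE from the known peer only.
set firewall family inet filter RESTRICT-IKE term ALLOW-IKE-PEER from source-address 1.1.1.2/32
set firewall family inet filter RESTRICT-IKE term ALLOW-IKE-PEER from protocol udp
set firewall family inet filter RESTRICT-IKE term ALLOW-IKE-PEER from destination-port 500
set firewall family inet filter RESTRICT-IKE term ALLOW-IKE-PEER then accept

# Term 2: silently drop IKE from every other source.
set firewall family inet filter RESTRICT-IKE term DROP-OTHER-IKE from protocol udp
set firewall family inet filter RESTRICT-IKE term DROP-OTHER-IKE from destination-port 500
set firewall family inet filter RESTRICT-IKE term DROP-OTHER-IKE then discard

# Term 3: accept everything else (ESP, transit traffic); without this term the
# filter's implicit final discard would drop all remaining traffic on the interface.
set firewall family inet filter RESTRICT-IKE term ALLOW-REST then accept

# Apply the filter inbound on the MPLS-facing interface that terminates IKE.
set interfaces ge-0/0/15 unit 0 family inet filter input RESTRICT-IKE
```

Terms are evaluated in order, so the peer-specific accept must stay ahead of the general IKE discard.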