The result `Round-trip min/avg/max/stddev = 10.190/10.697/11.684/0.594` shows full reachability to the IPsec peer IP.

We also need to check whether IKE is allowed in our untrust (outside) zone.

```
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
```

You might need to allow specific services in production networks. If you do so, make sure IKE is allowed, as it is required to form the IPsec peer.

```
set security zones security-zone untrust host-inbound-traffic system-services ike
```

Now, move on to the main part of the IPsec configuration.

IKE_Proposal: We will configure the IKE proposal according to our IPsec parameter table.

```
set security ike proposal our-ike-proposal authentication-method pre-shared-keys
set security ike proposal our-ike-proposal dh-group group5
set security ike proposal our-ike-proposal authentication-algorithm sha-256
set security ike proposal our-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal our-ike-proposal lifetime-seconds 86400
```

IKE_Policy: Our pre-shared key is “letsconfig”, which is added here and combined with the proposal.

```
set security ike policy our-ike-policy mode main
set security ike policy our-ike-policy proposals our-ike-proposal
set security ike policy our-ike-policy pre-shared-key ascii-text letsconfig
```

IKE_Gateway: Here we assign our external interface, peer ID, and IKE policy.

```
set security ike gateway our-ike-gateway ike-policy our-ike-policy
set security ike gateway our-ike-gateway address 2.2.2.2
set security ike gateway our-ike-gateway external-interface ge-0/0/0.0
```

IPSec_Proposal: The IPsec proposal parameters are given above.

```
set security ipsec proposal our-ipsec-proposal protocol esp
set security ipsec proposal our-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal our-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal our-ipsec-proposal lifetime-seconds 28800
```

IPSec_Policy: In the IPsec policy section, we attach our IPsec proposal to the policy.

```
set security ipsec policy our-ipsec-policy proposals our-ipsec-proposal
```

IPSec_VPN: This is the section where phase 1 and phase 2 join together.

```
set security ipsec vpn our-ipsec-vpn-1 ike gateway our-ike-gateway
```
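The proposals in this walkthrough use 3des-cbc, hmac-sha1-96 and dh-group group5, and the untrust zone is opened with `system-services all` and `protocols all`. As an added example (not part of the original post), here are the same object names with stronger values; the algorithm choices, the PFS line and the `<LONG-RANDOM-PSK>` placeholder are assumptions, and the peer at 2.2.2.2 must be changed to match.

```junos
# Added example, not from the original post. Apply on both peers in the same
# change window: a proposal mismatch stops the tunnel from negotiating.

# Phase 1 (IKE): replace 3des-cbc and the 1536-bit group5.
# authentication-algorithm sha-256 from the walkthrough is kept as is.
set security ike proposal our-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal our-ike-proposal dh-group group14

# Phase 2 (IPsec): replace 3des-cbc and hmac-sha1-96.
set security ipsec proposal our-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal our-ipsec-proposal authentication-algorithm hmac-sha-256-128

# Assumption: enable perfect forward secrecy so each phase 2 rekey runs a
# fresh Diffie-Hellman exchange (the walkthrough does not configure PFS).
set security ipsec policy our-ipsec-policy perfect-forward-secrecy keys group14

# Replace the short lab key "letsconfig" with a long random value.
# <LONG-RANDOM-PSK> is a placeholder, not a real key.
set security ike policy our-ike-policy pre-shared-key ascii-text "<LONG-RANDOM-PSK>"

# Untrust zone: remove the blanket host-inbound rules and keep only IKE.
# Add back individual services (for example ping) only if they are needed.
delete security zones security-zone untrust host-inbound-traffic system-services all
delete security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust host-inbound-traffic system-services ike
```

After `commit`, `show security ike security-associations` and `show security ipsec security-associations` in operational mode confirm that both phases re-established.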