
IPSec in IBM SoftLay

py3study
Published 2020-01-14 16:04:01

(3) Customer end: Juniper SRX Firewall (policy-based VPN)

  1. Phase 1

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys

set security ike proposal ike-phase1-proposal dh-group group2

set security ike proposal ike-phase1-proposal authentication-algorithm md5

set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike policy ike-phase1-policy mode main

set security ike policy ike-phase1-policy proposals ike-phase1-proposal

set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"

set security ike gateway SL ike-policy ike-phase1-policy

set security ike gateway SL address x.x.x.x

set security ike gateway SL external-interface ge-0/0/0.0

2. Phase 2

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96

set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2

set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn SLVPN ike gateway SL

set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24

set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26

set security ipsec vpn SLVPN ike proxy-identity service any

set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy

3. Security Policy (Outbound, trust to untrust)

set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network

set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net

set security policies from-zone trust to-zone untrust policy outbound_vpn match application any

set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN

set security policies from-zone trust to-zone untrust policy outbound_vpn then count

4. Security Policy (Inbound, untrust to trust)

set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net

set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network

set security policies from-zone untrust to-zone trust policy inbound_vpn match application any

set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN

set security policies from-zone untrust to-zone trust policy inbound_vpn then count

5. Routing

set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
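
An audit check for the configuration above, added here as an example and not part of the original post: it scans Junos `set` statements for the IKE/IPsec parameters this page uses (MD5, 3DES, DH group 2) and for a `$9$` pre-shared key, which is reversibly obfuscated rather than hashed. The weak-value list, the `audit` function name and the sample lines are assumptions of this example.

```python
# Values treated as weak are this example's assumption: MD5, DES/3DES, DH groups 1, 2, 5.
WEAK = {
    "authentication-algorithm": {"md5", "hmac-md5-96"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh-group": {"group1", "group2", "group5"},
    "keys": {"group1", "group2", "group5"},  # perfect-forward-secrecy keys <group>
}

# Constructed sample mirroring the statements on this page; the key is a placeholder.
SAMPLE = '''\
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm md5
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$EXAMPLE-PLACEHOLDER"
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec proposal hardened authentication-algorithm hmac-sha-256-128
'''

def audit(config):
    """Return (line_number, finding) tuples for a Junos set-style IKE/IPsec config."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        # Only "set security ike ..." and "set security ipsec ..." statements matter here.
        if tok[:2] != ["set", "security"] or len(tok) < 4 or tok[2] not in ("ike", "ipsec"):
            continue
        key, val = tok[-2], tok[-1].strip('"')
        if val in WEAK.get(key, ()):
            findings.append((no, f"weak {tok[2]} {key}: {val}"))
        if key == "ascii-text" and val.startswith("$9$"):
            # $9$ is an obfuscation format, not a one-way hash.
            findings.append((no, "pre-shared key in reversible $9$ form; "
                                 "rotate it if the configuration was shared"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

Any replacement algorithms have to match what the remote gateway offers, since both ends must agree on the Phase 1 and Phase 2 proposals.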

Originally published 2019-07-05 on the author's personal site/blog.