我在两台 SRX300 设备之间设置了 IPSec 站点到站点 VPN。我正在尝试让多播传播。我正在寻找最简单的配置来获得此设置。我找到了很多文章,但大多数都是比我所拥有的更复杂的用例。我没有 NAT(至少现在还没有)。我希望只启用 IGMP 并且一切正常,但这似乎并不那么容易。
```
multicast-source ---LAN--- SRX@remote1 ---WAN--- SRX@hub1 ---LAN--- multicast-receiver
192.168.1.100/24           192.168.1.1/24        192.168.2.1/24      192.168.2.100/24
                           10.50.1.1/8 --------- 10.50.1.2/8
```
(忽略我现在在 WAN 上使用专用 10 网络的事实)
集线器(hub1)上的 SRX 配置:
```
/* hub1 SRX as posted; indentation was lost in the paste. Lines marked NOTE(review) are reviewer annotations, not part of the original configuration. */
security {
ike {
policy ike-phase1-policy {
/* NOTE(review): IKEv1 aggressive mode with a pre-shared key lets anyone who captures the exchange attempt offline guessing of the PSK; both peers have fixed addresses (10.50.1.1 / 10.50.1.2), so main mode works here and is the safer default. */
mode aggressive;
/* NOTE(review): the 'compatible' proposal set is the weakest of the predefined sets and includes legacy cipher, hash and DH choices; once the tunnel is up, prefer 'standard' or an explicit proposal (AES, SHA-2, DH group 14 or higher). */
proposal-set compatible;
/* NOTE(review): a $9$ value is reversibly obfuscated, not hashed; treat it as the secret itself and rotate it if it has been shared. */
pre-shared-key ascii-text "$9$VVs4J5TF39t";
}
gateway gw-remote1 {
ike-policy ike-phase1-policy;
/* Peer is remote1's WAN address; remote1's gateway stanza points back at 10.50.1.2. */
address 10.50.1.1;
external-interface ge-0/0/5.0;
}
}
ipsec {
policy ipsec-phase2-policy {
/* NOTE(review): same remark as for phase 1 -- 'compatible' is the weakest predefined set. */
proposal-set compatible;
}
vpn ike-vpn-remote1 {
/* Route-based VPN: traffic enters the tunnel via routes whose next hop is st0.0 (see routing-options static below). */
bind-interface st0.0;
ike {
gateway gw-remote1;
ipsec-policy ipsec-phase2-policy;
}
establish-tunnels immediately;
}
}
...
zones {
security-zone trust {
address-book {
address hub1 192.168.2.0/24;
}
/* LAN-facing zone: every system service and routing protocol is accepted at zone level, and the same statements are repeated below on ge-0/0/1.0. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
address-book {
address remote1 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
/* IKE has to be accepted on the WAN interface for the tunnel to come up. */
ike;
}
protocols {
/* NOTE(review): a zone-level 'pim' applies to every interface in untrust, i.e. also to the WAN interface ge-0/0/5.0. The st0.0 stanza below already permits pim on the tunnel, so this line can be dropped if PIM neighbours are expected only across the tunnel. */
pim;
}
}
interfaces {
ge-0/0/5.0 {
host-inbound-traffic {
system-services {
/* WAN interface: only ping beyond the zone-level ike. remote1 opens 'all' on its ge-0/0/5.0, which does not mirror this. */
ping;
}
}
}
st0.0 {
host-inbound-traffic {
protocols {
/* PIM neighbourship with remote1 is formed over the tunnel interface. */
pim;
}
}
}
}
}
}
}
interfaces {
ge-0/0/1 {
unit 0 {
family inet {
/* Receiver LAN (192.168.2.100 lives here). */
address 192.168.2.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
/* WAN towards remote1; the diagram says /8, the config says /24 (author: ignore for now). */
address 10.50.1.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
/* Used as the RP address (see protocols pim rp local). */
address 10.255.0.156/32;
}
}
}
st0 {
unit 0 {
/* Unnumbered tunnel interface bound to the VPN above. */
family inet;
}
}
}
routing-options {
/* NOTE(review): 'flag all' writes every routing event to the trace file; keep it only while diagnosing, then delete it. */
traceoptions {
file all-packets-trace;
flag all;
}
static {
/* Unicast path to the remote1 LAN goes through the tunnel. */
route 192.168.1.0/24 next-hop st0.0;
route 0.0.0.0/0 next-hop 10.50.1.1;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface st0.0;
/* NOTE(review): the WAN interface is passive here while the LAN ge-0/0/1.0 (192.168.2.0/24) is not in OSPF at all; remote1 does the opposite (its LAN is passive). Both LANs are also covered by the static routes above, so confirm whether OSPF or the statics are meant to carry the LAN prefixes. */
interface ge-0/0/5.0 {
passive;
}
/* lo0.0 carries the RP address; presumably advertised so remote1 can reach it over the tunnel -- verify with 'show route 10.255.0.156' on remote1. */
interface lo0.0;
}
}
pim {
rp {
local {
/* This device is the RP; remote1 references the same address as a static RP. */
address 10.255.0.156;
}
}
/* NOTE(review): PIM runs on the tunnel, the WAN and lo0, but not on ge-0/0/1.0 where the receiver (192.168.2.100) sits; the receiver's IGMP membership reports are presumably only acted on when PIM/IGMP is enabled on that interface, so this looks like the first gap to close. PIM on the WAN interface ge-0/0/5.0 is likely unnecessary, since the peer is reached over st0.0. */
interface st0.0;
interface ge-0/0/5.0;
interface lo0.0 {
family inet;
}
}
}
```
SRX Configuration on remote1 (basically a mirror of above):
```
/* remote1 SRX as posted; indentation was lost in the paste. Lines marked NOTE(review) are reviewer annotations, not part of the original configuration. */
security {
ike {
policy ike-phase1-policy {
/* NOTE(review): IKEv1 aggressive mode with a pre-shared key lets anyone who captures the exchange attempt offline guessing of the PSK; both peers have fixed addresses, so main mode works here and is the safer default. */
mode aggressive;
/* NOTE(review): 'compatible' is the weakest predefined proposal set; prefer 'standard' or an explicit proposal (AES, SHA-2, DH group 14 or higher) once the tunnel is up. */
proposal-set compatible;
/* NOTE(review): a $9$ value is reversibly obfuscated, not hashed; treat it as the secret itself and rotate it if it has been shared. */
pre-shared-key ascii-text "$9$m5F6Ehyrv8";
}
gateway gw-hub1 {
ike-policy ike-phase1-policy;
/* Peer is hub1's WAN address. */
address 10.50.1.2;
external-interface ge-0/0/5.0;
}
}
ipsec {
policy ipsec-phase2-policy {
/* NOTE(review): same remark as for phase 1 -- 'compatible' is the weakest predefined set. */
proposal-set compatible;
}
vpn vpn-hub1 {
/* Route-based VPN: traffic enters the tunnel via routes whose next hop is st0.0 (see routing-options static below). */
bind-interface st0.0;
ike {
gateway gw-hub1;
ipsec-policy ipsec-phase2-policy;
}
establish-tunnels immediately;
}
}
...
zones {
security-zone trust {
address-book {
address remote1 192.168.1.0/24;
}
/* LAN-facing zone: everything accepted at zone level and again on ge-0/0/1.0. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
address-book {
address hub1 192.168.2.0/24;
}
host-inbound-traffic {
system-services {
ike;
}
protocols {
/* NOTE(review): zone-level 'pim' also applies to the WAN interface ge-0/0/5.0; the st0.0 stanza below already permits pim on the tunnel. */
pim;
}
}
interfaces {
ge-0/0/5.0 {
host-inbound-traffic {
system-services {
/* NOTE(review): this is the WAN-facing interface. 'all' for system-services and protocols exposes every management service (ssh, http, telnet, ...) and every routing protocol of this box to the WAN. hub1 permits only 'ping' on its ge-0/0/5.0; this side does not mirror it and should be reduced to the same. */
all;
}
protocols {
all;
}
}
}
st0.0 {
host-inbound-traffic {
protocols {
/* PIM neighbourship with hub1 is formed over the tunnel interface. */
pim;
}
}
}
}
}
}
}
interfaces {
ge-0/0/1 {
unit 0 {
family inet {
/* Source LAN (192.168.1.100 lives here). */
address 192.168.1.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
/* WAN towards hub1; the diagram says /8, the config says /24 (author: ignore for now). */
address 10.50.1.1/24;
}
}
}
/* NOTE(review): no lo0 unit is defined in this interfaces stanza, yet ospf and pim below reference lo0.0 (hub1 defines lo0.0 10.255.0.156/32). If lo0 is genuinely absent on remote1, those references are inert -- TODO confirm against the full config. */
st0 {
unit 0 {
family inet;
}
}
}
routing-options {
/* NOTE(review): 'flag all' traces every routing event to disk; keep it only while diagnosing, then delete it. */
traceoptions {
file all-packets-trace;
flag all;
}
static {
/* Unicast path to the hub1 LAN goes through the tunnel. */
route 192.168.2.0/24 next-hop st0.0;
route 0.0.0.0/0 next-hop 10.50.1.2;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface st0.0;
/* Source LAN is passive in OSPF here, whereas hub1 makes its WAN passive and leaves its LAN out of OSPF. */
interface ge-0/0/1.0 {
passive;
}
interface lo0.0;
}
}
pim {
rp {
static {
/* Static RP = hub1's lo0 address; it must be reachable via the tunnel (hub1 puts lo0.0 into OSPF area 0). Verify with 'show route 10.255.0.156'. */
address 10.255.0.156;
}
}
/* NOTE(review): PIM runs on the WAN, lo0 and the tunnel, but not on ge-0/0/1.0 where the multicast source (192.168.1.100) is attached; the first-hop router presumably needs PIM on that interface to register the source with the RP, so this looks like the gap to close first. PIM on ge-0/0/5.0 (WAN) is likely unnecessary, since hub1 is reached over st0.0. */
interface ge-0/0/5.0;
interface lo0.0;
interface st0.0;
}
}
```