与Juniper SRX建立ipsec vpn

收藏

下面案例中讲述如何与SRX建立IPsec vpn Junos版本是11.0

拓扑如下

阶段1的参数

VPN Parameters

Juniper SRX

防火墙

Phase-I (IKE)

Authentication Method

Preshared key

Preshared key

Authentication- Algorithm

Sha1

Sha1

Encryption- Algorithm

3Des-cbc

3Des-cbc

dh-group

5

5

Lifetime (sec)

28800

28800

Mode

Main

Main

Remote gateway Address

10.10.20.2

10.10.10.2

Nat-keepalive

10

10

Phase-II (IPSEC)

Protocol

Esp

Esp

Authentication- Algorithm

sha1-96

sha1-96

Encryption- Algorithm

3Des-cbc

3Des-cbc

PFS keys Groups

5

 5

Lifetime (sec)

86400

86400

Proxy-identity

local

192.168.100.0/24

192.168.200.0/24

remote

192.168.200.0/24

192.168.100.0/24

Service

Any

Any

Locally Significant

Outgoing interface

ge-0/0/0

Wan1

Tunnel interface

st0.1

 

 

先配置SRX端的

user@SRX#set interfaces ge-0/0/0 unit 0 description ” WAN INTERFACE “

user@SRX#set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30

Defineure the LAN side interfaces and assigning the IP address

user@SRX#set interfaces ge-0/0/1 unit 0 description ” LAN INTERFACE “

user@SRX#set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24

Defineure the VPN tunnel interfaces

user@SRX#set interfaces st0 unit 1 description ” VPN SECURE TUNNEL “

user@SRX#set interfaces st0 unit 1 family inet

Defineure default route and route for tunnel traffic

For route of tunnel traffic, next-hop would be normally the gateway ip address of peer device but here st0.1 has been specified as there is not defined the IP address in tunnel interface of peer Device. 

user@SRX#set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

user@SRX#set routing-options static route 192.168.200.0/24 next-hop st0.1

Defineure security zones and assign interfaces to the zone and adding host-inbound system services in these zones

To separate the security policies for non-VPN and VPN traffic, the secure tunnel is assigned in different zone named VPN than the WAN and LAN zone.IKEmust be defined as host-inbound system services in internet facing zone (WAN) to establish theIKEnegotiations between VPN peer devices.

user@SRX#set security zones security-zone WAN host-inbound-traffic system-services ike

user@SRX#set security zones security-zone WAN interfaces ge-0/0/0.0

user@SRX#set security zones security-zone LAN host-inbound-traffic system-services all

user@SRX#set security zones security-zone LAN interfaces ge-0/0/1.0

user@SRX#set security zones security-zone VPN interfaces st0.1

 

Defineure Phase-I IKE proposal and Policy for main mode as listed above in Table

Here I have defined the VPN parameters manually instead of using the default for Phase-I.

user@SRX#set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys

user@SRX#set security ike proposal IKE-PROPOSAL dh-group group5

user@SRX#set security ike proposal IKE-PROPOSAL authentication-algorithm sha1

user@SRX#set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc

user@SRX#set security ike proposal IKE-PROPOSAL lifetime-seconds 28800

user@SRX#set security ike policy IKE-POLICY mode main

user@SRX#set security ike policy IKE-POLICY proposals IKE-PROPOSAL

user@SRX#set security ike policy IKE-POLICY pre-shared-key ascii-text

 

Defineure the VPN gateway (Phase-I) with policy, peer address and outgoing interface

To identify the remoteIKEpeer, I have used IP address of peer device and outgoing interface ge-0/0/0 of SRX device.

user@SRX#set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY

user@SRX#set security ike gateway VPN-GATEWAY address 10.10.20.2

user@SRX#set security ike gateway VPN-GATEWAY dead-peer-detection interval 10

user@SRX#set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1

user@SRX#set security ike gateway VPN-GATEWAY nat-keepalive 10

user@SRX#set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0

Defineure Phase-II Proposal and Policy as listed in above Table

Here I have defined the VPN parameters manually instead of using the default for Phase-II.

user@SRX#set security ipsec proposal IPSEC-PROPOSAL protocol esp

user@SRX#set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96

user@SRX#set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc

user@SRX#set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400

user@SRX#set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5

user@SRX#set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

Defineure IPSEC VPN (Phase-II) with IKE gateway, IPSEC policy and Binding the Secure Tunnel st0.1 interface

user@SRX#set security ipsec vpn IPSEC-VPN bind-interface st0.1

user@SRX#set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY

user@SRX#set security ipsec vpn IPSEC-VPN ike proxy-identity local 192.168.100.0/24

user@SRX#set security ipsec vpn IPSEC-VPN ike proxy-identity remote 192.168.200.0/24

user@SRX#set security ipsec vpn IPSEC-VPN ike proxy-identity service any

user@SRX#set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY

user@SRX#set security ipsec vpn IPSEC-VPN establish-tunnels immediately

Defineure the security policy for internet Traffic from LAN to WAN zone

user@SRX#set security policies from-zone LAN to-zone WAN policy LAN_WAN match source-address any

user@SRX#set security policies from-zone LAN to-zone WAN policy LAN_WAN match destination-address any

user@SRX#set security policies from-zone LAN to-zone WAN policy LAN_WAN match application any

user@SRX#set security policies from-zone LAN to-zone WAN policy LAN_WAN then permit

Defineure the security NAT for internet Traffic from LAN to WAN zone

It is important to defineure NAT for passing internet traffic from LAN to WAN zone. LAN zone IP address will be translated to the egress interface IP of SRX as source IP when it goes to internet.

user@SRX#set security nat source rule-set LAN-TO_WAN from zone LAN

user@SRX#set security nat source rule-set LAN-TO_WAN to zone WAN

user@SRX#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match source-address 0.0.0.0/0

user@SRX#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match destination-address 0.0.0.0/0

user@SRX#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT then source-nat interface

Defineure bi-directional security policy for tunnel traffic from and to LAN to VPN zone

Here bi-directional policies are defineured to pass the VPN traffic from and to LAN to VPN zone. 

user@SRX#set security policies from-zone LAN to-zone VPN policy LAN_VPN match source-address any

user@SRX#set security policies from-zone LAN to-zone VPN policy LAN_VPN match destination-address any

user@SRX#set security policies from-zone LAN to-zone VPN policy LAN_VPN match application any

user@SRX#set security policies from-zone LAN to-zone VPN policy LAN_VPN then permit

user@SRX#set security policies from-zone VPN to-zone LAN policy VPN_LAN match source-address any

user@SRX#set security policies from-zone VPN to-zone LAN policy VPN_LAN match destination-address any

user@SRX#set security policies from-zone VPN to-zone LAN policy VPN_LAN match application any

user@SRX#set security policies from-zone VPN to-zone LAN policy VPN_LAN then permit

Defineure tcp-mss to eliminate fragmentation of TCP traffic across tunnel

The tcp-mss for IPSec traffic is defined to eliminate the possibility of fragmented TCP traffic. It limits the maximum size of a TCP Segment

user@SRX#set security flow tcp-mss ipsec-vpn mss 1350

 

Following command verifies the vpn tunnel and status.

  • user@SRX>show security ike security-associations

  • user@ SRX >show security ipsec security-associations

 

配置我方的防火墙 

命令行下配置接口的设置

防火墙 # define system interface

防火墙 (interface) # edit wan1

防火墙 (wan1) # set ip 10.10.20.2 255.255.255.252

防火墙 (wan1) # set alias “WAN_INTERFACE”

防火墙 (wan1) # set allowaccess ping https ssh telnet

防火墙 (wan1) # end

图形界面的设置

 

 

配置内网的IP地址

防火墙 # define system interface

防火墙 (interface) # edit internal

防火墙 (internal) # set ip 192.168.200.1 255.255.255.0

防火墙 (internal) # set alias “LAN_INTERFACE”

防火墙 (internal) # set allowaccess ping https http ssh telnet

防火墙 (internal) # end

图形界面下的配置

.

 

命令行下阶段1的配置

防火墙  # define vpn ipsec phase1-interface

防火墙 (phase1-interface) # edit VPN-GW

防火墙 (VPN-GW) #  set mode main

防火墙 (VPN-GW) #  set interface “wan1”

防火墙 (VPN-GW) #  set proposal 3des-sha1

防火墙 (VPN-GW) #  set dhgrp 5

防火墙 (VPN-GW) #  set dpd enable

防火墙 (VPN-GW) #  set keylife seconds 28800

防火墙 (VPN-GW) #  set keepalive 10

防火墙 (VPN-GW) #  set nattraversal  enable

防火墙 (VPN-GW) #  set remote-gw 10.10.10.2

防火墙 (VPN-GW) #  set psksecret 

防火墙 (VPN-GW) #  end

图形界面下的设置:

阶段2的命令行设置

防火墙  #  define vpn ipsec phase2-interface

防火墙 (phase2-interface) #  edit VPN-TUNNEL

防火墙 (VPN-TUNNEL ) # set phase1name “VPN-GW”

防火墙 (VPN-TUNNEL ) # set proposal 3des-sha1

防火墙 (VPN-TUNNEL ) # set reply enable

防火墙 (VPN-TUNNEL ) # set pfs enable

防火墙 (VPN-TUNNEL ) # set dhgrp 5

防火墙 (VPN-TUNNEL ) # set keylifeseconds 86400

防火墙 (VPN-TUNNEL ) # set keepalive enable

防火墙 (VPN-TUNNEL ) # set src-subnet 192.168.200.0 255.255.255.0

防火墙 (VPN-TUNNEL ) # set dst-subnet 192.168.100.0 255.255.255.0

防火墙 (VPN-TUNNEL ) # end

图形界面的设置

 

定义从外到内防火墙的策略.

命令行下设置:

防火墙 # define firewall policy

防火墙 (policy)  # edit 1

防火墙 (1) # set srcintf  VPN-GW

防火墙 (1) # set dstintf internal

防火墙 (1) # set srcaddr “all”

防火墙 (1) #  set dstaddr “all”

防火墙 (1) # set action accept

防火墙 (1) # set schedule “always”

防火墙 (1) # set service “ANY”

防火墙 (1) # end

图形界面设置

 

定义从内到外的策略

防火墙 # define firewall policy

防火墙 (policy)  # edit 1

防火墙 (1) # set srcintf  internal

防火墙 (1) # set dstintf VPN-GW

防火墙 (1) # set srcaddr “all”

防火墙 (1) #  set dstaddr “all”

防火墙 (1) # set action accept

防火墙 (1) # set schedule “always”

防火墙 (1) # set service “ANY”

防火墙 (1) # end

图形界面设置

 

配置路由,设置目标地址流量通过vpn进行转发。在本例中所有流量都转入通道,如果只转相应网段的流量,那么配置相应路由即可。

防火墙  # define router static

防火墙 (static) # edit 1

防火墙 (1) # set device “VPN-GW”

 防火墙 (1) # end

图形界面设置

 

 

©2020Easynetworks(简网科技)All Rights Reserved.