简介
基于PNET-LAB模拟器,使用 vSRX-NG 23.4R1.9 镜像进行实验。
博客:songxwn.com
实验需求
两台防火墙配置基于路由的 IPsec VPN,打通两边站点内网。
ISP 路由器使用Cisco IOS模拟。
基础配置参考:https://songxwn.com/Juniper-SRX-snat/
SRX的基础配置
set system root-authentication plain-text-password
# vSRX 默认无root密码,会强制要求配置一个。
set system host-name SRX01
# 配置设备的主机名,方便标识。
set system time-zone Asia/Shanghai
# 配置设备时区,可能需要手动导入时区文件。https://www.juniper.net/documentation/cn/zh/software/junos/time-mgmt/topics/topic-map/configure-time-zone.html
set system ntp server 1.1.1.1
# 配置NTP服务器地址。如果目标是域名,需要配置DNS服务器。(安全类产品时间很重要)注意:示例中的 1.1.1.1 同时也是本机 ge-0/0/1 的地址,实际使用时应改为可达的外部 NTP 服务器。
set interfaces ge-0/0/0 description LAN1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
set interfaces ge-0/0/1 description WAN1
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
# 配置接口描述、配置IP地址。
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
# 配置默认路由指向公网出口网关。
set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
# 内网区域配置允许所有服务、允许所有协议进入,并把 ge-0/0/0.0 加入内网区域。(实验环境简化配置;生产环境建议只放行需要的服务,如 ping、dhcp。)
set security zones security-zone WAN
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
# 外网区域配置只允许ICMP进入区域,并把 ge-0/0/1.0 加入外网区域。
set security nat source rule-set LAN_to_WAN_SNAT from zone LAN
# 配置NAT源区域
set security nat source rule-set LAN_to_WAN_SNAT to zone WAN
# 配置NAT目标区域
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT match source-address 0.0.0.0/0
# 不限制源地址
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT then source-nat interface
# 配置NAT地址为接口IP。
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
# 配置LAN区域到WAN区域允许所有IP和APP。注意:上方那条引用 trust/untrust 区域的 default-permit 策略与本配置的 LAN/WAN 区域无关,疑为遗留行,建议删除。
set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.101
set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.200
# 配置地址池192.168.0.0/24 配置分配地址范围。
set system services dhcp pool 192.168.0.0/24 name-server 114.114.114.114
# 配置DNS服务器
set system services dhcp pool 192.168.0.0/24 router 192.168.0.1
# 配置默认网关
set system services dhcp pool 192.168.0.0/24 default-lease-time 3600
# 配置IP地址保留时间
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
# 配置LAN区域指定接口允许DHCP服务通过。
PS:接口的 IP 地址必须与 DHCP 池位于同网段中。配置完成之后,会自动关联。
实验步骤
实验拓扑
site1为 192.168.0.0/24
site2为 192.168.10.0/24
步骤规划
-
配置 st0 隧道接口,加入到LAN 安全区域。
-
配置第一阶段 IKE配置
-
配置第二阶段 IPsec配置
创建st0 隧道虚拟接口和加入安全区域(vSRX-NG01/02)
set interfaces st0 unit 0 family inet
set security zones security-zone LAN interfaces st0.0
WAN区域入站服务-允许IKE协商流量进入WAN区域(vSRX-NG01/02)
set security zones security-zone WAN host-inbound-traffic system-services ike
安全策略-允许IPsec虚拟接口关联访问LAN(vSRX-NG01/02)
set security policies from-zone LAN to-zone LAN policy default-permit match source-address any
set security policies from-zone LAN to-zone LAN policy default-permit match destination-address any
set security policies from-zone LAN to-zone LAN policy default-permit match application any
set security policies from-zone LAN to-zone LAN policy default-permit then permit
# 允许LAN区域的接口访问LAN区域,不限制IP。
配置一阶段IKE策略(vSRX-NG01)
set security ike proposal TO_site1_ike_pp authentication-method pre-shared-keys
set security ike proposal TO_site1_ike_pp dh-group group14
set security ike proposal TO_site1_ike_pp encryption-algorithm aes-256-gcm
set security ike proposal TO_site1_ike_pp lifetime-seconds 86385
# 配置IKE 提议的认证模式为预共享密钥,DH组为14,加密算法为 aes-256-gcm 。生命周期为86385秒。注意:Junos 中 IKE 提议使用 AES-GCM 仅支持 IKEv2,且通常仍需配置 authentication-algorithm 作为 PRF,请按所用版本文档确认。
set security ike policy TO_site1_ike_pl mode main
set security ike policy TO_site1_ike_pl proposals TO_site1_ike_pp
set security ike policy TO_site1_ike_pl pre-shared-key ascii-text songxwn.com
# 配置IKE策略为主模式,关联上面的提议,配置预共享密钥为 songxwn.com 。注意:mode 仅对 IKEv1 有意义,下面指定 v2-only 后该项不生效;示例密钥仅用于实验,生产环境应使用足够长的随机预共享密钥。
set security ike gateway TO_site1_ike_gw ike-policy TO_site1_ike_pl
# 配置IKE网关,关联上面的IKE策略。
set security ike gateway TO_site1_ike_gw address 2.2.2.1
set security ike gateway TO_site1_ike_gw remote-identity hostname site2
# 配置IKE网关对端IP地址和对端ID标识符
set security ike gateway TO_site1_ike_gw external-interface ge-0/0/1.0
set security ike gateway TO_site1_ike_gw local-address 1.1.1.1
set security ike gateway TO_site1_ike_gw local-identity hostname site1
# 配置IKE网关本端源IP地址和ID标识符,以及建立连接的接口。
set security ike gateway TO_site1_ike_gw version v2-only
# 配置IKE版本指定为 v2。
配置一阶段IKE策略(vSRX-NG02)
set security ike proposal TO_site2_ike_pp authentication-method pre-shared-keys
set security ike proposal TO_site2_ike_pp dh-group group14
set security ike proposal TO_site2_ike_pp encryption-algorithm aes-256-gcm
set security ike proposal TO_site2_ike_pp lifetime-seconds 86385
# 配置IKE 提议的认证模式为预共享密钥,DH组为14,加密算法为 aes-256-gcm 。生命周期为86385秒。注意:Junos 中 IKE 提议使用 AES-GCM 仅支持 IKEv2,且通常仍需配置 authentication-algorithm 作为 PRF,请按所用版本文档确认。
set security ike policy TO_site2_ike_pl mode main
set security ike policy TO_site2_ike_pl proposals TO_site2_ike_pp
set security ike policy TO_site2_ike_pl pre-shared-key ascii-text songxwn.com
# 配置IKE策略为主模式,关联上面的提议,配置预共享密钥为 songxwn.com 。注意:mode 仅对 IKEv1 有意义,下面指定 v2-only 后该项不生效;两端预共享密钥必须一致,示例密钥仅用于实验。
set security ike gateway TO_site2_ike_gw ike-policy TO_site2_ike_pl
# 配置IKE网关,关联上面的IKE策略。
set security ike gateway TO_site2_ike_gw address 1.1.1.1
set security ike gateway TO_site2_ike_gw remote-identity hostname site1
# 配置IKE网关对端IP地址和对端ID标识符
set security ike gateway TO_site2_ike_gw external-interface ge-0/0/1.0
set security ike gateway TO_site2_ike_gw local-address 2.2.2.1
set security ike gateway TO_site2_ike_gw local-identity hostname site2
# 配置IKE网关本端源IP地址和ID标识符,以及建立连接的接口。
set security ike gateway TO_site2_ike_gw version v2-only
# 配置IKE版本指定为 v2。
配置二阶段IPsec策略(vSRX-NG01)
set security ipsec proposal TO_site1_ipsec_pp protocol esp
# 配置IPsec提议,指定加密封装类型为ESP。
set security ipsec proposal TO_site1_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec proposal TO_site1_ipsec_pp lifetime-seconds 43200
# 配置IPsec提议,指定加密算法、生存时间。
set security ipsec policy TO_site1_ipsec_pl proposals TO_site1_ipsec_pp
set security ipsec policy TO_site1_ipsec_pl perfect-forward-secrecy keys group14
# 配置IPsec策略,关联上面的IPsec提议。并配置PFS使用group14。
set security ipsec vpn TO_site1_ipsec_vpn bind-interface st0.0
set security ipsec vpn TO_site1_ipsec_vpn ike gateway TO_site1_ike_gw
set security ipsec vpn TO_site1_ipsec_vpn ike ipsec-policy TO_site1_ipsec_pl
# 配置IPsec VPN,关联虚拟隧道接口为st0.0,关联IKE 网关为TO_site1_ike_gw。关联IPsec策略。
set security ipsec vpn TO_site1_ipsec_vpn traffic-selector ts-1 local-ip 192.168.0.0/24
set security ipsec vpn TO_site1_ipsec_vpn traffic-selector ts-1 remote-ip 192.168.10.0/24
# 配置流量选择器,本地IP段为 192.168.0.0/24 ,远程IP段为 192.168.10.0/24
set security ipsec vpn TO_site1_ipsec_vpn establish-tunnels immediately
# 配置隧道在 VPN 配置更改提交后立即协商。
配置二阶段IPsec策略(vSRX-NG02)
set security ipsec proposal TO_site2_ipsec_pp protocol esp
# 配置IPsec提议,指定加密封装类型为ESP。
set security ipsec proposal TO_site2_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec proposal TO_site2_ipsec_pp lifetime-seconds 43200
# 配置IPsec提议,指定加密算法、生存时间。
set security ipsec policy TO_site2_ipsec_pl proposals TO_site2_ipsec_pp
set security ipsec policy TO_site2_ipsec_pl perfect-forward-secrecy keys group14
# 配置IPsec策略,关联上面的IPsec提议。并配置PFS使用group14。
set security ipsec vpn TO_site2_ipsec_vpn bind-interface st0.0
set security ipsec vpn TO_site2_ipsec_vpn ike gateway TO_site2_ike_gw
set security ipsec vpn TO_site2_ipsec_vpn ike ipsec-policy TO_site2_ipsec_pl
# 配置IPsec VPN,关联虚拟隧道接口为st0.0,关联IKE 网关为TO_site2_ike_gw。关联IPsec策略。
set security ipsec vpn TO_site2_ipsec_vpn traffic-selector ts-1 local-ip 192.168.0.0/24
set security ipsec vpn TO_site2_ipsec_vpn traffic-selector ts-1 remote-ip 192.168.10.0/24
# 配置流量选择器,本地IP段为 192.168.10.0/24 ,远程IP段为 192.168.0.0/24 。注意:上面两条命令写的是 site1 的方向(local-ip 192.168.0.0/24 / remote-ip 192.168.10.0/24),与本说明相反;site2 应配置为 local-ip 192.168.10.0/24 、remote-ip 192.168.0.0/24 ,否则两端流量选择器不匹配,第二阶段无法协商。
set security ipsec vpn TO_site2_ipsec_vpn establish-tunnels immediately
# 配置隧道在 VPN 配置更改提交后立即协商。
配置验证
Web管理验证
命令验证
show security ike security-associations
# 查看IKE SA 当前状态
show security ipsec security-associations
# 查看IPsec SA当前状态
show security ipsec statistics
# 查看IPsec 统计信息
restart ipsec-key-management
# 重启IPsec密钥管理进程。注意:该操作会清除现有 IKE/IPsec SA,隧道会中断并重新协商,仅在排障时使用。