Configure IPsec VPN
IPsec VPN Design Goals
Your IPsec VPN must meet the following criteria:
- Configure a dynamic IPsec VPN to support the Internet service provider assigning a DHCP address to the WAN interface.
- Ensure that only traffic originating from the trust zone can use the IPsec tunnel.
- Ensure that only traffic destined to the 172.16.200.0/24 subnet uses the IPsec tunnel.
| Parameter | Value |
|---|---|
| Tunnel interface | st0 |
| Branch tunnel IP | 10.0.0.1/24 |
| Corporate tunnel IP | 10.0.0.2/24 |
| IKE proposal | standard |
| IKE mode | aggressive |
| Pre-shared key | "srx_branch" |
| Tunnel establishment | immediately |
| Branch identity | branch |
| Corporate identity | hq |
| Tunnel security zone | vpn |
Configure a Route-Based IPsec VPN
Let's get started configuring the IPsec VPN!
- Log in to the device console as root. Start the CLI and enter configuration mode.
```
login: branch_srx (ttyu0)
root@branch_srx% cli
root@branch_srx> configure
Entering configuration mode
[edit]
root@branch_srx#
```
- Configure the st0 tunnel interface. Unnumbered tunnels are supported in this case, but here we choose to number the tunnel endpoints. One benefit of a numbered tunnel is that you can ping the tunnel endpoints to help debug any connectivity problems.
```
[edit]
root@branch_srx# set interfaces st0 unit 0 family inet address 10.0.0.1/24
```
- Define a static route that sends traffic destined to 172.16.200.0/24 into the IPsec tunnel.
```
[edit]
root@branch_srx# set routing-options static route 172.16.200.0/24 next-hop st0.0
```
- Configure the IKE parameters. The local-identity and remote-identity parameters are important for supporting a dynamic IPsec VPN. With static IP addresses, you would instead define local and remote IKE gateways that specify those static IP addresses.
As a convenience, we configure several security parameters in one go so that you can park yourself at the [edit security] hierarchy.
```
[edit security]
root@branch_srx# set ike proposal standard authentication-method pre-shared-keys
root@branch_srx# set ike policy ike-pol mode aggressive
root@branch_srx# set ike policy ike-pol proposals standard
root@branch_srx# set ike policy ike-pol pre-shared-key ascii-text branch_srx
root@branch_srx# set ike gateway ike-gw ike-policy ike-pol
root@branch_srx# set ike gateway ike-gw address 172.16.1.1
root@branch_srx# set ike gateway ike-gw local-identity hostname branch
root@branch_srx# set ike gateway ike-gw remote-identity hostname hq
root@branch_srx# set ike gateway ike-gw external-interface ge-0/0/0
```
Note: To support a dynamic IPsec VPN, the remote end must have the `set security ike gateway ike-gw dynamic hostname <name>` statement configured in the IKE proposal. When the remote end initiates a connection, the name, rather than an IP address, is used to match the IKE proposal. This method is used when the IP address changes because it is assigned dynamically.
- Configure the IPsec tunnel parameters.
```
[edit security]
root@branch_srx# set ipsec proposal standard
root@branch_srx# set ipsec policy ipsec-pol proposals standard
root@branch_srx# set ipsec vpn to_hq bind-interface st0.0
root@branch_srx# set ipsec vpn to_hq ike gateway ike-gw
root@branch_srx# set ipsec vpn to_hq ike ipsec-policy ipsec-pol
root@branch_srx# set ipsec vpn to_hq establish-tunnels immediately
```
- Adjust the security policies to create the vpn zone and allow traffic from the trust zone to the vpn zone. Because we chose to number the IPsec tunnel, we configure the vpn zone to permit host-bound pings for debugging. In this step you also place the IPsec tunnel interface in the vpn zone.
```
[edit security]
root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn match application any
root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn then permit
root@branch_srx# set zones security-zone vpn host-inbound-traffic system-services ping
root@branch_srx# set zones security-zone vpn interfaces st0.0
```
Note: In this example we keep things simple and match on any source or destination IP address, relying on the static route to direct traffic sent to the remote site into the tunnel. For additional security, consider defining address-book entries for the local branch subnet 192.168.2.0/24 and the remote subnet 172.16.200.0/24. With address-book entries defined for both subnets, you can match on `source-address <source_name>` and `destination-address <dest_name>` in the security policy. Including the source and destination subnets in the policy makes it explicit which traffic is allowed to use the tunnel.
- Hang in there, you're almost done. Recall that IKE is used to negotiate the shared key that protects the IPsec tunnel. IKE messages must be sent and received over the WAN interface before the tunnel can be established on the st0 interface.
You need to modify the host-inbound services of the untrust zone, which is reached via the WAN interface, to include IKE.
```
[edit security]
root@branch_srx# set zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
```
That's it. You have configured a route-based IPsec VPN at the branch location. Be sure to commit your changes.
Results
Let's display the results of the route-based IPsec VPN configuration. Parts of the default configuration are omitted for brevity.
```
[edit]
root@branch-srx# show interfaces st0
unit 0 {
    family inet {
        address 10.0.0.1/24;
    }
}
[edit]
root@branch-srx# show routing-options
static {
    route 172.16.200.0/24 next-hop st0.0;
}
ike {
    proposal standard {
        authentication-method pre-shared-keys;
    }
    policy ike-pol {
        mode aggressive;
        proposals standard;
        pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39"; ## SECRET-DATA
    }
    gateway ike-gw {
        ike-policy ike-pol;
        address 172.16.1.1;
        local-identity hostname branch;
        remote-identity hostname hq;
        external-interface ge-0/0/0;
    }
}
ipsec {
    proposal standard;
    policy ipsec-pol {
        proposals standard;
    }
    vpn to_hq {
        bind-interface st0.0;
        ike {
            gateway ike-gw;
            ipsec-policy ipsec-pol;
        }
        establish-tunnels immediately;
    }
}
. . .
policies {
    . . .
    from-zone trust to-zone vpn {
        policy trust-to-vpn {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    . . .
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        . . .
                        ike;
                        . . .
                    }
                }
            }
        }
    }
    . . .
    security-zone vpn {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            st0.0;
        }
    }
}
```
Be sure to commit the configuration to activate the changes on the SRX.
Quick Configuration
Quick Configuration: Branch
To quickly configure the IPsec VPN, use the following set statements. Simply edit the statements as needed for your environment and paste them into the SRX.
Here is the IPsec VPN configuration for the SRX300 line device at the branch location:
```
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals standard
set security ike policy ike-pol pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39"
set security ike gateway ike-gw ike-policy ike-pol
set security ike gateway ike-gw address 172.16.1.1
set security ike gateway ike-gw local-identity hostname branch
set security ike gateway ike-gw remote-identity hostname hq
set security ike gateway ike-gw external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy ipsec-pol proposals standard
set security ipsec vpn to_hq bind-interface st0.0
set security ipsec vpn to_hq ike gateway ike-gw
set security ipsec vpn to_hq ike ipsec-policy ipsec-pol
set security ipsec vpn to_hq establish-tunnels immediately
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services ping
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set routing-options static route 172.16.200.0/24 next-hop st0.0
```
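As an added example (not part of the Juniper guide), here is a small Python checker that parses set statements like the ones above and reports whether the three design goals from the start of this section hold, and flags the any/any policy that the earlier note suggests tightening with address-book entries. The address-book entry names branch-lan and hq-lan are assumptions.

```python
# Constructed sample: the branch set statements the checks below look at (from the guide's quick configuration).
BRANCH_SET = """
set security ike gateway ike-gw local-identity hostname branch
set security ike gateway ike-gw remote-identity hostname hq
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set routing-options static route 172.16.200.0/24 next-hop st0.0
"""

def parse_set(text):
    """Apply 'set'/'delete' lines in order; other lines (prompts, comments) are ignored."""
    stmts = []
    for ln in text.splitlines():
        tok = ln.split()
        if tok[:1] == ["set"]:
            stmts.append(tok[1:])
        elif tok[:1] == ["delete"]:  # drop every statement under the deleted path
            stmts = [s for s in stmts if s[:len(tok) - 1] != tok[1:]]
    return stmts

def check_design_goals(text, remote_subnet="172.16.200.0/24", tunnel_if="st0.0"):
    """Return a list of findings; an empty list means the three design goals hold."""
    stmts, findings = parse_set(text), []
    # Goal 1: the peer is matched by hostname identities, so a DHCP-assigned WAN IP is fine.
    gw = [s[4:] for s in stmts if s[:3] == ["security", "ike", "gateway"]]
    for ident in ("local-identity", "remote-identity"):
        if not any(g[:2] == [ident, "hostname"] for g in gw):
            findings.append(f"ike gateway lacks '{ident} hostname'")
    # Goal 2: only the trust zone may have a policy into the vpn zone.
    into_vpn = [s for s in stmts if s[:2] == ["security", "policies"] and s[4:6] == ["to-zone", "vpn"]]
    findings += [f"zone '{z}' has a policy into zone vpn" for z in sorted({s[3] for s in into_vpn} - {"trust"})]
    # Goal 3: the only prefix routed into the tunnel is the remote subnet.
    routed = {s[3] for s in stmts if s[:3] == ["routing-options", "static", "route"] and s[-2:] == ["next-hop", tunnel_if]}
    findings += [f"route {d} also points into {tunnel_if}" for d in sorted(routed - {remote_subnet})]
    if remote_subnet not in routed:
        findings.append(f"no route for {remote_subnet} via {tunnel_if}")
    # The guide's note: an any/any match relies on routing alone; address-book entries tighten it.
    src_any = {s[7] for s in into_vpn if s[8:] == ["match", "source-address", "any"]}
    dst_any = {s[7] for s in into_vpn if s[8:] == ["match", "destination-address", "any"]}
    findings += [f"policy {p} matches any/any; consider address-book entries" for p in sorted(src_any & dst_any)]
    return findings

def tightened_policy(local="192.168.2.0/24", remote="172.16.200.0/24"):
    """Statements that swap the any/any match for address-book entries (entry names are hypothetical)."""
    pol = "security policies from-zone trust to-zone vpn policy trust-to-vpn match"
    return [f"set security address-book global address branch-lan {local}",
            f"set security address-book global address hq-lan {remote}",
            f"delete {pol} source-address any", f"delete {pol} destination-address any",
            f"set {pol} source-address branch-lan", f"set {pol} destination-address hq-lan"]
```

Feeding `BRANCH_SET` followed by the lines from `tightened_policy()` to `check_design_goals` yields no findings, while the untightened branch config yields only the any/any advisory.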
Quick Configuration: Remote Location
For completeness, here is the matching IPsec VPN quick configuration for the remote site. It is similar to the one we detailed for the branch. The main differences are the use of the dynamic hostname statement and the different destination of the static route that steers traffic into the tunnel. We allow ping in the vpn zone at the remote site, so you can ping the tunnel endpoint (we numbered the tunnel) as well as the loopback interface. The loopback interface at the remote site represents the 172.16.200.0/24 subnet, and the remote site's lo0 interface is placed in the vpn zone.
```
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals standard
set security ike policy ike-pol pre-shared-key ascii-text "$9$1POEhrKMX7NbSrvLXNY2puORyKWLN-wg"
set security ike gateway ike-gw ike-policy ike-pol
set security ike gateway ike-gw dynamic hostname branch
set security ike gateway ike-gw local-identity hostname hq
set security ike gateway ike-gw external-interface ge-0/0/6
set security ipsec proposal standard
set security ipsec policy ipsec-pol proposals standard
set security ipsec vpn to_hq bind-interface st0.0
set security ipsec vpn to_hq ike gateway ike-gw
set security ipsec vpn to_hq ike ipsec-policy ipsec-pol
set security ipsec vpn to_hq establish-tunnels immediately
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces lo0.0
set security zones security-zone vpn host-inbound-traffic system-services ping
set interfaces lo0 unit 0 family inet address 172.16.200.1/32
set interfaces st0 unit 0 family inet address 10.0.0.2/24
set routing-options static route 192.168.2.0/24 next-hop st0.0
```
Be sure to commit your changes. In the next section we show you how to verify that the IPsec tunnel is working correctly.