IPsec 规则和规则集
示例:配置IKE动态 SLA
此示例将展示如何IKE动态 SLA,并包含以下部分。
要求
此示例具有以下硬件和软件组件:
四M Series、MX 系列或 T Series路由器,其中安装了多服务接口。
Junos OS 9.4 或更高版本。
配置此功能之前,不需要除设备初始化之外的特殊配置。
概述和拓扑
安全关联 (SA) 是一种简单连接,允许两个主机通过 IPsec 相互安全通信。
动态 SLA 最适合大型、地理位置分散的网络,其中手动分配、维护和跟踪密钥是艰难的任务。动态 SLA 配置了一组由安全网关协商提议。密钥作为协商的一部分生成,不需要在配置中指定。动态 SA 包括一个或多个提议,允许您为要与对等方协商的协议和算法列表确定优先级。
拓扑
图 1 显示了一个 IPsec 拓扑,其中包含一组四个路由器。此配置要求路由器 2 和 3 使用动态 SA、增强型身份验证和加密IKE来建立 IPsec 隧道。路由器 1 和 4 提供基本连接,用于验证 IPsec 隧道是否正常运行。
未指定多服务 PIC 上的 IKE 提议、IPsec 提议和 IPsec 策略时,Junos OS 将默认为最高级别的加密和身份验证。因此,默认认证协议为 ESP,默认认证模式为 HMAC-SHA1-96,默认加密模式为 3DES-CBC。
配置
要配置IKE SA,请执行以下任务:
此示例中显示的接口类型仅供指示。例如,您可以使用 so- 接口 代替 和 ge- sp- ms-, 而 使用 。
配置路由器 1
CLI快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以匹配网络配置,然后将命令复制并粘贴到路由器 1 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R2 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.2/30 set interfaces lo0 unit 0 family inet address 10.0.0.1/32 set routing-options router-id 10.0.0.1 set protocols ospf area 0.0.0.0 interface ge-0/0/0 set protocols ospf area 0.0.0.0 interface lo0.0
逐步过程
以下示例要求您在配置层次结构中导航各个级别。有关导航指南CLI,请参阅 CLI 用户指南 中的 在配置模式下CLI 编辑器 。
要配置路由器 1 以OSPF 2 进行安全连接:
配置以太网接口和回环接口。
[edit interfaces] user@router1# set ge-0/0/0 description "to R2 ge-0/0/0" user@router1# set ge-0/0/0 unit 0 family inet address 10.1.12.2/30 user@router1# set lo0 unit 0 family inet address 10.0.0.1/32
指定OSPF区域,并将接口与OSPF区域。
[edit interfaces] user@router1# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router1# set ospf area 0.0.0.0 interface lo0.0
配置路由器 ID。
[edit routing-options] user@router1# set router-id 10.0.0.1
提交配置。
[edit] user@router1# commit
结果
在配置模式下,输入 show interfaces、 和 命令以确认 show protocols ospf您的 show routing-options 配置。如果输出未显示预期的配置,请重复此示例中的说明,以更正配置
user@router1# show interfaces
interfaces {
ge-0/0/0 {
description "To R2 ge-0/0/0";
unit 0 {
family inet {
address 10.1.12.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32;
}
}
}
}
user@router1# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
}
}
}
user@router1# show routing-options
routing-options {
router-id 10.0.0.1;
}
配置路由器 2
CLI快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以匹配网络配置,然后将命令复制并粘贴到路由器 2 的 [edit] 层次结构级别中的 CLI 中。
set interfaces ge-0/0/0 description "to R1 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.1/30 set interfaces ge-0/0/1 description "to R3 ge-0/0/1" set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.1/30 set interfaces ms-1/2/0 services-options syslog host local services info set interfaces ms-1/2/0 unit 0 family inet set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set interfaces lo0 unit 0 family inet address 10.0.0.2/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ms-1/2/0.1 set routing-options router-id 10.0.0.2 set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.2 set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy set services ipsec-vpn rule match-direction input set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2 set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals demo-proposal set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec proposals ipsec-demo-proposal set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1 set services service-set demo-service-set ipsec-vpn-rules rule-ike
逐步过程
以下示例要求您在配置层次结构中导航各个级别。有关导航指南CLI,请参阅 CLI 用户指南 中的 在配置模式下CLI 编辑器 。
要配置OSPF 2 上的安全连接和 IPsec 隧道参数:
配置接口属性。在此步骤中,您将配置两个以太网接口(ge-1/0/0 和 ge-1/0/1)、一个回环接口和一个多服务接口 (ms-1/2/0)。
[edit interfaces] user@router2# set ge-0/0/0 description "to R1 ge-0/0/0" user@router2# set ge-0/0/0 unit 0 family inet address 10.1.12.1/30 user@router2# set ge-0/0/1 description "to R3 ge-0/0/1" user@router2# set ge-0/0/1 unit 0 family inet address 10.1.15.1/30 user@router2# set ms-1/2/0 services-options syslog host local services info user@router2# set ms-1/2/0 unit 0 family inet user@router2# set ms-1/2/0 unit 1 family inet user@router2# set ms-1/2/0 unit 1 service-domain inside user@router2# set ms-1/2/0 unit 2 family inet user@router2# set ms-1/2/0 unit 2 service-domain outside user@router2# set lo0 unit 0 family inet address 10.0.0.2/32
指定OSPF区域,并将接口与OSPF区域。
[edit protocols] user@router2# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router2# set ospf area 0.0.0.0 interface lo0.0 user@router2# set ospf area 0.0.0.0 interface ms-1/2/0.1
配置路由器 ID。
[edit routing-options] user@router2# set router-ID 10.0.0.2
配置 IPsec 规则。在此步骤中,您将配置 IPsec 规则,指定手动 SA 参数,例如远程网关地址、身份验证和加密属性等。
注意:默认情况下,Junos OS使用 IKE 1.0 版策略。Junos OS 11.4 和更高版本还IKE策略版本 2.0,您必须在 中配置该策略
[edit services ipsec-vpn ike policy policy-name pre-shared]。[edit services ipsec-vpn] user@router2# set rule rule-ike term term-ike then remote-gateway 10.1.15.2 user@router2# set rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy user@router2# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy user@router2# set rule match-direction input user@router2# set ike proposal ike-demo-proposal authentication-method pre-shared-keys user@router2# set ike proposal ike-demo-proposal dh-group group2 user@router2# set ike policy ike-demo-policy pre-shared proposals demo-proposal user@router2# set ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo user@router2# set ipsec proposal ipsec-demo-proposal protocol esp user@router2# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 user@router2# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc user@router2# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 user@router2# set ipsec proposals ipsec-demo-proposal
配置下一跳跃式服务集,指定本地网关地址,并将 IPsec VPN 规则与服务集关联。
[edit services] user@router2# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@router2# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@router2# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1 user@router2# set service-set demo-service-set ipsec-vpn-rules rule-ike
提交配置。
[edit] user@router2# commit
结果
在配置模式下,输入 show interfaces、 和 show protocols ospf命令以确认 show routing-options您的 show services 配置。如果输出未显示预期的配置,请重复此示例中的说明,以更正配置
user@router1# show interfaces
interfaces {
ge-0/0/0 {
description "To R1 ge-0/0/0";
unit 0 {
family inet {
address 10.1.12.1/30;
}
}
}
ge-0/0/1 {
description "To R3 ge-0/0/1";
unit 0 {
family inet {
address 10.1.15.1/30;
}
}
}
ms-1/2/0 {
services-options {
syslog {
host local {
services info;
}
}
}
unit 0 {
family inet;
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.2/32;
}
}
}
}
user@router2# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
interface ms-1/2/0.1;
}
}
}
user@router2# show routing-options
routing-options {
router-id 10.0.0.2;
}
user@router2# show services
services {
ipsec-vpn {
rule rule-ike {
term term-ike {
then {
remote-gateway 10.1.15.2;
dynamic {
ike-policy ike-demo-policy;
ipsec-policy ipsec-demo-policy;
}
}
}
match-direction input;
}
ike {
proposal ike-demo-proposal {
authentication-method pre-shared-keys;
dh-group group2;
}
policy ike-demo-policy {
proposals demo-proposal;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
}
ipsec {
proposal ipsec-demo-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy ipsec-demo-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-demo-proposal;
}
}
}
service-set demo-service-set {
next-hop-service {
inside-service-interface ms-1/2/0.1;
outside-service-interface ms-1/2/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.15.1;
}
ipsec-vpn-rules rule-ike;
}
service-set demo-service-set {
next-hop-service {
inside-service-interface ms-1/2/0.1;
outside-service-interface ms-1/2/0.2;
}
ipsec-vpn-options {
local-gateway 10.1.15.2;
}
ipsec-vpn-rules rule-ike;
}
配置路由器 3
CLI快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以匹配网络配置,然后将命令复制并粘贴到路由器 3 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R4 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.1/30 set interfaces ge-0/0/1 description "to R2 ge-0/0/1" set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.2/30 set interfaces ms-1/2/0 services-options syslog host local services info set interfaces ms-1/2/0 unit 0 family inet set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set interfaces lo0 unit 0 family inet address 10.0.0.3/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ms-1/2/0.1 set routing-options router-id 10.0.0.3 set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.1 set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy set services ipsec-vpn rule match-direction input set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2 set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals demo-proposal set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec proposals ipsec-demo-proposal set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2 set services service-set demo-service-set ipsec-vpn-rules rule-ike
逐步过程
以下示例要求您在配置层次结构中导航各个级别。有关导航指南CLI,请参阅 CLI 用户指南 中的 在配置模式下CLI 编辑器 。
要配置OSPF 3 上的安全连接和 IPsec 隧道参数:
配置接口属性。在此步骤中,您将配置两个以太网接口(ge-1/0/0 和 ge-1/0/1)、一个回环接口和一个多服务接口 (ms-1/2/0)。
[edit interfaces] user@router3# set ge-0/0/0 description "to R4 ge-0/0/0" user@router3# set ge-0/0/0 unit 0 family inet address 10.1.56.1/30 user@router3# set ge-0/0/1 description "to R2 ge-0/0/1" user@router3# set ge-0/0/1 unit 0 family inet address 10.1.15.2/30 user@router3# set ms-1/2/0 services-options syslog host local services info user@router3# set ms-1/2/0 unit 0 family inet user@router3# set ms-1/2/0 unit 1 family inet user@router3# set ms-1/2/0 unit 1 service-domain inside user@router3# set ms-1/2/0 unit 2 family inet user@router3# set ms-1/2/0 unit 2 service-domain outside user@router3# set lo0 unit 0 family inet address 10.0.0.3/32
指定OSPF区域,并将接口与OSPF区域。
[edit protocols] user@router3# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router3# set ospf area 0.0.0.0 interface lo0.0 user@router3# set ospf area 0.0.0.0 interface ms-1/2/0.1
配置路由器 ID。
[edit routing-options] user@router3# set router-id 10.0.0.3
配置 IPsec 规则。在此步骤中,您将配置 IPsec 规则并指定手动 SA 参数,例如远程网关地址、身份验证和加密属性等。
[edit services ipsec-vpn] user@router3# set rule rule-ike term term-ike then remote-gateway 10.1.15.1 user@router3# set rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy user@router3# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy user@router3# set rule match-direction input user@router3# set ike proposal ike-demo-proposal authentication-method pre-shared-keys user@router3# set ike proposal ike-demo-proposal dh-group group2 user@router3# set ike policy ike-demo-policy pre-shared proposals demo-proposal user@router3# set ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo user@router3# set ipsec proposal ipsec-demo-proposal protocol esp user@router3# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 user@router3# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc user@router3# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 user@router3# set ipsec proposals ipsec-demo-proposal
配置下一跳跃式服务集,指定本地网关地址,并将 IPsec VPN 规则与服务集关联。
[edit services] user@router3# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@router3# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@router3# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2 user@router3# set service-set demo-service-set ipsec-vpn-rules rule-ike
提交配置。
[edit] user@router3# commit
结果
在配置模式下,输入 show interfaces、 和 show protocols ospf命令以确认 show routing-options您的 show services 配置。如果输出未显示预期的配置,请重复此示例中的说明,以更正配置
user@router3# show interfaces
interfaces {
ge-0/0/0 {
description "To R4 ge-0/0/0";
unit 0 {
family inet {
address 10.1.56.1/30;
}
}
}
ge-0/0/1 {
description "To R2 ge-0/0/1";
unit 0 {
family inet {
address 10.1.15.2/30;
}
}
}
ms-1/2/0 {
services-options {
syslog {
host local {
services info;
}
}
}
unit 0 {
family inet {
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.3/32;
}
}
}
}
}
user@router3# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
interface ms-1/2/0.1;
}
}
}
user@router3# show routing-options
routing-options {
router-id 10.0.0.3;
}
user@router3# show services
services {
ipsec-vpn {
rule rule-ike {
term term-ike {
then {
remote-gateway 10.1.15.1;
dynamic {
ike-policy ike-demo-policy;
ipsec-policy ipsec-demo-policy;
}
}
}
match-direction input;
}
ike {
proposal ike-demo-proposal {
authentication-method pre-shared-keys;
dh-group group2;
}
policy ike-demo-policy {
proposals demo-proposal;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
}
ipsec {
proposal ipsec-demo-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy ipsec-demo-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-demo-proposal;
}
}
}
配置路由器 4
CLI快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以匹配网络配置,然后将命令复制并粘贴到路由器 4 的 [edit] 层次结构级别中的 CLI 中。
set interfaces ge-0/0/0 description "to R3 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30 set interfaces lo0 unit 0 family inet address 10.0.0.4/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set routing-options router-id 10.0.0.4
逐步过程
以下示例要求您在配置层次结构中导航各个级别。有关导航指南CLI,请参阅 CLI 用户指南 中的 在配置模式下CLI 编辑器 。
要设置与OSPF 4 的路由连接
配置接口。在此步骤中,您将配置以太网接口 (ge-1/0/1) 和环路接口。
user@router4# set interfaces ge-0/0/0 description "to R3 ge-0/0/0" user@router4# set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30 user@router4# set interfaces lo0 unit 0 family inet address 10.0.0.4/32
指定OSPF区域,并将接口与OSPF区域。
user@router4# set protocols ospf area 0.0.0.0 interface ge-0/0/0 user@router4# set protocols ospf area 0.0.0.0 interface lo0.0
配置路由器 ID。
[edit routing-options] user@router4# set router-id 10.0.0.4
结果
在配置模式下,输入 show interfaces、 和 命令以确认 show protocols ospf您的 show routing-options 配置。如果输出未显示预期的配置,请重复此示例中的说明,以更正配置
user@router4# show interfaces
interfaces {
ge-0/0/0 {
description "To R3 ge-0/0/0";
unit 0 {
family inet {
address 10.1.56.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.4/32;
}
}
}
}
user@router4# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
}
}
}
user@router4# show routing-options
routing-options {
router-id 10.0.0.4;
}
验证
验证您对路由器 1 的工作
目的
验证路由器 1 是否正常运行。
行动
在操作模式下,输入 ping 10.1.56.2 命令至路由器 4 上的 ge-0/0/0 接口,以通过 IPsec 隧道发送流量
user@router1>ping 10.1.56.2 PING 10.1.56.2 (10.1.56.2): 56 data bytes 64 bytes from 10.1.56.2: icmp_seq=0 ttl=254 time=1.351 ms 64 bytes from 10.1.56.2: icmp_seq=1 ttl=254 time=1.187 ms 64 bytes from 10.1.56.2: icmp_seq=2 ttl=254 time=1.172 ms 64 bytes from 10.1.56.2: icmp_seq=3 ttl=254 time=1.154 ms 64 bytes from 10.1.56.2: icmp_seq=4 ttl=254 time=1.156 ms ^C --- 10.1.56.2 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.154/1.204/1.351/0.074 ms
意义
输出显示路由器 1 能够通过 IPsec 隧道到达路由器 4。
验证您对路由器 2 的工作
目的
验证IKE SA 协商是否成功。
行动
在操作模式下,输入 show services ipsec-vpn ike security-associations 命令。
user@router2>show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type 10.1.15.2 Matured 03075bd3a0000003 4bff26a5c7000003 Main
要验证 IPsec 安全关联是否处于活动状态,请发出 show services ipsec-vpn ipsec security-associations detail 命令。请注意,SA 包含多服务 PIC 中固有的默认设置,例如协议的 ESP 和认证算法的 HMAC-SHA1-96。
在操作模式下,输入 show services ipsec-vpn ipsec security-associations detail 命令。
user@router2> show services ipsec-vpn ipsec security-associations detail Service set: demo-service-set Rule: rule-ike, Term: term-ike, Tunnel index: 1 Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2 Local identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24) Remote identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24) Direction: inbound, SPI: 2666326758, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26863 seconds Hard lifetime: Expires in 26998 seconds Anti-replay service: Enabled, Replay window size: 64 Direction: outbound, SPI: 684772754, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26863 seconds Hard lifetime: Expires in 26998 seconds Anti-replay service: Enabled, Replay window size: 64
要验证信息流是否通过双向 IPsec 隧道,请发出 show services ipsec-vpn statistics 命令:
在操作模式下,输入 show services ipsec-vpn statistics 命令。
user@router2> show services ipsec-vpn ipsec statistics PIC: ms-1/2/0, Service set: demo-service-set ESP Statistics: Encrypted bytes: 2248 Decrypted bytes: 2120 Encrypted packets: 27 Decrypted packets: 25 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
意义
命令 show services ipsec-vpn ipsec security-associations detail 输出显示您配置的 SA 属性。
命令 show services ipsec-vpn ipsec statistics 输出显示通过 IPsec 隧道的流量。
验证您从事路由器的工作 3
目的
验证路由器 3 IKE SA 协商是否成功。
行动
在操作模式下,输入 show services ipsec-vpn ike security-associations 命令。要成功,路由器 3 上的 SA 必须包含您于路由器 2 上指定的相同设置。
user@router3>show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type 10.1.15.1 Matured 03075bd3a0000003 4bff26a5c7000003 Main
要验证 IPsec SA 是否处于活动状态,请发出 show services ipsec-vpn ipsec security-associations detail 命令。要成功,路由器 3 上的 SA 必须包含您于路由器 2 上指定的相同设置。
在操作模式下,输入 show services ipsec-vpn ipsec security-associations detail 命令。
user@router3>show services ipsec-vpn ipsec security-associations detail Service set: demo-service-set Rule: rule-ike, Term: term-ike, Tunnel index: 1 Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1 Local identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24) Remote identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24) Direction: inbound, SPI: 684772754, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26598 seconds Hard lifetime: Expires in 26688 seconds Anti-replay service: Enabled, Replay window size: 64 Direction: outbound, SPI: 2666326758, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26598 seconds Hard lifetime: Expires in 26688 seconds Anti-replay service: Enabled, Replay window size: 64
要验证信息流是否通过双向 IPsec 隧道,请发出 show services ipsec-vpn statistics 命令:
在操作模式下,输入 show services ipsec-vpn ike security-associations 命令。
user@router3>show services ipsec-vpn ipsec statistics PIC: ms-1/2/0, Service set: demo-service-set ESP Statistics: Encrypted bytes: 2120 Decrypted bytes: 2248 Encrypted packets: 25 Decrypted packets: 27 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
意义
命令 show services ipsec-vpn ipsec security-associations detail 输出显示您配置的 SA 属性。
命令 show services ipsec-vpn ipsec statistics 输出显示通过 IPsec 隧道的流量。
验证您从事路由器的工作 4
目的
验证协议 SA IKE是否成功。
行动
在操作模式下,输入 ping 10.1.12.2 命令至路由器 1 上的 ge-0/0/0 接口,以通过 IPsec 隧道发送流量。
user@router4>ping 10.1.12.2 PING 10.1.12.2 (10.1.12.2): 56 data bytes 64 bytes from 10.1.12.2: icmp_seq=0 ttl=254 time=1.350 ms 64 bytes from 10.1.12.2: icmp_seq=1 ttl=254 time=1.161 ms 64 bytes from 10.1.12.2: icmp_seq=2 ttl=254 time=1.124 ms 64 bytes from 10.1.12.2: icmp_seq=3 ttl=254 time=1.142 ms 64 bytes from 10.1.12.2: icmp_seq=4 ttl=254 time=1.139 ms 64 bytes from 10.1.12.2: icmp_seq=5 ttl=254 time=1.116 ms ^C --- 10.1.12.2 ping statistics --- 6 packets transmitted, 6 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.116/1.172/1.350/0.081 ms
要确认信息流通过 IPsec traceroute 隧道,请发出命令至路由器 1 上的 ge-0/0/0 接口。请注意,路径中未引用路由器 2 和 3 之间的物理接口;信息流通过路由器 3 上的自适应服务 IPsec 内部接口进入 IPsec 隧道,经过路由器 2 上的环路接口,在路由器 1 上的 ge-0/0/0 接口结束。
在操作模式下,输入 traceroute 10.1.12.2。
user@router4>traceroute 10.1.12.2 traceroute to 10.1.12.2 (10.1.12.2), 30 hops max, 40 byte packets 1 10.1.15.2 (10.1.15.2) 0.987 ms 0.630 ms 0.563 ms 2 10.0.0.2 (10.0.0.2) 1.194 ms 1.058 ms 1.033 ms 3 10.1.12.2 (10.1.12.2) 1.073 ms 0.949 ms 0.932 ms
意义
输出 ping 10.1.12.2 显示路由器 4 能够通过 IPsec 隧道到达路由器 1。
输出 traceroute 10.1.12.2 显示流量通过 IPsec 隧道。
配置 IPsec 规则
要配置 IPsec 规则,请包含 rule 语句,并指定层级规则 [edit services ipsec-vpn] 名称:
[edit services ipsec-vpn] rule rule-name { match-direction (input | output); term term-name { from { destination-address address; ipsec-inside-interface interface-name; source-address address; } then { anti-replay-window-size bits; backup-remote-gateway address; clear-dont-fragment-bit; dynamic { ike-policy policy-name; ipsec-policy policy-name; } initiate-dead-peer-detection; dead-peer-detection { interval seconds; threshold number; } manual { direction (inbound | outbound | bidirectional) { authentication { algorithm (hmac-md5-96 | hmac-sha1-96); key (ascii-text key | hexadecimal key); } auxiliary-spi spi-value; encryption { algorithm algorithm; key (ascii-text key | hexadecimal key); } protocol (ah | bundle | esp); spi spi-value; } } no-anti-replay; remote-gateway address; syslog; tunnel-mtu bytes; } } }
每个 IPsec 规则都由一组术语组成,类似于防火墙过滤器。
术语由以下内容组成:
from语句 — 指定包括和排除的匹配条件和应用程序。then语句 — 指定由路由器软件执行的操作和操作修改器。
以下部分介绍如何配置 IPsec 规则的组件:
配置 IPsec 规则的匹配方向
每个规则都必须包含一 match-direction 个语句,用于指定对接口的输入或输出侧应用匹配。要配置应用匹配的位置,请包含 match-direction (input | output) 层级的 [edit services ipsec-vpn rule rule-name] 语句:
[edit services ipsec-vpn rule rule-name] match-direction (input | output);
ACX 系列路由器不支持 match-direction 作为 output。
匹配方向用于信息流通过 AS 或多服务 PIC。将数据包发送至 PIC 时,方向信息将随 PIC 一起传输。
使用接口服务集时,数据包方向由数据包是否进入或离开应用服务集的接口来确定。
使用下一跳跃服务集时,数据包方向由用于将数据包路由至路由器或多服务 PIC AS确定。如果使用内部接口来路由数据包,则数据包方向为输入。如果外部接口用于将数据包引导至 PIC,则数据包方向为输出。
在 AS 或多服务 PIC 上,执行流查找。如果未找到流,将执行规则处理。服务集内的所有规则都被视为。在规则处理期间,将数据包方向与规则方向进行比较。仅考虑具有与数据包方向匹配的方向信息的规则。
在 IPsec 规则中配置匹配条件
要配置 IPsec 规则中的匹配条件,请包含 from 层级的 [edit services ipsec-vpn rule rule-name term term-name] 语句:
[edit services ipsec-vpn rule rule-name term term-name] from { destination-address address; ipsec-inside-interface interface-name; source-address address; }
您可以使用源地址或目标地址作为匹配条件,其使用方式与配置防火墙过滤器相同;有关详细信息,请参阅 Junos OS 协议库 。
IPsec 服务同时支持 IPv4 和 IPv6 地址格式。如果不特别配置源地址或目标地址,则使用 0.0.0.0/0 默认值 (IPv4 ANY)。要使用 IPv6 ANY (0::0/128) 作为源地址或目标地址,必须显式配置。
ACX 系列上的 IPsec 服务支持 IPv4 地址格式。如果不特别配置源地址或目标地址,则使用 0.0.0.0/0 默认值 (IPv4 ANY)。
仅对于下一跳跃式服务集 ipsec-inside-interface ,该语句允许您为由于此匹配条件建立的隧道分配逻辑接口。可在 inside-service-interface 层次结构级别配置的 [edit services service-set name next-hop-service] .1 .2 语句允许您将 接口指定为 接口内外部接口。但是,您可以使用 语句配置多个自适应服务逻辑 service-domain inside 接口,并使用其中一个来配置 ipsec-inside-interface 语句。
标准Junos OS评估在语句中配置 from 的标准。 ipsec-inside-interface 0.0.0.0/0 如果在同一个下一跳式服务集内配置了多个链路类型隧道,则当所有隧道的源地址和目标地址为 (ANY-ANY) 时,该值使规则查找模块能够区分特定隧道与其他隧道。
配置 语句时 ipsec-inside-interface ,将不支持接口式服务集。
特殊情况由包含"任意"匹配条件(通常是由于省略 from 该语句)的术语提供。如果隧道中存在任意匹配,则不需要流,因为此隧道内的所有流量都使用相同的安全关联 (SA) 和数据包选择器,不会发挥重大作用。因此,这些隧道将使用基于数据包的 IPsec。此策略节省了 PIC 上的某些流资源,可用于需要基于流量的服务的其他隧道。
以下配置示例显示了 在 中无 语句的任何通道 from 配置 term-1。语句中缺少选择 from 器将会导致基于数据包的 IPsec 服务。
services {
ipsec-vpn {
rule rule-1 {
term term-1 {
then {
remote-gateway 10.1.0.1;
dynamic {
ike-policy ike_policy;
ipsec-policy ipsec_policy;
}
}
}
match-direction input;
}
.....
}
无流 IPsec 服务可提供给具有任意匹配的链路类型隧道,以及专用和共享模式下具有任意匹配的动态隧道。
对于链路类型隧道,服务集内支持无流和基于流的 IPsec 混合使用。 from 如果服务集包括语句中具有任意匹配某些术语和带选择器的一些术语,则为任意任意隧道提供基于数据包的服务,为具有选择器的其他隧道提供基于流的服务。
对于非链路类型隧道,如果服务集同时包含任意术语和基于选择器的术语,则所有隧道均会提供基于流的服务。
在 IPsec 规则中配置操作
要配置 IPsec 规则中的操作,请包含 then 层级的 [edit services ipsec-vpn rule rule-name term term-name] 语句:
[edit services ipsec-vpn rule rule-name term term-name] then { anti-replay-window-size bits; backup-remote-gateway address; clear-dont-fragment-bit; dynamic { ike-policy policy-name; ipsec-policy policy-name; } initiate-dead-peer-detection; dead-peer-detection { interval seconds; threshold number; } manual { direction (inbound | outbound | bidirectional) { authentication { algorithm (hmac-md5-96 | hmac-sha1-96); key (ascii-text key | hexadecimal key); } auxiliary-spi spi-value; encryption { algorithm algorithm; key (ascii-text key | hexadecimal key); } protocol (ah | bundle | esp); spi spi-value; } } no-anti-replay; remote-gateway address; syslog; tunnel-mtu bytes; }
主要 IPsec 操作是配置动态或手动 SA:
您配置动态 SA 时
dynamic,您可以在 层次结构级别包含[edit services ipsec-vpn rule rule-name term term-name then]语句,并引用在 和 层次结构级别配置[edit services ipsec-vpn ipsec][edit services ipsec-vpn ike]的策略。您可将 语句包括在 层次结构级别,以配置手动
[edit services ipsec-vpn rule rule-name term term-name then]SAmanual。
您可以配置以下附加属性:
启用 IPsec 数据包分片
要启用 IPsec 隧道中 IP 版本 4 (IPv4) 数据包的clear-dont-fragment-bit[edit services ipsec-vpn rule rule-name term term-name then]分段,请包含 层级的 语句:
[edit services ipsec-vpn rule rule-name term term-name then] clear-dont-fragment-bit;
无论数据包 clear-dont-fragment-bit 大小如何,设置语句将清除数据包标头中的"不分段 "(DF) 位。如果数据包大小超过隧道的 最大传输单元 (MTU) 值,则数据包在封装之前先分片。对于 IPsec 隧道,无论MTU设置如何,默认 MTU 值为 1500。
配置不工作对等方检测的目标地址
要指定 IPsec 流量定向到的远程地址, remote-gateway 请包含层级的 [edit services ipsec-vpn rule rule-name term term-name then] 语句:
[edit services ipsec-vpn rule rule-name term term-name then] remote-gateway address;
要指定备份远程地址,请包含 backup-remote-gateway 层级的 [edit services ipsec-vpn rule rule-name term term-name then] 语句:
[edit services ipsec-vpn rule rule-name term term-name then] backup-remote-gateway address;
这两种语句同时支持 IPv4 和 IPv6 地址格式。
配置语句将 backup-remote-gateway 启用不工作对等方检测 (DPD) 协议,用于监控隧道状态和远程对等方可用性。当 语句定义的主 remote-gateway 通道处于活动状态时,备份隧道将处于待机模式。如果 DPD 协议确定主远程网关地址不再可用,将为备份地址建立新隧道。
如果在定义的 10 秒间隔内没有来自对等方的传入信息流,路由器将检测隧道为非活动状态。全局计时器每隔 10 秒轮询所有隧道,自适应服务 (AS) 或多服务物理接口卡 (PIC) 会发送一条消息列出任何无效隧道。如果隧道无效,路由器将采取以下步骤故障切换至备份地址:
自适应服务消息会触发 DPD 协议,以向对等方发送 hello 消息。
如果未收到确认,则以 2 秒的间隔发送两次重试,随后隧道将被宣布无效。
如果隧道被宣布无效,或者存在 IPsec 第 1 阶段协商超时,则发生故障切换。主通道处于待机模式,备份通道变为活动状态。
如果与备份隧道的协商时间过长,路由器将切换回主隧道。如果两个对等方出现故障,则尝试六次故障切换。然后,由于主隧道处于活动状态,备份处于待机模式,因此可停止故障切换并恢复到原始配置。
您也可在 层级包含 语句,启用 DPD hello initiate-dead-peer-detection [edit services ipsec-vpn rule rule-name term term-name then] 消息触发,而不配置备份远程网关:
[edit services ipsec-vpn rule rule-name term term-name then] initiate-dead-peer-detection; dead-peer-detection { interval seconds; threshold number; }
此外,对于 IKEv1 SLA interval threshold,您可以在使用 语句时dead-peer-detection在 语句下设置和initiate-dead-peer-detection选项。从Junos OS版本17.2R1,和intervalthreshold选项也适用于 IKEv2 SLA。在 Junos OS 17.1 interval threshold 和早期版本中,和 选项不适用于使用默认值的 IKEv2 A。间隔是对等方在发送 DPD 请求数据包之前等待其目标对等方发送信息流的时间量,阈值是对等方认为不可用之前要发送的最大成功 DPD 请求数。
监控行为与语句描述的相同 backup-remote-gateway 。此配置允许路由器在不存在备份 IPsec 网关时启动 DPD hello,并清理 IKE 和 IPsec SLA(如果IKE对等方不可访问)。
如果 DPD 协议确定主远程网关地址不再可用,将为备份地址建立新隧道。 initiate-dead-peer-detection 但是,在配置没有备份远程网关地址且 DPD 协议确定主远程网关地址不可访问时,隧道将宣布无效,IKE 和 IPsec SLA 将清理。
有关 DPD 协议的信息,请参阅 RFC 3706,一种基于流量的不工作互联网密钥交换 (IKE)对等方检测方法。
配置或禁用 IPsec 防重播
要配置 IPsec 反replay 窗口的大小, anti-replay-window-size 请包含 层级的 [edit services ipsec-vpn rule rule-name term term-name then] 语句:
[edit services ipsec-vpn rule rule-name term term-name then] anti-replay-window-size bits;
anti-replay-window-size 可以使用范围为 64 到 4096 位的值。默认值为 AS 个 PC 64 位,多服务 PICS 和 DPC 128 位。AS 个 PC 可支持 1024 位的最大重放窗口大小,而多服务 PIC 和 DPC 可支持 4096 位的最大重放窗口大小。当软件提交 IPsec 配置时,密钥管理进程 (kmd) 无法区分服务接口类型。因此,如果每个 PIC 的最大反replay 窗口大小超过 1024 AS,则提交将成功,并且不会生成错误消息。但是,软件在内部将 AS 的反replay 窗口大小设置到 1024 位 anti-replay-window-size ,即使 的已配置值更大。
要禁用 IPsec 反replay 功能,请包含 no-anti-replay 层级的 [edit services ipsec-vpn rule rule-name term term-name then] 语句:
[edit services ipsec-vpn rule rule-name term term-name then] no-anti-replay;
默认情况下,反replay 服务已启用。偶尔这可能会导致与其他供应商的设备出现互操作性问题。
启用系统日志消息
指定 IPsec MTU的
要配置 IPsec tunnel-mtu 最大传输单元 (MTU) 值,请包含 层级的 [edit services ipsec-vpn rule rule-name term term-name then] 语句:
[edit services ipsec-vpn rule rule-name term term-name then] tunnel-mtu bytes;
设置 tunnel-mtu 是唯一需要为 IPsec 隧道配置 MTU值的位置。不支持在 mtu 层级 [edit interfaces sp-fpc/pic/port unit logical-unit-number family inet] 包含设置。
配置 IPsec 规则集
该 rule-set 语句定义了 IPsec 规则的集合,可确定路由器软件对数据流中的数据包执行哪些操作。通过指定规则名称并配置术语,可定义每个规则。然后,您指定规则的顺序 rule-set [edit services ipsec-vpn] rule ,具体包括层级的 语句以及每个规则的语句:
[edit services ipsec-vpn] rule-set rule-set-name { rule rule-name; }
路由器软件按在配置中指定的顺序处理规则。如果规则中的术语与数据包匹配,则路由器将执行相应的操作,并且规则处理停止。如果规则中的术语与数据包匹配,则处理将继续到规则集的下一个规则。如果没有与数据包匹配的规则,则默认情况下会丢弃该数据包。