IPsec 规则和规则集
示例:配置 IKE 动态 SA
此示例说明如何配置 IKE 动态 SA,并包含以下部分。
要求
此示例使用以下硬件和软件组件:
四台安装了多服务接口的 M Series、MX 系列或 T Series 路由器。
Junos OS 9.4 或更高版本。
在配置此功能之前,不需要除设备启动之外的特殊配置。
概述和拓扑
安全关联 (SA) 是一种单工连接,可让两台主机通过 IPsec 安全地相互通信。
动态 SA 最适合大规模、地理位置分散的网络,在这些网络中,手动分发、维护和跟踪密钥是一项艰巨的任务。动态 SA 配置了一组由安全网关协商的提议。密钥将作为协商的一部分生成,无需在配置中指定。动态 SA 包括一个或多个提议,允许您确定要与对等方协商的协议和算法列表的优先级。
拓扑学
图 1 显示了包含一组四台路由器的 IPsec 拓扑。此配置要求路由器 2 和 3 使用 IKE 动态 SA、增强型身份验证和加密建立 IPsec 隧道。路由器 1 和 4 提供基本连接,用于验证 IPsec 隧道是否正常运行。

如果未在多服务 PIC 上指定 IKE 提议、IPsec 提议和 IPsec 策略,则 Junos OS 将默认为最高级别的加密和身份验证。因此,默认身份验证协议为 ESP,默认身份验证模式为 HMAC-SHA1-96,默认加密模式为 3DES-CBC。
配置
要配置 IKE 动态 SA,请执行以下任务:
此示例中显示的接口类型仅供参考。例如,您可以使用 so-
interfaces 代替 ge-
和 sp-
ms-
而不是 。
配置路由器 1
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 1 的 [edit] 层级的 CLI 中。
set interfaces ge-0/0/0 description "to R2 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.2/30 set interfaces lo0 unit 0 family inet address 10.0.0.1/32 set routing-options router-id 10.0.0.1 set protocols ospf area 0.0.0.0 interface ge-0/0/0 set protocols ospf area 0.0.0.0 interface lo0.0
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要配置路由器 1 以便与路由器 2 建立 OSPF 连接:
配置以太网接口和环路接口。
[edit interfaces] user@router1# set ge-0/0/0 description "to R2 ge-0/0/0" user@router1# set ge-0/0/0 unit 0 family inet address 10.1.12.2/30 user@router1# set lo0 unit 0 family inet address 10.0.0.1/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
[edit interfaces] user@router1# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router1# set ospf area 0.0.0.0 interface lo0.0
配置路由器 ID。
[edit routing-options] user@router1# set router-id 10.0.0.1
提交配置。
[edit] user@router1# commit
结果
在配置模式下,输入show interfaces
show protocols ospf
、和show routing-options
命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router1# show interfaces interfaces { ge-0/0/0 { description "To R2 ge-0/0/0"; unit 0 { family inet { address 10.1.12.2/30; } } } lo0 { unit 0 { family inet { address 10.0.0.1/32; } } } }
user@router1# show protocols ospf protocols { ospf { area 0.0.0.0 { interface ge-0/0/0.0; interface lo0.0; } } }
user@router1# show routing-options routing-options { router-id 10.0.0.1; }
配置路由器 2
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 2 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R1 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.1/30 set interfaces ge-0/0/1 description "to R3 ge-0/0/1" set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.1/30 set interfaces ms-1/2/0 services-options syslog host local services info set interfaces ms-1/2/0 unit 0 family inet set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set interfaces lo0 unit 0 family inet address 10.0.0.2/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ms-1/2/0.1 set routing-options router-id 10.0.0.2 set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.2 set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy set services ipsec-vpn rule match-direction input set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2 set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals demo-proposal set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec proposals ipsec-demo-proposal set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1 set services service-set demo-service-set ipsec-vpn-rules rule-ike
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要在路由器 2 上配置 OSPF 连接和 IPsec 隧道参数:
配置接口属性。在此步骤中,您将配置两个以太网接口(ge-1/0/0 和 ge-1/0/1)、一个环路接口和一个多服务接口 (ms-1/2/0)。
[edit interfaces] user@router2# set ge-0/0/0 description "to R1 ge-0/0/0" user@router2# set ge-0/0/0 unit 0 family inet address 10.1.12.1/30 user@router2# set ge-0/0/1 description "to R3 ge-0/0/1" user@router2# set ge-0/0/1 unit 0 family inet address 10.1.15.1/30 user@router2# set ms-1/2/0 services-options syslog host local services info user@router2# set ms-1/2/0 unit 0 family inet user@router2# set ms-1/2/0 unit 1 family inet user@router2# set ms-1/2/0 unit 1 service-domain inside user@router2# set ms-1/2/0 unit 2 family inet user@router2# set ms-1/2/0 unit 2 service-domain outside user@router2# set lo0 unit 0 family inet address 10.0.0.2/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
[edit protocols] user@router2# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router2# set ospf area 0.0.0.0 interface lo0.0 user@router2# set ospf area 0.0.0.0 interface ms-1/2/0.1
配置路由器 ID。
[edit routing-options] user@router2# set router-ID 10.0.0.2
配置 IPsec 规则。在此步骤中,您将配置 IPsec 规则,指定手动 SA 参数,例如远程网关地址、身份验证和加密属性等。
注意:默认情况下,Junos OS 使用 IKE 策略版本 1.0。Junos OS 11.4 和更高版本还支持 IKE 策略 2.0 版,您必须在
[edit services ipsec-vpn ike policy policy-name pre-shared]
中配置该策略。[edit services ipsec-vpn] user@router2# set rule rule-ike term term-ike then remote-gateway 10.1.15.2 user@router2# set rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy user@router2# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy user@router2# set rule match-direction input user@router2# set ike proposal ike-demo-proposal authentication-method pre-shared-keys user@router2# set ike proposal ike-demo-proposal dh-group group2 user@router2# set ike policy ike-demo-policy pre-shared proposals demo-proposal user@router2# set ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo user@router2# set ipsec proposal ipsec-demo-proposal protocol esp user@router2# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 user@router2# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc user@router2# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 user@router2# set ipsec proposals ipsec-demo-proposal
配置下一跃点样式服务集,指定本地网关地址,并将 IPsec VPN 规则与服务集相关联。
[edit services] user@router2# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@router2# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@router2# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1 user@router2# set service-set demo-service-set ipsec-vpn-rules rule-ike
提交配置。
[edit] user@router2# commit
结果
在配置模式下,输入show interfaces
、show protocols ospf
show routing-options
、和show services
命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router1# show interfaces interfaces { ge-0/0/0 { description "To R1 ge-0/0/0"; unit 0 { family inet { address 10.1.12.1/30; } } } ge-0/0/1 { description "To R3 ge-0/0/1"; unit 0 { family inet { address 10.1.15.1/30; } } } ms-1/2/0 { services-options { syslog { host local { services info; } } } unit 0 { family inet; } unit 1 { family inet; service-domain inside; } unit 2 { family inet; service-domain outside; } } lo0 { unit 0 { family inet { address 10.0.0.2/32; } } } }
user@router2# show protocols ospf protocols { ospf { area 0.0.0.0 { interface ge-0/0/0.0; interface lo0.0; interface ms-1/2/0.1; } } }
user@router2# show routing-options routing-options { router-id 10.0.0.2; }
user@router2# show services services { ipsec-vpn { rule rule-ike { term term-ike { then { remote-gateway 10.1.15.2; dynamic { ike-policy ike-demo-policy; ipsec-policy ipsec-demo-policy; } } } match-direction input; } ike { proposal ike-demo-proposal { authentication-method pre-shared-keys; dh-group group2; } policy ike-demo-policy { proposals demo-proposal; pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA } } ipsec { proposal ipsec-demo-proposal { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; } policy ipsec-demo-policy { perfect-forward-secrecy { keys group2; } proposals ipsec-demo-proposal; } } } service-set demo-service-set { next-hop-service { inside-service-interface ms-1/2/0.1; outside-service-interface ms-1/2/0.2; } ipsec-vpn-options { local-gateway 10.1.15.1; } ipsec-vpn-rules rule-ike; } service-set demo-service-set { next-hop-service { inside-service-interface ms-1/2/0.1; outside-service-interface ms-1/2/0.2; } ipsec-vpn-options { local-gateway 10.1.15.2; } ipsec-vpn-rules rule-ike; }
配置路由器 3
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 3 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R4 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.1/30 set interfaces ge-0/0/1 description "to R2 ge-0/0/1" set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.2/30 set interfaces ms-1/2/0 services-options syslog host local services info set interfaces ms-1/2/0 unit 0 family inet set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set interfaces lo0 unit 0 family inet address 10.0.0.3/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ms-1/2/0.1 set routing-options router-id 10.0.0.3 set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.1 set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy set services ipsec-vpn rule match-direction input set services ipsec-vpn ike proposal ike-demo-proposal authentication-method pre-shared-keys set services ipsec-vpn ike proposal ike-demo-proposal dh-group group2 set services ipsec-vpn ike policy ike-demo-policy pre-shared proposals demo-proposal set services ipsec-vpn ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec proposals ipsec-demo-proposal set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2 set services service-set demo-service-set ipsec-vpn-rules rule-ike
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要在路由器 3 上配置 OSPF 连接和 IPsec 隧道参数:
配置接口属性。在此步骤中,您将配置两个以太网接口(ge-1/0/0 和 ge-1/0/1)、一个环路接口和一个多服务接口 (ms-1/2/0)。
[edit interfaces] user@router3# set ge-0/0/0 description "to R4 ge-0/0/0" user@router3# set ge-0/0/0 unit 0 family inet address 10.1.56.1/30 user@router3# set ge-0/0/1 description "to R2 ge-0/0/1" user@router3# set ge-0/0/1 unit 0 family inet address 10.1.15.2/30 user@router3# set ms-1/2/0 services-options syslog host local services info user@router3# set ms-1/2/0 unit 0 family inet user@router3# set ms-1/2/0 unit 1 family inet user@router3# set ms-1/2/0 unit 1 service-domain inside user@router3# set ms-1/2/0 unit 2 family inet user@router3# set ms-1/2/0 unit 2 service-domain outside user@router3# set lo0 unit 0 family inet address 10.0.0.3/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
[edit protocols] user@router3# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router3# set ospf area 0.0.0.0 interface lo0.0 user@router3# set ospf area 0.0.0.0 interface ms-1/2/0.1
配置路由器 ID。
[edit routing-options] user@router3# set router-id 10.0.0.3
配置 IPsec 规则。在此步骤中,您将配置 IPsec 规则并指定手动 SA 参数,例如远程网关地址、身份验证和加密属性等。
[edit services ipsec-vpn] user@router3# set rule rule-ike term term-ike then remote-gateway 10.1.15.1 user@router3# set rule rule-ike term term-ike then dynamic ike-policy ike-demo-policy user@router3# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy user@router3# set rule match-direction input user@router3# set ike proposal ike-demo-proposal authentication-method pre-shared-keys user@router3# set ike proposal ike-demo-proposal dh-group group2 user@router3# set ike policy ike-demo-policy pre-shared proposals demo-proposal user@router3# set ike policy ike-demo-policy pre-shared pre-shared-key ascii-text keyfordemo user@router3# set ipsec proposal ipsec-demo-proposal protocol esp user@router3# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 user@router3# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc user@router3# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 user@router3# set ipsec proposals ipsec-demo-proposal
配置下一跃点样式服务集,指定本地网关地址,并将 IPsec VPN 规则与服务集相关联。
[edit services] user@router3# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@router3# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@router3# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2 user@router3# set service-set demo-service-set ipsec-vpn-rules rule-ike
提交配置。
[edit] user@router3# commit
结果
在配置模式下,输入show interfaces
、show protocols ospf
show routing-options
、和show services
命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router3# show interfaces interfaces { ge-0/0/0 { description "To R4 ge-0/0/0"; unit 0 { family inet { address 10.1.56.1/30; } } } ge-0/0/1 { description "To R2 ge-0/0/1"; unit 0 { family inet { address 10.1.15.2/30; } } } ms-1/2/0 { services-options { syslog { host local { services info; } } } unit 0 { family inet { } unit 1 { family inet; service-domain inside; } unit 2 { family inet; service-domain outside; } } lo0 { unit 0 { family inet { address 10.0.0.3/32; } } } } }
user@router3# show protocols ospf protocols { ospf { area 0.0.0.0 { interface ge-0/0/0.0; interface lo0.0; interface ms-1/2/0.1; } } }
user@router3# show routing-options routing-options { router-id 10.0.0.3; }
user@router3# show services services { ipsec-vpn { rule rule-ike { term term-ike { then { remote-gateway 10.1.15.1; dynamic { ike-policy ike-demo-policy; ipsec-policy ipsec-demo-policy; } } } match-direction input; } ike { proposal ike-demo-proposal { authentication-method pre-shared-keys; dh-group group2; } policy ike-demo-policy { proposals demo-proposal; pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA } } ipsec { proposal ipsec-demo-proposal { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; } policy ipsec-demo-policy { perfect-forward-secrecy { keys group2; } proposals ipsec-demo-proposal; } } }
配置路由器 4
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 4 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R3 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30 set interfaces lo0 unit 0 family inet address 10.0.0.4/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set routing-options router-id 10.0.0.4
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要设置与路由器 4 的 OSPF 连接
配置接口。在此步骤中,您将配置一个以太网接口 (ge-1/0/1) 和一个环路接口。
user@router4# set interfaces ge-0/0/0 description "to R3 ge-0/0/0" user@router4# set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30 user@router4# set interfaces lo0 unit 0 family inet address 10.0.0.4/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
user@router4# set protocols ospf area 0.0.0.0 interface ge-0/0/0 user@router4# set protocols ospf area 0.0.0.0 interface lo0.0
配置路由器 ID。
[edit routing-options] user@router4# set router-id 10.0.0.4
结果
在配置模式下,输入show interfaces
show protocols ospf
、和show routing-options
命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router4# show interfaces interfaces { ge-0/0/0 { description "To R3 ge-0/0/0"; unit 0 { family inet { address 10.1.56.2/30; } } } lo0 { unit 0 { family inet { address 10.0.0.4/32; } } } }
user@router4# show protocols ospf protocols { ospf { area 0.0.0.0 { interface ge-0/0/0.0; interface lo0.0; } } }
user@router4# show routing-options routing-options { router-id 10.0.0.4; }
验证
验证您在路由器 1 上的工作
目的
验证路由器 1 的正确作。
行动
在作模式下,向路由器 4 上的 ge-0/0/0 接口输入 ping 10.1.56.2
命令,以通过 IPsec 隧道发送流量
user@router1>ping 10.1.56.2 PING 10.1.56.2 (10.1.56.2): 56 data bytes 64 bytes from 10.1.56.2: icmp_seq=0 ttl=254 time=1.351 ms 64 bytes from 10.1.56.2: icmp_seq=1 ttl=254 time=1.187 ms 64 bytes from 10.1.56.2: icmp_seq=2 ttl=254 time=1.172 ms 64 bytes from 10.1.56.2: icmp_seq=3 ttl=254 time=1.154 ms 64 bytes from 10.1.56.2: icmp_seq=4 ttl=254 time=1.156 ms ^C --- 10.1.56.2 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.154/1.204/1.351/0.074 ms
意义
输出显示路由器 1 能够通过 IPsec 隧道访问路由器 4。
验证您在路由器 2 上的工作
目的
验证 IKE SA 协商是否成功。
行动
在作模式下,输入 show services ipsec-vpn ike security-associations
命令。
user@router2>show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type 10.1.15.2 Matured 03075bd3a0000003 4bff26a5c7000003 Main
要验证 IPsec 安全关联是否处于活动状态,请发出 show services ipsec-vpn ipsec security-associations detail 命令。请注意,SA 包含多服务 PIC 中固有的默认设置,例如协议的 ESP 和身份验证算法的 HMAC-SHA1-96。
在作模式下,输入 show services ipsec-vpn ipsec security-associations detail
命令。
user@router2> show services ipsec-vpn ipsec security-associations detail Service set: demo-service-set Rule: rule-ike, Term: term-ike, Tunnel index: 1 Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2 Local identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24) Remote identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24) Direction: inbound, SPI: 2666326758, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26863 seconds Hard lifetime: Expires in 26998 seconds Anti-replay service: Enabled, Replay window size: 64 Direction: outbound, SPI: 684772754, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26863 seconds Hard lifetime: Expires in 26998 seconds Anti-replay service: Enabled, Replay window size: 64
要验证流量是否通过双向 IPsec 隧道,请发出 show services ipsec-vpn statistics 以下命令:
在作模式下,输入 show services ipsec-vpn statistics
命令。
user@router2> show services ipsec-vpn ipsec statistics PIC: ms-1/2/0, Service set: demo-service-set ESP Statistics: Encrypted bytes: 2248 Decrypted bytes: 2120 Encrypted packets: 27 Decrypted packets: 25 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
意义
show services ipsec-vpn ipsec security-associations detail
命令输出显示您配置的 SA 属性。
show services ipsec-vpn ipsec statistics
命令输出显示通过 IPsec 隧道的流量。
验证您在路由器 3 上的工作
目的
验证路由器 3 上的 IKE SA 协商是否成功。
行动
在作模式下,输入 show services ipsec-vpn ike security-associations
命令。要获得成功,路由器 3 上的 SA 必须包含您在路由器 2 上指定的相同设置。
user@router3>show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type 10.1.15.1 Matured 03075bd3a0000003 4bff26a5c7000003 Main
要验证 IPsec SA 是否处于活动状态,请发出 show services ipsec-vpn ipsec security-associations detail 命令。要获得成功,路由器 3 上的 SA 必须包含您在路由器 2 上指定的相同设置。
在作模式下,输入 show services ipsec-vpn ipsec security-associations detail
命令。
user@router3>show services ipsec-vpn ipsec security-associations detail Service set: demo-service-set Rule: rule-ike, Term: term-ike, Tunnel index: 1 Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1 Local identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24) Remote identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24) Direction: inbound, SPI: 684772754, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26598 seconds Hard lifetime: Expires in 26688 seconds Anti-replay service: Enabled, Replay window size: 64 Direction: outbound, SPI: 2666326758, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 26598 seconds Hard lifetime: Expires in 26688 seconds Anti-replay service: Enabled, Replay window size: 64
要验证流量是否通过双向 IPsec 隧道,请发出 show services ipsec-vpn statistics 以下命令:
在作模式下,输入 show services ipsec-vpn ike security-associations
命令。
user@router3>show services ipsec-vpn ipsec statistics PIC: ms-1/2/0, Service set: demo-service-set ESP Statistics: Encrypted bytes: 2120 Decrypted bytes: 2248 Encrypted packets: 25 Decrypted packets: 27 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
意义
show services ipsec-vpn ipsec security-associations detail
命令输出显示您配置的 SA 属性。
show services ipsec-vpn ipsec statistics
命令输出显示通过 IPsec 隧道的流量。
验证您在路由器 4 上的工作
目的
验证 IKE SA 协商是否成功。
行动
在作模式下,向路由器 1 上的 ge-0/0/0 接口输入 ping 10.1.12.2
命令,以通过 IPsec 隧道发送流量。
user@router4>ping 10.1.12.2 PING 10.1.12.2 (10.1.12.2): 56 data bytes 64 bytes from 10.1.12.2: icmp_seq=0 ttl=254 time=1.350 ms 64 bytes from 10.1.12.2: icmp_seq=1 ttl=254 time=1.161 ms 64 bytes from 10.1.12.2: icmp_seq=2 ttl=254 time=1.124 ms 64 bytes from 10.1.12.2: icmp_seq=3 ttl=254 time=1.142 ms 64 bytes from 10.1.12.2: icmp_seq=4 ttl=254 time=1.139 ms 64 bytes from 10.1.12.2: icmp_seq=5 ttl=254 time=1.116 ms ^C --- 10.1.12.2 ping statistics --- 6 packets transmitted, 6 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.116/1.172/1.350/0.081 ms
要确认流量是否通过 IPsec 隧道,请向路由器 1 上的 ge-0/0/0 接口发出 traceroute
命令。请注意,路径中未引用路由器 2 和 3 之间的物理接口;流量通过路由器 3 上的自适应服务 IPsec 内部接口进入 IPsec 隧道,通过路由器 2 上的环路接口,最后到达路由器 1 上的 ge-0/0/0 接口。
在作模式下,输入 traceroute 10.1.12.2
.
user@router4>traceroute 10.1.12.2 traceroute to 10.1.12.2 (10.1.12.2), 30 hops max, 40 byte packets 1 10.1.15.2 (10.1.15.2) 0.987 ms 0.630 ms 0.563 ms 2 10.0.0.2 (10.0.0.2) 1.194 ms 1.058 ms 1.033 ms 3 10.1.12.2 (10.1.12.2) 1.073 ms 0.949 ms 0.932 ms
意义
ping 10.1.12.2
输出显示路由器 4 能够通过 IPsec 隧道访问路由器 1。
traceroute 10.1.12.2
输出显示流量在 IPsec 隧道中传输。
配置 IPsec 规则
要配置 IPsec 规则,请包含 rule
语句并在层次结构级别指定规则名称 [edit services ipsec-vpn]
:
[edit services ipsec-vpn] rule rule-name { match-direction (input | output); term term-name { from { destination-address address; ipsec-inside-interface interface-name; source-address address; } then { anti-replay-window-size bits; backup-remote-gateway address; clear-dont-fragment-bit; dynamic { ike-policy policy-name; ipsec-policy policy-name; } initiate-dead-peer-detection; dead-peer-detection { interval seconds; threshold number; } manual { direction (inbound | outbound | bidirectional) { authentication { algorithm (hmac-md5-96 | hmac-sha1-96); key (ascii-text key | hexadecimal key); } auxiliary-spi spi-value; encryption { algorithm algorithm; key (ascii-text key | hexadecimal key); } protocol (ah | bundle | esp); spi spi-value; } } no-anti-replay; remote-gateway address; syslog; tunnel-mtu bytes; } } }
每个 IPsec 规则都由一组术语组成,类似于防火墙过滤器。
术语由以下内容组成:
from
语句 - 指定包含和排除的匹配条件和应用程序。then
语句 — 指定路由器软件要执行的作和作修饰符。
以下部分说明如何配置 IPsec 规则的组件:
配置 IPsec 规则的匹配方向
每个规则都必须包含一个match-direction
语句,用于指定是在接口的输入端还是输出端应用匹配。要配置应用匹配的位置,请在[edit services ipsec-vpn rule rule-name]
层次结构级别包含语match-direction (input | output)
句:
[edit services ipsec-vpn rule rule-name] match-direction (input | output);
ACX 系列路由器不支持 match-direction
AS output。
匹配方向用于通过 AS 或多服务 PIC 的流量。将数据包发送到 PIC 时,会随身携带方向信息。
对于接口服务集,数据包的方向由数据包是进入还是离开应用服务集的接口决定。
使用下一跃点服务集时,数据包的方向由用于将数据包路由到 AS 或多服务 PIC 的接口决定。如果使用内部接口路由数据包,则输入数据包方向。如果使用外部接口将数据包定向到 PIC,则输出数据包方向。
在 AS 或多服务 PIC 上,将执行流查找。如果未找到流,则执行规则处理。将考虑服务集中的所有规则。在规则处理期间,系统会将数据包方向与规则方向进行比较。仅考虑方向信息与数据包方向匹配的规则。
在 IPsec 规则中配置匹配条件
要在 IPsec 规则中配置匹配条件,请在[edit services ipsec-vpn rule rule-name term term-name]
层次结构级别包含以下from
语句:
[edit services ipsec-vpn rule rule-name term term-name] from { destination-address address; ipsec-inside-interface interface-name; source-address address; }
您可以使用源地址或目标地址作为匹配条件,就像配置防火墙过滤器一样;有关详细信息,请参阅 Junos OS 路由协议库。
IPsec 服务同时支持 IPv4 和 IPv6 地址格式。如果未特定配置源地址或目标地址,则使用默认值 0.0.0.0/0
(IPv4 ANY)。要使用 IPv6 ANY (0::0/128
) 作为源地址或目标地址,必须对其进行显式配置。
ACX 系列上的 IPsec 服务支持 IPv4 地址格式。如果未特定配置源地址或目标地址,则使用默认值 0.0.0.0/0
(IPv4 ANY)。
该语句仅适用于下一跃点样式的服务集,ipsec-inside-interface
能够将逻辑接口分配给由于此匹配条件而建立的隧道。inside-service-interface
您可以在层次结构级别配置[edit services service-set name next-hop-service]
的语句允许您将和 .2
指定.1
为内部接口和外部接口。但是,您可以使用该service-domain inside
语句配置多个自适应服务逻辑接口,并使用其中一个接口来配置ipsec-inside-interface
语句。
Junos OS 将评估您在语句中配置的from
条件。如果在同一下一跳样式服务集中配置了多个链路类型隧道,则如果所有隧道的源地址和目的地址均为 0.0.0.0/0
(ANY-ANY),则ipsec-inside-interface
该值使规则查找模块能够将特定隧道与其他隧道区分开来。
配置 ipsec-inside-interface
语句时,不支持接口样式的服务集。
一种特殊情况是由包含“任意-任意”匹配条件的术语提供的(通常是因为省略了 from
该语句)。如果隧道中存在任意-任意匹配项,则不需要流,因为此隧道中的所有流量都使用相同的安全关联 (SA),并且数据包选择器不会发挥重要作用。因此,这些隧道将使用基于数据包的 IPsec。此策略会在 PIC 上节省一些流量资源,这些资源可用于需要基于流服务的其他隧道。
以下配置示例显示了 any-any 隧道配置,其中没有 from
语 term-1
句。如果子句中缺少选择器 from
,则会导致基于数据包的 IPsec 服务。
services { ipsec-vpn { rule rule-1 { term term-1 { then { remote-gateway 10.1.0.1; dynamic { ike-policy ike_policy; ipsec-policy ipsec_policy; } } } match-direction input; } ..... }
无流 IPsec 服务适用于具有任意匹配的链路类型隧道,以及专用和共享模式下具有任意匹配的动态隧道。
对于链路型隧道,服务集支持混合使用无流 IPsec 和基于流的 IPsec。如果服务集在子句中 from
包含一些带有任意-任意匹配的术语和一些带有选择器的术语,则将为任意-任意隧道提供基于数据包的服务,为带有选择器的其他隧道提供基于流的服务。
对于非链路类隧道,如果服务集同时包含任意条件条款和基于选择器的条款,则会向所有隧道提供基于流的服务。
在 IPsec 规则中配置作
要在 IPsec 规则中配置作,请在[edit services ipsec-vpn rule rule-name term term-name]
层次结构级别包含语then
句:
[edit services ipsec-vpn rule rule-name term term-name] then { anti-replay-window-size bits; backup-remote-gateway address; clear-dont-fragment-bit; dynamic { ike-policy policy-name; ipsec-policy policy-name; } initiate-dead-peer-detection; dead-peer-detection { interval seconds; threshold number; } manual { direction (inbound | outbound | bidirectional) { authentication { algorithm (hmac-md5-96 | hmac-sha1-96); key (ascii-text key | hexadecimal key); } auxiliary-spi spi-value; encryption { algorithm algorithm; key (ascii-text key | hexadecimal key); } protocol (ah | bundle | esp); spi spi-value; } } no-anti-replay; remote-gateway address; syslog; tunnel-mtu bytes; }
IPsec 的主要作是配置动态或手动 SA:
配置动态 SA 的方法是在
[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含dynamic
语句,并引用您在和[edit services ipsec-vpn ike]
层次结构级别配置[edit services ipsec-vpn ipsec]
的策略。您可以通过在
[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含manual
语句来配置手动 SA。
您可以配置以下附加属性:
启用 IPsec 数据包分片
要在 IPsec 隧道中启用 IP 版本 4 (IPv4) 数据包分段,请在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含以下clear-dont-fragment-bit
语句:
[edit services ipsec-vpn rule rule-name term term-name then] clear-dont-fragment-bit;
无论数据包大小如何,设置 clear-dont-fragment-bit
语句都会清除数据包标头中的不分段 (DF) 位。如果数据包大小超过隧道最大传输单元 (MTU) 值,则数据包会在封装前进行分段处理。对于 IPsec 隧道,无论接口 MTU 设置如何,默认 MTU 值均为 1500。
配置失效对等体检测的目标地址
要指定 IPsec 流量定向到的远程地址,请在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含语remote-gateway
句:
[edit services ipsec-vpn rule rule-name term term-name then] remote-gateway address;
要指定备份远程地址,请在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含语backup-remote-gateway
句:
[edit services ipsec-vpn rule rule-name term term-name then] backup-remote-gateway address;
这两个语句同时支持 IPv4 和 IPv6 地址格式。
配置该 backup-remote-gateway
语句将启用失效对等方检测 (DPD) 协议,该协议将监视隧道状态和远程对等方可用性。当语句定义 remote-gateway
的主隧道处于活动状态时,备用隧道处于备用模式。如果 DPD 协议确定不再可访问主远程网关地址,则会为备份地址建立新的隧道。
如果在定义的 10 秒间隔内没有来自对等方的传入流量,路由器会将隧道检测为非活动状态。全局计时器每 10 秒轮询一次所有隧道,并且自适应服务 (AS) 或多服务物理接口卡 (PIC) 发送一条消息,列出任何非活动隧道。如果隧道变为非活动状态,路由器将按照以下步骤故障转移到备份地址:
自适应服务消息触发 DPD 协议向对等方发送hello 消息。
如果未收到确认,则每隔 2 秒发送两次重试,然后宣布隧道已失效。
如果隧道被宣布为无效或存在 IPsec 第 1 阶段协商超时,则发生故障切换。主隧道处于备用模式,备份隧道将变为活动状态。
如果与备用隧道的协商超时,路由器将切换回主隧道。如果两个对等方都已关闭,它将尝试故障切换六次。然后,它将停止故障切换并恢复到原始配置,主隧道处于活动状态,备份隧道处于备用模式。
您还可以通过在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含initiate-dead-peer-detection
语句来启用 DPD hello 消息的触发,而无需配置备份远程网关:
[edit services ipsec-vpn rule rule-name term term-name then] initiate-dead-peer-detection; dead-peer-detection { interval seconds; threshold number; }
此外,对于 IKEv1 SA,使用initiate-dead-peer-detection
语句时,可以在语dead-peer-detection
句下设置interval
和 threshold
选项。从 Junos OS 17.2R1 版开始,“interval
和threshold
”选项也适用于 IKEv2 SA。在 Junos OS 17.1 及更低版本中,“interval
和threshold
”选项不适用于使用默认值的 IKEv2 SA。间隔是对等方在发送 DPD 请求数据包之前等待来自其目标对等方的流量的时间量,阈值是在对等方被视为不可用之前发送的最大不成功的 DPD 请求数。
监视行为与语句所述 backup-remote-gateway
相同。此配置使路由器能够在不存在备份 IPsec 网关时启动 DPD hello,并在无法访问 IKE 对等方时清理 IKE 和 IPsec SA。
如果 DPD 协议确定不再可访问主远程网关地址,则会为备份地址建立新的隧道。但是,如果您在没有备份远程网关地址的情况下进行配置 initiate-dead-peer-detection
,并且 DPD 协议确定主远程网关地址不再可访问,隧道将被声明为无效,并且 IKE 和 IPsec SA 将被清理。
有关 DPD 协议的详细信息,请参阅 RFC 3706, 一种基于流量的不工作互联网密钥交换 (IKE) 对等方检测方法。
配置或禁用 IPsec 防重放
要配置 IPsec 防重放窗口的大小,请在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含语anti-replay-window-size
句:
[edit services ipsec-vpn rule rule-name term term-name then] anti-replay-window-size bits;
anti-replay-window-size
可以取 64 到 4096 位范围内的值。AS PIC 的默认值为 64 位,多服务 PIC 和 DPC 的默认值为 128 位。AS PIC 可支持的最大重放窗口大小为 1024 位,而多服务 PIC 和 DPC 可支持的最大重放窗口大小为 4096 位。当软件提交 IPsec 配置时,密钥管理进程 (kmd) 无法区分服务接口类型。因此,如果 AS PIC 的最大防重放窗口大小超过 1024,则提交将成功,并且不会生成错误消息。但是,软件会在内部将 AS PIC 的防重放窗口大小设置为 1024 位,即使配置 anti-replay-window-size
的值较大也是如此。
要禁用 IPsec 防重放功能,请在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含以下no-anti-replay
语句:
[edit services ipsec-vpn rule rule-name term term-name then] no-anti-replay;
默认情况下,防重放服务处于启用状态。有时,这可能会导致与其他供应商设备的互作性问题。
指定 IPsec 隧道的 MTU
要为 IPsec 隧道配置特定的最大传输单元 (MTU) 值,请在[edit services ipsec-vpn rule rule-name term term-name then]
层次结构级别包含以下tunnel-mtu
语句:
[edit services ipsec-vpn rule rule-name term term-name then] tunnel-mtu bytes;
该tunnel-mtu
设置是为 IPsec 隧道配置 MTU 值的唯一位置。不支持在[edit interfaces sp-fpc/pic/port unit logical-unit-number family inet]
层次结构级别包含mtu
设置。
配置 IPsec 规则集
该rule-set
语句定义一系列 IPsec 规则,用于确定路由器软件对数据流中的数据包执行哪些作。您可以通过指定规则名称和配置术语来定义每个规则。然后,通过在[edit services ipsec-vpn]
层次结构级别上包含rule-set
语句来指定规则的顺序,每个规则都有一条rule
语句:
[edit services ipsec-vpn] rule-set rule-set-name { rule rule-name; }
路由器软件按照您在配置中指定的顺序处理规则。如果规则中的术语与数据包匹配,路由器将执行相应的作,规则处理将停止。如果规则中没有术语与数据包匹配,则处理将继续到规则集中的下一个规则。如果所有规则都与数据包不匹配,则默认情况下丢弃数据包。
另见
变更历史表
是否支持某项功能取决于您使用的平台和版本。使用 功能浏览器 查看您使用的平台是否支持某项功能。
interval
和
threshold
”选项也适用于 IKEv2 SA。