静态端点 IPsec 隧道的服务集
服务集
配置 IPSec 隧道时,自适应服务 PIC 支持两种类型的服务集。由于它们用于不同的目的,因此了解这些服务集类型之间的差异非常重要。
下一跳服务集 — 支持通过 IPSec 的组播和组播样式动态路由协议(如 OSPF)。下一跃点服务集允许您使用自适应服务 PIC 上的 内部 和 外部 逻辑接口与多个路由实例连接。它们还允许使用网络地址转换 (NAT) 和有状态防火墙功能。但是,默认情况下,下一跃点服务集不会监控路由引擎流量,并且需要配置多个服务集来支持来自多个接口的流量。
接口服务集 — 应用于物理接口,类似于无状态 防火墙过滤器。它们易于配置,可以支持来自多个接口的流量,并且默认情况下可以监控路由引擎流量。但是,它们不支持通过 IPSec 隧道的动态路由协议或组播流量。
通常,我们建议使用下一跃点服务集,因为它们支持通过 IPSec 隧道的路由协议和组播,更易于理解,并且路由表无需管理干预即可做出转发决策。
另见
配置 IPsec 服务集
IPsec 服务集需要您在 [edit services service-set service-set-name ipsec-vpn-options] 层次结构级别配置的其他规范:
[edit services service-set service-set-name ipsec-vpn-options] anti-replay-window-size bits; clear-dont-fragment-bit; copy-dont-fragment-bit set-dont-fragment-bit ike-access-profile profile-name; local-gateway address <gw-interface interface-name.logical-unit-number>; no-anti-replay; no-certificate-chain-in-ike; passive-mode-tunneling; trusted-ca [ ca-profile-names ]; tunnel-mtu bytes;
以下章节介绍了这些语句的配置:
- 为 IPsec 服务集配置本地网关地址
- 为 IPsec 服务集配置 IKE 访问配置文件
- 为 IPsec 服务集配置证书颁发机构
- 配置或禁用防重放服务
- 清除“不分段”位
- 配置被动模式隧道
- 配置隧道 MTU 值
- 使用 UDP 封装配置 IPsec 多路径转发
为 IPsec 服务集配置本地网关地址
如果配置 IPsec 服务集,则还必须通过包含以下 local-gateway 语句来配置本地 IPv4 或 IPv6 地址:
如果互联网密钥交换 (IKE) 网关 IP 地址在 inet.0 中(默认情况),则配置以下语句:
local-gateway address;
如果 IKE 网关 IP 地址位于 VPN 路由和转发 (VRF) 实例中,则可以配置以下语句:
local-gateway address routing-instance instance-name;
您可以在单个下一跳样式服务集中配置共享同一本地网关地址的所有链路类型隧道。您必须在[edit services service-set service-set-name]层次结构级别为inside-service-interface语句指定一个与值匹配ipsec-inside-interface的值,而该值将在层次结构级别上配置[edit services ipsec-vpn rule rule-name term term-name from]该值。有关 IPsec 配置的详细信息,请参阅配置 IPsec 规则。
从 Junos OS 16.1 版开始,要配置链路类型隧道(即下一跃点样式)出于 HA 目的,可以使用语句在[edit services ipsec-vpn rule rule-name term term-name from]层次结构级别将 ipsec-inside-interface interface-name AMS 逻辑接口配置为 IPsec 内部接口。
从 Junos OS 17.1 版开始,AMS 支持 IPSec 隧道分布。
VRF 实例中的 IKE 地址
只要可通过 VRF 实例访问对等方,就可以配置 VPN 路由和转发 (VRF) 实例中存在的互联网密钥交换 (IKE) 网关 IP 地址。
对于下一跃点服务集,密钥管理进程 (kmd) 会将 IKE 数据包放置在包含 outside-service-interface 指定值的路由实例中,如下例所示:
routing-instances vrf-nxthop {
instance-type vrf;
interface sp-1/1/0.2;
...
}
services service-set service-set-1 {
next-hop-service {
inside-service-interface sp-1/1/0.1;
outside-service-interface sp-1/1/0.2;
}
...
}
对于接口服务集, service-interface 语句确定 VRF,如下例所示:
routing-instances vrf-intf {
instance-type vrf;
interface sp-1/1/0.3;
interface ge-1/2/0.1; # interface on which service set is applied
...
}
services service-set service-set-2 {
interface-service {
service-interface sp-1/1/0.3;
}
...
}
当本地网关地址或者 MS-MPC 或 MS-MIC 出现故障时清除 SA
从 Junos OS 17.2R1 版开始,当 IPsec 隧道的本地网关 IP 地址出现问题,或者隧道服务集中使用的 MS-MIC 或 MS-MPC 出现问题时,tou 可以使用该 gw-interface 语句来启用 IKE 触发器以及 IKE 和 IPsec SA 的清理。
local-gateway address <gw-interface interface-name.logical-unit-number>;
interface-name和 logical-unit-number 必须与配置本地网关 IP 地址的接口和逻辑单元匹配。
如果 IPsec 隧道服务集的本地网关 IP 地址出现问题,或者服务集中使用的 MS-MIC 或 MS-MPC 出现问题,则服务集将不再发送 IKE 触发器。此外,当本地网关 IP 地址出现问题时,将清除下一跃点服务集的 IKE 和 IPsec SA,而接口样式服务集将变为“未安装”状态。当本地网关 IP 地址恢复时,状态为“未安装”的 SA 将被删除。
如果下一跃点服务集的本地网关 IP 地址是响应方对等方的,则需要清除发起方对等方上的 IKE 和 IPsec SA,以便在本地网关 IP 地址恢复后,IPsec 隧道才会恢复。您可以手动清除发起方对等方上的 IKE 和 IPsec SA(请参阅 清除服务 IPsec-VPN IKE 安全关联 和 清除服务 IPsec-VPN IPsec 安全关联),也可以在发起方对等方上启用失效对等方检测(请参阅 配置有状态防火墙规则)。
为 IPsec 服务集配置 IKE 访问配置文件
仅对于动态端点隧道,您需要引用在层次结构级别上配置的 [edit access] IKE 访问配置文件。为此,请在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别包含语ike-access-profile句:
[edit services service-set service-set-name ipsec-vpn-options] ike-access-profile profile-name;
语 ike-access-profile 句引用的名称必须与您 profile 在 [edit access] 层次结构级别上为 IKE 访问配置的语句同名。每个服务集中只能引用一个访问配置文件。此配置文件仅用于与动态对等方协商 IKE 和 IPsec 安全关联。
如果在服务集中配置 IKE 访问配置文件,则其他服务集不能共享相同的 local-gateway 地址。
此外,还必须为每个 VRF 配置单独的服务集。语句在服务集中引用 ipsec-inside-interface 的所有接口都必须属于同一个 VRF。
为 IPsec 服务集配置证书颁发机构
您可以通过包含 trusted-ca 语句来指定一个或多个受信任的证书颁发机构:
trusted-ca [ ca-profile-names ];
在 IPsec 配置中配置公钥基础架构 (PKI) 数字证书时,每个服务集都可以拥有自己的一组受信任的证书颁发机构。为 trusted-ca 语句指定的名称必须与在 [edit security pki] 层次结构级别上配置的配置文件匹配;有关更多信息,请参阅 路由设备的 Junos OS 管理库。IPsec数字证书配置详情,请参阅 配置IPsec规则。
从 Junos OS 18.2R1 版开始,您可以将 MX 系列路由器配置为 MS-MPC 或 MS-MIC,以便仅发送用于基于证书的 IKE 身份验证的最终实体证书,而不是完整的证书链。这样可以避免 IKE 分段。要配置此功能,请包含 no-certificate-chain-in-ike 语句:
[edit services service-set service-set-name ipsec-vpn-options] no-certificate-chain-in-ike;
配置或禁用防重放服务
您可以在层次结构级别包含 anti-replay-window-size 语句 [edit services service-set service-set-name ipsec-vpn-options] ,以指定防重放窗口的大小。
anti-replay-window-size bits;
此语句对于无法在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别为其配置anti-replay-window-size语句的动态端点隧道很有用。
对于静态 IPsec 隧道,此语句将设置此服务集中所有静态隧道的反重放窗口大小。如果特定隧道需要特定值来表示防重放窗口大小,请在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别设置anti-replay-window-size语句。如果必须为此服务集中的特定隧道禁用防重放检查,请在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别设置no-anti-replay语句。
anti-replay-window-size层次结构级别的和 no-anti-replay 设置[edit services ipsec-vpn rule rule-name term term-name then]将覆盖在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别上指定的设置。
还可以在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别包含no-anti-replay语句以禁用 IPsec 反重放服务。它偶尔会导致安全关联的互作性问题。
no-anti-replay;
此语句对于无法在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别为其配置no-anti-reply语句的动态端点隧道很有用。
对于静态 IPsec 隧道,此语句禁用此服务集中所有隧道的反重放检查。如果必须为特定隧道启用防重放检查,请在[edit services ipsec-vpn rule rule-name term term-name then]层级设置anti-replay-window-size语句。
在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别设置anti-replay-window-size和 no-anti-replay 语句将覆盖在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别上指定的设置。
清除“不分段”位
您可以在层次结构级别包含该 clear-dont-fragment-bit 语句 [edit services service-set service-set-name ipsec-vpn-options] ,以清除进入 IPsec 隧道的所有 IP 版本 4 (IPv4) 数据包上的不分段 (DF) 位。如果封装的数据包大小超过隧道最大传输单元 (MTU),则数据包在封装前会分段。
clear-dont-fragment-bit;
此语句对于无法在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别为其配置clear-dont-fragment-bit语句的动态端点隧道很有用。
对于静态 IPsec 隧道,设置此语句将清除进入此服务集中所有静态隧道的数据包上的 DF 位。如果要清除进入特定隧道的数据包上的 DF 位,请在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别设置clear-dont-fragment-bit语句。
从 Junos OS 14.1 版开始,在通过动态端点 IPSec 隧道传输的数据包中,可以启用仅在进入隧道的数据包的 DF 位中设置的值复制到 IPsec 数据包的外部报头,并且不会对 IPsec 数据包内部标头中的 DF 位造成任何修改。如果数据包大小超过隧道最大传输单元 (MTU) 值,则数据包会在封装前进行分段处理。对于 IPsec 隧道,无论接口 MTU 设置如何,默认 MTU 值均为 1500。要仅将 DF 位值复制到外部报头而不修改内部报头,请在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别使用copy-dont-fragment-bit语句。您还可以将 DF 位配置为仅在 IPsec 数据包的外部 IPv4 报头中设置,而不在内部 IPv4 报头中定义。要仅在 IPsec 数据包的外部报头中配置 DF 位,并且不修改内部报头,请在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别包含set-dont-fragment-bit语句。这些设置适用于动态端点隧道,而不适用于静态隧道,因为静态隧道需要在层次结构级别包含copy-dont-fragment-bit和 set-dont-fragment-bit 语句[edit services ipsec-vpn rule rule-name term term-name then],以清除进入静态隧道的 IPv4 数据包中的 DF 位。带有 MS-MIC 和 MS-MPC 的 MX 系列路由器支持这些功能。
配置被动模式隧道
您可以在层次结构级别包含语 passive-mode-tunneling 句 [edit services service-set service-set-name ipsec-vpn-options] ,以使服务集能够通过隧道传输格式错误的数据包。
[edit services service-set service-set-name ipsec-vpn-options] passive-mode-tunneling;
此功能可以绕过活动 IP 检查,例如版本、TTL、协议、选项、地址和其他陆地攻击检查,并按原样对数据包建立隧道。如果未配置此语句,则未通过 IP 检查的数据包将被丢弃在 PIC 中。在被动模式下,内部数据包不会被触及;如果数据包大小超过隧道 MTU 值,则不会生成 ICMP 错误。
IPsec 隧道不会被视为下一跃点,TTL 也不会递减。由于如果数据包大小超过隧道 MTU 值,则不会生成 ICMP 错误,因此即使数据包越过隧道 MTU 阈值,数据包也会被隧道化。
此功能类似于跟踪 Junos VPN Site Secure作中所述的语句中提供no-ipsec-tunnel-in-traceroute的功能。从 Junos OS 14.2 版开始,MS-MIC 和 MS-MPC 支持被动模式隧道。
从 Junos OS 14.2 版开始, header-integrity-check MS-MIC 和 MS-MPC 支持的选项用于验证数据包标头中 IP、TCP、UDP 和 ICMP 信息中的异常并标记此类异常和错误,其功能与被动模式隧道引起的功能相反。如果在 MS-MIC 和 MS-MPC 上同时 header-integrity-check 配置语句和语 passive-mode tunneling 句,并尝试提交此类配置,则在提交过程中会显示错误。
被动模式隧道功能(通过在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别包含passive-mode-tunnelin语句)是在 traceroute 输出中禁用 IPsec 隧道端点的功能的超集(通过在[edit services ipsec-vpn]层次结构级别包含no-ipsec-tunnel-in-traceroute语句)。除了不将 IPsec 隧道视为语句配置no-ipsec-tunnel-in-traceroute的下一跃点之外,被动模式隧道还会绕过活动 IP 检查和隧道 MTU 检查。
配置隧道 MTU 值
您可以在层次结构级别包含 tunnel-mtu 语句 [edit services service-set service-set-name ipsec-vpn-options] ,以设置 IPsec 隧道的最大传输单元 (MTU) 值。
tunnel-mtu bytes;
此语句对于无法在[edit services ipsec-vpn rule rule-name term term-name then]层次结构级别为其配置tunnel-mtu语句的动态端点隧道很有用。
对于静态 IPsec 隧道,此语句将设置此服务集中所有隧道的隧道 MTU 值。如果需要特定隧道的特定值,请在[edit services ipsec-vpn rule rule-name term term-name then]层级设置tunnel-mtu语句。
tunnel-mtu层次结构级别的设置[edit services ipsec-vpn rule rule-name term term-name then]将覆盖在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别上指定的值。
使用 UDP 封装配置 IPsec 多路径转发
从 Junos OS 16.1 版开始,可以通过在服务集中配置 UDP 封装来启用 IPsec 流量的多路径转发,从而将 UDP 标头添加到数据包的 IPsec 封装中。这会导致 IPsec 流量跨多条路径转发,从而增加了 IPsec 流量的吞吐量。如果未启用 UDP 封装,则所有 IPsec 流量都遵循一条转发路径。
检测到 NAT-T 时,仅进行 NAT-T UDP 封装,而不是 IPsec 数据包的 UDP 封装。
要启用 UDP 封装,请执行以下作:
启用 UDP 封装。
[edit services service-set service-set-name ipsec-vpn-options] user@host set udp-encapsulation
(选答)指定 UDP 目标端口号。
[edit services service-set service-set-name ipsec-vpn-options udp-encapsulation] user@host set udp-dest-port destination-port
使用介于 1025 到 65536 之间的目标端口号,但不要使用 4500。如果未指定端口号,则默认目标端口为 4565。
另见
示例:使用数字证书的 IKE 动态 SA 配置
此示例说明如何使用数字证书配置 IKE 动态 SA,并包含以下部分。
要求
此示例使用以下硬件和软件组件:
四台安装了多服务接口的 M Series、MX 系列或 T Series 路由器。
Junos OS 9.4 或更高版本。
配置此示例之前,您必须请求 CA 证书,创建本地证书,并将这些数字证书加载到路由器中。有关详细信息,请参阅 注册证书。
概述
安全关联 (SA) 是一种单工连接,可让两台主机使用 IPsec 安全地相互通信。此示例介绍使用数字证书进行的 IKE 动态 SA 配置。使用数字证书可以为 IKE 隧道提供额外的安全性。使用服务 PIC 中的默认值,无需配置 IPsec 提议或 IPsec 策略。但是,您必须配置指定使用数字证书的 IKE 提议,在 IKE 策略中引用 IKE 提议和本地证书,并将 CA 配置文件应用于服务集。
图 1 显示了包含一组四台路由器的 IPsec 拓扑。此配置要求路由器 2 和 3 使用数字证书代替预共享密钥,建立基于 IKE 的 IPsec 隧道。路由器 1 和 4 提供基本连接,用于验证 IPsec 隧道是否正常运行。
拓扑学
配置
要使用数字证书配置 IKE 动态 SA,请执行以下任务:
此示例中显示的接口类型仅供参考。例如,您可以使用 so- interfaces 代替 ge- 和 sp- ms-而不是 。
配置路由器 1
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 1 的 [edit] 层级的 CLI 中。
set interfaces ge-0/0/0 description "to R2 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.2/30 set interfaces lo0 unit 0 family inet address 10.0.0.1/32 set routing-options router-id 10.0.0.1 set protocols ospf area 0.0.0.0 interface ge-0/0/0 set protocols ospf area 0.0.0.0 interface lo0.0
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要配置路由器 1 以便与路由器 2 建立 OSPF 连接:
配置以太网接口和环路接口。
[edit interfaces] user@router1# set ge-0/0/0 description "to R2 ge-0/0/0" user@router1# set ge-0/0/0 unit 0 family inet address 10.1.12.2/30 user@router1# set lo0 unit 0 family inet address 10.0.0.1/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
[edit protocols] user@router1# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router1# set ospf area 0.0.0.0 interface lo0.0
配置路由器 ID。
[edit routing-options] user@router1# set router-id 10.0.0.1
提交配置。
[edit] user@router1# commit
结果
在配置模式下,输入show interfacesshow protocols ospf、和show routing-options命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
user@router1# show interfaces
interfaces {
ge-0/0/0 {
description "To R2 ge-0/0/0";
unit 0 {
family inet {
address 10.1.12.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32;
}
}
}
}
user@router1# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
}
}
}
user@router1# show routing-options
routing-options {
router-id 10.0.0.1;
}
配置路由器 2
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 2 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R1 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.1/30 set interfaces ge-0/0/1 description "to R3 ge-0/0/1" set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.1/30 set interfaces ms-1/2/0 services-options syslog host local services info set interfaces ms-1/2/0 unit 0 family inet set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set interfaces lo0 unit 0 family inet address 10.0.0.2/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ms-1/2/0.1 set routing-options router-id 10.0.0.2 set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.2 set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy set services ipsec-vpn rule match-direction input set services ipsec-vpn ike proposal ike-demo-proposal authentication-method rsa-signatures set services ipsec-vpn ike policy ike-digital-certificates proposals ike-demo-proposal set services ipsec-vpn ike policy ike-digital-certificates local-id fqdn router2.example.com set services ipsec-vpn ike policy ike-digital-certificates local-certificate local-entrust2 set services ipsec-vpn ike policy ike-digital-certificates remote-id fqdn router3.example.com set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec proposals ipsec-demo-proposal set services ipsec-vpn establish-tunnels immediately set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options trusted-ca entrust set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1 set services service-set demo-service-set ipsec-vpn-rules rule-ike
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要在路由器 2 上配置 OSPF 连接和 IPsec 隧道参数:
配置接口属性。在此步骤中,您将配置两个以太网接口(ge-1/0/0 和 ge-1/0/1)、环路接口和多服务接口 (ms-1/2/0)。
[edit interfaces] user@router2# set ge-0/0/0 description "to R1 ge-0/0/0" user@router2# set ge-0/0/0 unit 0 family inet address 10.1.12.1/30 user@router2# set ge-0/0/1 description "to R3 ge-0/0/1" user@router2# set ge-0/0/1 unit 0 family inet address 10.1.15.1/30 user@router2# set ms-1/2/0 services-options syslog host local services info user@router2# set ms-1/2/0 unit 0 family inet user@router2# set ms-1/2/0 unit 1 family inet user@router2# set ms-1/2/0 unit 1 service-domain inside user@router2# set ms-1/2/0 unit 2 family inet user@router2# set ms-1/2/0 unit 2 service-domain outside user@router2# set lo0 unit 0 family inet address 10.0.0.2/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
[edit protocols] user@router2# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router2# set ospf area 0.0.0.0 interface lo0.0 user@router2# set ospf area 0.0.0.0 interface ms-1/2/0.1
配置路由器 ID。
[edit routing-options] user@router2# set router-ID 10.0.0.2
配置 IKE 提议和策略。要为数字证书启用 IKE 提议,请在
[edit services ipsec-vpn ike proposal proposal-name authentication-method]层次结构级别包含语rsa-signatures句。要在 IKE 策略中引用本地证书,请在[edit services ipsec-vpn ike policy policy-name]层次结构级别包含语local-certificate句。要标识服务集中的 CA 或 RA,请在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别包含trusted-ca语句。注意:有关创建和安装数字证书的信息,请参阅 注册证书。
[edit services ipsec-vpn] user@router2# set ike proposal ike-demo-proposal authentication-method rsa-signatures user@router2# set ike policy ike-digital-certificates proposals ike-demo-proposal user@router2# set ike policy ike-digital-certificates local-id fqdn router2.example.com user@router2# set ike policy ike-digital-certificates local-certificate local-entrust2 user@router2# set ike policy ike-digital-certificates remote-id fqdn router3.example.com
配置 IPsec 提议和策略。另外,将
established-tunnels旋钮设置为immediately。[edit services ipsec-vpn] user@router2# set ipsec proposal ipsec-demo-proposal protocol esp user@router2# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 user@router2# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc user@router2# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 user@router2# set ipsec proposals ipsec-demo-proposal user@router2# set establish-tunnels immediately
配置 IPsec 规则。
[edit services ipsec-vpn] user@router2# set rule rule-ike term term-ike then remote-gateway 10.1.15.2 user@router2# set rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates user@router2# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy user@router2# set rule match-direction input
配置下一跃点样式服务集,指定本地网关地址,并将 IPsec VPN 规则与服务集相关联。
[edit services] user@router2# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@router2# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@router2# set service-set demo-service-set ipsec-vpn-options trusted-ca entrust user@router2# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1 user@router2# set service-set demo-service-set ipsec-vpn-rules rule-ike
提交配置。
[edit] user@router2# commit
结果
在配置模式下,输入show interfacesshow protocols ospfshow routing-options、、和show services命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router2# show interfaces
interfaces {
ge-0/0/0 {
description "To R1 ge-0/0/0";
unit 0 {
family inet {
address 10.1.12.1/30;
}
}
}
ge-0/0/1 {
description "To R3 ge-0/0/1";
unit 0 {
family inet {
address 10.1.15.1/30;
}
}
}
ms-1/2/0 {
services-options {
syslog {
host local {
services info;
}
}
}
unit 0 {
family inet;
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.2/32;
}
}
}
}
user@router2# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
interface ms-1/2/0.1;
}
}
}
user@router2# show routing-options
routing-options {
router-id 10.0.0.2;
}
user@router2# show services
services {
ipsec-vpn {
rule rule-ike {
term term-ike {
then {
remote-gateway 10.1.15.2;
dynamic {
ike-policy ike-digital-certificates;
ipsec-policy ipsec-demo-policy
}
}
}
match-direction input;
}
ike {
proposal ike-demo-proposal {
authentication-method rsa-signatures;
}
policy ike-digital-certificates {
proposals ike-demo-proposal;
local-id fqdn router2.example.com;
local-certificate local-entrust2;
remote-id fqdn router3.example.com;
}
}
ipsec {
proposal ipsec-demo-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy demo-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-demo-proposal;
}
establish-tunnels immediately;
}
service-set service-set-dynamic-demo-service-set {
next-hop-service {
inside-service-interface ms-1/2/0.1;
outside-service-interface ms-1/2/0.2;
}
ipsec-vpn-options {
trusted-ca entrust;
local-gateway 10.1.15.1;
}
ipsec-vpn-rules rule-ike;
}
}
}
配置路由器 3
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 3 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R4 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.1/30 set interfaces ge-0/0/1 description "to R2 ge-0/0/1" set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.2/30 set interfaces ms-1/2/0 services-options syslog host local services info set interfaces ms-1/2/0 unit 0 family inet set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set interfaces lo0 unit 0 family inet address 10.0.0.3/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ms-1/2/0.1 set routing-options router-id 10.0.0.3 set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.1 set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy set services ipsec-vpn rule match-direction input set services ipsec-vpn ike proposal ike-demo-proposal authentication-method rsa-signatures set services ipsec-vpn ike policy ike-digital-certificates proposals ike-demo-proposal set services ipsec-vpn ike policy ike-digital-certificates local-id fqdn router3.example.com set services ipsec-vpn ike policy ike-digital-certificates local-certificate local-entrust3 set services ipsec-vpn ike policy ike-digital-certificates remote-id fqdn router2.example.com set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec proposals ipsec-demo-proposal set services ipsec-vpn establish-tunnels immediately set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options trusted-ca entrust set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2 set services service-set demo-service-set ipsec-vpn-rules rule-ike
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
如果 IPsec 对等方没有包含所有必要组件的对称配置,则无法建立对等关系。您需要申请 CA 证书,创建本地证书,将这些数字证书加载到路由器中,并在 IPsec 配置中引用它们。有关数字认证的信息,请参阅 注册证书。
要在路由器 3 上配置 OSPF 连接和 IPsec 隧道参数:
配置接口属性。在此步骤中,您将配置两个以太网接口(ge-1/0/0 和 ge-1/0/1)、环路接口和多服务接口 (ms-1/2/0)。
[edit interfaces] user@router3# set ge-0/0/0 description "to R4 ge-0/0/0" user@router3# set ge-0/0/0 unit 0 family inet address 10.1.56.1/30 user@router3# set ge-0/0/1 description "to R2 ge-0/0/1" user@router3# set ge-0/0/1 unit 0 family inet address 10.1.15.2/30 user@router3# set ms-1/2/0 services-options syslog host local services info user@router3# set ms-1/2/0 unit 0 family inet user@router3# set ms-1/2/0 unit 1 family inet user@router3# set ms-1/2/0 unit 1 service-domain inside user@router3# set ms-1/2/0 unit 2 family inet user@router3# set ms-1/2/0 unit 2 service-domain outside user@router3# set lo0 unit 0 family inet address 10.0.0.3/32
指定 OSPF 区域,将接口与 OSPF 区域进行关联。
[edit protocols] user@router3# set ospf area 0.0.0.0 interface ge-0/0/0.0 user@router3# set ospf area 0.0.0.0 interface lo0.0 user@router3# set ospf area 0.0.0.0 interface ms-1/2/0.1
配置路由器 ID。
[edit routing-options] user@router3# set router-id 10.0.0.3
配置 IKE 提议和策略。要为数字证书启用 IKE 提议,请在
[edit services ipsec-vpn ike proposal proposal-name authentication-method]层次结构级别包含语rsa-signatures句。要在 IKE 策略中引用本地证书,请在[edit services ipsec-vpn ike policy policy-name]层次结构级别包含语local-certificate句。要标识服务集中的 CA 或 RA,请在[edit services service-set service-set-name ipsec-vpn-options]层次结构级别包含trusted-ca语句。注意:有关创建和安装数字证书的信息,请参阅 注册证书。
[edit services ipsec-vpn] user@router3# set ike proposal ike-demo-proposal authentication-method rsa-signatures user@router3# set ike policy ike-digital-certificates proposals ike-demo-proposal user@router3# set ike policy ike-digital-certificates local-id fqdn router2.example.com user@router3# set ike policy ike-digital-certificates local-certificate local-entrust2 user@router3# set ike policy ike-digital-certificates remote-id fqdn router3.example.com
配置 IPsec 提议。另外,将
established-tunnels旋钮设置为immediately。[edit services ipsec-vpn] user@router3# set ipsec proposal ipsec-demo-proposal protocol esp user@router3# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96 user@router3# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc user@router3# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2 user@router3# set ipsec proposals ipsec-demo-proposal user@router3# set establish-tunnels immediately
配置 IPsec 规则。
[edit services ipsec-vpn] user@router3# set rule rule-ike term term-ike then remote-gateway 10.1.15.2 user@router3# set rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates user@router3# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy user@router3# set rule match-direction input
配置下一跃点样式服务集,指定本地网关地址,并将 IPsec VPN 规则与服务集相关联。
[edit services] user@router3# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@router3# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@router3# set service-set demo-service-set ipsec-vpn-options trusted-ca entrust user@router3# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2 user@router3# set service-set demo-service-set ipsec-vpn-rules rule-ike
提交配置。
[edit] user@router3# commit
结果
在配置模式下,输入show interfacesshow protocols ospfshow routing-options、、和show services命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router3# show interfaces
interfaces {
ge-0/0/0 {
description "To R4 ge-0/0/0";
unit 0 {
family inet {
address 10.1.56.1/30;
}
}
}
ge-0/0/1 {
description "To R2 ge-0/0/1";
unit 0 {
family inet {
address 10.1.15.2/30;
}
}
}
ms-1/2/0 {
services-options {
syslog {
host local {
services info;
}
}
}
unit 0 {
family inet {
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.3/32;
}
}
}
}
}
user@router3# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
interface ms-1/2/0.1;
}
}
}
user@router3# show routing-options
routing-options {
router-id 10.0.0.3;
}
user@router3# show services
services {
ipsec-vpn {
rule rule-ike {
term term-ike {
then {
remote-gateway 10.1.15.1;
dynamic {
ike-policy ike-digital-certificates;
ipsec-policy ipsec-demo-policy
}
}
}
match-direction input;
}
ike {
proposal ike-demo-proposal {
authentication-method rsa-signatures;
}
policy ike-digital-certificates {
proposals ike-demo-proposal;
local-id fqdn router3.example.com;
local-certificate local-entrust3;
remote-id fqdn router2.example.com;
}
}
ipsec {
proposal ipsec-demo-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy demo-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-demo-proposal;
}
establish-tunnels immediately;
}
service-set service-set-dynamic-demo-service-set {
next-hop-service {
inside-service-interface ms-1/2/0.1;
outside-service-interface ms-1/2/0.2;
}
ipsec-vpn-options {
trusted-ca entrust;
local-gateway 10.1.15.2;
}
ipsec-vpn-rules rule-ike;
}
}
}
配置路由器 4
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到路由器 4 的 [edit] 层次结构级别的 CLI 中。
set interfaces ge-0/0/0 description "to R3 ge-0/0/0" set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30 set interfaces lo0 unit 0 family inet address 10.0.0.4/32 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 set routing-options router-id 10.0.0.4
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要设置与路由器 4 的 OSPF 连接
配置接口。在此步骤中,您将配置以太网接口 (ge-1/0/1) 和环路接口。
[edit interfaces] user@router4# set ge-0/0/0 description "to R3 ge-0/0/0" user@router4# set ge-0/0/0 unit 0 family inet address 10.1.56.2/30 user@router4# set lo0 unit 0 family inet address 10.0.0.4/32
指定 OSPF 区域,并将接口与 OSPF 区域相关联。
[edit protocols] user@router4# set ospf area 0.0.0.0 interface ge-0/0/0 user@router4# set ospf area 0.0.0.0 interface lo0.0
配置路由器 ID。
[edit routing-options] user@router4# set router-id 10.0.0.4
结果
在配置模式下,输入show interfacesshow protocols ospf、和show routing-options命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置
user@router4# show interfaces
interfaces {
ge-0/0/0 {
description "To R3 ge-0/0/0";
unit 0 {
family inet {
address 10.1.56.2/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 10.0.0.4/32;
}
}
}
}
user@router4# show protocols ospf
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.0;
}
}
}
user@router4# show routing-options
routing-options {
router-id 10.0.0.4;
}
验证
验证您在路由器 1 上的工作
目的
在路由器 1 上,验证对路由器 4 上的 so-0/0/0 接口的 ping 命令,以便通过 IPsec 隧道发送流量。
行动
在作模式下,输入。ping 10.1.56.2
user@router1>ping 10.1.56.2 PING 10.1.56.2 (10.1.56.2): 56 data bytes 64 bytes from 10.1.56.2: icmp_seq=0 ttl=254 time=1.351 ms 64 bytes from 10.1.56.2: icmp_seq=1 ttl=254 time=1.187 ms 64 bytes from 10.1.56.2: icmp_seq=2 ttl=254 time=1.172 ms 64 bytes from 10.1.56.2: icmp_seq=3 ttl=254 time=1.154 ms 64 bytes from 10.1.56.2: icmp_seq=4 ttl=254 time=1.156 ms ^C --- 10.1.56.2 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.154/1.204/1.351/0.074 ms
如果对路由器 4 的环路地址执行 Ping 命令,则作将会成功,因为该地址是路由器 4 上配置的 OSPF 网络的一部分。
user@router1>ping 10.0.0.4 PING 10.0.0.4 (10.0.0.4): 56 data bytes 64 bytes from 10.0.0.4: icmp_seq=0 ttl=62 time=1.318 ms 64 bytes from 10.0.0.4: icmp_seq=1 ttl=62 time=1.084 ms 64 bytes from 10.0.0.4: icmp_seq=2 ttl=62 time=3.260 ms ^C --- 10.0.0.4 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.084/1.887/3.260/0.975 ms
验证您在路由器 2 上的工作
目的
要验证匹配的流量是否正在转移到双向 IPsec 隧道,请查看 IPsec 统计信息:
行动
在作模式下,输入 show services ipsec-vpn ipsec statistics.
user@router2>show services ipsec-vpn ipsec statistics PIC: sp-1/2/0, Service set: service-set-dynamic-demo-service-set ESP Statistics: Encrypted bytes: 162056 Decrypted bytes: 161896 Encrypted packets: 2215 Decrypted packets: 2216 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
要验证 IKE SA 协商是否成功,请发出 show services ipsec-vpn ike security-associations 以下命令:
在作模式下,进入 show services ipsec-vpn ike security-associations
user@router2> show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type 10.1.15.2 Matured d82610c59114fd37 ec4391f76783ef28 Main
要验证 IPsec 安全关联是否处于活动状态,请发出 show services ipsec-vpn ipsec security-associations detail 命令。请注意,SA 包含服务 PIC 中固有的默认设置,例如协议的 ESP 和身份验证算法的 HMAC-SHA1-96。
在作模式下,进入 show services ipsec-vpn ipsec security-associations detail
user@router2> show services ipsec-vpn ipsec security-associations detail Service set: service-set-dynamic-demo-service-set Rule: rule-ike, Term: term-ike, Tunnel index: 1 Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2 IPsec inside interface: sp-1/2/0.1 Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Direction: inbound, SPI: 857451461, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 9052 seconds Hard lifetime: Expires in 9187 seconds Anti-replay service: Enabled, Replay window size: 64 Direction: outbound, SPI: 1272330309, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 9052 seconds Hard lifetime: Expires in 9187 seconds Anti-replay service: Enabled, Replay window size: 64
要显示用于建立 IPsec 隧道的数字证书,请发出 show services ipsec-vpn certificates 命令:
在作模式下,进入 show services ipsec-vpn certificates
user@router2> show services ipsec-vpn certificates Service set: service-set-dynamic-demo-service-set, Total entries: 3 Certificate cache entry: 3 Flags: Non-root Trusted Issued to: router3.example.com, Issued by: juniper Alternate subject: router3.example.com Validity: Not before: 2005 Nov 21st, 23:33:58 GMT Not after: 2008 Nov 22nd, 00:03:58 GMT Certificate cache entry: 2 Flags: Non-root Trusted Issued to: router2.example.com, Issued by: juniper Alternate subject: router2.example.com Validity: Not before: 2005 Nov 21st, 23:28:22 GMT Not after: 2008 Nov 21st, 23:58:22 GMT Certificate cache entry: 1 Flags: Root Trusted Issued to: juniper, Issued by: juniper Validity: Not before: 2005 Oct 18th, 23:54:22 GMT Not after: 2025 Oct 19th, 00:24:22 GMT
要显示 CA 证书,请发出 show security pki ca-certificate detail 命令。请注意,有三个单独的证书:一个用于证书签名,一个用于密钥加密,一个用于 CA 的数字签名。
在作模式下,进入 show security pki ca-certificate detail
user@router2> show security pki ca-certificate detail Certificate identifier: entrust Certificate version: 3 Serial number: 4355 9235 Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us Validity: Not before: 2005 Oct 18th, 23:54:22 GMT Not after: 2025 Oct 19th, 00:24:22 GMT Public key algorithm: rsaEncryption(1024 bits) cb:9e:2d:c0:70:f8:ea:3c:f2:b5:f0:02:48:87:dc:68:99:a3:57:4f 0e:b9:98:0b:95:47:0d:1f:97:7c:53:17:dd:1a:f8:da:e5:08:d1:1c 78:68:1f:2f:72:9f:a2:cf:81:e3:ce:c5:56:89:ce:f0:97:93:fa:36 19:3e:18:7d:8c:9d:21:fe:1f:c3:87:8d:b3:5d:f3:03:66:9d:16:a7 bf:18:3f:f0:7a:80:f0:62:50:43:83:4f:0e:d7:c6:42:48:c0:8a:b2 c7:46:30:38:df:9b:dc:bc:b5:08:7a:f3:cd:64:db:2b:71:67:fe:d8 04:47:08:07:de:17:23:13 Signature algorithm: sha1WithRSAEncryption Fingerprint: 00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10 (sha1) 71:6f:6a:76:17:9b:d6:2a:e7:5a:72:97:82:6d:26:86 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: CRL signing, Certificate signing Certificate identifier: entrust Certificate version: 3 Serial number: 4355 925c Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us, Common name: First Officer Validity: Not before: 2005 Oct 18th, 23:55:59 GMT Not after: 2008 Oct 19th, 00:25:59 GMT Public key algorithm: rsaEncryption(1024 bits) c0:a4:21:32:95:0a:cd:ec:12:03:d1:a2:89:71:8e:ce:4e:a6:f9:2f 1a:9a:13:8c:f6:a0:3d:c9:bd:9d:c2:a0:41:77:99:1b:1e:ed:5b:80 34:46:f8:5b:28:34:38:2e:91:7d:4e:ad:14:86:78:67:e7:02:1d:2e 19:11:b7:fa:0d:ba:64:20:e1:28:4e:3e:bb:6e:64:dc:cd:b1:b4:7a ca:8f:47:dd:40:69:c2:35:95:ce:b8:85:56:d7:0f:2d:04:4d:5d:d8 42:e1:4f:6b:bf:38:c0:45:1e:9e:f0:b4:7f:74:6f:e9:70:fd:4a:78 da:eb:10:27:bd:46:34:33 Signature algorithm: sha1WithRSAEncryption Fingerprint: bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17 (sha1) 23:79:40:c9:6d:a6:f0:ca:e0:13:30:d4:29:6f:86:79 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: Key encipherment Certificate identifier: entrust Certificate version: 3 Serial number: 4355 925b Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us, Common name: First Officer Validity: Not before: 2005 Oct 18th, 23:55:59 GMT Not after: 2008 Oct 19th, 00:25:59 GMT Public key algorithm: rsaEncryption(1024 bits) ea:75:c4:f3:58:08:ea:65:5c:7e:b3:de:63:0a:cf:cf:ec:9a:82:e2 d7:e8:b9:2f:bd:4b:cd:86:2f:f1:dd:d8:a2:95:af:ab:51:a5:49:4e 00:10:c6:25:ff:b5:49:6a:99:64:74:69:e5:8c:23:5b:b4:70:62:8e e4:f9:a2:28:d4:54:e2:0b:1f:50:a2:92:cf:6c:8f:ae:10:d4:69:3c 90:e2:1f:04:ea:ac:05:9b:3a:93:74:d0:59:24:e9:d2:9d:c2:ef:22 b9:32:c7:2c:29:4f:91:cb:5a:26:fe:1d:c0:36:dc:f4:9c:8b:f5:26 af:44:bf:53:aa:d4:5f:67 Signature algorithm: sha1WithRSAEncryption Fingerprint: 46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f (sha1) ee:cc:c7:f4:5d:ac:65:33:0a:55:db:59:72:2c:dd:16 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: Digital signature
要显示本地证书请求,请发出 show security pki certificate-request 命令:
在作模式下,进入 show security pki certificate-request
user@router2> show security pki certificate-request Certificate identifier: local-entrust2 Issued to: router2.example.com Public key algorithm: rsaEncryption(1024 bits) Public key verification status: Passed
要显示本地证书,请发出 show security pki local-certificate 命令:
在作模式下,进入 show security pki local-certificate
user@router2> show security pki local-certificate Certificate identifier: local-entrust2 Issued to: router2.example.com, Issued by: juniper Validity: Not before: 2005 Nov 21st, 23:28:22 GMT Not after: 2008 Nov 21st, 23:58:22 GMT Public key algorithm: rsaEncryption(1024 bits) Public key verification status: Passed
验证您在路由器 3 上的工作
目的
要验证匹配的流量是否正在转移到双向 IPsec 隧道,请查看 IPsec 统计信息:
行动
在作模式下,输入 show services ipsec-vpn ipsec statistics.
user@router3>show services ipsec-vpn ipsec statistics PIC: sp-1/2/0, Service set: service-set-dynamic-demo-service-set ESP Statistics: Encrypted bytes: 161896 Decrypted bytes: 162056 Encrypted packets: 2216 Decrypted packets: 2215 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
要验证 IKE SA 协商是否成功,请发出 show services ipsec-vpn ike security-associations 命令。要获得成功,路由器 3 上的 SA 必须包含您在路由器 2 上指定的相同设置。
在作模式下,输入 show services ipsec-vpn ike security-associations.
user@router3>show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type 10.1.15.1 Matured d82610c59114fd37 ec4391f76783ef28 Main
要验证 IPsec SA 是否处于活动状态,请发出 show services ipsec-vpn ipsec security-associations detail 命令。要获得成功,路由器 3 上的 SA 必须包含您在路由器 2 上指定的相同设置。
在作模式下,输入 show services ipsec-vpn ipsec security-associations detail.
user@router3>show services ipsec-vpn ipsec security-associations detail Service set: service-set-dynamic-demo-service-set Rule: rule-ike, Term: term-ike, Tunnel index: 1 Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1 IPsec inside interface: sp-1/2/0.1 Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Direction: inbound, SPI: 1272330309, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 7219 seconds Hard lifetime: Expires in 7309 seconds Anti-replay service: Enabled, Replay window size: 64 Direction: outbound, SPI: 857451461, AUX-SPI: 0 Mode: tunnel, Type: dynamic, State: Installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Soft lifetime: Expires in 7219 seconds Hard lifetime: Expires in 7309 seconds Anti-replay service: Enabled, Replay window size: 64
要显示用于建立 IPsec 隧道的数字证书,请发出 show services ipsec-vpn certificates 命令:
在作模式下,输入 show services ipsec-vpn certificates.
user@router3>show services ipsec-vpn certificates Service set: service-set-dynamic-demo-service-set, Total entries: 3 Certificate cache entry: 3 Flags: Non-root Trusted Issued to: router3.example.com, Issued by: juniper Alternate subject: router3.example.com Validity: Not before: 2005 Nov 21st, 23:33:58 GMT Not after: 2008 Nov 22nd, 00:03:58 GMT Certificate cache entry: 2 Flags: Non-root Trusted Issued to: router2.example.com, Issued by: juniper Alternate subject: router2.example.com Validity: Not before: 2005 Nov 21st, 23:28:22 GMT Not after: 2008 Nov 21st, 23:58:22 GMT Certificate cache entry: 1 Flags: Root Trusted Issued to: juniper, Issued by: juniper Validity: Not before: 2005 Oct 18th, 23:54:22 GMT Not after: 2025 Oct 19th, 00:24:22 GMT
要显示 CA 证书,请发出 show security pki ca-certificate detail 命令。请注意,有三个单独的证书:一个用于证书签名,一个用于密钥加密,一个用于 CA 的数字签名。
在作模式下,输入 show security pki ca-certificate detail.
user@router3>show security pki ca-certificate detail Certificate identifier: entrust Certificate version: 3 Serial number: 4355 9235 Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us Validity: Not before: 2005 Oct 18th, 23:54:22 GMT Not after: 2025 Oct 19th, 00:24:22 GMT Public key algorithm: rsaEncryption(1024 bits) cb:9e:2d:c0:70:f8:ea:3c:f2:b5:f0:02:48:87:dc:68:99:a3:57:4f 0e:b9:98:0b:95:47:0d:1f:97:7c:53:17:dd:1a:f8:da:e5:08:d1:1c 78:68:1f:2f:72:9f:a2:cf:81:e3:ce:c5:56:89:ce:f0:97:93:fa:36 19:3e:18:7d:8c:9d:21:fe:1f:c3:87:8d:b3:5d:f3:03:66:9d:16:a7 bf:18:3f:f0:7a:80:f0:62:50:43:83:4f:0e:d7:c6:42:48:c0:8a:b2 c7:46:30:38:df:9b:dc:bc:b5:08:7a:f3:cd:64:db:2b:71:67:fe:d8 04:47:08:07:de:17:23:13 Signature algorithm: sha1WithRSAEncryption Fingerprint: 00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10 (sha1) 71:6f:6a:76:17:9b:d6:2a:e7:5a:72:97:82:6d:26:86 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: CRL signing, Certificate signing Certificate identifier: entrust Certificate version: 3 Serial number: 4355 925c Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us, Common name: First Officer Validity: Not before: 2005 Oct 18th, 23:55:59 GMT Not after: 2008 Oct 19th, 00:25:59 GMT Public key algorithm: rsaEncryption(1024 bits) c0:a4:21:32:95:0a:cd:ec:12:03:d1:a2:89:71:8e:ce:4e:a6:f9:2f 1a:9a:13:8c:f6:a0:3d:c9:bd:9d:c2:a0:41:77:99:1b:1e:ed:5b:80 34:46:f8:5b:28:34:38:2e:91:7d:4e:ad:14:86:78:67:e7:02:1d:2e 19:11:b7:fa:0d:ba:64:20:e1:28:4e:3e:bb:6e:64:dc:cd:b1:b4:7a ca:8f:47:dd:40:69:c2:35:95:ce:b8:85:56:d7:0f:2d:04:4d:5d:d8 42:e1:4f:6b:bf:38:c0:45:1e:9e:f0:b4:7f:74:6f:e9:70:fd:4a:78 da:eb:10:27:bd:46:34:33 Signature algorithm: sha1WithRSAEncryption Fingerprint: bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17 (sha1) 23:79:40:c9:6d:a6:f0:ca:e0:13:30:d4:29:6f:86:79 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: Key encipherment Certificate identifier: entrust Certificate version: 3 Serial number: 4355 925b Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us, Common name: First Officer Validity: Not before: 2005 Oct 18th, 23:55:59 GMT Not after: 2008 Oct 19th, 00:25:59 GMT Public key algorithm: rsaEncryption(1024 bits) ea:75:c4:f3:58:08:ea:65:5c:7e:b3:de:63:0a:cf:cf:ec:9a:82:e2 d7:e8:b9:2f:bd:4b:cd:86:2f:f1:dd:d8:a2:95:af:ab:51:a5:49:4e 00:10:c6:25:ff:b5:49:6a:99:64:74:69:e5:8c:23:5b:b4:70:62:8e e4:f9:a2:28:d4:54:e2:0b:1f:50:a2:92:cf:6c:8f:ae:10:d4:69:3c 90:e2:1f:04:ea:ac:05:9b:3a:93:74:d0:59:24:e9:d2:9d:c2:ef:22 b9:32:c7:2c:29:4f:91:cb:5a:26:fe:1d:c0:36:dc:f4:9c:8b:f5:26 af:44:bf:53:aa:d4:5f:67 Signature algorithm: sha1WithRSAEncryption Fingerprint: 46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f (sha1) ee:cc:c7:f4:5d:ac:65:33:0a:55:db:59:72:2c:dd:16 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: Digital signature
要显示本地证书请求,请发出 show security pki certificate-request 命令:
在作模式下,输入 show security pki certificate-request.
user@router3>show security pki certificate-request Certificate identifier: local-entrust3 Issued to: router3.example.com Public key algorithm: rsaEncryption(1024 bits) Public key verification status: Passed
要显示本地证书,请发出 show security pki local-certificate 命令:
在作模式下,输入 show security pki local-certificate.
user@router3>show security pki local-certificate Certificate identifier: local-entrust3 Issued to: router3.example.com, Issued by: juniper Validity: Not before: 2005 Nov 21st, 23:33:58 GMT Not after: 2008 Nov 22nd, 00:03:58 GMT Public key algorithm: rsaEncryption(1024 bits) Public key verification status: Passed
验证您在路由器 4 上的工作
目的
在路由器 4 上,向路由器 1 上的 so-0/0/0 接口发出 ping 命令,以通过 IPsec 隧道发送流量。
行动
在作模式下,输入。ping 10.1.12.2
user@router4>ping 10.1.12.2 PING 10.1.12.2 (10.1.12.2): 56 data bytes 64 bytes from 10.1.12.2: icmp_seq=0 ttl=254 time=1.350 ms 64 bytes from 10.1.12.2: icmp_seq=1 ttl=254 time=1.161 ms 64 bytes from 10.1.12.2: icmp_seq=2 ttl=254 time=1.124 ms 64 bytes from 10.1.12.2: icmp_seq=5 ttl=254 time=1.116 ms ^C --- 10.1.12.2 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.116/1.172/1.350/0.081 ms
确认流量是否通过 IPsec 隧道传输的最后一种方法是向路由器 1 上的 so-0/0/0 接口发出 traceroute 命令。请注意,路径中未引用路由器 2 和 3 之间的物理接口;流量通过路由器 3 上的自适应服务 IPsec 内部接口进入 IPsec 隧道,通过路由器 2 上的环路接口,最后到达路由器 1 上的 so-0/0/0 接口。
在作模式下,输入 traceroute 10.1.12.2.
user@router4>traceroute 10.1.12.2 traceroute to 10.1.12.2 (10.1.12.2), 30 hops max, 40 byte packets 1 10.1.15.2 (10.1.15.2) 0.987 ms 0.630 ms 0.563 ms 2 10.0.0.2 (10.0.0.2) 1.194 ms 1.058 ms 1.033 ms 3 10.1.12.2 (10.1.12.2) 1.073 ms 0.949 ms 0.932 ms
配置 Junos VPN Site Secure 或 IPSec VPN
所有带有 MS-MIC、MS-MPC 或 MS-DPC 的 MX 系列路由器都支持 IPsec VPN。
在 M Series 和 T Series 路由器上,多服务 100 PIC、多服务 400 PIC 和多服务 500 PIC 支持 IPsec VPN。
Junos OS 13.2 及更高版本支持 MS-MIC 和 MS-MPC。MS-MIC 和 MS-MPC 支持 MS-DPC 和 MS-PIC 支持的所有功能,但用于动态或手动安全关联和无流 IPsec 服务的认证头协议 (AH)、封装安全有效负载协议 (ESP) 和捆绑协议(AH 和 ESP 协议)协议除外。
从 Junos OS 17.4R1 版本开始,IKEv1 和 IKEv2 支持 NAT 遍历 (NAT-T)。NAT-T 默认处于启用状态。您可以使用层次结构级别的配置disable-natt[edit services ipsec-vpn]为 IKE 和 ESP 数据包指定 UDP 封装和解封装。
另见
示例:在 MS-MIC 和 MS-MPC 上配置 Junos VPN Site Secure
您可以按照此示例中给出的相同过程并使用相同的配置,在 MS-MPC 上配置 Junos VPN Site Secure(以前称为 IPsec 功能)。
此示例包含以下部分:
要求
此示例使用以下硬件和软件组件:
两台带 MS-MIC 的 MX 系列路由器
Junos OS 13.2 或更高版本
概述
Junos OS 13.2 版将对 Junos VPN Site Secure(以前称为 IPsec 功能)的支持扩展到 MX 系列路由器上新引入的多服务 MIC 和 MPC(MS-MIC 和 MS-MPC)。Junos OS 扩展提供程序包在 MS-MIC 和 MS-MPC 上预安装和预配置。
13.2 版中的 MS-MIC 和 MS-MPC 支持以下 Junos VPN Site Secure 功能:
动态端点 (DEP)
封装安全有效负载 (ESP) 协议
失效对等方检测 (DPD) 触发消息
序列号翻转通知
具有下一跃点样式和接口样式服务集的静态 IPsec 隧道
但是,在 Junos OS 13.2 版中,MS-MIC 和 MS-MPC 对 Junos VPN Site Secure 的支持仅限于 IPv4 流量。MS-MIC 和 MS-MPC 不支持无源模块隧道。
图 2 显示了 IPsec VPN 隧道拓扑。
此示例显示了路由器 1 和路由器 2 两台路由器之间的配置,这两台路由器之间配置了 IPsec VPN 隧道。
配置路由器时,请注意以下几点:
您在路由器 1 上的层级下
[edit services ipsec-vpn rule name term term from]配置的source-addressIP 地址必须与您在路由器 2 上的相同层级下配置的destination-addressIP 地址相同,反之亦然。您在层级下配置的
remote-gatewayIP 地址应与您在路由器 2 的层级下[edit services service-set name ipsec-vpn-options]配置的local-gatewayIP 地址匹配,反之亦[edit services ipsec-vpn rule name term term then]然。
配置
本节包含:
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到 [编辑] 层次结构级别的 CLI 中。
在路由器 1 上配置接口
set interfaces ms-4/0/0 unit 0 family inet set interfaces ms-4/0/0 unit 1 family inet set interfaces ms-4/0/0 unit 1 family inet6 set interfaces ms-4/0/0 unit 1 service-domain inside set interfaces ms-4/0/0 unit 2 family inet set interfaces ms-4/0/0 unit 2 family inet6 set interfaces ms-4/0/0 unit 2 service-domain outside set interfaces xe-0/2/0 unit 0 family inet address 10.0.1.1/30
在路由器 1 上配置 IPsec VPN 服务
set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 from source-address 172.16.0.0/16 set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 from destination-address 192.168.0.0/16 set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then remote-gateway 10.0.1.2 set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then dynamic ike-policy ike_policy_ms_4_0_0 set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_4_0_0 set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then anti-replay-window-size 4096 set services ipsec-vpn rule vpn_rule_ms_4_0_01 match-direction input set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0 protocol esp set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0 authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0 encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec_policy_ms_4_0_0 perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec policy ipsec_policy_ms_4_0_0 proposals ipsec_proposal_ms_4_0_0 set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0 authentication-method pre-shared-keys set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0 dh-group group2 set services ipsec-vpn ike policy ike_policy_ms_4_0_0 version 2 set services ipsec-vpn ike policy ike_policy_ms_4_0_0 proposals ike_proposal_ms_4_0_0 set services ipsec-vpn ike policy ike_policy_ms_4_0_0 pre-shared-key ascii-text secret-data
在路由器 1 上配置服务集
set services service-set ipsec_ss_ms_4_0_01 next-hop-service inside-service-interface ms-4/0/0.1 set services service-set ipsec_ss_ms_4_0_01 next-hop-service outside-service-interface ms-4/0/0.2 set services service-set ipsec_ss_ms_4_0_01 ipsec-vpn-options local-gateway 10.0.1.1 set services service-set ipsec_ss_ms_4_0_01 ipsec-vpn-rules vpn_rule_ms_4_0_01
在路由器 1 上配置路由选项
set routing-options static route 192.168.0.0/16 next-hop ms-4/0/0.1
在路由器 2 上配置接口
set interfaces ms-1/0/0 unit 0 family inet set interfaces ms-1/0/0 unit 1 family inet set interfaces ms-1/0/0 unit 1 family inet6 set interfaces ms-1/0/0 unit 1 service-domain inside set interfaces ms-1/0/0 unit 2 family inet set interfaces ms-1/0/0 unit 2 family inet6 set interfaces ms-1/0/0 unit 2 service-domain outside set interfaces ge-2/0/0 unit 0 family inet address 10.0.1.2/30
在路由器 2 上配置 IPsec VPN 服务
set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 from source-address 192.168.0.0/16 set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 from destination-address 172.16.0.0/16 set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then remote-gateway 10.0.1.1 set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then dynamic ike-policy ike_policy_ms_5_2_0 set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_5_2_0 set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then anti-replay-window-size 4096 set services ipsec-vpn rule vpn_rule_ms_5_2_01 match-direction input set services ipsec-vpn ipsec proposal ipsec_proposal_ms_5_2_0 protocol esp set services ipsec-vpn ipsec proposal ipsec_proposal_ms_5_2_0 authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal ipsec_proposal_ms_5_2_0 encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy ipsec_policy_ms_5_2_0 perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec policy ipsec_policy_ms_5_2_0 proposals ipsec_proposal_ms_5_2_0 set services ipsec-vpn ike proposal ike_proposal_ms_5_2_0 authentication-method pre-shared-keys set services ipsec-vpn ike proposal ike_proposal_ms_5_2_0 dh-group group2 set services ipsec-vpn ike policy ike_policy_ms_5_2_0 version 2 set services ipsec-vpn ike policy ike_policy_ms_5_2_0 proposals ike_proposal_ms_5_2_0 set services ipsec-vpn ike policy ike_policy_ms_5_2_0 pre-shared-key ascii-text secret-data set services ipsec-vpn establish-tunnels immediately
在路由器 2 上配置服务集
set services service-set ipsec_ss_ms_5_2_01 next-hop-service inside-service-interface ms-1/0/0.1 set services service-set ipsec_ss_ms_5_2_01 next-hop-service outside-service-interface ms-1/0/0.2 set services service-set ipsec_ss_ms_5_2_01 ipsec-vpn-options local-gateway 10.0.1.2 set services service-set ipsec_ss_ms_5_2_01 ipsec-vpn-rules vpn_rule_ms_5_2_01
在路由器 2 上配置路由选项
set routing-options static route 172.16.0.0/16 next-hop ms-1/0/0.1
配置路由器 1
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
从版本 13.2 开始,Junos OS 扩展提供程序软件包预安装在多服务 MIC 和 MPC(MS-MIC 和 MS-MPC)上。 adaptive-services 层次结构级别的配置 [edit chassis fpc number pic number] 在这些卡上预先配置。
配置接口属性,如 family、service-domain 和 unit。
user@router1# set interfaces ms-4/0/0 unit 0 family inet user@router1# set interfaces ms-4/0/0 unit 1 family inet user@router1# set interfaces ms-4/0/0 unit 1 family inet6 user@router1# set interfaces ms-4/0/0 unit 1 service-domain inside user@router1# set interfaces ms-4/0/0 unit 2 family inet user@router1# set interfaces ms-4/0/0 unit 2 family inet6 user@router1# set interfaces ms-4/0/0 unit 2 service-domain outside user@router1# set interfaces xe-0/2/0 unit 0 family inet address 10.0.1.1/30
配置 IPsec 属性,例如地址、远程网关、策略、匹配方向、协议、重播窗口大小、算法详细信息、保密密钥、提议、身份验证方法、组和版本。
user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 from source-address 172.16.0.0/16 user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 from destination-address 192.168.0.0/16 user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then remote-gateway 10.0.1.2 user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then dynamic ike-policy ike_policy_ms_4_0_0 user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_4_0_0 user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 term term11 then anti-replay-window-size 4096 user@router1# set services ipsec-vpn rule vpn_rule_ms_4_0_01 match-direction input user@router1# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0 protocol esp user@router1# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0 authentication-algorithm hmac-sha1-96 user@router1# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_4_0_0 encryption-algorithm 3des-cbc user@router1# set services ipsec-vpn ipsec policy ipsec_policy_ms_4_0_0 perfect-forward-secrecy keys group2 user@router1# set services ipsec-vpn ipsec policy ipsec_policy_ms_4_0_0 proposals ipsec_proposal_ms_4_0_0 user@router1# set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0 authentication-method pre-shared-keys user@router1# set services ipsec-vpn ike proposal ike_proposal_ms_4_0_0 dh-group group2 user@router1# set services ipsec-vpn ike policy ike_policy_ms_4_0_0 version 2 user@router1# set services ipsec-vpn ike policy ike_policy_ms_4_0_0 proposals ike_proposal_ms_4_0_0 user@router1# set services ipsec-vpn ike policy ike_policy_ms_4_0_0 pre-shared-key ascii-text secret-key
配置服务集、ipsec-vpn 选项和规则。
user@router1# set services service-set ipsec_ss_ms_4_0_01 next-hop-service inside-service-interface ms-4/0/0.1 user@router1# set services service-set ipsec_ss_ms_4_0_01 next-hop-service outside-service-interface ms-4/0/0.2 user@router1# set services service-set ipsec_ss_ms_4_0_01 ipsec-vpn-options local-gateway 10.0.1.1 user@router1# set services service-set ipsec_ss_ms_4_0_01 ipsec-vpn-rules vpn_rule_ms_4_0_01
配置路由选项、静态路由和下一跃点。
user@router1# set routing-options static route 192.168.0.0/16 next-hop ms-4/0/0.1
结果
在路由器 1 的配置模式下,输入show interfacesshow services ipsec-vpn、和show services service-set命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
user@router1# show interfaces
ms-4/0/0{
unit 0 {
family inet;
}
unit 1 {
family inet;
family inet6;
service-domain inside;
}
unit 2 {
family inet;
family inet6;
service-domain outside;
}
}
xe-0/2/0 {
unit 0 {
family inet {
address 10.0.1.1/30;
}
}
}
user@router1# show services ipsec-vpn
rule vpn_rule_ms_4_0_01 {
term term11 {
from {
source-address {
172.16.0.0/16;
}
destination-address {
192.168.0.0/16;
}
}
then {
remote-gateway 10.0.1.2;
dynamic {
ike-policy ike_policy_ms_4_0_0;
ipsec-policy ipsec_policy_ms_4_0_0;
}
anti-replay-window-size 4096;
}
}
match-direction input;
}
ipsec {
proposal ipsec_proposal_ms_4_0_0 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy ipsec_policy_ms_4_0_0 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec_proposal_ms_4_0_0;
}
}
ike {
proposal ike_proposal_ms_4_0_0 {
authentication-method pre-shared-keys;
dh-group group2;
}
policy ike_policy_ms_4_0_0 {
version 2;
proposals ike_proposal_ms_4_0_0;
pre-shared-key ascii-text "$9ABC123"; ## SECRET-DATA
}
}
user@router1# show services service-set
ipsec_ss_ms_4_0_01 {
next-hop-service {
inside-service-interface ms-4/0/0.1;
outside-service-interface ms-4/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.0.1.1;
}
ipsec-vpn-rules vpn_rule_ms_4_0_01;
}
配置路由器 2
分步过程
配置接口属性,如 family、service-domain 和 unit。
user@router2# set interfaces ms-1/0/0 services-options inactivity-non-tcp-timeout 600 user@router2# set interfaces ms-1/0/0 unit 0 family inet user@router2# set interfaces ms-1/0/0 unit 1 family inet user@router2# set interfaces ms-1/0/0 unit 1 family inet6 user@router2# set interfaces ms-1/0/0 unit 1 service-domain inside user@router2# set interfaces ms-1/0/0 unit 2 family inet user@router2# set interfaces ms-1/0/0 unit 2 family inet6 user@router2# set interfaces ms-1/0/0 unit 2 service-domain outside user@router2# set interfaces ge-2/0/0 unit 0 family inet adddress 10.0.1.2/30
配置 IPsec 属性,例如地址、远程网关、策略、匹配方向、协议、重播窗口大小、算法详细信息、保密密钥、提议、身份验证方法、组和版本。
user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 from source-address 192.168.0.0/16 user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 from destination-address 172.16.0.0/16 user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then remote-gateway 10.0.1.1 user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then dynamic ike-policy ike_policy_ms_5_2_0 user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_5_2_0 user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 term term11 then anti-replay-window-size 4096 user@router2# set services ipsec-vpn rule vpn_rule_ms_5_2_01 match-direction input user@router2# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_5_2_0 protocol esp user@router2# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_5_2_0 authentication-algorithm hmac-sha1-96 user@router2# set services ipsec-vpn ipsec proposal ipsec_proposal_ms_5_2_0 encryption-algorithm 3des-cbc user@router2# set services ipsec-vpn ipsec policy ipsec_policy_ms_5_2_0 perfect-forward-secrecy keys group2 user@router2# set services ipsec-vpn ipsec policy ipsec_policy_ms_5_2_0 proposals ipsec_proposal_ms_5_2_0 user@router2# set services ipsec-vpn ike proposal ike_proposal_ms_5_2_0 authentication-method pre-shared-keys user@router2# set services ipsec-vpn ike proposal ike_proposal_ms_5_2_0 dh-group group2 user@router2# set services ipsec-vpn ike policy ike_policy_ms_5_2_0 version 2 user@router2# set services ipsec-vpn ike policy ike_policy_ms_5_2_0 proposals ike_proposal_ms_5_2_0 user@router2# set services ipsec-vpn ike policy ike_policy_ms_5_2_0 pre-shared-key ascii-text "$ABC123" user@router2# set services ipsec-vpn establish-tunnels immediately
配置服务集,例如 next-hop-service 和 ipsec-vpn-options。
user@router2# set services service-set ipsec_ss_ms_5_2_01 next-hop-service inside-service-interface ms-1/0/0.1 user@router2# set services service-set ipsec_ss_ms_5_2_01 next-hop-service outside-service-interface ms-1/0/0.2 user@router2# set services service-set ipsec_ss_ms_5_2_01 ipsec-vpn-options local-gateway 10.0.1.2 user@router2# set services service-set ipsec_ss_ms_5_2_01 ipsec-vpn-rules vpn_rule_ms_5_2_01
配置路由选项、静态路由和下一跃点。
user@router2# set routing-options static route 172.16.0.0/16 next-hop ms-1/0/0.1
结果
在路由器 2 的配置模式下,输入show interfacesshow services ipsec-vpn、和show services service-set命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
user@router2# show interfaces
ms-1/0/0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
family inet6;
service-domain inside;
}
unit 2 {
family inet;
family inet6;
service-domain outside;
}
}
ge-2/0/0 {
unit 0 {
family inet {
address 10.0.1.2/30;
}
}
}
user@router2# show services ipsec-vpn
rule vpn_rule_ms_5_2_01 {
term term11 {
from {
source-address {
192.168.0.0/16;
}
destination-address {
172.16.0.0/16;
}
}
then {
remote-gateway 10.0.1.1;
dynamic {
ike-policy ike_policy_ms_5_2_0;
ipsec-policy ipsec_policy_ms_5_2_0;
}
anti-replay-window-size 4096;
}
}
match-direction input;
}
ipsec {
proposal ipsec_proposal_ms_5_2_0 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy ipsec_policy_ms_5_2_0 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec_proposal_ms_5_2_0;
}
}
ike {
proposal ike_proposal_ms_5_2_0 {
authentication-method pre-shared-keys;
dh-group group2;
}
policy ike_policy_ms_5_2_0 {
version 2;
proposals ike_proposal_ms_5_2_0;
pre-shared-key ascii-text "$9ABC123"; ## SECRET-DATA
}
}
establish-tunnels immediately;
user@router2# show services service-set
ipsec_ss_ms_5_2_01 {
next-hop-service {
inside-service-interface ms-1/0/0.1;
outside-service-interface ms-1/0/0.2;
}
ipsec-vpn-options {
local-gateway 10.0.1.2;
}
ipsec-vpn-rules vpn_rule_ms_5_2_01;
}
user@router2 #show routing-options
static {
route 172.16.0.0/16 next-hop ms-1/0/0.1;
}
验证
验证隧道创建
目的
验证是否已创建动态端点。
行动
在路由器 1 上运行以下命令:
user@router1 >show services ipsec-vpn ipsec security-associations detail
Service set: ipsec_ss_ms_4_0_01, IKE Routing-instance: default
Rule: vpn_rule_ms_4_0_01, Term: term11, Tunnel index: 1
Local gateway: 10.0.1.1, Remote gateway: 10.0.1.2
IPSec inside interface: ms-4/0/0.1, Tunnel MTU: 1500
Local identity: ipv4_subnet(any:0,[0..7]=172.16.0.0/16)
Remote identity: ipv4_subnet(any:0,[0..7]=192.168.0.0/16)
Direction: inbound, SPI: 112014862, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 24556 seconds
Hard lifetime: Expires in 25130 seconds
Anti-replay service: Enabled, Replay window size: 4096
Direction: outbound, SPI: 1469281276, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 24556 seconds
Hard lifetime: Expires in 25130 seconds
Anti-replay service: Enabled, Replay window size: 4096
意义
输出显示 IPSec SA 在路由器上已启动,其状态为已安装。IPSec 隧道已启动,可通过隧道发送流量。
验证通过 DEP 隧道的流量
目的
验证通过新创建的 DEP 隧道的流量。
行动
在路由器 2 上运行以下命令:
user@router2> show services ipsec-vpn ipsec statistics PIC: ms-1/0/0, Service set: ipsec_ss_ms_5_2_01 ESP Statistics: Encrypted bytes: 153328 Decrypted bytes: 131424 Encrypted packets: 2738 Decrypted packets: 2738 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0 ESP authentication failures: 0 ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 Replay before window drops: 0, Replayed pkts: 0 IP integrity errors: 0, Exceeds tunnel MTU: 0 Rule lookup failures: 0, No SA errors: 0 Flow errors: 0, Misc errors: 0
验证服务集的 IPsec 安全关联
目的
验证为服务集配置的安全关联是否正常工作。
行动
在路由器 2 上运行以下命令:
user@router2> show services ipsec-vpn ipsec security-associations ipsec_ss_ms_5_2_01
Service set: ipsec_ss_ms_5_2_01, IKE Routing-instance: default
Rule: vpn_rule_ms_5_2_01, Term: term11, Tunnel index: 1
Local gateway: 10.0.1.2., Remote gateway: 10.0.1.1
IPSec inside interface: ms-1/0/0.1, Tunnel MTU: 1500
Direction SPI AUX-SPI Mode Type Protocol
inbound 1612447024 0 tunnel dynamic ESP
outbound 1824720964 0 tunnel dynamic ESP
示例:通过VRF实例配置静态分配的IPsec隧道
此示例说明如何通过 VRF 实例配置静态分配的 IPsec 隧道,并包含以下部分:
要求
此示例使用以下硬件和软件组件:
配置为提供商边缘路由器的 M Series、MX 系列或 T Series 路由器。
Junos OS 9.4 及更高版本。
在配置此功能之前,不需要除设备初始化之外的特殊配置。
概述
Junos OS 允许您在虚拟路由和转发 (VRF) 实例上配置静态分配的 IPsec 隧道。能够在 VRF 实例上配置 IPsec 隧道,从而增强网络分段和安全性。您可以通过 VRF 实例在同一 PE 路由器上配置多个客户隧道。每个 VRF 实例充当具有专用路由表的逻辑路由器。
配置
此示例显示了在提供商边缘路由器上通过 VRF 实例配置 IPsec 隧道,并提供完成所需配置的分步说明。
本节包含:
配置提供商边缘路由器
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,然后将命令复制并粘贴到 [编辑] 层次结构级别的 CLI 中。
set interfaces ge-0/3/0 unit 0 family inet address 10.6.6.6/32 set interfaces ge-1/1/0 description "teller ge-0/1/0" set interfaces ge-1/1/0 unit 0 family inet address 10.21.1.1/16 set interfaces ms-1/2/0 unit 0 family inet address 10.7.7.7/32 set interfaces ms-1/2/0 unit 1 family inet set interfaces ms-1/2/0 unit 1 service-domain inside set interfaces ms-1/2/0 unit 2 family inet set interfaces ms-1/2/0 unit 2 service-domain outside set policy-options policy-statement vpn-export then community add vpn-community set policy-options policy-statement vpn-export then accept set policy-options policy-statement vpn-import term a from community vpn-community set policy-options policy-statement vpn-import term a then accept set policy-options community vpn-community members target:100:20 set routing-instances vrf instance-type vrf set routing-instances vrf interface ge-0/3/0.0 set routing-instances vrf interface ms-1/2/0.1 set routing-instances vrf route-distinguisher 192.168.0.1:1 set routing-instances vrf vrf-import vpn-import set routing-instances vrf vrf-export vpn-export set routing-instances vrf routing-options static route 10.0.0.0/0 next-hop ge-0/3/0.0 set routing-instances vrf routing-options static route 10.11.11.1/32 next-hop ge-0/3/0.0 set routing-instances vrf routing-options static route 10.8.8.1/32 next-hop ms-1/2/0.1 set services ipsec-vpn ipsec proposal demo_ipsec_proposal protocol esp set services ipsec-vpn ipsec proposal demo_ipsec_proposal authentication-algorithm hmac-sha1-96 set services ipsec-vpn ipsec proposal demo_ipsec_proposal encryption-algorithm 3des-cbc set services ipsec-vpn ipsec policy demo_ipsec_policy perfect-forward-secrecy keys group2 set services ipsec-vpn ipsec policy demo_ipsec_policy proposals demo_ipsec_proposal set services ipsec-vpn ike proposal demo_ike_proposal authentication-method pre-shared-keys set services ipsec-vpn ike proposal demo_ike_proposal dh-group group2 set services ipsec-vpn ike policy demo_ike_policy proposals demo_ike_proposal set services ipsec-vpn ike policy demo_ike_policy pre-shared-key ascii-text juniperkey set services ipsec-vpn rule demo-rule term demo-term then remote-gateway 10.21.2.1 set services ipsec-vpn rule demo-rule term demo-term then dynamic ike-policy demo_ike_policy set services ipsec-vpn rule demo-rule match-direction input set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 set services service-set demo-service-set ipsec-vpn-options local-gateway 10.21.1.1 set services service-set demo-service-set ipsec-vpn-rules demo-rule
分步过程
下面的示例要求您在各个配置层级中进行导航。有关 CLI 导航的信息,请参阅 CLI 用户指南中的在配置模式下使用 CLI 编辑器。
要在 VRF 实例上配置静态分配的 IPsec 隧道,请执行以下作:
配置接口。在此步骤中,您将配置两个以太网 (
ge) 接口、一个服务接口 (ms-),以及服务接口的逻辑接口的服务域属性。请注意,标记为内部接口的逻辑接口对流量应用已配置的服务,而标记为外部接口的逻辑接口则充当内部接口应用该服务的流量的出口点。[edit interfaces] user@PE1# set ge-0/3/0 unit 0 family inet address 10.6.6.6/32 user@PE1# set ge-1/1/0 description "teller ge-0/1/0" user@PE1# set ge-1/1/0 unit 0 family inet address 10.21.1.1/16 user@PE1# set ms-1/2/0 unit 0 family inet address 10.7.7.7/32 user@PE1# set ms-1/2/0 unit 1 family inet user@PE1# set ms-1/2/0 unit 1 service-domain inside user@PE1# set ms-1/2/0 unit 2 family inet user@PE1# set ms-1/2/0 unit 2 service-domain outside
配置路由策略,为 VRF 实例指定路由导入和导出条件。此步骤中定义的导入和导出策略将从下一步中的路由实例配置中引用。
[edit policy-options] user@PE1# set policy-statement vpn-export then community add vpn-community user@PE1# set policy-statement vpn-export then accept user@PE1# set policy-statement vpn-import term a from community vpn-community user@PE1# set policy-statement vpn-import term a then accept user@PE1# set community vpn-community members target:100:20
配置路由实例并将路由实例类型指定为
vrf。将上一步中定义的导入和导出策略应用于路由实例,并指定静态路由以将 IPsec 流量发送到在第一步中配置的内部接口 (ms-1/2/0.1)。[edit routing-instance] user@PE1# set vrf instance-type vrf user@PE1# set vrf interface ge-0/3/0.0 user@PE1# set vrf interface ms-1/2/0.1 user@PE1# set vrf route-distinguisher 192.168.0.1:1 user@PE1# set vrf vrf-import vpn-import user@PE1# set vrf vrf-export vpn-export user@PE1# set vrf routing-options static route 10.0.0.0/0 next-hop ge-0/3/0.0 user@PE1# set vrf routing-options static route 10.11.11.1/32 next-hop ge-0/3/0.0 user@PE1# set vrf routing-options static route 10.8.8.1/32 next-hop ms-1/2/0.1
配置 IKE 和 IPsec 提议和策略,以及用于对传入流量应用 IKE 策略的规则。
注意:默认情况下,Junos OS 使用 IKE 策略版本 1.0。Junos OS 11.4 和更高版本还支持 IKE 策略 2.0 版,您必须在
[edit services ipsec-vpn ike policy policy-name pre-shared]中配置该策略。[edit services] user@PE1# set ipsec-vpn ipsec proposal demo_ipsec_proposal protocol esp user@PE1# set ipsec-vpn ipsec proposal demo_ipsec_proposal authentication-algorithm hmac-sha1-96 user@PE1# set ipsec-vpn ipsec proposal demo_ipsec_proposal encryption-algorithm 3des-cbc user@PE1# set ipsec-vpn ipsec policy demo_ipsec_policy perfect-forward-secrecy keys group2 user@PE1# set ipsec-vpn ipsec policy demo_ipsec_policy proposals demo_ipsec_proposal user@PE1# set ipsec-vpn ike proposal demo_ike_proposal authentication-method pre-shared-keys user@PE1# set ipsec-vpn ike proposal demo_ike_proposal dh-group group2 user@PE1# set ipsec-vpn ike policy demo_ike_policy proposals demo_ike_proposal user@PE1# set ipsec-vpn ike policy demo_ike_policy pre-shared-key ascii-text juniperkey user@PE1# set ipsec-vpn rule demo-rule term demo-term then remote-gateway 10.21.2.1 user@PE1# set ipsec-vpn rule demo-rule term demo-term then dynamic ike-policy demo_ike_policy user@PE1# set ipsec-vpn rule demo-rule match-direction input
配置下一跃点样式服务集。请注意,您必须将在第一步中配置的内部接口和外部接口分别配置为
inside-service-interface和outside-service-interface。[edit services] user@PE1# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1 user@PE1# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2 user@PE1# set service-set demo-service-set ipsec-vpn-options local-gateway 10.21.1.1 user@PE1# set service-set demo-service-set ipsec-vpn-rules demo-rule
提交配置。
[edit] user@PE1# commit
结果
在路由器 1 的配置模式下,输入show interfacesshow services ipsec-vpnshow policy-optionsshow routing-instances、和show services service-set 命令,以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
user@PE1# show interfaces
...
ms-1/2/0 {
unit 0 {
family inet {
address 10.7.7.7/32;
}
}
unit 1 {
family inet;
service-domain inside;
}
unit 2 {
family inet;
service-domain outside;
}
}
ge-0/3/0 {
unit 0 {
family inet {
address 10.6.6.6/32;
}
}
}
ge-1/1/0 {
description "teller ge-0/1/0";
unit 0 {
family inet {
address 10.21.1.1/16;
}
}
}
...
user@PE1# show policy-options
policy-statement vpn-export {
then {
community add vpn-community;
accept;
}
}
policy-statement vpn-import {
term a {
from community vpn-community;
then accept;
}
}
community vpn-community members target:100:20;
user@PE1# show routing-instances
vrf {
instance-type vrf;
interface ge-0/3/0.0;
interface ms-1/2/0.1;
route-distinguisher 192.168.0.1:1;
vrf-import vpn-import;
vrf-export vpn-export;
routing-options {
static {
route 10.0.0.0/0 next-hop ge-0/3/0.0;
route 10.11.11.1/32 next-hop ge-0/3/0.0;
route 10.8.8.1/32 next-hop ms-1/2/0.1;
}
}
}
user@PE1# show services ipsec-vpn
ipsec-vpn {
rule demo-rule {
term demo-term {
then {
remote-gateway 10.21.2.1;
dynamic {
ike-policy demo_ike_policy;
}
}
}
match-direction input;
}
ipsec {
proposal demo_ipsec_proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
}
policy demo_ipsec_policy {
perfect-forward-secrecy {
keys group2;
}
proposals demo_ipsec_proposal;
}
}
ike {
proposal demo_ike_proposal {
authentication-method pre-shared-keys;
dh-group group2;
}
policy demo_ike_policy {
proposals demo_ike_proposal;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
}
}
user@PE1# show services service-set demo-service-set
next-hop-service {
inside-service-interface ms-1/2/0.1;
outside-service-interface ms-1/2/0.2;
}
ipsec-vpn-options {
local-gateway 10.21.1.1;
}
ipsec-vpn-rules demo-rule;
多任务示例:配置 IPsec 服务
以下基于示例的说明如何配置 IPsec 服务。配置涉及定义 IKE 策略、IPsec 策略、IPsec 规则、追踪选项和服务集。
本主题包含以下任务:
- 配置 IKE 提议
- 配置 IKE 策略(并引用 IKE 提议)
- 配置 IPsec 提议
- 配置 IPsec 策略(并引用 IPsec 提议)
- 配置 IPsec 规则(并引用 IKE 和 IPsec 策略)
- 配置 IPsec 追踪选项
- 配置访问配置文件(并引用 IKE 和 IPsec 策略)
- 配置服务集(并引用 IKE 配置文件和 IPsec 规则)
配置 IKE 提议
IKE 提议配置定义用于与对等安全网关建立安全 IKE 连接的算法和密钥。有关 IKE 提议的详细信息,请参阅 配置 IKE 提议。
要定义 IKE 提议aI,请执行以下作:
以下示例输出显示了 IKE 提议的配置:
[edit services ipsec-vpn]
user@host# show ike
proposal test-IKE-proposal {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
}
另见
配置 IKE 策略(并引用 IKE 提议)
IKE 策略配置定义 IKE 协商期间使用的提议、模式、地址和其他安全参数。有关 IKE 策略的详细信息,请参阅 配置 IKE 策略。
要定义 IKE 策略并引用 IKE 提议,请执行以下作:
以下示例输出显示了 IKE 策略的配置:
[edit services ipsec-vpn]
user@host# show ike
policy test-IKE-policy {
mode main;
proposals test-IKE-proposal;
local-id ipv4_addr 192.168.255.2;
pre-shared-key ascii-text TEST;
}
配置 IPsec 提议
IPsec 提议配置定义与远程 IPsec 对等方协商所需的协议和算法(安全服务)。有关 IPsec 提议的详细信息,请参阅 配置 IPsec 提议。
要定义 IPsec 提议,请执行以下作:
以下示例输出显示了 IPsec 提议的配置:
[edit services ipsec-vpn]
user@host# show ike
proposal test-IPsec-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
}
另见
配置 IPsec 策略(并引用 IPsec 提议)
IPsec 策略配置定义 IPsec 协商期间使用的安全参数(IPsec 提议)组合。它定义了 PFS 和连接所需的建议。有关 IPsec 策略的详细信息,请参阅 配置 IPsec 策略。
要定义 IPsec 策略并参考 IPsec 提议,请执行以下作:
以下示例输出显示了 IPsec 策略的配置:
[edit services ipsec-vpn]
user@host# show ipsec policy test-IPsec-policy
perfect-forward-secrecy {
keys group1;
}
proposals test-IPsec-proposal;
另见
配置 IPsec 规则(并引用 IKE 和 IPsec 策略)
IPsec 规则配置定义一个方向,用于指定是在接口的输入端还是输出端应用匹配。该配置还包含一组术语,用于指定包含和排除的匹配条件和应用,并指定路由器软件要执行的作和作修饰符。有关 IPsec 规则的详细信息,请参阅 配置 IPsec 规则。
要定义 IPsec 规则并引用 IKE 和 IPsec 策略,请执行以下作:
以下示例输出显示了 IPsec 规则的配置:
[edit services ipsec-vpn]
user@host# show rule test-IPsec-rule
term 10 {
from {
destination-address {
192.168.255.2/32;
}
}
then {
remote-gateway 0.0.0.0;
dynamic {
ike-policy test-IKE-policy;
ipsec-policy test-IPsec-policy;
}
}
}
match-direction input;
配置 IPsec 追踪选项
IPsec 追踪选项配置可跟踪 IPsec 事件,并将其记录在 /var/log 目录下的日志文件中。默认情况下,此文件名为 /var/log/kmd。有关 IPsec 规则的详细信息,请参阅 跟踪 Junos VPN Site Secure作。
要定义 IPsec 追踪选项,请执行以下作:
以下示例输出显示了 IPsec 追踪选项的配置:
[edit services ipsec-vpn] user@host# show traceoptions file ipsec.log; flag all;
配置访问配置文件(并引用 IKE 和 IPsec 策略)
访问配置文件配置定义访问配置文件并引用 IKE 和 IPsec 策略。有关访问配置文件的详细信息,请参阅 配置 IKE 访问配置文件。
要定义访问配置文件并引用 IKE 和 IPsec 策略,请执行以下作:
以下示例输出显示了访问配置文件的配置:
[edit access]
user@host# show
profile IKE-profile-TEST {
client * {
ike {
allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24;
ike-policy test-IKE-policy;
ipsec-policy test-IPsec-policy; # new statement
interface-id TEST-intf;
}
}
}
另见
配置服务集(并引用 IKE 配置文件和 IPsec 规则)
服务集配置定义需要其他规范的 IPsec 服务集,并引用 IKE 配置文件和 IPsec 规则。有关 IPsec 服务集的详细信息,请参阅 配置 IPsec 服务集。
要使用下一跃点服务集和 IPsec VPN 选项定义服务集配置,请执行以下作:
以下示例输出显示了引用 IKE 配置文件和 IPsec 规则的服务集配置的配置:
[edit services]user@host# show service-set TEST
next-hop-service {
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}
ipsec-vpn-options {
local-gateway 192.168.255.2;
ike-access-profile IKE-profile-TEST;
}
ipsec-vpn-rules test-IPsec-rule;
另见
禁用 MX 系列路由器上的 NAT-T,以便处理带有 IPsec 保护数据包的 NAT
在 Junos OS 17.4R1 版之前,MX 系列路由器上的 Junos VPN Site Secure IPsec 功能套件不支持网络地址转换-遍历 (NAT-T)。默认情况下,Junos OS 会检测 NAT 设备后面是否存在任何一个 IPsec 隧道,并自动切换到对受保护的流量使用 NAT-T。为避免在 17.4R1 之前的 Junos OS 版本中运行不受支持的 NAT-T,必须通过在[edit services ipsec-vpn]层次结构级别上包含disable-natt语句来禁用 NAT-T。禁用 NAT-T 时,NAT-T 功能将全局关闭。禁用 NAT-T 且两个 IPsec 网关之间存在 NAT 设备时,将使用 UDP 端口 500 协商 ISAKMP 消息,并使用封装安全有效负载 (ESP) 封装数据包。
网络地址转换-遍历 (NAT-T) 是一种解决 IP 地址转换问题的方法,当受 IPsec 保护的数据通过 NAT 设备进行地址转换时,会遇到 IP 地址转换问题。对 IP 寻址(NAT 的功能)所做的任何更改都会导致 IKE 丢弃数据包。在第 1 阶段交换期间,NAT-T 检测到数据路径上的一个或多个 NAT 设备后,会向 IPsec 数据包添加一层用户数据报协议 (UDP) 封装,以便在地址转换后不会丢弃这些数据包。NAT-T 将 IKE 和 ESP 流量封装在 UDP 中,端口 4500 用作源端口和目标端口。由于 NAT 设备会让过时的 UDP 转换过时,因此对等方之间需要激活消息。
NAT 设备的位置可以是这样的:
NAT 设备后面只有 IKEv1 或 IKEv2 发起程序。多个启动器可以位于不同的 NAT 设备后面。发起方还可以通过多个 NAT 设备连接到响应方。
NAT 设备后面只有 IKEv1 或 IKEv2 响应方。
IKEv1 或 IKEv2 发起方和响应方均位于 NAT 设备后面。
动态端点 VPN 涵盖发起方的 IKE 外部地址不固定,因此响应方不知道的情况。当发起方的地址由 ISP 动态分配时,或者发起方的连接穿过从动态地址池中分配地址的动态 NAT 设备时,可能会发生这种情况。
对于只有响应方位于 NAT 设备后面的拓扑,以及发起方和响应方都位于 NAT 设备后面的拓扑,提供了 NAT-T 的配置示例。发起方和响应方均支持 NAT-T 的站点到站点 IKE 网关配置。远程 IKE ID 用于在 IKE 隧道协商第 1 阶段验证对等方的本地 IKE ID。发起方和响应方都需要本地标识和远程身份字符串。
另见
跟踪 Junos VPN Site Secure作
Junos VPN Site Secure 是一套在多服务线卡(MS-DPC、MS-MPC 和 MS-MIC)上受支持的 IPsec 功能,以前称为 IPsec 服务。
跟踪作可跟踪 IPsec 事件, /var/log 并将其记录在目录下的日志文件中。默认情况下,此文件名为 /var/log/kmd。
要跟踪 IPsec作,请在[edit services ipsec-vpn]层次结构级别包含以下traceoptions语句:
[edit services ipsec-vpn] traceoptions { file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>; flag flag; level level; no-remote-trace; }
您可以指定以下 IPsec 跟踪标志:
all- 跟踪所有内容。certificates- 跟踪证书事件。database- 跟踪安全关联数据库事件。general- 跟踪常规事件。ike- 跟踪 IKE 模块处理过程。parse- 跟踪配置处理。policy-manager- 跟踪策略管理器处理。routing-socket—跟踪路由套接字消息。snmp- 跟踪 SNMP作。timer- 跟踪内部计时器事件。
该 level 语句设置密钥管理进程 (kmd) 跟踪级别。支持以下值:
all- 匹配所有级别。error- 匹配错误条件。info–匹配信息性消息。notice- 匹配应特殊处理的条件。verbose- 匹配详细消息。warning- 匹配警告消息。
本节包含以下主题:
在 Traceroute 中禁用 IPsec 隧道端点
如果在[edit services ipsec-vpn]层次结构级别包含该no-ipsec-tunnel-in-traceroute语句,则 IPsec 隧道不会被视为下一跃点,并且生存时间 (TTL) 也不会递减。此外,如果 TTL 达到零,则不会生成 ICMP 超时消息。
[edit services ipsec-vpn] no-ipsec-tunnel-in-traceroute;
此功能也由 passive-mode-tunneling 语句提供。您可以在不应将 IPsec 隧道视为下一跃点且不需要被动模式的特定场景中使用该 no-ipsec-tunnel-in-traceroute 语句。
跟踪 IPsec PKI作
跟踪作可跟踪 IPsec PKI 事件, /var/log 并将其记录在目录的日志文件中。默认情况下,此文件名为 /var/log/pkid。
要跟踪 IPsec PKI作,请在[edit security pki]层次结构级别包含以下traceoptions语句:
[edit security pki] traceoptions { file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>; flag flag (all | certificate-verification | enrollment | online-crl-check); }
您可以指定以下 PKI 跟踪标志:
all- 跟踪所有内容。certificates- 跟踪证书事件。database- 跟踪安全关联数据库事件。general- 跟踪常规事件。ike- 跟踪 IKE 模块处理过程。parse- 跟踪配置处理。policy-manager- 跟踪策略管理器处理。routing-socket—跟踪路由套接字消息。snmp- 跟踪 SNMP作。timer- 跟踪内部计时器事件。
变更历史表
是否支持某项功能取决于您使用的平台和版本。使用 功能浏览器 查看您使用的平台是否支持某项功能。
gw-interface 语句来启用 IKE 触发器以及 IKE 和 IPsec SA 的清理。
[edit services ipsec-vpn rule rule-name term term-name from]层次结构级别将
ipsec-inside-interface interface-name AMS 逻辑接口配置为 IPsec 内部接口。
header-integrity-check MS-MIC 和 MS-MPC 支持的选项用于验证数据包标头中 IP、TCP、UDP 和 ICMP 信息中的异常并标记此类异常和错误,其功能与被动模式隧道引起的功能相反。