Example: Configure an IPsec VPN Between a vSRX Virtual Firewall and a Virtual Network Gateway in Microsoft Azure
This example shows how to configure an IPsec VPN between a vSRX Virtual Firewall instance and a virtual network gateway in Microsoft Azure.
Before You Begin
Make sure you have installed and started a vSRX Virtual Firewall instance in a Microsoft Azure virtual network.
For more information, see the SRX Site-to-Site VPN Configuration Generator and How to Troubleshoot a VPN Tunnel That Is Down or Not Active.
Overview
You can use an IPsec VPN to secure traffic between two VNets in Microsoft Azure, where a vSRX Virtual Firewall protects one VNet and an Azure virtual network gateway protects the other.
vSRX Virtual Firewall IPsec VPN Configuration
Procedure
Step-by-Step Procedure
To configure the IPsec VPN on the vSRX Virtual Firewall:
Log in to the vSRX Virtual Firewall in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses of the vSRX Virtual Firewall interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24
Set the untrust security zone.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
Set the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA mode main
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 52.175.210.65
set security ike gateway gw-siteB version v2-only
set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note: Be sure to replace the IP address 52.175.210.65 in this example with the correct public IP address.
Configure IPsec.
The following example shows a vSRX Virtual Firewall IPsec configuration that uses the CBC encryption algorithm:
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ike-phase1-policyA proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
If required, you can use AES-GCM instead of CBC as the encryption algorithm in the vSRX Virtual Firewall IPsec configuration:
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ike-phase1-policyA proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure routing.
set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1
commit
Microsoft Azure Virtual Network Gateway Configuration
Procedure
Step-by-Step Procedure
To configure the Microsoft Azure virtual network gateway, see the following Microsoft Azure procedure:
Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections
When forming the site-to-site VPN connection, make sure that the IPsec/IKE parameters in the Microsoft Azure virtual network gateway match the vSRX Virtual Firewall IPsec/IKE parameters.
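As an added example of the parameter check called for above (not Juniper or Microsoft code), the script below parses the vSRX IKE and IPsec proposal lines from this page and compares them with an Azure custom IPsec/IKE policy expressed as a dictionary. The Azure field names follow the Azure IPsec/IKE policy object (dhGroup, ikeEncryption, ikeIntegrity, ipsecEncryption, ipsecIntegrity, saLifeTimeSeconds, saDataSizeKilobytes); the algorithm-name mapping covers only the values used on this page, and the sample policy values are assumed.

```python
import re
# Constructed sample: the CBC proposals from this page, as a Junos set-style config.
VSRX_CONFIG = """
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
"""

# Azure custom IPsec/IKE policy field that each vSRX proposal knob must agree with.
AZURE_FIELD = {
    "dh-group": "dhGroup",
    "ike:authentication-algorithm": "ikeIntegrity",
    "ike:encryption-algorithm": "ikeEncryption",
    "ipsec:authentication-algorithm": "ipsecIntegrity",
    "ipsec:encryption-algorithm": "ipsecEncryption",
    "lifetime-seconds": "saLifeTimeSeconds",
    "lifetime-kilobytes": "saDataSizeKilobytes",
}
# Junos algorithm names -> Azure policy names (subset covering this page's proposals).
JUNOS_TO_AZURE = {
    "group2": "DHGroup2", "group14": "DHGroup14",
    "sha-256": "SHA256", "sha1": "SHA1", "hmac-sha1-96": "SHA1", "hmac-sha-256-128": "SHA256",
    "aes-256-cbc": "AES256", "aes-128-cbc": "AES128", "aes-256-gcm": "GCMAES256",
}
LINE = re.compile(r"^set security (ike|ipsec) proposal \S+ (\S+) (\S+)$")
PHASELESS = ("dh-group", "lifetime-seconds", "lifetime-kilobytes")

def parse_vsrx(config):
    """Translate vSRX proposal lines into {azure_field: azure_value}."""
    out = {}
    for m in filter(None, (LINE.match(l.strip()) for l in config.splitlines())):
        phase, knob, value = m.groups()
        key = knob if knob in PHASELESS else f"{phase}:{knob}"
        if key not in AZURE_FIELD:
            continue  # e.g. 'protocol esp' has no Azure policy counterpart
        mapped = JUNOS_TO_AZURE.get(value, value)
        out[AZURE_FIELD[key]] = int(mapped) if mapped.isdigit() else mapped
    # AES-GCM is an AEAD cipher: Azure expects ipsecIntegrity to repeat the GCM value.
    if out.get("ipsecEncryption", "").startswith("GCMAES"):
        out["ipsecIntegrity"] = out["ipsecEncryption"]
    return out

def find_mismatches(vsrx, azure_policy):
    """Return (field, vsrx_value, azure_value) for each field the two sides disagree on."""
    return [(f, v, azure_policy.get(f)) for f, v in vsrx.items() if azure_policy.get(f) != v]
```

An empty list from find_mismatches means the Azure policy agrees with the vSRX proposals on every field the script knows about; anything it returns is a setting to correct on one side before the tunnel will negotiate.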
Verify the active VPN tunnel.
Verify that the tunnel between the vSRX Virtual Firewall instance and the Azure virtual network gateway is up and running.
root@> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
8290401  UP     b1adf15fc3dfe0b0  89cc2a12cb7e3cd7  IKEv2  52.175.210.65
root@> show security ipsec security-associations
Total active tunnels: 1
  ID       Algorithm              SPI       Life:sec/kb       Mon  lsys  Port  Gateway
  <131073  ESP:aes-gcm-256/None   c0e154e2  5567/ 102399997   -    root  4500  52.175.210.65
  >131073  ESP:aes-gcm-256/None   383bd606  5567/ 102399997   -    root  4500  52.175.210.65