本页内容
示例:在两个 vSRX 虚拟防火墙实例之间配置 IPsec VPN
此示例说明如何在 Microsoft Azure 中的两个 vSRX 虚拟防火墙实例之间配置 IPsec VPN。
准备工作
确保已在 Microsoft Azure 虚拟网络中安装并启动 vSRX 虚拟防火墙实例。
有关更多信息,请参阅 SRX 站点到站点 VPN 配置生成器 以及如何 对已关闭或非活动的 VPN 隧道进行故障排除 。
概述
可以使用 IPsec VPN 通过两个 vSRX 虚拟防火墙实例保护 Microsoft Azure 中两个 VNET 之间的流量。
vSRX 虚拟防火墙 IPsec VPN 配置
vSRX1 VPN 配置
分步过程
要在 vSRX1 上配置 IPsec VPN,请执行以下作:
在配置编辑模式下登录到 vSRX1(请参阅 使用 CLI 配置 vSRX)。
设置 vSRX1 接口的 IP 地址。
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
设置不信任安全区域。
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
设置信任安全区域。
set security zones trust host-inbound-traffic system-services https set security zones trust host-inbound-traffic system-services ssh set security zones trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
配置 IKE。
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key> set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 198.51.100.10 set security ike gateway gw-siteB local-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
注意:请务必在此示例中替换
198.51.100.10为正确的公共 IP 地址。配置 IPsec。
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
配置路由。
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
vSRX2 VPN 配置
分步过程
要在 vSRX2 上配置 IPsec VPN,请执行以下作:
在配置编辑模式下登录到 vSRX2(请参阅 使用 CLI 配置 vSRX。
设置 vSRX2 接口的 IP 地址。
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
设置不信任安全区域。
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
设置信任安全区域。
set security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
配置 IKE。
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 203.0.113.10 set security ike gateway gw-siteB local-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
注意:请务必在此示例中替换
203.0.113.10为正确的公共 IP 地址。另请注意,SiteB 本地身份和远程身份应与 SiteA 本地身份和远程身份形成对比。配置 IPsec。
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
配置路由。
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
验证
验证活动 VPN 隧道
目的
验证隧道是否在两个 vSRX 虚拟防火墙实例上都已启动。
行动
root@> show security ipsec security-associations
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX