SUR CETTE PAGE
Exemple : configurer un VPN sur un pare-feu virtuel vSRX entre des VPC Amazon
Cet exemple montre comment configurer le VPN IPsec entre deux instances de pare-feu virtuel vSRX sur différents Amazon VPC.
Avant de commencer
Assurez-vous d’avoir installé et lancé une instance de pare-feu virtuel vSRX dans un Amazon VPC.
Pour plus d’informations, reportez-vous aux sections Générateur de configuration VPN site à site SRX et Dépannage d’un tunnel VPN inactif ou inactif .
Aperçu
Vous pouvez utiliser le VPN IPsec pour sécuriser le trafic entre deux VPC Amazon à l’aide de deux instances de pare-feu virtuel vSRX.
Configuration du VPN vSRX1
Procédure
Procédure étape par étape
Pour configurer le VPN IPsec sur vSRX1 :
Connectez-vous à la console vSRX1 en mode de modification de la configuration (reportez-vous à la section Configurer vSRX à l’aide de l’interface de ligne de commande.
Définissez les adresses IP des interfaces de revenus vSRX1.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
Configurez la zone de sécurité untrust.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services https set security zones security-zone untrust host-inbound-traffic system-services ssh set security security-zone untrust interfaces ge-0/0/0.0 set security security-zone untrust interfaces st0.1
Configurez la zone de sécurité de confiance.
set security zone trust host-inbound-traffic system-services https set security zone trust host-inbound-traffic system-services ssh set security zone trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
Configurez IKE.
set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys set security ike proposal AWS_IKE_Proposal dh-group group2 set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256 set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800 set security ike policy AWS-R mode aggressive set security ike policy AWS-R proposals AWS_IKE_Proposal set security ike policy AWS-R pre-shared-key ascii-text preshared-key set security ike gateway AWS-R ike-policy AWS-R set security ike gateway AWS-R address 198.51.100.10 set security ike gateway AWS-R local-identity user-at-hostname "source@example.net" set security ike gateway AWS-R remote-identity user-at-hostname "dest@example.net" set security ike gateway AWS-R external-interface ge-0/0/0
Configurez IPsec.
set security ipsec proposal AWS_IPSEC protocol esp set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96 set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC set security ipsec vpn aws-aws bind-interface st0.1 set security ipsec vpn aws-aws ike gateway AWS-R set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL set security ipsec vpn aws-aws establish-tunnels immediately
Configurez le routage.
set routing-instances aws instance-type virtual-router set routing-instances aws interface ge-0/0/0.0 set routing-instances aws interface ge-0/0/1.0 set routing-instances aws interface st0.1 set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances aws routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Configuration du VPN vSRX2
Procédure étape par étape
Pour configurer le VPN IPsec sur vSRX2 :
Connectez-vous à la console vSRX2 en mode d’édition de la configuration (reportez-vous à la section Configurer vSRX à l’aide de l’interface de ligne de commande.
Définissez les adresses IP des interfaces de revenus vSRX2.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
Configurez la zone de sécurité untrust.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services https set security zones security-zone untrust host-inbound-traffic system-services ssh set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Configurez la zone de sécurité de confiance.
set security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
Configurez IKE.
set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys set security ike proposal AWS_IKE_Proposal dh-group group2 set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256 set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800 set security ike policy AWS-R mode aggressive set security ike policy AWS-R proposals AWS_IKE_Proposal set security ike policy AWS-R pre-shared-key ascii-text preshared-key set security ike gateway AWS-R ike-policy AWS-R set security ike gateway AWS-R address 203.0.113.10 set security ike gateway AWS-R local-identity user-at-hostname "dest@example.net" set security ike gateway AWS-R remote-identity user-at-hostname "source@example.net" set security ike gateway AWS-R external-interface ge-0/0/0
Configurez IPsec.
set security ipsec proposal AWS_IPSEC protocol esp set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96 set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC set security ipsec vpn aws-aws bind-interface st0.1 set security ipsec vpn aws-aws ike gateway AWS-R set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL set security ipsec vpn aws-aws establish-tunnels immediately
Configurez le routage.
set routing-instances aws instance-type virtual-router set routing-instances aws interface ge-0/0/0.0 set routing-instances aws interface ge-0/0/1.0 set routing-instances aws interface st0.1 set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances aws routing-options static route 10.10.10.0/24 next-hop st0.1 commit
Vérification
Vérifier les tunnels VPN actifs
But
Vérifiez que le tunnel est actif sur les deux instances de pare-feu virtuel vSRX sur AWS.
Action
ec2-user@> show security ipsec security-associations
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX
À partir de Junos OS version 17.4R1, le nom d’utilisateur par défaut est passé de root@ à ec2-user@.