Exemple : Configuration d’un VPN IPsec entre deux instances de pare-feu virtuel vSRX
Cet exemple montre comment configurer un VPN IPsec entre deux instances de pare-feu virtuel vSRX dans Microsoft Azure.
Avant de commencer
Assurez-vous d’avoir installé et lancé une instance de pare-feu virtuel vSRX dans le réseau virtuel Microsoft Azure.
Pour plus d’informations, reportez-vous aux sections SRX Site-to-Site VPN Configuration Generator et How to troubleshoot a VPN in down or not active tunnel in service.
Aperçu
Vous pouvez utiliser un VPN IPsec pour sécuriser le trafic entre deux réseaux virtuels dans Microsoft Azure à l’aide de deux instances de pare-feu virtuel vSRX.
Pare-feu virtuel vSRX Configuration du VPN IPsec
Configuration du VPN vSRX1
Procédure étape par étape
Pour configurer le VPN IPsec sur vSRX1 :
Connectez-vous au vSRX1 en mode d’édition de configuration (voir Configurer vSRX à l’aide de l’interface de ligne de commande).
Définissez les adresses IP des interfaces vSRX1.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
Configurez la zone de sécurité untrust.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Configurez la zone de sécurité de confiance.
set security zones trust host-inbound-traffic system-services https set security zones trust host-inbound-traffic system-services ssh set security zones trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
Configurez IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key> set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 198.51.100.10 set security ike gateway gw-siteB local-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note:Assurez-vous de remplacer
198.51.100.10dans cet exemple par l’adresse IP publique correcte.Configurez IPsec.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configurez le routage.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Configuration du VPN vSRX2
Procédure étape par étape
Pour configurer le VPN IPsec sur vSRX2 :
Connectez-vous au vSRX2 en mode d’édition de la configuration (reportez-vous à la section Configurer vSRX à l’aide de l’interface de ligne de commande.
Définissez les adresses IP des interfaces vSRX2.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
Configurez la zone de sécurité untrust.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Configurez la zone de sécurité de confiance.
set security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
Configurez IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 203.0.113.10 set security ike gateway gw-siteB local-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note:Assurez-vous de remplacer
203.0.113.10dans cet exemple par l’adresse IP publique correcte. Notez également que l’identité locale et l’identité distante SiteB doivent être en contraste avec l’identité locale et l’identité distante SiteA.Configurez IPsec.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configurez le routage.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Vérification
Vérifier les tunnels VPN actifs
But
Vérifiez que le tunnel est actif sur les deux instances du pare-feu virtuel vSRX.
Action
root@> show security ipsec security-associations
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX