Example: Configure a vSRX Virtual Firewall VPN Between Amazon VPCs
This example shows how to configure an IPsec VPN between two vSRX Virtual Firewall instances that sit in different Amazon VPCs.
Before You Begin
Make sure you have installed and launched a vSRX Virtual Firewall instance in each Amazon VPC.
For additional information, see the SRX Site-to-Site VPN Configuration Generator and How to Troubleshoot a VPN Tunnel That Is Down or Not Active.
Overview
You can use an IPsec VPN between two vSRX Virtual Firewall instances to protect the traffic exchanged between two Amazon VPCs.
Configure the vSRX1 VPN
Procedure
Step-by-Step Procedure
To configure the IPsec VPN on vSRX1:
Log in to the vSRX1 console in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses for the vSRX1 revenue interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24
Set the untrust security zone.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
Set the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
Configure IKE (Internet Key Exchange).
set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys
set security ike proposal AWS_IKE_Proposal dh-group group2
set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256
set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc
set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800
set security ike policy AWS-R mode aggressive
set security ike policy AWS-R proposals AWS_IKE_Proposal
set security ike policy AWS-R pre-shared-key ascii-text preshared-key
set security ike gateway AWS-R ike-policy AWS-R
set security ike gateway AWS-R address 198.51.100.10
set security ike gateway AWS-R local-identity user-at-hostname "source@example.net"
set security ike gateway AWS-R remote-identity user-at-hostname "dest@example.net"
set security ike gateway AWS-R external-interface ge-0/0/0
Configure IPsec.
set security ipsec proposal AWS_IPSEC protocol esp
set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96
set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc
set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC
set security ipsec vpn aws-aws bind-interface st0.1
set security ipsec vpn aws-aws ike gateway AWS-R
set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL
set security ipsec vpn aws-aws establish-tunnels immediately
Configure routing.
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0
set routing-instances aws interface st0.1
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances aws routing-options static route 10.20.20.0/24 next-hop st0.1
commit
Configure the vSRX2 VPN
Step-by-Step Procedure
To configure the IPsec VPN on vSRX2:
Log in to the vSRX2 console in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses for the vSRX2 revenue interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24
set interfaces st0 unit 1 family inet address 10.0.250.20/24
Set the untrust security zone.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
Set the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
Configure IKE (Internet Key Exchange).
set security ike proposal AWS_IKE_Proposal authentication-method pre-shared-keys
set security ike proposal AWS_IKE_Proposal dh-group group2
set security ike proposal AWS_IKE_Proposal authentication-algorithm sha-256
set security ike proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc
set security ike proposal AWS_IKE_Proposal lifetime-seconds 1800
set security ike policy AWS-R mode aggressive
set security ike policy AWS-R proposals AWS_IKE_Proposal
set security ike policy AWS-R pre-shared-key ascii-text preshared-key
set security ike gateway AWS-R ike-policy AWS-R
set security ike gateway AWS-R address 203.0.113.10
set security ike gateway AWS-R local-identity user-at-hostname "dest@example.net"
set security ike gateway AWS-R remote-identity user-at-hostname "source@example.net"
set security ike gateway AWS-R external-interface ge-0/0/0
Configure IPsec.
set security ipsec proposal AWS_IPSEC protocol esp
set security ipsec proposal AWS_IPSEC authentication-algorithm hmac-sha1-96
set security ipsec proposal AWS_IPSEC encryption-algorithm aes-256-cbc
set security ipsec policy AWS_IPSEC_POL proposals AWS_IPSEC
set security ipsec vpn aws-aws bind-interface st0.1
set security ipsec vpn aws-aws ike gateway AWS-R
set security ipsec vpn aws-aws ike ipsec-policy AWS_IPSEC_POL
set security ipsec vpn aws-aws establish-tunnels immediately
Configure routing. The default route must point at the VPC router on the vSRX2 untrust subnet (10.1.0.0/24); the far-side trust subnet (10.10.10.0/24) is reached through the tunnel interface.
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0
set routing-instances aws interface st0.1
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.1.0.1
set routing-instances aws routing-options static route 10.10.10.0/24 next-hop st0.1
commit
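The two procedures above are mirror images of each other: every object name and proposal is identical, and only the local addresses, the peer's gateway address, the swapped IKE identities and the route to the far-side trust subnet differ. The following Python generator is an added example, not Juniper's code or a tool referenced on this page: it derives both peers' set commands from one parameter table (values taken from the vSRX1/vSRX2 steps above) and refuses to emit a config whose default next-hop is not on the untrust subnet, whose st0 endpoints do not share a subnet, or whose IKE identities collide. The field names (untrust_ip, default_gw, public_ip, and so on), the validation rules and the vSRX2 VPC router address 10.1.0.1 (assumed to be the first address of its untrust subnet, as 10.0.0.1 is for vSRX1) are this example's own.

```python
"""Generate mirrored Junos 'set' commands for two vSRX IPsec peers.

Added example, not Juniper's code. Addressing, identities and object
names come from the page's vSRX1/vSRX2 procedures; the validation rules,
the field names and vSRX2's VPC router 10.1.0.1 are assumptions.
"""
import ipaddress

# Peer parameters, constructed from the page's two procedures. Each peer's
# 'public_ip' is the address the *other* side configures as its IKE gateway.
PEERS = {
    "vSRX1": {"untrust_ip": "10.0.0.10/24", "trust_ip": "10.10.10.10/24",
              "st0_ip": "10.0.250.10/24", "default_gw": "10.0.0.1",
              "public_ip": "203.0.113.10", "identity": "source@example.net"},
    "vSRX2": {"untrust_ip": "10.1.0.10/24", "trust_ip": "10.20.20.10/24",
              "st0_ip": "10.0.250.20/24", "default_gw": "10.1.0.1",
              "public_ip": "198.51.100.10", "identity": "dest@example.net"},
}


def validate_pair(local, remote):
    """Catch the mistakes that leave a tunnel half-configured before commit."""
    untrust = ipaddress.ip_interface(local["untrust_ip"]).network
    gw = ipaddress.ip_address(local["default_gw"])
    if gw not in untrust:
        # The VPC router must be on-link, or the default route never installs.
        raise ValueError(f"next-hop {gw} is not on untrust subnet {untrust}")
    st_local = ipaddress.ip_interface(local["st0_ip"])
    st_remote = ipaddress.ip_interface(remote["st0_ip"])
    if st_local.network != st_remote.network or st_local.ip == st_remote.ip:
        raise ValueError("st0 endpoints must be distinct addresses in one subnet")
    if local["identity"] == remote["identity"]:
        raise ValueError("IKE local and remote identities must differ")


def build_config(local, remote, psk):
    """Return the ordered 'set' commands for one peer of the tunnel."""
    validate_pair(local, remote)
    remote_trust = ipaddress.ip_interface(remote["trust_ip"]).network
    ike = "set security ike"
    ipsec = "set security ipsec"
    zone = "set security zones security-zone"
    return [
        f"set interfaces ge-0/0/0 unit 0 family inet address {local['untrust_ip']}",
        f"set interfaces ge-0/0/1 unit 0 family inet address {local['trust_ip']}",
        f"set interfaces st0 unit 1 family inet address {local['st0_ip']}",
        f"{zone} untrust screen untrust-screen",
        f"{zone} untrust host-inbound-traffic system-services ssh",
        f"{zone} untrust interfaces ge-0/0/0.0",
        f"{zone} untrust interfaces st0.1",
        f"{zone} trust host-inbound-traffic system-services ping",
        f"{zone} trust interfaces ge-0/0/1.0",
        f"{ike} proposal AWS_IKE_Proposal authentication-method pre-shared-keys",
        f"{ike} proposal AWS_IKE_Proposal dh-group group2",
        f"{ike} proposal AWS_IKE_Proposal authentication-algorithm sha-256",
        f"{ike} proposal AWS_IKE_Proposal encryption-algorithm aes-256-cbc",
        f"{ike} policy AWS-R proposals AWS_IKE_Proposal",
        f"{ike} policy AWS-R pre-shared-key ascii-text {psk}",
        f"{ike} gateway AWS-R ike-policy AWS-R",
        f"{ike} gateway AWS-R address {remote['public_ip']}",
        f'{ike} gateway AWS-R local-identity user-at-hostname "{local["identity"]}"',
        f'{ike} gateway AWS-R remote-identity user-at-hostname "{remote["identity"]}"',
        f"{ike} gateway AWS-R external-interface ge-0/0/0",
        f"{ipsec} proposal AWS_IPSEC protocol esp",
        f"{ipsec} proposal AWS_IPSEC authentication-algorithm hmac-sha1-96",
        f"{ipsec} proposal AWS_IPSEC encryption-algorithm aes-256-cbc",
        f"{ipsec} policy AWS_IPSEC_POL proposals AWS_IPSEC",
        f"{ipsec} vpn aws-aws bind-interface st0.1",
        f"{ipsec} vpn aws-aws ike gateway AWS-R",
        f"{ipsec} vpn aws-aws ike ipsec-policy AWS_IPSEC_POL",
        f"{ipsec} vpn aws-aws establish-tunnels immediately",
        "set routing-instances aws instance-type virtual-router",
        "set routing-instances aws interface ge-0/0/0.0",
        "set routing-instances aws interface ge-0/0/1.0",
        "set routing-instances aws interface st0.1",
        f"set routing-instances aws routing-options static route 0.0.0.0/0 next-hop {local['default_gw']}",
        # The one route that differs per peer: the far side's trust subnet via the tunnel.
        f"set routing-instances aws routing-options static route {remote_trust} next-hop st0.1",
    ]


def build_both(psk):
    """Configs for both peers, each pointing at the other."""
    return {
        "vSRX1": build_config(PEERS["vSRX1"], PEERS["vSRX2"], psk),
        "vSRX2": build_config(PEERS["vSRX2"], PEERS["vSRX1"], psk),
    }


if __name__ == "__main__":
    for name, cmds in build_both("preshared-key").items():
        print(f"# {name}")
        print("\n".join(cmds))
```

The generator leaves the IKE policy at its default (main) mode rather than setting aggressive mode as the page does, and omits the HTTPS host-inbound services; everything else matches the steps above. Feeding a peer table with an off-subnet default gateway into build_config raises before a single command is printed, which is the check that would have caught a next-hop copied from the other VPC.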
Verification
Verify the Active VPN Tunnel
Purpose
Verify that the tunnel is up on both vSRX Virtual Firewall instances in AWS.
Action
ec2-user@> show security ipsec security-associations
Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-256/sha1 de836105 1504/ unlim -   root 4500  52.200.89.XXX
  >131074 ESP:aes-cbc-256/sha1 b349bc84 1504/ unlim -   root 4500  52.200.89.XXX
Starting in Junos OS Release 17.4R1, the default username has changed from root@ to ec2-user@.
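The verification step above checks the tunnel once, by eye. A healthy tunnel shows one inbound (<) and one outbound (>) SA per tunnel ID, the algorithms the proposals negotiated, a gateway that is the expected peer, and a remaining lifetime that is not about to hit zero. The following Python parser is an added example, not Juniper's code or output from this page: it reads the show security ipsec security-associations text into records and returns the findings a monitoring job would raise. The sample output is constructed to match the shape of the page's output (the redacted gateway 52.200.89.XXX is kept as shown); the expected-algorithm string and the 300-second lifetime threshold are assumptions.

```python
"""Parse 'show security ipsec security-associations' and judge tunnel health.

Added example, not Juniper's code. The sample output below is constructed
from the page's verification step (the redacted gateway 52.200.89.XXX is
kept as shown); thresholds and the expected-algorithm string are assumptions.
"""
import re

# Constructed sample, shaped like the page's output (two SAs of one tunnel).
SAMPLE_OUTPUT = """\
Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-256/sha1 de836105 1504/ unlim -   root 4500  52.200.89.XXX
  >131074 ESP:aes-cbc-256/sha1 b349bc84 1504/ unlim -   root 4500  52.200.89.XXX
"""

# Direction marker, tunnel ID, algorithm, SPI, seconds/kilobytes, Mon, lsys, port, gateway.
SA_LINE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_sa_output(text):
    """Return (declared_total, [sa dicts]) from the CLI text."""
    total = None
    sas = []
    for line in text.splitlines():
        m = re.match(r"\s*Total active tunnels:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        m = SA_LINE.match(line)
        if m:
            direction, tid, alg, spi, life_s, life_kb, mon, lsys, port, gw = m.groups()
            sas.append({
                "direction": "inbound" if direction == "<" else "outbound",
                "id": int(tid), "algorithm": alg, "spi": spi,
                "life_seconds": int(life_s), "life_kb": life_kb,
                "monitored": mon != "-", "lsys": lsys,
                "port": int(port), "gateway": gw,
            })
    return total, sas


def check_tunnel(text, expected_gateway, expected_alg="ESP:aes-cbc-256/sha1", min_life=300):
    """Findings a monitoring job would raise; an empty list means healthy."""
    total, sas = parse_sa_output(text)
    findings = []
    if not total:
        findings.append("no active tunnels reported")
        return findings
    by_id = {}
    for sa in sas:
        by_id.setdefault(sa["id"], set()).add(sa["direction"])
        if sa["gateway"] != expected_gateway:
            findings.append(f"SA {sa['id']} peers with unexpected gateway {sa['gateway']}")
        if sa["algorithm"] != expected_alg:
            findings.append(f"SA {sa['id']} negotiated {sa['algorithm']}, expected {expected_alg}")
        if sa["life_seconds"] < min_life:
            findings.append(f"SA {sa['id']} {sa['direction']} rekeys in {sa['life_seconds']}s")
    if len(by_id) != total:
        findings.append(f"header says {total} tunnels, parsed {len(by_id)}")
    for tid, dirs in by_id.items():
        # A healthy tunnel has both an inbound (<) and an outbound (>) SA.
        if dirs != {"inbound", "outbound"}:
            missing = ({"inbound", "outbound"} - dirs).pop()
            findings.append(f"tunnel {tid} is missing its {missing} SA")
    return findings


if __name__ == "__main__":
    print(check_tunnel(SAMPLE_OUTPUT, "52.200.89.XXX") or "tunnel healthy")
```

Port 4500 in the output means the peers negotiated NAT traversal (UDP-encapsulated ESP), which is expected here because each vSRX untrust interface carries a private VPC address that AWS maps to the public address the other side dials. The algorithm column is what was actually negotiated, so comparing it against the configured proposal catches a peer that silently agreed on something weaker than intended.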