이 페이지에서
예: 두 vSRX 가상 방화벽 인스턴스 간에 IPSec VPN 구성
이 예는 Microsoft Azure에서 두 개의 vSRX 가상 방화벽 인스턴스 간에 IPSec VPN을 구성하는 방법을 보여줍니다.
시작하기 전에
Microsoft Azure 가상 네트워크에 vSRX 가상 방화벽 인스턴스를 설치하고 시작했는지 확인합니다.
추가 정보는 SRX 사이트 간 VPN 구성 생성기 및 중단되거나 활성화되지 않은 VPN 터널의 문제를 해결하는 방법을 참조하십시오.
개요
IPsec VPN을 사용하여 두 개의 vSRX 가상 방화벽 인스턴스를 사용하여 Microsoft Azure의 두 VNET 사이의 트래픽을 보호할 수 있습니다.
vSRX 가상 방화벽 IPSec VPN 구성
vSRX1 VPN 구성
단계별 절차
vSRX1에서 IPsec VPN을 구성하려면 다음을 수행합니다.
구성 편집 모드의 vSRX1에 로그인합니다(CLI를 사용하여 vSRX 구성 참조).
vSRX1 인터페이스에 대한 IP 주소를 설정합니다.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
신뢰할 수 없는 보안 영역을 설정합니다.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
트러스트 보안 영역을 설정합니다.
set security zone trust host-inbound-traffic system-services https set security zone trust host-inbound-traffic system-services ssh set security zone trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
IKE(Internet Internet)를 구성합니다.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key> set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 198.51.100.10 set security ike gateway gw-siteB local-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
참고:이 예에서 올바른 공용 IP 주소로 대체
198.51.100.10
해야 합니다.IPsec을 구성합니다.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
라우팅을 구성합니다.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
vSRX2 VPN 구성
단계별 절차
vSRX2에서 IPsec VPN을 구성하려면:
구성 편집 모드의 vSRX2에 로그인합니다(CLI를 사용하여 vSRX 구성을 참조하십시오.
vSRX2 인터페이스에 대한 IP 주소를 설정합니다.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
신뢰할 수 없는 보안 영역을 설정합니다.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
트러스트 보안 영역을 설정합니다.
set security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
IKE(Internet Internet)를 구성합니다.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 203.0.113.10 set security ike gateway gw-siteB local-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
참고:이 예에서 올바른 공용 IP 주소로 대체
203.0.113.10
해야 합니다. 또한 SiteB 로컬 ID 및 원격 ID는 SiteA 로컬 ID 및 원격 ID와는 대조적이어야 합니다.IPsec을 구성합니다.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
라우팅을 구성합니다.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
확인
활성 VPN 터널 확인
목적
두 vSRX 가상 방화벽 인스턴스 모두에서 터널이 작동 중인지 확인합니다.
작업
root@> show security ipsec security-associations
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX