Ejemplo: Configurar una VPN IPsec entre dos instancias de firewall virtual vSRX
En este ejemplo, se muestra cómo configurar una VPN IPsec entre dos instancias del firewall virtual vSRX en Microsoft Azure.
Antes de empezar
Asegúrese de que ha instalado y lanzado una instancia de firewall virtual vSRX en la red virtual de Microsoft Azure.
Consulte Generador de configuración de sitio a sitio DE SRX y Cómo solucionar problemas de un túnel VPN que está inactivo o no activo para obtener información adicional.
Visión general
Puede usar una VPN IPsec para proteger el tráfico entre dos VNET en Microsoft Azure mediante dos instancias de firewall virtual vSRX.
Configuración vpn IPsec del firewall virtual vSRX
Configuración de VPN vSRX1
Procedimiento paso a paso
Para configurar VPN IPsec en vSRX1:
Inicie sesión en vSRX1 en modo de edición de configuración (consulte Configurar vSRX mediante la CLI).
Establezca las direcciones IP para interfaces vSRX1.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
Configure la zona de seguridad de no confianza.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Configure la zona de seguridad de confianza.
set security zone trust host-inbound-traffic system-services https set security zone trust host-inbound-traffic system-services ssh set security zone trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
Configure ICR.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key> set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 198.51.100.10 set security ike gateway gw-siteB local-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Nota:Asegúrese de reemplazar
198.51.100.10
en este ejemplo con la dirección IP pública correcta.Configure IPsec.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure el enrutamiento.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Configuración vpn vSRX2
Procedimiento paso a paso
Para configurar VPN IPsec en vSRX2:
Inicie sesión en vSRX2 en modo de edición de configuración (consulte Configurar vSRX mediante la CLI.
Establezca las direcciones IP para las interfaces vSRX2.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
Configure la zona de seguridad de no confianza.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Configure la zona de seguridad de confianza.
set security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
Configure ICR.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 203.0.113.10 set security ike gateway gw-siteB local-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Nota:Asegúrese de reemplazar
203.0.113.10
en este ejemplo con la dirección IP pública correcta. También tenga en cuenta que la identidad local y la identidad remota de SiteB deben estar en contraste con la identidad local de SiteA y la identidad remota.Configure IPsec.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure el enrutamiento.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Verificación
Verificar túneles VPN activos
Propósito
Verifique que el túnel esté activo en ambas instancias del firewall virtual vSRX.
Acción
root@> show security ipsec security-associations
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX