Connecting a Juniper vSRX peer
You can use IBM Cloud VPN for VPC to securely connect your VPC to an on-premises network through a VPN tunnel. This topic describes how to configure a Juniper VPN gateway to connect to VPN for VPC.
If the Juniper vSRX requires Perfect Forward Secrecy (PFS) to be enabled in phase 2, you must create a custom IPsec policy to replace the default policy of VPN for VPC. For more information, see Creating a custom IPsec policy for Juniper vSRX.
These instructions are based on Juniper vSRX, JUNOS software release [23.2R1-S1 Standard 23.2.1.1].
Read the VPN gateway known issues before you continue to connect to your on-premises peer.
When the Juniper VPN receives a connection request from VPN for VPC, Juniper uses the IPsec phase 1 parameters to establish a secure connection and authenticate the VPN for VPC gateway. Then, if the security policy permits the connection, the Juniper VPN establishes the tunnel using the IPsec phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following must be done on the Juniper vSRX unit:
- Define the phase 1 parameters that the Juniper vSRX VPN requires to authenticate the remote peer and establish a secure connection.
- Define the phase 2 parameters that the Juniper vSRX VPN requires to create a VPN tunnel to VPN for VPC.
The general configuration steps are as follows.
- Select IKEv2 in phase 1.
- Set up the policy-based method.
- Enable DH-group 19 in the phase 1 proposal.
- Set lifetime = 36000 in the phase 1 proposal.
- Enable PFS in the phase 2 proposal.
- Set lifetime = 10800 in the phase 2 proposal.
- Enter your peer network and subnet information in the phase 2 proposal.
- Allow UDP 500 traffic on the external interface.
Policy-based configuration for Juniper vSRX
The following example shows how to set up the security configuration.
- Configure the IKE proposal for the policy-based VPN.

  set security ike proposal ibm-vpc-ike-proposal authentication-method pre-shared-keys
  set security ike proposal ibm-vpc-ike-proposal dh-group group19
  set security ike proposal ibm-vpc-ike-proposal authentication-algorithm sha-256
  set security ike proposal ibm-vpc-ike-proposal encryption-algorithm aes-256-cbc
  set security ike proposal ibm-vpc-ike-proposal lifetime-seconds 86400
  set security ike policy ibm-vpc-ike-policy mode main
  set security ike policy ibm-vpc-ike-policy proposals ibm-vpc-ike-proposal
  set security ike policy ibm-vpc-ike-policy pre-shared-key ascii-text <your-psk>

- Configure the IKE gateway for the policy-based VPN gateway.

  set security ike gateway ibm-vpc-policy-vpn-gateway ike-policy ibm-vpc-ike-policy
  set security ike gateway ibm-vpc-policy-vpn-gateway address <VPN for VPC Gateway Public IP>
  set security ike gateway ibm-vpc-policy-vpn-gateway dead-peer-detection interval 2
  set security ike gateway ibm-vpc-policy-vpn-gateway dead-peer-detection threshold 3
  set security ike gateway ibm-vpc-policy-vpn-gateway local-identity inet <vSRX Public IP>
  set security ike gateway ibm-vpc-policy-vpn-gateway external-interface ae1.0
  set security ike gateway ibm-vpc-policy-vpn-gateway version v2-only

- Configure the IPsec proposal for the policy-based VPN.

  set security ipsec proposal ibm-vpc-ipsec-proposal protocol esp
  set security ipsec proposal ibm-vpc-ipsec-proposal authentication-algorithm hmac-sha-256-128
  set security ipsec proposal ibm-vpc-ipsec-proposal encryption-algorithm aes-256-cbc
  set security ipsec proposal ibm-vpc-ipsec-proposal lifetime-seconds 3600
  set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19
  set security ipsec policy ibm-vpc-ipsec-policy proposals ibm-vpc-ipsec-proposal

- Configure the VTI and the VPN connection to the policy-based VPN gateway.

  set interfaces st0 unit 2 description Tunnel-to-IBM-VPC-POLICY-VPN-GATEWAY
  set interfaces st0 unit 2 family inet
  set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn bind-interface st0.2
  set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn ike gateway ibm-vpc-policy-vpn-gateway
  set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn ike ipsec-policy ibm-vpc-ipsec-policy
  set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn traffic-selector pair1 local-ip <on-premise-subnet>
  set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn traffic-selector pair1 remote-ip <vpc-subnet>
  set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn establish-tunnels immediately

- Configure the control-plane firewall to allow IKE/IPsec protocol traffic.

  set firewall filter PROTECT-IN term IPSec-IKE from source-address <VPN for VPC Gateway Public IP>/32
  set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
  set firewall filter PROTECT-IN term IPSec-IKE from port 500
  set firewall filter PROTECT-IN term IPSec-IKE then accept
  set firewall filter PROTECT-IN term IPSec-ESP from source-address <VPN for VPC Gateway Public IP>/32
  set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
  set firewall filter PROTECT-IN term IPSec-ESP then accept
  set firewall filter PROTECT-IN term IPSec-4500 from source-address <VPN for VPC Gateway Public IP>/32
  set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
  set firewall filter PROTECT-IN term IPSec-4500 from port 4500
  set firewall filter PROTECT-IN term IPSec-4500 then accept

- Configure the data-plane firewall to allow traffic between on-premises and IBM VPC.

  set security zones security-zone vpn-zone interfaces st0.2
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match source-address any
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match destination-address any
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match application any
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn then permit
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match source-address any
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match destination-address any
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match application any
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private then permit

- Configure TCP MSS clamping on the vSRX to avoid unnecessary fragmentation.

  set security flow tcp-mss ipsec-vpn mss 1360

- After the configuration is applied, you can check the connection status from the CLI with the following command:

  run show security ipsec security-associations
Creating a custom IPsec policy for Juniper vSRX
By default, VPN for VPC disables PFS in phase 2. If the Juniper vSRX requires PFS to be enabled in phase 2, you must create a custom IPsec policy to replace the default policy of VPN for VPC.
To use a custom IPsec policy with VPN for VPC, follow these steps:
- On the VPN for VPC page in the IBM Cloud console, select the IPsec policies tab.
- Click New IPsec policy and specify the following values:
  - For the Authentication field, select sha256.
  - For the Encryption field, select aes256.
  - Select the PFS option.
  - For the DH group field, select 19.
  - For the Key lifetime field, specify 3600.
- When you create the VPN connection in the VPC, select this custom IPsec policy.
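As an added example (not part of the original page, and not IBM or Juniper tooling), the following Python script parses the phase 2 `set` commands from the vSRX IPsec configuration above and checks them against the values of the custom IPsec policy, so that a mismatch such as the default VPC policy with PFS disabled is caught before the connection is created. The two VPC policy dictionaries are constructed from the values on this page; the page only states that the default policy has PFS disabled, so its other values are assumptions.

```python
# Junos phase-2 "set" lines from this page's IPsec configuration, embedded as sample input.
VSRX_IPSEC_CONFIG = """
set security ipsec proposal ibm-vpc-ipsec-proposal protocol esp
set security ipsec proposal ibm-vpc-ipsec-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal ibm-vpc-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal ibm-vpc-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19
set security ipsec policy ibm-vpc-ipsec-policy proposals ibm-vpc-ipsec-proposal
"""
# Junos algorithm names mapped to the names used in the VPN for VPC IPsec policy form.
AUTH_MAP = {"hmac-sha-256-128": "sha256", "hmac-sha-384-192": "sha384", "hmac-sha-512-256": "sha512"}
ENC_MAP = {"aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256"}
# The custom policy this page tells you to create (sha256, aes256, PFS on, DH group 19, lifetime 3600).
CUSTOM_VPC_POLICY = {"authentication": "sha256", "encryption": "aes256",
                     "pfs": True, "dh_group": 19, "key_lifetime": 3600}
# The page only states that the default policy has PFS disabled; the other values are assumed here.
DEFAULT_VPC_POLICY = {"authentication": "sha256", "encryption": "aes256",
                      "pfs": False, "key_lifetime": 3600}

def parse_vsrx_phase2(config):
    """Extract the phase-2 proposal parameters and PFS group from Junos set commands."""
    params = {"pfs": False}
    for line in config.strip().splitlines():
        words = line.split()
        # shape: set security ipsec <proposal|policy> <name> <knob> ... <value>
        if len(words) < 7 or words[:3] != ["set", "security", "ipsec"]:
            continue
        knob, value = words[5], words[-1]
        if knob == "authentication-algorithm":
            params["authentication"] = AUTH_MAP.get(value, value)
        elif knob == "encryption-algorithm":
            params["encryption"] = ENC_MAP.get(value, value)
        elif knob == "lifetime-seconds":
            params["key_lifetime"] = int(value)
        elif knob == "perfect-forward-secrecy":
            params["pfs"] = True
            params["dh_group"] = int(value[len("group"):])
    return params

def policy_mismatches(vpc_policy, vsrx_params):
    """Return the parameters on which the two sides disagree; an empty list means they match."""
    mismatches = []
    for key in ("authentication", "encryption", "pfs", "dh_group", "key_lifetime"):
        if key == "dh_group" and not (vpc_policy.get("pfs") and vsrx_params.get("pfs")):
            continue  # a DH group is only negotiated when both sides use PFS
        if vpc_policy.get(key) != vsrx_params.get(key):
            mismatches.append(f"{key}: vpc={vpc_policy.get(key)!r} vsrx={vsrx_params.get(key)!r}")
    return mismatches
```

Running `policy_mismatches(DEFAULT_VPC_POLICY, parse_vsrx_phase2(VSRX_IPSEC_CONFIG))` reports the PFS disagreement, while the custom policy yields an empty list.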
Setting up a route-based configuration for Juniper vSRX
The following configuration shows how to set up two route-based tunnels between a Juniper vSRX VPN and VPN for VPC, using weighted preference between the two tunnels.
The VPN for VPC gateway should have a connection whose peer address is the vSRX public IP.
The following is an example for setting up the vSRX configuration.
- Configure the IKE proposal for the route-based VPN:

  set security ike proposal ibm-vpc-ike-proposal authentication-method pre-shared-keys
  set security ike proposal ibm-vpc-ike-proposal dh-group group19
  set security ike proposal ibm-vpc-ike-proposal authentication-algorithm sha-256
  set security ike proposal ibm-vpc-ike-proposal encryption-algorithm aes-256-cbc
  set security ike proposal ibm-vpc-ike-proposal lifetime-seconds 86400
  set security ike policy ibm-vpc-ike-policy mode main
  set security ike policy ibm-vpc-ike-policy proposals ibm-vpc-ike-proposal
  set security ike policy ibm-vpc-ike-policy pre-shared-key ascii-text <your-psk>

- Configure the IKE gateway to the primary tunnel:

  set security ike gateway ibm-vpc-gateway-primary ike-policy ibm-vpc-ike-policy
  set security ike gateway ibm-vpc-gateway-primary address <VPN for VPC Gateway Small Public IP>
  set security ike gateway ibm-vpc-gateway-primary dead-peer-detection interval 2
  set security ike gateway ibm-vpc-gateway-primary dead-peer-detection threshold 3
  set security ike gateway ibm-vpc-gateway-primary local-identity inet <vSRX Public IP>
  set security ike gateway ibm-vpc-gateway-primary external-interface ae1.0
  set security ike gateway ibm-vpc-gateway-primary version v2-only

- Configure the IPsec proposal for the route-based VPN:

  set security ipsec proposal ibm-vpc-ipsec-proposal protocol esp
  set security ipsec proposal ibm-vpc-ipsec-proposal authentication-algorithm hmac-sha-256-128
  set security ipsec proposal ibm-vpc-ipsec-proposal encryption-algorithm aes-256-cbc
  set security ipsec proposal ibm-vpc-ipsec-proposal lifetime-seconds 3600
  set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19
  set security ipsec policy ibm-vpc-ipsec-policy proposals ibm-vpc-ipsec-proposal

- Configure the VTI and the VPN connection to the primary VPN tunnel:

  Create the virtual tunnel interface and configure a link-local address (169.254.0.2/30) on it. Choose the link-local address carefully and make sure that it does not overlap with any other address on the device. A subnet with a 30-bit netmask has two usable IP addresses (169.254.0.1 and 169.254.0.2). The first IP address, 169.254.0.1, is used as the IBM VPN gateway VTI address; the second IP address, 169.254.0.2, is used as the vSRX VTI address. If there are multiple VTIs on the vSRX, you can choose another link-local subnet, such as 169.254.0.4/30, 169.254.0.8/30, and so on. You do not need to configure 169.254.0.1 on the IBM VPN gateway; it is referenced only when you configure routes on the vSRX.

  set interfaces st0 unit 2 multipoint
  set interfaces st0 unit 2 family inet next-hop-tunnel 169.254.0.1 ipsec-vpn ibm-vpc-gateway-primary-vpn
  set interfaces st0 unit 2 family inet address 169.254.0.2/30
  set security ipsec vpn ibm-vpc-gateway-primary-vpn bind-interface st0.2
  set security ipsec vpn ibm-vpc-gateway-primary-vpn ike gateway ibm-vpc-gateway-primary
  set security ipsec vpn ibm-vpc-gateway-primary-vpn ike ipsec-policy ibm-vpc-ipsec-policy
  set security ipsec vpn ibm-vpc-gateway-primary-vpn establish-tunnels immediately

- Configure the route to the primary VPN tunnel:

  set routing-options static route <your-VPC-subnet> next-hop 169.254.0.1

- Configure the control-plane firewall to allow IKE/IPsec protocol traffic for the route-based VPN:

  set firewall filter PROTECT-IN term IPSec-IKE from source-address <VPN for VPC Gateway Small Public IP>/32
  set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
  set firewall filter PROTECT-IN term IPSec-IKE from port 500
  set firewall filter PROTECT-IN term IPSec-IKE then accept
  set firewall filter PROTECT-IN term IPSec-ESP from source-address <VPN for VPC Gateway Small Public IP>/32
  set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
  set firewall filter PROTECT-IN term IPSec-ESP then accept
  set firewall filter PROTECT-IN term IPSec-4500 from source-address <VPN for VPC Gateway Small Public IP>/32
  set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
  set firewall filter PROTECT-IN term IPSec-4500 from port 4500
  set firewall filter PROTECT-IN term IPSec-4500 then accept

- Configure the data-plane firewall to allow traffic between on-premises and IBM VPC for the route-based VPN:

  set security zones security-zone vpn-zone interfaces st0.2
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match source-address any
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match destination-address any
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match application any
  set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn then permit
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match source-address any
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match destination-address any
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match application any
  set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private then permit

- Configure TCP MSS clamping on the vSRX to avoid unnecessary fragmentation for the route-based VPN:

  set security flow tcp-mss ipsec-vpn mss 1360

- Configure the IKE gateway to the secondary tunnel:

  set security ike gateway ibm-vpc-gateway-secondary ike-policy ibm-vpc-ike-policy
  set security ike gateway ibm-vpc-gateway-secondary address <VPN for VPC Gateway Big Public IP>
  set security ike gateway ibm-vpc-gateway-secondary dead-peer-detection interval 2
  set security ike gateway ibm-vpc-gateway-secondary dead-peer-detection threshold 3
  set security ike gateway ibm-vpc-gateway-secondary local-identity inet <vSRX Public IP>
  set security ike gateway ibm-vpc-gateway-secondary external-interface ae1.0
  set security ike gateway ibm-vpc-gateway-secondary version v2-only

- Configure the VTI and the VPN connection to the secondary VPN tunnel:

  set interfaces st0 unit 3 multipoint
  set interfaces st0 unit 3 family inet next-hop-tunnel 169.254.0.5 ipsec-vpn ibm-vpc-gateway-secondary-vpn
  set interfaces st0 unit 3 family inet address 169.254.0.6/30
  set security ipsec vpn ibm-vpc-gateway-secondary-vpn bind-interface st0.3
  set security ipsec vpn ibm-vpc-gateway-secondary-vpn ike gateway ibm-vpc-gateway-secondary
  set security ipsec vpn ibm-vpc-gateway-secondary-vpn ike ipsec-policy ibm-vpc-ipsec-policy
  set security ipsec vpn ibm-vpc-gateway-secondary-vpn establish-tunnels immediately

- Configure the control-plane firewall to allow IKE/IPsec protocol traffic from the secondary tunnel:

  set firewall filter PROTECT-IN term IPSec-IKE from source-address <VPN for VPC Gateway Big Public IP>/32
  set firewall filter PROTECT-IN term IPSec-ESP from source-address <VPN for VPC Gateway Big Public IP>/32
  set firewall filter PROTECT-IN term IPSec-4500 from source-address <VPN for VPC Gateway Big Public IP>/32

- Add the VTI to the security zone:

  set security zones security-zone vpn-zone interfaces st0.3

- Add the route to the secondary tunnel:

  set routing-options static route <your-VPC-subnet> qualified-next-hop 169.254.0.5 preference 30
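As an added example (not from this page, and not Juniper or IBM code), the following Python helper applies the link-local addressing scheme described in the VTI step above: it derives the /30 for the n-th tunnel, assigns the first host to the IBM gateway side and the second to the vSRX side, checks the /30 against addresses already configured on the device, and emits the st0 lines in the form used on this page. The list of existing addresses is a constructed sample.

```python
import ipaddress

# Base of the link-local range the page carves /30 subnets out of: .0/30, .4/30, .8/30, ...
LINK_LOCAL_BASE = ipaddress.ip_network("169.254.0.0/16")

def vti_addresses(tunnel_index):
    """Return (subnet, ibm_gateway_ip, vsrx_ip) for the n-th tunnel (0-based).
    The first usable host is the IBM VPN gateway side, the second is the vSRX side."""
    subnet = ipaddress.ip_network((int(LINK_LOCAL_BASE.network_address) + 4 * tunnel_index, 30))
    ibm_ip, vsrx_ip = list(subnet.hosts())
    return subnet, ibm_ip, vsrx_ip

def overlapping_addresses(subnet, existing_addresses):
    """Return the existing interface addresses ('a.b.c.d/len' strings) that fall inside subnet."""
    return [a for a in existing_addresses if ipaddress.ip_interface(a).ip in subnet]

def next_free_vti(existing_addresses, max_tunnels=64):
    """Pick the lowest-numbered /30 that does not clash with an address already on the vSRX."""
    for n in range(max_tunnels):
        subnet, ibm_ip, vsrx_ip = vti_addresses(n)
        if not overlapping_addresses(subnet, existing_addresses):
            return n, subnet, ibm_ip, vsrx_ip
    raise ValueError("no free link-local /30 within range")

def junos_vti_config(unit, tunnel_index, vpn_name):
    """Emit the st0 unit lines for a route-based tunnel in the form used on this page."""
    subnet, ibm_ip, vsrx_ip = vti_addresses(tunnel_index)
    return [
        f"set interfaces st0 unit {unit} multipoint",
        f"set interfaces st0 unit {unit} family inet next-hop-tunnel {ibm_ip} ipsec-vpn {vpn_name}",
        f"set interfaces st0 unit {unit} family inet address {vsrx_ip}/{subnet.prefixlen}",
    ]

# Constructed sample: addresses already present on the vSRX, including the primary tunnel's VTI.
EXISTING = ["192.0.2.10/24", "169.254.0.2/30"]

if __name__ == "__main__":
    n, subnet, ibm_ip, vsrx_ip = next_free_vti(EXISTING)
    print(f"tunnel {n}: {subnet} ibm={ibm_ip} vsrx={vsrx_ip}")
    for line in junos_vti_config(3, n, "ibm-vpc-gateway-secondary-vpn"):
        print(line)
```

With the primary tunnel already using 169.254.0.0/30, the helper selects 169.254.0.4/30 and produces the same st0 unit 3 lines as the secondary-tunnel step above.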
Verifying the configuration
Follow these steps to verify the configuration:
- Verify that IKE phase 1 is up for both tunnels:

  run show security ike sa

- Verify that IKE phase 2 is up for both tunnels:

  run show security ipsec sa

- Display the route:

  run show route <static route>