IBM Cloud Docs

Connecting a Juniper vSRX peer

You can use IBM Cloud VPN for VPC to securely connect your VPC to an on-premises network through a VPN tunnel. This topic describes how to configure a Juniper VPN gateway to connect to VPN for VPC.

If the Juniper vSRX requires Perfect Forward Secrecy (PFS) in Phase 2, you must create a custom IPsec policy to replace the default policy of VPN for VPC. For more information, see Creating a custom IPsec policy for the Juniper vSRX.

These instructions are based on the Juniper vSRX, JUNOS software release [23.2R1-S1 Standard 23.2.1.1].

Before you continue connecting to your on-premises peer, read the known issues for the VPN gateway.

When the Juniper VPN receives a connection request from VPN for VPC, Juniper uses the IPsec Phase 1 parameters to establish a secure connection and authenticate the VPN for VPC gateway. Then, if the security policy permits the connection, the Juniper VPN establishes the tunnel using the IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, you must perform the following on the Juniper vSRX unit:

  • Define the Phase 1 parameters that the Juniper vSRX VPN requires to authenticate the remote peer and establish a secure connection.
  • Define the Phase 2 parameters that the Juniper vSRX VPN requires to create a VPN tunnel with VPN for VPC.

The general configuration steps are as follows.

  1. Select IKEv2 in Phase 1.
  2. Set up the policy-based method.
  3. Enable DH group 19 in the Phase 1 proposal.
  4. Set lifetime = 36000 in the Phase 1 proposal.
  5. Enable PFS in the Phase 2 proposal.
  6. Set lifetime = 10800 in the Phase 2 proposal.
  7. Enter your peer network and subnet information in the Phase 2 proposal.
  8. Allow UDP 500 traffic on the external interface.

Policy-based configuration for the Juniper vSRX

The following example shows how to set up the security.

  1. Configure the IKE proposal for the policy-based VPN.

    set security ike proposal ibm-vpc-ike-proposal authentication-method pre-shared-keys
    set security ike proposal ibm-vpc-ike-proposal dh-group group19
    set security ike proposal ibm-vpc-ike-proposal authentication-algorithm sha-256
    set security ike proposal ibm-vpc-ike-proposal encryption-algorithm aes-256-cbc
    set security ike proposal ibm-vpc-ike-proposal lifetime-seconds 86400
    set security ike policy ibm-vpc-ike-policy mode main
    set security ike policy ibm-vpc-ike-policy proposals ibm-vpc-ike-proposal
    set security ike policy ibm-vpc-ike-policy pre-shared-key ascii-text <your-psk>
    
  2. Configure the IKE gateway for the policy-based VPN gateway.

    set security ike gateway ibm-vpc-policy-vpn-gateway ike-policy ibm-vpc-ike-policy
    set security ike gateway ibm-vpc-policy-vpn-gateway address <VPN for VPC Gateway Public IP>
    set security ike gateway ibm-vpc-policy-vpn-gateway dead-peer-detection interval 2
    set security ike gateway ibm-vpc-policy-vpn-gateway dead-peer-detection threshold 3
    set security ike gateway ibm-vpc-policy-vpn-gateway local-identity inet <vSRX Public IP>
    set security ike gateway ibm-vpc-policy-vpn-gateway external-interface ae1.0
    set security ike gateway ibm-vpc-policy-vpn-gateway version v2-only
    
  3. Configure the IPsec proposal for the policy-based VPN.

    set security ipsec proposal ibm-vpc-ipsec-proposal protocol esp
    set security ipsec proposal ibm-vpc-ipsec-proposal authentication-algorithm hmac-sha-256-128
    set security ipsec proposal ibm-vpc-ipsec-proposal encryption-algorithm aes-256-cbc
    set security ipsec proposal ibm-vpc-ipsec-proposal lifetime-seconds 3600
    set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19
    set security ipsec policy ibm-vpc-ipsec-policy proposals ibm-vpc-ipsec-proposal
    
  4. Configure the VTI and VPN connection to the policy-based VPN gateway.

    set interfaces st0 unit 2 description Tunnel-to-IBM-VPC-POLICY-VPN-GATEWAY
    set interfaces st0 unit 2 family inet
    
    set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn bind-interface st0.2
    set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn ike gateway ibm-vpc-policy-vpn-gateway
    set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn ike ipsec-policy ibm-vpc-ipsec-policy
    set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn traffic-selector pair1 local-ip <on-premise-subnet>
    set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn traffic-selector pair1 remote-ip <vpc-subnet>
    set security ipsec vpn ibm-vpc-policy-vpn-gateway-vpn establish-tunnels immediately
    
  5. Configure the control-plane firewall to allow IKE/IPsec protocol traffic.

    set firewall filter PROTECT-IN term IPSec-IKE from source-address <VPN for VPC Gateway Public IP>/32
    set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
    set firewall filter PROTECT-IN term IPSec-IKE from port 500
    set firewall filter PROTECT-IN term IPSec-IKE then accept
    set firewall filter PROTECT-IN term IPSec-ESP from source-address <VPN for VPC Gateway Public IP>/32
    set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
    set firewall filter PROTECT-IN term IPSec-ESP then accept
    set firewall filter PROTECT-IN term IPSec-4500 from source-address <VPN for VPC Gateway Public IP>/32
    set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
    set firewall filter PROTECT-IN term IPSec-4500 from port 4500
    set firewall filter PROTECT-IN term IPSec-4500 then accept
    
  6. Configure the data-plane firewall to allow traffic between on-premises and the IBM VPC.

    set security zones security-zone vpn-zone interfaces st0.2
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match source-address any
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match destination-address any
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match application any
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn then permit
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match source-address any
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match destination-address any
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match application any
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private then permit
    
  7. Configure TCP MSS clamping on the vSRX to avoid unnecessary fragmentation.

    set security flow tcp-mss ipsec-vpn mss 1360
    
  8. After the configuration is complete, you can check the connection status from the CLI with the following command:

    run show security ipsec security-associations
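Before committing a configuration like the one above, it is worth checking mechanically that the Phase 1 and Phase 2 proposals, the PFS group, the IKE version and the control-plane filter all carry the values this page calls for; a mismatch on either side shows up only as a failed negotiation. The following script is an added example (not IBM's or Juniper's code): it parses Junos `set` lines and reports deviations from the page's parameters. The sample configuration is constructed from the commands above with documentation addresses (203.0.113.10 for the VPN for VPC gateway) substituted for the placeholders, and the weakened variant is likewise constructed to show what a finding looks like.

```python
"""Consistency check for Junos `set` lines against the VPN for VPC parameters.

Added example, not code from IBM or Juniper. Sample input is constructed.
"""
from collections import defaultdict

# Phase 1 / Phase 2 values configured on this page.
EXPECTED_IKE = {"authentication-method": "pre-shared-keys", "dh-group": "group19",
                "authentication-algorithm": "sha-256", "encryption-algorithm": "aes-256-cbc"}
EXPECTED_IPSEC = {"protocol": "esp", "authentication-algorithm": "hmac-sha-256-128",
                  "encryption-algorithm": "aes-256-cbc", "lifetime-seconds": "3600"}
EXPECTED_PFS_GROUP = "group19"


def parse_set_lines(config_text):
    """Group `set` lines by object; each object maps its sub-key to the last token."""
    cfg = {k: defaultdict(dict) for k in
           ("ike_proposal", "ipsec_proposal", "ipsec_policy", "ike_gateway", "filter_term")}
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "set":
            continue
        tok = tok[1:]
        if tok[:3] == ["security", "ike", "proposal"]:
            cfg["ike_proposal"][tok[3]][tok[4]] = tok[-1]
        elif tok[:3] == ["security", "ipsec", "proposal"]:
            cfg["ipsec_proposal"][tok[3]][tok[4]] = tok[-1]
        elif tok[:3] == ["security", "ipsec", "policy"]:
            cfg["ipsec_policy"][tok[3]][" ".join(tok[4:-1])] = tok[-1]
        elif tok[:3] == ["security", "ike", "gateway"]:
            cfg["ike_gateway"][tok[3]][" ".join(tok[4:-1])] = tok[-1]
        elif tok[:2] == ["firewall", "filter"] and len(tok) > 5 and tok[3] == "term":
            cfg["filter_term"][f"{tok[2]}/{tok[4]}"][" ".join(tok[5:-1])] = tok[-1]
    return cfg


def check_config(config_text):
    """Return a list of findings; an empty list means the config matches the page."""
    cfg = parse_set_lines(config_text)
    findings = []
    for name, p in cfg["ike_proposal"].items():
        for key, want in EXPECTED_IKE.items():
            if p.get(key) != want:
                findings.append(f"ike proposal {name}: {key} is {p.get(key)!r}, expected {want!r}")
    for name, p in cfg["ipsec_proposal"].items():
        for key, want in EXPECTED_IPSEC.items():
            if p.get(key) != want:
                findings.append(f"ipsec proposal {name}: {key} is {p.get(key)!r}, expected {want!r}")
    for name, pol in cfg["ipsec_policy"].items():
        if pol.get("perfect-forward-secrecy keys") != EXPECTED_PFS_GROUP:
            findings.append(f"ipsec policy {name}: PFS group is not {EXPECTED_PFS_GROUP}")
    for name, gw in cfg["ike_gateway"].items():
        if gw.get("version") != "v2-only":
            findings.append(f"ike gateway {name}: version is not v2-only")
        if "dead-peer-detection interval" not in gw:
            findings.append(f"ike gateway {name}: dead-peer-detection not configured")
    for term, t in cfg["filter_term"].items():
        # Accepting IKE/ESP from any source widens the control-plane exposure.
        if t.get("then") == "accept" and "from source-address" not in t:
            findings.append(f"filter term {term}: accepts without a source-address restriction")
    return findings


# Constructed sample: the page's commands with 203.0.113.10 as the gateway IP.
GOOD_CONFIG = """\
set security ike proposal ibm-vpc-ike-proposal authentication-method pre-shared-keys
set security ike proposal ibm-vpc-ike-proposal dh-group group19
set security ike proposal ibm-vpc-ike-proposal authentication-algorithm sha-256
set security ike proposal ibm-vpc-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal ibm-vpc-ike-proposal lifetime-seconds 86400
set security ike gateway ibm-vpc-policy-vpn-gateway ike-policy ibm-vpc-ike-policy
set security ike gateway ibm-vpc-policy-vpn-gateway address 203.0.113.10
set security ike gateway ibm-vpc-policy-vpn-gateway dead-peer-detection interval 2
set security ike gateway ibm-vpc-policy-vpn-gateway dead-peer-detection threshold 3
set security ike gateway ibm-vpc-policy-vpn-gateway version v2-only
set security ipsec proposal ibm-vpc-ipsec-proposal protocol esp
set security ipsec proposal ibm-vpc-ipsec-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal ibm-vpc-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal ibm-vpc-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19
set security ipsec policy ibm-vpc-ipsec-policy proposals ibm-vpc-ipsec-proposal
set firewall filter PROTECT-IN term IPSec-IKE from source-address 203.0.113.10/32
set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
set firewall filter PROTECT-IN term IPSec-IKE from port 500
set firewall filter PROTECT-IN term IPSec-IKE then accept
set firewall filter PROTECT-IN term IPSec-ESP from source-address 203.0.113.10/32
set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
set firewall filter PROTECT-IN term IPSec-ESP then accept
"""

# Constructed weakened variant: SHA-1 in Phase 1, PFS dropped, IKE term open to any source.
WEAK_CONFIG = (GOOD_CONFIG
               .replace("authentication-algorithm sha-256", "authentication-algorithm sha-1")
               .replace("set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19\n", "")
               .replace("set firewall filter PROTECT-IN term IPSec-IKE from source-address 203.0.113.10/32\n", ""))

if __name__ == "__main__":
    for finding in check_config(WEAK_CONFIG):
        print(finding)
```

Run it against a `show configuration | display set` export before committing; the three findings it prints for the weakened sample (SHA-1 proposal, missing PFS group, unrestricted IKE term) are exactly the kind of drift that makes the VPN for VPC side refuse the Phase 1 or Phase 2 negotiation.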
    

Creating a custom IPsec policy for the Juniper vSRX

By default, VPN for VPC disables PFS in Phase 2. If the Juniper vSRX requires PFS in Phase 2, you must create a custom IPsec policy to replace the default policy of VPN for VPC.

To use a custom IPsec policy in VPN for VPC, follow these steps:

  1. On the VPN for VPC page in the IBM Cloud console, select the IPsec policies tab.

  2. Click New IPsec policy and specify the following values:

    • For the Authentication field, select sha256.
    • For the Encryption field, select aes256.
    • Select the PFS option.
    • For the DH group field, select 19.
    • For the Key lifetime field, specify 3600.

  3. Select this custom IPsec policy when you create the VPN connection in the VPC.

Setting up a route-based configuration for the Juniper vSRX

The following configuration shows how to set up two route-based tunnels between the Juniper vSRX VPN and VPN for VPC, using weighted preferences for the two tunnels.

The VPN for VPC gateway should have a connection whose peer address is the vSRX public IP.

The following is an example used to set up the vSRX configuration.

  1. Configure the IKE proposal for the route-based VPN:

    set security ike proposal ibm-vpc-ike-proposal authentication-method pre-shared-keys
    set security ike proposal ibm-vpc-ike-proposal dh-group group19
    set security ike proposal ibm-vpc-ike-proposal authentication-algorithm sha-256
    set security ike proposal ibm-vpc-ike-proposal encryption-algorithm aes-256-cbc
    set security ike proposal ibm-vpc-ike-proposal lifetime-seconds 86400
    set security ike policy ibm-vpc-ike-policy mode main
    set security ike policy ibm-vpc-ike-policy proposals ibm-vpc-ike-proposal
    set security ike policy ibm-vpc-ike-policy pre-shared-key ascii-text <your-psk>
    
  2. Configure the IKE gateway to the primary tunnel:

    set security ike gateway ibm-vpc-gateway-primary ike-policy ibm-vpc-ike-policy
    set security ike gateway ibm-vpc-gateway-primary address <VPN for VPC Gateway Small Public IP>
    set security ike gateway ibm-vpc-gateway-primary dead-peer-detection interval 2
    set security ike gateway ibm-vpc-gateway-primary dead-peer-detection threshold 3
    set security ike gateway ibm-vpc-gateway-primary local-identity inet <vSRX Public IP>
    set security ike gateway ibm-vpc-gateway-primary external-interface ae1.0
    set security ike gateway ibm-vpc-gateway-primary version v2-only
    
  3. Configure the IPsec proposal for the route-based VPN:

    set security ipsec proposal ibm-vpc-ipsec-proposal protocol esp
    set security ipsec proposal ibm-vpc-ipsec-proposal authentication-algorithm hmac-sha-256-128
    set security ipsec proposal ibm-vpc-ipsec-proposal encryption-algorithm aes-256-cbc
    set security ipsec proposal ibm-vpc-ipsec-proposal lifetime-seconds 3600
    set security ipsec policy ibm-vpc-ipsec-policy perfect-forward-secrecy keys group19
    set security ipsec policy ibm-vpc-ipsec-policy proposals ibm-vpc-ipsec-proposal
    
  4. Configure the VTI and VPN connection to the primary VPN tunnel:

    Create a virtual tunnel interface and configure a link-local address (169.254.0.2/30) on it. Choose the link-local address carefully and make sure that it does not overlap with other addresses on the device. In a subnet with a 30-bit netmask there are two usable IP addresses (169.254.0.1 and 169.254.0.2). The first IP address, 169.254.0.1, is used as the IBM VPN gateway VTI address; the second IP address, 169.254.0.2, is used as the vSRX VTI address. If there are multiple VTIs on the vSRX, you can choose another link-local subnet, such as 169.254.0.4/30, 169.254.0.8/30, and so on.

    You do not need to configure 169.254.0.1 on the IBM VPN gateway. It is referenced only when you configure routes on the vSRX.

    set interfaces st0 unit 2 multipoint
    set interfaces st0 unit 2 family inet next-hop-tunnel 169.254.0.1 ipsec-vpn ibm-vpc-gateway-primary-vpn
    set interfaces st0 unit 2 family inet address 169.254.0.2/30
    
    set security ipsec vpn ibm-vpc-gateway-primary-vpn bind-interface st0.2
    set security ipsec vpn ibm-vpc-gateway-primary-vpn ike gateway ibm-vpc-gateway-primary
    set security ipsec vpn ibm-vpc-gateway-primary-vpn ike ipsec-policy ibm-vpc-ipsec-policy
    set security ipsec vpn ibm-vpc-gateway-primary-vpn establish-tunnels immediately
    
  5. Configure the route to the primary VPN tunnel:

    set routing-options static route <your-VPC-subnet> next-hop 169.254.0.1
    
  6. Configure the control-plane firewall to allow IKE/IPsec protocol traffic for the route-based VPN:

    set firewall filter PROTECT-IN term IPSec-IKE from source-address <VPN for VPC Gateway Small Public IP>/32
    set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
    set firewall filter PROTECT-IN term IPSec-IKE from port 500
    set firewall filter PROTECT-IN term IPSec-IKE then accept
    set firewall filter PROTECT-IN term IPSec-ESP from source-address <VPN for VPC Gateway Small Public IP>/32
    set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
    set firewall filter PROTECT-IN term IPSec-ESP then accept
    set firewall filter PROTECT-IN term IPSec-4500 from source-address <VPN for VPC Gateway Small Public IP>/32
    set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
    set firewall filter PROTECT-IN term IPSec-4500 from port 4500
    set firewall filter PROTECT-IN term IPSec-4500 then accept
    
  7. Configure the data-plane firewall to allow traffic between on-premises and the IBM VPC for the route-based VPN:

    set security zones security-zone vpn-zone interfaces st0.2
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match source-address any
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match destination-address any
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn match application any
    set security policies from-zone SL-PRIVATE to-zone vpn-zone policy private_to_vpn then permit
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match source-address any
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match destination-address any
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private match application any
    set security policies from-zone vpn-zone to-zone SL-PRIVATE policy vpn_to_private then permit
    
  8. Configure TCP MSS clamping on the vSRX to avoid unnecessary fragmentation for the route-based VPN:

    set security flow tcp-mss ipsec-vpn mss 1360
    
  9. Configure the IKE gateway to the secondary tunnel:

    set security ike gateway ibm-vpc-gateway-secondary ike-policy ibm-vpc-ike-policy
    set security ike gateway ibm-vpc-gateway-secondary address <VPN for VPC Gateway Big Public IP>
    set security ike gateway ibm-vpc-gateway-secondary dead-peer-detection interval 2
    set security ike gateway ibm-vpc-gateway-secondary dead-peer-detection threshold 3
    set security ike gateway ibm-vpc-gateway-secondary local-identity inet <vSRX Public IP>
    set security ike gateway ibm-vpc-gateway-secondary external-interface ae1.0
    set security ike gateway ibm-vpc-gateway-secondary version v2-only
    
  10. Configure the VTI and VPN connection to the secondary VPN tunnel:

    set interfaces st0 unit 3 multipoint
    set interfaces st0 unit 3 family inet next-hop-tunnel 169.254.0.5 ipsec-vpn ibm-vpc-gateway-secondary-vpn
    set interfaces st0 unit 3 family inet address 169.254.0.6/30
    
    set security ipsec vpn ibm-vpc-gateway-secondary-vpn bind-interface st0.3
    
    set security ipsec vpn ibm-vpc-gateway-secondary-vpn ike gateway ibm-vpc-gateway-secondary
    set security ipsec vpn ibm-vpc-gateway-secondary-vpn ike ipsec-policy ibm-vpc-ipsec-policy
    set security ipsec vpn ibm-vpc-gateway-secondary-vpn establish-tunnels immediately
    
  11. Configure the control-plane firewall to allow IKE/IPsec protocol traffic from the secondary tunnel:

    set firewall filter PROTECT-IN term IPSec-IKE from source-address <VPN for VPC Gateway Big Public IP>/32
    set firewall filter PROTECT-IN term IPSec-ESP from source-address <VPN for VPC Gateway Big Public IP>/32
    set firewall filter PROTECT-IN term IPSec-4500 from source-address <VPN for VPC Gateway Big Public IP>/32
    
  12. Add the VTI to the security zone:

    set security zones security-zone vpn-zone interfaces st0.3
    
  13. Add the route to the secondary tunnel:

    set routing-options static route <your-VPC-subnet> qualified-next-hop 169.254.0.5 preference 30
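The link-local addressing rule from step 4 (one /30 per tunnel, first usable address for the IBM gateway side, second for the vSRX VTI, no overlap with addresses already on the device) is easy to get wrong by hand once there are several VTIs. The script below is an added example, not code from IBM or Juniper, that applies that rule for any number of tunnels and renders the st0 unit, zone and static-route lines in the form used in steps 4, 5, 10, 12 and 13 above. It generalises the page's two-tunnel case: the first tunnel gets the plain static route, every later tunnel gets a qualified-next-hop with preference 30 (the page's value for the secondary tunnel; reusing it for a third tunnel is an assumption of this example). The device addresses and the VPC subnet are constructed sample values.

```python
"""Link-local /30 allocation and config rendering for route-based VTIs.

Added example, not code from IBM or Juniper. All addresses are constructed.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def allocate_vti_subnets(existing_addrs, count, pool=LINK_LOCAL):
    """Return `count` tuples (subnet, ibm_side, vsrx_side) of free /30s from `pool`.

    `existing_addrs` are interface addresses already on the device in CIDR
    form; any candidate /30 that overlaps one of them is skipped.
    """
    used = [ipaddress.ip_interface(a).network for a in existing_addrs]
    picked = []
    for cand in pool.subnets(new_prefix=30):
        if any(cand.overlaps(u) for u in used):
            continue
        first, second = cand.hosts()     # a /30 has exactly two usable hosts
        picked.append((cand, first, second))
        used.append(cand)                # never hand out the same /30 twice
        if len(picked) == count:
            break
    if len(picked) < count:
        raise ValueError("not enough free /30 subnets in pool")
    return picked


def render_tunnel_config(tunnels, vpn_names, vpc_subnet, first_unit=2):
    """Render Junos `set` lines for each allocated tunnel.

    Tunnel 0 is the primary and gets the plain static route; later tunnels
    get qualified-next-hop with preference 30 (assumed for tunnels beyond
    the page's secondary one).
    """
    lines = []
    for i, ((subnet, ibm_side, vsrx_side), vpn) in enumerate(zip(tunnels, vpn_names)):
        unit = first_unit + i
        lines += [
            f"set interfaces st0 unit {unit} multipoint",
            f"set interfaces st0 unit {unit} family inet next-hop-tunnel {ibm_side} ipsec-vpn {vpn}",
            f"set interfaces st0 unit {unit} family inet address {vsrx_side}/{subnet.prefixlen}",
            f"set security ipsec vpn {vpn} bind-interface st0.{unit}",
            f"set security zones security-zone vpn-zone interfaces st0.{unit}",
        ]
        if i == 0:
            lines.append(f"set routing-options static route {vpc_subnet} next-hop {ibm_side}")
        else:
            lines.append(f"set routing-options static route {vpc_subnet} "
                         f"qualified-next-hop {ibm_side} preference 30")
    return lines


if __name__ == "__main__":
    # Constructed device state: a public uplink and a private LAN already present.
    tunnels = allocate_vti_subnets(["198.51.100.5/24", "10.10.0.1/24"], 2)
    names = ["ibm-vpc-gateway-primary-vpn", "ibm-vpc-gateway-secondary-vpn"]
    print("\n".join(render_tunnel_config(tunnels, names, "10.240.0.0/24")))
```

With an empty link-local range the output reproduces the page's values (169.254.0.1/.2 for the primary, 169.254.0.5/.6 for the secondary); if 169.254.0.0/30 is already in use on the box the allocator moves on to 169.254.0.4/30 and 169.254.0.8/30, which is the overlap check step 4 asks you to do by hand.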
    

Verifying the configuration

Follow these steps to verify the configuration:

  1. Verify that IKE Phase 1 is up for both tunnels: run show security ike sa

  2. Verify that IKE Phase 2 is up for both tunnels: run show security ipsec sa

  3. Show the route: run show route <static route>