Using the VPN
This topic shows a sample configuration for a route-based IPsec VPN between two sites. In this sample configuration, server 1 (site A) can communicate with server 2 (site B), and each site uses two-phase IPsec authentication.

When you configure IPsec VPN tunnels, it is common to use the primary public IP of the vSRX as the local address of the IKE gateway. However, it is recommended that you first order a public static subnet/IP and route it to the primary public IP of the vSRX, and then use that IP address as the local address of the IKE gateway. If you later need to migrate the IPsec VPN tunnels, you can keep that IP address and route it to another gateway appliance.
Migrating the primary IP of one vSRX or gateway device to another is not supported, but migrating a secondary static subnet within the same data center is.
Sample configuration for site A (Dallas):
# show security address-book global address Network-A
10.84.237.200/29;
# show security address-book global address Network-B
10.45.53.48/29;
# show security ike
proposal IKE-PROP {
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy IKE-POL {
mode main;
proposals IKE-PROP;
pre-shared-key ascii-text "$9$ewkMLNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA
}
gateway IKE-GW {
ike-policy IKE-POL;
address 158.100.100.100;
external-interface ge-0/0/1.0;
}
# show security ipsec
proposal IPSEC-PROP {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy IPSEC-POL {
perfect-forward-secrecy {
keys group5;
}
proposals IPSEC-PROP;
}
vpn IPSEC-VPN {
bind-interface st0.1;
vpn-monitor;
ike {
gateway IKE-GW;
ipsec-policy IPSEC-POL;
}
establish-tunnels immediately;
}
# show interfaces
ge-0/0/0 {
description PRIVATE_VLANs;
flexible-vlan-tagging;
native-vlan-id 1121;
unit 0 {
vlan-id 1121;
family inet {
address 10.184.108.158/26;
}
}
unit 10 {
vlan-id 1811;
family inet {
address 10.184.237.201/29;
}
}
unit 20 {
vlan-id 1812;
family inet {
address 10.185.48.9/29;
}
}
}
st0 {
unit 1 {
family inet {
address 169.254.200.0/31;
}
}
}
# show security policies
from-zone CUSTOMER-PRIVATE to-zone VPN {
policy Custprivate-to-VPN {
match {
source-address any;
destination-address Network-B;
application any;
}
then {
permit;
}
}
}
from-zone VPN to-zone CUSTOMER-PRIVATE {
policy VPN-to-Custprivate {
match {
source-address Network-B;
destination-address any;
application any;
}
then {
permit;
}
}
}
Sample configuration for site B (London):
# show interfaces
ge-0/0/0 {
description PRIVATE_VLANs;
flexible-vlan-tagging;
native-vlan-id 822;
unit 0 {
vlan-id 822;
family inet {
address 10.45.165.140/26;
}
}
unit 10 {
vlan-id 821;
family inet {
address 10.45.53.49/29;
}
}
}
st0 {
unit 1 {
family inet {
address 169.254.200.1/31;
}
}
}
# show security ike
proposal IKE-PROP {
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy IKE-POL {
mode main;
proposals IKE-PROP;
pre-shared-key ascii-text "$9$H.fz9A0hSe36SevW-dk.P"; ## SECRET-DATA
}
gateway IKE-GW {
ike-policy IKE-POL;
address 169.100.100.100;
external-interface ge-0/0/1.0;
}
# show security ipsec
proposal IPSEC-PROP {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy IPSEC-POL {
perfect-forward-secrecy {
keys group5;
}
proposals IPSEC-PROP;
}
vpn IPSEC-VPN {
bind-interface st0.1;
vpn-monitor;
ike {
gateway IKE-GW;
ipsec-policy IPSEC-POL;
}
establish-tunnels immediately;
}
# show security zones
security-zone CUSTOMER-PRIVATE {
interfaces {
ge-0/0/0.10 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone VPN {
interfaces {
st0.1;
}
}
# show security policies from-zone CUSTOMER-PRIVATE to-zone VPN
policy Custprivate-to-VPN {
match {
source-address any;
destination-address Network-A;
application any;
}
then {
permit;
}
}
# show security zones security-zone VPN
interfaces {
st0.1;
}
# show security policies from-zone VPN to-zone CUSTOMER-PRIVATE
policy VPN-to-Custprivate {
match {
source-address Network-A;
destination-address any;
application any;
}
then {
permit;
}
}
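The two configurations above only work if the IKE and IPsec proposals, the PFS group and the st0 point-to-point addresses agree on both sides. The following script is an added example (not code from the original page or from Juniper) that parses the Junos curly-brace configuration of both sites and reports such mismatches. The SITE_A and SITE_B strings are constructed from the values on the page with the pre-shared keys omitted; the parser, the function names and the deliberately broken variants are assumptions of this example.

```python
"""Cross-site consistency check for the route-based IPsec VPN above.
Added example, not code from the page or from Juniper. It parses the Junos
curly-brace configuration of both sites (constructed below from the page's
values, pre-shared keys omitted) and flags proposal or PFS mismatches, an
authentication-algorithm left next to AES-GCM, and st0 addresses that are
not the two ends of one /31: the usual reasons such a tunnel stays down.
"""
import ipaddress


def parse_junos(text):
    """'name {' opens a nested dict, 'key value;' stores a leaf, and a bare
    'value;' is appended to the enclosing block's '_items' list."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop '## SECRET-DATA' trailers
        if not line:
            continue
        current = stack[-1] if stack else root
        if line.endswith("{"):
            block = {}
            current[line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            if value:
                current[key] = value
            else:
                current.setdefault("_items", []).append(key)
    return root


def first_block(section, prefix):
    """First child block whose name starts with prefix, e.g. 'proposal'."""
    for name, block in section.items():
        if name.startswith(prefix + " "):
            return block
    raise KeyError(f"no '{prefix}' block found")


def pfs_group(ipsec_section):
    """PFS DH group of the first ipsec policy, or None when PFS is not set."""
    return first_block(ipsec_section, "policy").get("perfect-forward-secrecy", {}).get("keys")


def same_p2p_link(addr_a, addr_b):
    """True when the two addresses are the distinct ends of one /31."""
    ia, ib = ipaddress.ip_interface(addr_a), ipaddress.ip_interface(addr_b)
    return ia.network == ib.network and ia.network.prefixlen == 31 and ia.ip != ib.ip


def compare_vpn(site_a_text, site_b_text):
    """Return a list of (section, item, site_a_value, site_b_value) findings."""
    a, b = parse_junos(site_a_text), parse_junos(site_b_text)
    findings = []
    for section in ("ike", "ipsec"):
        pa, pb = first_block(a[section], "proposal"), first_block(b[section], "proposal")
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                findings.append((section, key, pa.get(key), pb.get(key)))
        # AES-GCM is an AEAD cipher: no separate authentication-algorithm goes next to it.
        gcm_auth = [p.get("authentication-algorithm") if "gcm" in p.get("encryption-algorithm", "")
                    else None for p in (pa, pb)]
        if any(gcm_auth):
            findings.append((section, "authentication-algorithm with AES-GCM", *gcm_auth))
    if pfs_group(a["ipsec"]) != pfs_group(b["ipsec"]):
        findings.append(("ipsec", "perfect-forward-secrecy keys", pfs_group(a["ipsec"]), pfs_group(b["ipsec"])))
    st0_a = a["interfaces"]["st0"]["unit 1"]["family inet"]["address"]
    st0_b = b["interfaces"]["st0"]["unit 1"]["family inet"]["address"]
    if not same_p2p_link(st0_a, st0_b):
        findings.append(("interfaces", "st0.1 addresses are not one /31", st0_a, st0_b))
    return findings


# Constructed from the page's site A values; site B differs only in its st0 address.
SITE_A = """
ike {
    proposal IKE-PROP {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
}
ipsec {
    proposal IPSEC-PROP {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy IPSEC-POL {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals IPSEC-PROP;
    }
}
interfaces {
    st0 {
        unit 1 {
            family inet {
                address 169.254.200.0/31;
            }
        }
    }
}
"""
SITE_B = SITE_A.replace("169.254.200.0/31", "169.254.200.1/31")
# Deliberately broken variants (assumed): site B with a different IKE cipher, and
# both sites moved to AES-GCM without removing the authentication-algorithm.
SITE_B_OTHER_CIPHER = SITE_B.replace("aes-128-cbc", "aes-256-cbc", 1)
GCM_A, GCM_B = (s.replace("aes-128-cbc", "aes-128-gcm") for s in (SITE_A, SITE_B))

if __name__ == "__main__":
    for label, pair in (("matching", (SITE_A, SITE_B)), ("cipher mismatch", (SITE_A, SITE_B_OTHER_CIPHER)),
                        ("gcm with auth", (GCM_A, GCM_B))):
        print(label, compare_vpn(*pair) or "OK")
```

Feed the script the output of `show security ike`, `show security ipsec` and `show interfaces st0` from each side (wrapped in `ike { }`, `ipsec { }` and `interfaces { }` blocks as in the samples) and an empty list means the two sides agree on everything the check covers. Lifetimes are compared too, because a difference is the first thing to rule out when a tunnel comes up and later drops at rekey time.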
Performance considerations
For the best IPsec VPN performance, use AES-GCM as the encryption algorithm for the IKE and IPsec proposals.
For example:
set security ike proposal IKE-PROP encryption-algorithm aes-128-gcm
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-gcm
With AES-GCM as the encryption algorithm, you do not need to specify an authentication algorithm in the same proposal; AES-GCM provides both encryption and authentication.
Troubleshooting commands
#show phase 1 status:
show security ike sa
#show phase 2 status:
show security ipsec sa
#show information for any inactive/erroring tunnels
show security ipsec inactive-tunnels
#send ipsec logs to file kmd-logs:
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
#show the contents of the log file created above:
show log kmd-logs
#enabling debug logging and viewing those logs
show security ike debug-status
request security ike debug-enable local <local-ip-address> remote <remote-ip-address> level <1-15>
show log kmd
#disable debug logging - this is important for avoiding performance issues
request security ike debug-disable
Examples of troubleshooting commands
admin@siferg0-vsrx-vsrx-vSRX> show security ike sa
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859401 UP f514114a799925fe f8de58a2690993d7 IKEv2 128.168.104.229
admin@siferg0-vsrx-vsrx-vSRX> show security ipsec sa
node0:
--------------------------------------------------------------------------
Total active tunnels: 1 Total Ipsec sas: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-gcm-128/None ec78f80e 2528/ unlim - root 500 128.168.104.229
>131073 ESP:aes-gcm-128/None c674a8ac 2528/ unlim - root 500 128.168.104.229
{primary:node0}
admin@siferg0-vsrx-vsrx-vSRX> show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
Total inactive tunnels: 0
Total inactive tunnels with establish immediately: 0
{primary:node0}
admin@siferg0-vsrx-vsrx-vSRX> show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859309 DOWN e7753a11ff890094 0000000000000000 IKEv2 128.168.104.229
{primary:node0}
admin@sifergu0-vsrx-vsrx-vSRX> show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Gateway Pending SAs Tunnel Down Reason
131073 500 128.168.104.229 1 No response from peer. Negotiation failed (130 times)
{primary:node0}
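The outputs above are what an operator reads by hand; a monitoring job needs them parsed. The following script is an added example (not code from the original page or from Juniper) that turns the text of `show security ike sa`, `show security ipsec sa` and `show security ipsec inactive-tunnels` into alerts: a phase 1 SA that is not UP, no phase 2 SAs, a phase 2 SA that does not use AES-GCM or is close to expiry, and every inactive tunnel with the reason Junos reports. The sample outputs are constructed from the page's examples (the hostname is shortened, and the IPsec SA listing for the down case is assumed); the column layout the regular expressions expect is that of the output shown above.

```python
"""Health check over the Junos troubleshooting output shown above.
Added example, not code from the original page or from Juniper. The sample
outputs below are constructed from the page's examples.
"""
import re

IKE_SA_RE = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)$")
IPSEC_SA_RE = re.compile(r"^([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")
INACTIVE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_ike_sas(text):
    """Phase 1 SAs: one dict per data row of 'show security ike sa'."""
    rows = []
    for line in text.splitlines():
        m = IKE_SA_RE.match(line.strip())
        if m:
            rows.append({"index": int(m.group(1)), "state": m.group(2),
                         "mode": m.group(5), "remote": m.group(6)})
    return rows


def parse_ipsec_sas(text):
    """Phase 2 SAs: '<' rows are inbound, '>' rows outbound."""
    rows = []
    for line in text.splitlines():
        m = IPSEC_SA_RE.match(line.strip())
        if m:
            rows.append({"direction": "in" if m.group(1) == "<" else "out", "id": int(m.group(2)),
                         "algorithm": m.group(3), "spi": m.group(4),
                         "life_sec": int(m.group(5)), "gateway": m.group(10)})
    return rows


def parse_inactive_tunnels(text):
    """Inactive tunnels with the 'Tunnel Down Reason' column kept verbatim."""
    rows = []
    for line in text.splitlines():
        m = INACTIVE_RE.match(line.strip())
        if m:
            rows.append({"id": int(m.group(1)), "gateway": m.group(3),
                         "pending_sas": int(m.group(4)), "reason": m.group(5).strip()})
    return rows


def tunnel_alerts(ike_text, ipsec_text, inactive_text, min_life_sec=300):
    """Alert strings for anything that needs attention; an empty list means healthy."""
    alerts = []
    for sa in parse_ike_sas(ike_text):
        if sa["state"] != "UP":
            alerts.append(f"phase 1: IKE SA {sa['index']} to {sa['remote']} is {sa['state']}")
    ipsec = parse_ipsec_sas(ipsec_text)
    if not ipsec:
        alerts.append("phase 2: no active IPsec SAs")
    for sa in ipsec:
        if "gcm" not in sa["algorithm"]:
            alerts.append(f"phase 2: SA {sa['id']} {sa['direction']} uses {sa['algorithm']}, AES-GCM recommended")
        if sa["life_sec"] < min_life_sec:
            alerts.append(f"phase 2: SA {sa['id']} {sa['direction']} expires in {sa['life_sec']}s")
    for t in parse_inactive_tunnels(inactive_text):
        alerts.append(f"tunnel {t['id']} to {t['gateway']} down: {t['reason']}")
    return alerts


# Constructed from the page's sample output; DOWN_IPSEC (no SAs while IKE is down) is assumed.
UP_IKE = """
admin@vsrx> show security ike sa
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859401 UP f514114a799925fe f8de58a2690993d7 IKEv2 128.168.104.229
"""
UP_IPSEC = """
Total active tunnels: 1 Total Ipsec sas: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-gcm-128/None ec78f80e 2528/ unlim - root 500 128.168.104.229
>131073 ESP:aes-gcm-128/None c674a8ac 2528/ unlim - root 500 128.168.104.229
{primary:node0}
"""
NO_INACTIVE = "Total inactive tunnels: 0\nTotal inactive tunnels with establish immediately: 0\n"
DOWN_IKE = UP_IKE.replace("2859401 UP f514114a799925fe f8de58a2690993d7",
                          "2859309 DOWN e7753a11ff890094 0000000000000000")
DOWN_IPSEC = "Total active tunnels: 0 Total Ipsec sas: 0\n"
DOWN_INACTIVE = """
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Gateway Pending SAs Tunnel Down Reason
131073 500 128.168.104.229 1 No response from peer. Negotiation failed (130 times)
"""

if __name__ == "__main__":
    print("healthy:", tunnel_alerts(UP_IKE, UP_IPSEC, NO_INACTIVE) or "OK")
    print("down:", tunnel_alerts(DOWN_IKE, DOWN_IPSEC, DOWN_INACTIVE))
```

The `min_life_sec` threshold is there to catch an SA that is about to expire without a replacement being negotiated, which shows up before the tunnel is listed as inactive; lower it or raise it to match the `lifetime-seconds` in your proposals.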
Additional VPN configurations
To configure IPsec VPNs, site-to-site VPNs, remote-access VPNs and other features, see this Juniper configuration guide.
For a sample configuration of a route-based site-to-site IPsec VPN, see this Juniper configuration guide.