IBM Cloud Docs
Using a VPN

This topic details a sample configuration of a route-based IPsec VPN between two sites. In this sample configuration, server 1 (site A) can communicate with server 2 (site B), and each site uses two-phase IPsec authentication.

Site-to-site VPN

When setting up an IPsec VPN tunnel, the primary public IP of the vSRX is commonly used as the IKE gateway local address. However, it is recommended that you first order a public static subnet/IP and route it to the primary public IP of the vSRX. That IP address should then be used as the local address of the IKE gateway. If the IPsec VPN tunnel later needs to be migrated, the IP address can be kept and routed to a different gateway device.

Migrating the primary IP of a vSRX or gateway appliance to a different device is not supported, but migrating a secondary static subnet within the same data center is supported.

Sample configuration for site A (Dallas):

# show security address-book global address Network-A
10.84.237.200/29;
[edit]
# show security address-book global address Network-B
10.45.53.48/29;
# show security ike
proposal IKE-PROP {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IKE-POL {
    mode main;
    proposals IKE-PROP;
    pre-shared-key ascii-text "$9$ewkMLNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA
}
gateway IKE-GW {
    ike-policy IKE-POL;
    address 158.100.100.100;
    external-interface ge-0/0/1.0;
}
# show security ipsec
proposal IPSEC-PROP {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IPSEC-POL {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals IPSEC-PROP;
}
vpn IPSEC-VPN {
    bind-interface st0.1;
    vpn-monitor;
    ike {
        gateway IKE-GW;
        ipsec-policy IPSEC-POL;
    }
    establish-tunnels immediately;
}
# show interfaces
ge-0/0/0 {
    description PRIVATE_VLANs;
    flexible-vlan-tagging;
    native-vlan-id 1121;
    unit 0 {
        vlan-id 1121;
        family inet {
            address 10.184.108.158/26;
        }
    }
    unit 10 {
        vlan-id 1811;
        family inet {
            address 10.184.237.201/29;
        }
    }
    unit 20 {
        vlan-id 1812;
        family inet {
            address 10.185.48.9/29;
        }
    }
}
st0 {
    unit 1 {
        family inet {
            address 169.254.200.0/31;
        }
    }
}
# show security policies
from-zone CUSTOMER-PRIVATE to-zone VPN {
    policy Custprivate-to-VPN {
        match {
            source-address any;
            destination-address Network-B;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone VPN to-zone CUSTOMER-PRIVATE {
    policy VPN-to-Custprivate {
        match {
            source-address Network-B;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

Sample configuration for site B (London):

# show interfaces
ge-0/0/0 {
    description PRIVATE_VLANs;
    flexible-vlan-tagging;
    native-vlan-id 822;
    unit 0 {
        vlan-id 822;
        family inet {
            address 10.45.165.140/26;
        }
    }
    unit 10 {
        vlan-id 821;
        family inet {
            address 10.45.53.49/29;
        }
    }
}
st0 {
    unit 1 {
        family inet {
            address 169.254.200.1/31;
        }
    }
}
# show security ike
proposal IKE-PROP {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IKE-POL {
    mode main;
    proposals IKE-PROP;
    pre-shared-key ascii-text "$9$H.fz9A0hSe36SevW-dk.P"; ## SECRET-DATA
}
gateway IKE-GW {
    ike-policy IKE-POL;
    address 169.100.100.100;
    external-interface ge-0/0/1.0;
}
# show security ipsec
proposal IPSEC-PROP {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IPSEC-POL {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals IPSEC-PROP;
}
vpn IPSEC-VPN {
    bind-interface st0.1;
    vpn-monitor;
    ike {
        gateway IKE-GW;
        ipsec-policy IPSEC-POL;
    }
    establish-tunnels immediately;
}
# show security zones security-zone CUSTOMER-PRIVATE
security-zone CUSTOMER-PRIVATE {
    interfaces {
        ge-0/0/0.10 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
security-zone VPN {
    interfaces {
        st0.1;
    }
}
# show security policies from-zone CUSTOMER-PRIVATE to-zone VPN
policy Custprivate-to-VPN {
    match {
        source-address any;
        destination-address Network-A;
        application any;
    }
    then {
        permit;
    }
}
# show security zones security-zone VPN
interfaces {
    st0.1;
}
# show security policies from-zone VPN to-zone CUSTOMER-PRIVATE
policy VPN-to-Custprivate {
    match {
        source-address Network-A;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Performance considerations

For the best IPsec VPN performance, use AES-GCM as the encryption algorithm in both the IKE and the IPsec proposal.

For example:

set security ike proposal IKE-PROP encryption-algorithm aes-128-gcm
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-gcm

With AES-GCM as the encryption algorithm, you do not need to specify an authentication algorithm in the same proposal: AES-GCM provides both encryption and authentication.
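The two site configurations above must agree on every phase 1 and phase 2 parameter, and the AES-GCM note means an AEAD proposal should not carry a separate authentication algorithm. The following Python script is an added example (not IBM's or Juniper's code) that parses the ike and ipsec stanzas in the nesting that `show configuration security` prints on Junos, compares the two ends, and flags the leftover authentication algorithm. SITE_A is the page's site A proposals; SITE_B_DRIFTED is a constructed peer that has drifted, written here to show what the checker reports.

```python
"""Cross-check the two vSRX ends of a route-based IPsec VPN for proposal drift."""
from typing import Any, Dict, List, Tuple

Cfg = Dict[str, Any]

def parse_junos(text: str) -> Cfg:
    """Parse Junos curly-brace config into nested dicts: 'key value;' -> {key: value},
    'name {' opens a nested dict; '# prompt', '[edit]' and '## SECRET-DATA' text is skipped."""
    root: Cfg = {}
    stack: List[Cfg] = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line or line[0] in "#[":
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            child: Cfg = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value or True
    if len(stack) != 1:  # a missing '}' is itself a defect worth catching
        raise ValueError("unbalanced braces in configuration")
    return root

def _stanza(cfg: Cfg, kind: str) -> Tuple[str, Cfg]:
    """(name, body) of the first 'kind NAME { ... }' block in cfg."""
    for key, body in cfg.items():
        if key.startswith(kind + " "):
            return key.split(" ", 1)[1], body
    raise KeyError(f"no {kind} stanza")

# Phase 1 / phase 2 parameters that both peers must agree on.
FIELDS = {
    "ike": ("authentication-method", "dh-group", "authentication-algorithm", "encryption-algorithm"),
    "ipsec": ("protocol", "authentication-algorithm", "encryption-algorithm"),
}

def compare_sites(site_a: str, site_b: str) -> List[str]:
    """Return findings; an empty list means both ends can negotiate the same SAs."""
    a, b = parse_junos(site_a), parse_junos(site_b)
    findings: List[str] = []
    for stanza, fields in FIELDS.items():
        (na, pa), (nb, pb) = _stanza(a[stanza], "proposal"), _stanza(b[stanza], "proposal")
        for field in fields:
            if pa.get(field) != pb.get(field):
                findings.append(f"{stanza} {field}: {na}={pa.get(field)} vs {nb}={pb.get(field)}")
        for name, prop in ((na, pa), (nb, pb)):  # AES-GCM is AEAD: no separate MAC needed
            enc = str(prop.get("encryption-algorithm", ""))
            if "gcm" in enc and "authentication-algorithm" in prop:
                findings.append(f"{stanza} proposal {name}: {enc} already authenticates, "
                                "remove authentication-algorithm")
    pfs = [_stanza(c["ipsec"], "policy")[1].get("perfect-forward-secrecy", {}).get("keys")
           for c in (a, b)]
    if pfs[0] != pfs[1]:
        findings.append(f"ipsec pfs group: {pfs[0]} vs {pfs[1]}")
    return findings

# Site A proposals as shown on the page (lifetime lines omitted for brevity).
SITE_A = """\
ike {
    proposal IKE-PROP {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy IKE-POL {
        mode main;
        proposals IKE-PROP;
        pre-shared-key ascii-text "$9$ewkMLNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA
    }
}
ipsec {
    proposal IPSEC-PROP {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy IPSEC-POL {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals IPSEC-PROP;
    }
}
"""

# Constructed drifted peer: DH group 14, AES-GCM phase 2 with a leftover MAC, no PFS.
SITE_B_DRIFTED = (SITE_A.replace("dh-group group5", "dh-group group14")
                  .replace("hmac-sha1-96;\n        encryption-algorithm aes-128-cbc",
                           "hmac-sha1-96;\n        encryption-algorithm aes-128-gcm")
                  .replace("        perfect-forward-secrecy {\n            keys group5;\n        }\n", ""))
```

Running `compare_sites(SITE_A, SITE_A)` returns no findings, while comparing against the drifted peer reports the DH group, the phase 2 cipher, the redundant authentication algorithm and the PFS mismatch. The parser also raises on the unbalanced braces that a truncated copy of the config would contain.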

Troubleshooting commands

#show phase 1 status:
show security ike sa

#show phase 2 status:
show security ipsec sa

#show information for any inactive/erroring tunnels
show security ipsec inactive-tunnels

#send ipsec logs to file kmd-logs:
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD

#show the contents of the log file created above:
show log kmd-logs

#enabling debug logging and viewing those logs
show security ike debug-status
request security ike debug-enable local <local-ip-address> remote <remote-ip-address> level <1-15>
show log kmd

#disable debug logging - this is important for avoiding performance issues
request security ike debug-disable

Troubleshooting command examples

admin@siferg0-vsrx-vsrx-vSRX> show security ike sa
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2859401 UP     f514114a799925fe  f8de58a2690993d7  IKEv2          128.168.104.229

admin@siferg0-vsrx-vsrx-vSRX> show security ipsec sa
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None ec78f80e 2528/ unlim - root 500 128.168.104.229
  >131073 ESP:aes-gcm-128/None c674a8ac 2528/ unlim - root 500 128.168.104.229

{primary:node0}

admin@siferg0-vsrx-vsrx-vSRX> show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
  Total inactive tunnels: 0
  Total inactive tunnels with establish immediately: 0

{primary:node0}
admin@siferg0-vsrx-vsrx-vSRX> show security ike security-associations
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2859309 DOWN   e7753a11ff890094  0000000000000000  IKEv2          128.168.104.229

{primary:node0}
admin@sifergu0-vsrx-vsrx-vSRX> show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID           Port   Gateway          Pending SAs   Tunnel Down Reason
  131073       500    128.168.104.229  1             No response from peer. Negotiation failed (130 times)

{primary:node0}
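The outputs above are what an operator reads by hand; the following Python script is an added example (not part of IBM's documentation or Juniper's tooling) that parses `show security ike sa` and `show security ipsec inactive-tunnels` output into rows and turns a DOWN IKE SA or an inactive tunnel into an alert, so the same check can run from a monitoring job. The sample outputs are copied from the page; the column layout the regexes assume is the one shown there.

```python
"""Parse vSRX IKE and IPsec status output and flag tunnels that need attention."""
import re
from typing import Dict, List

# Data rows of 'show security ike sa' / 'show security ike security-associations'.
IKE_SA_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)\s*$")
# Data rows of 'show security ipsec inactive-tunnels'.
INACTIVE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)\s+(?P<pending>\d+)\s+(?P<reason>.+?)\s*$")

def parse_ike_sa(text: str) -> List[Dict[str, str]]:
    """One dict per IKE SA row; prompts, headers and separator lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def parse_inactive_tunnels(text: str) -> List[Dict[str, str]]:
    """One dict per inactive tunnel row, including the 'Tunnel Down Reason' text."""
    rows = []
    for line in text.splitlines():
        m = INACTIVE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def retry_count(reason: str) -> int:
    """Number of failed negotiations reported as '(N times)' in the down reason."""
    m = re.search(r"\((\d+) times\)", reason)
    return int(m.group(1)) if m else 0

def tunnel_alerts(ike_sa_text: str, inactive_text: str) -> List[str]:
    """Human-readable alerts; an empty list means every IKE SA is UP and no tunnel is inactive."""
    alerts: List[str] = []
    for sa in parse_ike_sa(ike_sa_text):
        if sa["state"] != "UP":
            # An all-zero responder cookie means the peer never answered the first IKE message.
            why = ("peer never replied (responder cookie is zero): check reachability on UDP/500 "
                   "and UDP/4500 and that the peer's IKE gateway points back at this address"
                   if sa["rcookie"] == "0" * 16 else "negotiation incomplete")
            alerts.append(f"IKE SA {sa['index']} to {sa['remote']} is {sa['state']}: {why}")
    for t in parse_inactive_tunnels(inactive_text):
        alerts.append(f"IPsec tunnel {t['id']} to {t['gateway']}:{t['port']} is down after "
                      f"{retry_count(t['reason'])} failed negotiations: {t['reason']}")
    return alerts

# Sample outputs copied from the page: a healthy pair and a failing pair.
IKE_SA_OK = """\
admin@siferg0-vsrx-vsrx-vSRX> show security ike sa
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2859401 UP     f514114a799925fe  f8de58a2690993d7  IKEv2          128.168.104.229
"""
INACTIVE_OK = """\
node0:
--------------------------------------------------------------------------
  Total inactive tunnels: 0
  Total inactive tunnels with establish immediately: 0
"""
IKE_SA_DOWN = """\
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2859309 DOWN   e7753a11ff890094  0000000000000000  IKEv2          128.168.104.229
"""
INACTIVE_DOWN = """\
node0:
--------------------------------------------------------------------------
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID           Port   Gateway          Pending SAs   Tunnel Down Reason
  131073       500    128.168.104.229  1             No response from peer. Negotiation failed (130 times)
"""
```

`tunnel_alerts(IKE_SA_OK, INACTIVE_OK)` returns an empty list; the failing pair yields one alert for the DOWN IKE SA and one for tunnel 131073 with its retry count, which is the point at which the debug logging described above becomes worth enabling (and disabling again afterwards).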

Other VPN configurations

To configure IPsec VPN, site-to-site and remote access VPN, and other features, see the configuration guide provided by Juniper Networks.

For an example of how to configure a route-based site-to-site IPsec VPN, see the configuration guide provided by Juniper Networks.