Using VPN
This topic walks through a sample configuration of a route-based IPsec VPN between two sites. In this sample, server 1 (site A) can communicate with server 2 (site B), and each site uses two-phase IPsec authentication.

When you set up an IPsec VPN tunnel, the primary public IP of the vSRX is typically used as the IKE gateway local address. However, it is recommended that you first order a public static subnet/IP and route it to the primary public IP of the vSRX, and then use that IP address as the local address of the IKE gateway. If you later need to migrate the IPsec VPN tunnel, you can keep the IP address and route it to a different gateway device.
Migrating the primary IP of the vSRX or gateway device to a different device is not supported, but migrating a secondary static subnet within the same data center is supported.
Sample configuration for site A (Dallas):
# show security address-book global address Network-A
10.84.237.200/29;
# show security address-book global address Network-B
10.45.53.48/29;
# show security ike
proposal IKE-PROP {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IKE-POL {
    mode main;
    proposals IKE-PROP;
    pre-shared-key ascii-text "$9$ewkMLNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA
}
gateway IKE-GW {
    ike-policy IKE-POL;
    address 158.100.100.100;
    external-interface ge-0/0/1.0;
}
# show security ipsec
proposal IPSEC-PROP {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IPSEC-POL {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals IPSEC-PROP;
}
vpn IPSEC-VPN {
    bind-interface st0.1;
    vpn-monitor;
    ike {
        gateway IKE-GW;
        ipsec-policy IPSEC-POL;
    }
    establish-tunnels immediately;
}
# show interfaces
ge-0/0/0 {
    description PRIVATE_VLANs;
    flexible-vlan-tagging;
    native-vlan-id 1121;
    unit 0 {
        vlan-id 1121;
        family inet {
            address 10.184.108.158/26;
        }
    }
    unit 10 {
        vlan-id 1811;
        family inet {
            address 10.184.237.201/29;
        }
    }
    unit 20 {
        vlan-id 1812;
        family inet {
            address 10.185.48.9/29;
        }
    }
}
st0 {
    unit 1 {
        family inet {
            address 169.254.200.0/31;
        }
    }
}
# show security policies
from-zone CUSTOMER-PRIVATE to-zone VPN {
    policy Custprivate-to-VPN {
        match {
            source-address any;
            destination-address Network-B;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone VPN to-zone CUSTOMER-PRIVATE {
    policy VPN-to-Custprivate {
        match {
            source-address Network-B;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
Sample configuration for site B (London):
# show interfaces
ge-0/0/0 {
    description PRIVATE_VLANs;
    flexible-vlan-tagging;
    native-vlan-id 822;
    unit 0 {
        vlan-id 822;
        family inet {
            address 10.45.165.140/26;
        }
    }
    unit 10 {
        vlan-id 821;
        family inet {
            address 10.45.53.49/29;
        }
    }
}
st0 {
    unit 1 {
        family inet {
            address 169.254.200.1/31;
        }
    }
}
# show security ike
proposal IKE-PROP {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IKE-POL {
    mode main;
    proposals IKE-PROP;
    pre-shared-key ascii-text "$9$H.fz9A0hSe36SevW-dk.P"; ## SECRET-DATA
}
gateway IKE-GW {
    ike-policy IKE-POL;
    address 169.100.100.100;
    external-interface ge-0/0/1.0;
}
# show security ipsec
proposal IPSEC-PROP {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IPSEC-POL {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals IPSEC-PROP;
}
vpn IPSEC-VPN {
    bind-interface st0.1;
    vpn-monitor;
    ike {
        gateway IKE-GW;
        ipsec-policy IPSEC-POL;
    }
    establish-tunnels immediately;
}
# show security zones
security-zone CUSTOMER-PRIVATE {
    interfaces {
        ge-0/0/0.10 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
security-zone VPN {
    interfaces {
        st0.1;
    }
}
# show security policies from-zone CUSTOMER-PRIVATE to-zone VPN
policy Custprivate-to-VPN {
    match {
        source-address any;
        destination-address Network-A;
        application any;
    }
    then {
        permit;
    }
}
# show security zones security-zone VPN
interfaces {
    st0.1;
}
# show security policies from-zone VPN to-zone CUSTOMER-PRIVATE
policy VPN-to-Custprivate {
    match {
        source-address Network-A;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
Performance considerations
For the best IPsec VPN performance, use AES-GCM as the encryption algorithm in both the IKE and the IPsec proposal.
For example:
set security ike proposal IKE-PROP encryption-algorithm aes-128-gcm
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-gcm
With AES-GCM as the encryption algorithm, you do not need to specify an authentication algorithm in the same proposal: AES-GCM provides both encryption and authentication.
Troubleshooting commands
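The two site configurations above have to mirror each other exactly (same IKE and IPsec proposal parameters, same PFS group, st0 addresses in one /31), and the performance note asks for AES-GCM without a separate authentication algorithm. The script below is an added example, not code from the original page or from Juniper: it parses Junos curly-brace output with a small tokenizer, follows the gateway -> policy -> proposal references on each side, and reports every mismatch and every proposal that departs from the AES-GCM advice. The sample input is the page's site A configuration wrapped in ike/ipsec/interfaces blocks so one parse holds all three; the pre-shared key is a placeholder, and the AES-GCM variant of site B is constructed to show the "redundant authentication-algorithm" finding.

```python
import ipaddress
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, brace/semicolon, or word

def parse_junos(text):
    """Junos curly-brace text -> nested dicts. 'key value;' becomes {key: value},
    a bare 'flag;' becomes {flag: True}; '#...' comments (## SECRET-DATA) are dropped."""
    root = {}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", text)):
        if tok == "{":
            stack[-1][" ".join(words)] = child = {}
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][words[0]] = " ".join(words[1:]) if len(words) > 1 else True
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root

def _child(node, prefix):
    """First child whose key starts with prefix, e.g. the one 'gateway NAME' block."""
    return next(v for k, v in node.items() if k.startswith(prefix))

def site_settings(cfg):
    """Follow gateway -> policy -> proposal references to the values peers must share."""
    ike, ipsec = cfg["ike"], cfg["ipsec"]
    ike_pol = ike["policy " + _child(ike, "gateway ")["ike-policy"]]
    vpn = _child(ipsec, "vpn ")
    ipsec_pol = ipsec["policy " + vpn["ike"]["ipsec-policy"]]
    ifd, unit = vpn["bind-interface"].split(".")  # 'st0.1' -> interface st0, unit 1
    st0 = cfg["interfaces"][ifd]["unit " + unit]["family inet"]["address"]
    return {"ike": ike["proposal " + ike_pol["proposals"]],
            "ipsec": ipsec["proposal " + ipsec_pol["proposals"]],
            "pfs": ipsec_pol.get("perfect-forward-secrecy", {}).get("keys"),
            "st0": ipaddress.ip_interface(st0)}

MUST_MATCH = {
    "ike": ("authentication-method", "dh-group", "authentication-algorithm", "encryption-algorithm", "lifetime-seconds"),
    "ipsec": ("protocol", "authentication-algorithm", "encryption-algorithm", "lifetime-seconds")}

def check_proposal(label, prop):
    """Performance note: prefer AES-GCM, and do not pair it with a separate
    authentication-algorithm because GCM already authenticates."""
    enc = prop.get("encryption-algorithm", "")
    if "gcm" not in enc:
        return [f"{label}: {enc} is not AES-GCM; consider aes-128-gcm"]
    if "authentication-algorithm" in prop:
        return [f"{label}: {enc} already authenticates; drop authentication-algorithm"]
    return []

def compare_sites(text_a, text_b):
    """Findings for the pair of configs; an empty list means the ends mirror each other."""
    a, b = site_settings(parse_junos(text_a)), site_settings(parse_junos(text_b))
    findings = []
    for phase, keys in MUST_MATCH.items():
        for k in keys:
            if a[phase].get(k) != b[phase].get(k):
                findings.append(f"{phase} {k} differs: {a[phase].get(k)} vs {b[phase].get(k)}")
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS group differs: {a['pfs']} vs {b['pfs']}")
    # The two st0 addresses must share one /31 and use different host bits.
    if a["st0"].network != b["st0"].network or a["st0"].ip == b["st0"].ip:
        findings.append(f"st0 addresses {a['st0']} and {b['st0']} are not a /31 pair")
    for site, s in (("site A", a), ("site B", b)):
        for phase in ("ike", "ipsec"):
            findings += check_proposal(f"{site} {phase} proposal", s[phase])
    return findings

# Constructed sample input: site A's IKE, IPsec and st0 settings from the page, wrapped
# in ike/ipsec/interfaces blocks so one parse holds all three; the PSK is a placeholder.
SITE_A = """
ike {
  proposal IKE-PROP { authentication-method pre-shared-keys; dh-group group5;
    authentication-algorithm sha1; encryption-algorithm aes-128-cbc; lifetime-seconds 3600; }
  policy IKE-POL { mode main; proposals IKE-PROP;
    pre-shared-key ascii-text "$9$PLACEHOLDER"; } ## SECRET-DATA
  gateway IKE-GW { ike-policy IKE-POL; address 158.100.100.100; external-interface ge-0/0/1.0; }
}
ipsec {
  proposal IPSEC-PROP { protocol esp; authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc; lifetime-seconds 3600; }
  policy IPSEC-POL { perfect-forward-secrecy { keys group5; } proposals IPSEC-PROP; }
  vpn IPSEC-VPN { bind-interface st0.1; ike { gateway IKE-GW; ipsec-policy IPSEC-POL; } }
}
interfaces { st0 { unit 1 { family inet { address 169.254.200.0/31; } } } }
"""
# On the page, site B differs only in its gateway address, its own PSK and the st0 host bit.
SITE_B = SITE_A.replace("158.100.100.100", "169.100.100.100").replace("169.254.200.0/31", "169.254.200.1/31")
# Constructed variant: site B switched to AES-GCM but kept both authentication-algorithm lines.
SITE_B_GCM = SITE_B.replace("aes-128-cbc", "aes-128-gcm")
```

Run `compare_sites(SITE_A, SITE_B)` against the page's own values and the only findings are the four "not AES-GCM" advisories; run it against `SITE_B_GCM` and the encryption-algorithm mismatch plus the redundant authentication-algorithm on site B show up as well. Feeding the same text for both sides trips the st0 check, since both ends would claim the same /31 host address.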
#show phase 1 status:
show security ike sa
#show phase 2 status:
show security ipsec sa
#show information for any inactive/erroring tunnels
show security ipsec inactive-tunnels
#send ipsec logs to file kmd-logs:
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
#show the contents of the log file created above:
show log kmd-logs
#enabling debug logging and viewing those logs
show security ike debug-status
request security ike debug-enable local <local-ip-address> remote <remote-ip-address> level <1-15>
show log kmd
#disable debug logging - this is important for avoiding performance issues
request security ike debug-disable
Troubleshooting command examples
admin@siferg0-vsrx-vsrx-vSRX> show security ike sa
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859401 UP f514114a799925fe f8de58a2690993d7 IKEv2 128.168.104.229
admin@siferg0-vsrx-vsrx-vSRX> show security ipsec sa
node0:
--------------------------------------------------------------------------
Total active tunnels: 1 Total Ipsec sas: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-gcm-128/None ec78f80e 2528/ unlim - root 500 128.168.104.229
>131073 ESP:aes-gcm-128/None c674a8ac 2528/ unlim - root 500 128.168.104.229
{primary:node0}
admin@siferg0-vsrx-vsrx-vSRX> show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
Total inactive tunnels: 0
Total inactive tunnels with establish immediately: 0
{primary:node0}
admin@siferg0-vsrx-vsrx-vSRX> show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859309 DOWN e7753a11ff890094 0000000000000000 IKEv2 128.168.104.229
{primary:node0}
admin@sifergu0-vsrx-vsrx-vSRX> show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Gateway Pending SAs Tunnel Down Reason
131073 500 128.168.104.229 1 No response from peer. Negotiation failed (130 times)
{primary:node0}
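The command output above is what an operator reads by hand to tell a healthy tunnel from a failing one: an IKE SA in state DOWN with an all-zero responder cookie, and an inactive tunnel whose down reason counts failed negotiations. The script below is an added example, not code from the original page or from Juniper: it parses the `show security ike sa` and `show security ipsec inactive-tunnels` output shown above into dicts and turns them into alert strings that a monitoring job could raise. The sample text is the page's own output, embedded as constructed input.

```python
import re

IKE_SA_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<state>UP|DOWN)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)\s*$", re.M)
INACTIVE_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)\s+(?P<pending>\d+)\s+(?P<reason>.+?)\s*$", re.M)
TOTAL_INACTIVE = re.compile(r"^Total inactive tunnels:\s*(\d+)", re.M)
FAIL_COUNT = re.compile(r"Negotiation failed \((\d+) times\)")

def parse_ike_sa(text):
    """Rows of 'show security ike sa' as dicts. An all-zero responder cookie
    means the peer never answered the first IKE message."""
    rows = []
    for m in IKE_SA_ROW.finditer(text):
        row = m.groupdict()
        row["index"] = int(row["index"])
        row["peer_answered"] = row["rcookie"] != "0" * 16
        rows.append(row)
    return rows

def parse_inactive_tunnels(text):
    """'show security ipsec inactive-tunnels' -> total count plus one dict per tunnel row."""
    total = TOTAL_INACTIVE.search(text)
    tunnels = []
    for m in INACTIVE_ROW.finditer(text):
        t = m.groupdict()
        t["id"], t["pending"] = int(t["id"]), int(t["pending"])
        fails = FAIL_COUNT.search(t["reason"])
        t["failures"] = int(fails.group(1)) if fails else 0
        tunnels.append(t)
    return {"total": int(total.group(1)) if total else 0, "tunnels": tunnels}

def tunnel_health(ike_sa_text, inactive_text):
    """Combine phase 1 state with the inactive-tunnel report into alert strings."""
    alerts = []
    for sa in parse_ike_sa(ike_sa_text):
        if sa["state"] != "UP":
            why = "negotiation incomplete" if sa["peer_answered"] else "peer never replied"
            alerts.append(f"phase 1 {sa['state']} to {sa['remote']} ({sa['mode']}): {why}")
    report = parse_inactive_tunnels(inactive_text)
    for t in report["tunnels"]:
        alerts.append(f"tunnel {t['id']} to {t['gateway']} down after {t['failures']} failed "
                      f"negotiations, {t['pending']} SA pending: {t['reason']}")
    if report["total"] != len(report["tunnels"]):
        alerts.append(f"inactive-tunnel count {report['total']} does not match rows parsed")
    return alerts

# Constructed sample input: the page's own command output, node0 header lines included.
IKE_SA_UP = """\
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859401 UP f514114a799925fe f8de58a2690993d7 IKEv2 128.168.104.229
"""
IKE_SA_DOWN = """\
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
2859309 DOWN e7753a11ff890094 0000000000000000 IKEv2 128.168.104.229
{primary:node0}
"""
INACTIVE_OK = """\
node0:
--------------------------------------------------------------------------
Total inactive tunnels: 0
Total inactive tunnels with establish immediately: 0
{primary:node0}
"""
INACTIVE_BAD = """\
node0:
--------------------------------------------------------------------------
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Gateway Pending SAs Tunnel Down Reason
131073 500 128.168.104.229 1 No response from peer. Negotiation failed (130 times)
{primary:node0}
"""

if __name__ == "__main__":
    print("\n".join(tunnel_health(IKE_SA_DOWN, INACTIVE_BAD)))
```

The healthy pair (`IKE_SA_UP`, `INACTIVE_OK`) yields no alerts; the failing pair yields one alert for the DOWN IKE SA, attributed to the peer never replying because the responder cookie is zero, and one for tunnel 131073 carrying the 130 failed negotiations from the down reason. The same parsers can be pointed at output collected over SSH or through a scheduled job, so the counts can be trended rather than read once by hand.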
Other VPN configurations
To configure IPsec VPN, site-to-site VPN, remote access VPN and other features, see the configuration guide provided by Juniper Networks.
For an example of how to configure a route-based site-to-site IPsec VPN, see the configuration guide provided by Juniper Networks.