IPsec Tunnel

1.1 Interface IP configuration

IP interfaces

set network interface ethernet ethernet1/1 layer3 ip <public IP>
set network interface ethernet ethernet1/2 layer3 ip <internal private IP>

Interface zone assignment

-> trust
set zone trust network layer3 ethernet1/2

-> untrust
set zone untrust network layer3 ethernet1/1

Tunnel interface

set network interface tunnel units tunnel.1

Zone creation

set zone [ZONE-NAME] network layer3 tunnel.1

Zone policy (rule) configuration (e.g. any/any)

set rulebase security rules [RULE-NAME] from [ZONE-NAME]
set rulebase security rules [RULE-NAME] to trust
set rulebase security rules [RULE-NAME] source any
set rulebase security rules [RULE-NAME] destination any
set rulebase security rules [RULE-NAME] service any
set rulebase security rules [RULE-NAME] application any
set rulebase security rules [RULE-NAME] action allow
set rulebase security rules [RULE-NAME] log-end yes

※ move rulebase security rules [RULE-NAME] top (to reorder the rule after editing)

1.2 Routing configuration

Declare the interfaces used by the virtual router

set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

External (default) route

set network virtual-router default routing-table ip static-route default nexthop ip-address <public IP gateway>
set network virtual-router default routing-table ip static-route default interface ethernet1/1   (external interface)
set network virtual-router default routing-table ip static-route default metric 10
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route default route-table unicast

Internal route or traffic selector

set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] metric 10
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] destination 172.16.1.0/24   [local private destination network]
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] nexthop ip-address <private IP peer>
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] route-table unicast

Private route for the peer tunnel (proxy-id)

set network virtual-router default routing-table ip static-route [IPSEC-NAME] interface tunnel.1
set network virtual-router default routing-table ip static-route [IPSEC-NAME] metric 10
set network virtual-router default routing-table ip static-route [IPSEC-NAME] destination [Peer internal range]
set network virtual-router default routing-table ip static-route [IPSEC-NAME] route-table unicast

1.3 IKEv1/2 configuration

IKEv1 (IKE crypto profile, phase 1)

  • DH group: 2
  • Authentication (hash): sha1
  • Encryption: aes-128
  • lifetime: 28800

set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] hash sha1
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] dh-group group2
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] lifetime seconds 28800

set network ike gateway [IPSEC-GWNAME] authentication pre-shared-key key 1234567890
set network ike gateway [IPSEC-GWNAME] protocol ikev1 dpd enable yes
set network ike gateway [IPSEC-GWNAME] protocol ikev1 ike-crypto-profile [IPSECv1-NAME]
set network ike gateway [IPSEC-GWNAME] protocol ikev2 dpd enable yes
set network ike gateway [IPSEC-GWNAME] protocol version ikev1
set network ike gateway [IPSEC-GWNAME] local-address ip [Local public IP]
set network ike gateway [IPSEC-GWNAME] local-address interface ethernet1/1
set network ike gateway [IPSEC-GWNAME] protocol-common nat-traversal enable no
set network ike gateway [IPSEC-GWNAME] protocol-common fragmentation enable no
set network ike gateway [IPSEC-GWNAME] peer-address ip [Peer public IP]

IKEv2 (IPsec crypto profile, phase 2)

  • Protocol: esp
  • Authentication: sha1
  • Encryption: aes-128
  • lifetime: 3600

set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] dh-group no-pfs

set network tunnel ipsec [IPSEC-TNAME] auto-key ike-gateway [IPSEC-GWNAME]
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] protocol any
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] local [Local internal range]
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] remote [Peer internal range]
set network tunnel ipsec [IPSEC-TNAME] auto-key ipsec-crypto-profile [IPSECv2-NAME]
set network tunnel ipsec [IPSEC-TNAME] tunnel-monitor enable no
set network tunnel ipsec [IPSEC-TNAME] tunnel-interface tunnel.1
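The whole procedure of sections 1.1 to 1.3, as an added Python illustration that is not part of these notes and not Palo Alto Networks code: build_config() emits the same 'set' commands from one parameter set, and lint() catches the inputs that most often stop phase 2 from coming up (overlapping or mismatched local/peer networks, a default-route next hop that is not on the ethernet1/1 subnet) and flags the group2 / sha1 / no-pfs choices used above. The derived object names (vpn-peer, gw-peer, tun-peer, pid-peer, ...) and the 203.0.113.x / 198.51.100.x / 10.20.0.0/24 addresses are constructed placeholders, and the site-specific internal route with a private next hop is left out.

```python
"""Emit the PAN-OS 'set' commands for the site-to-site tunnel configured above and
lint the inputs before commit. Added illustration, not part of the original notes."""
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelParams:
    """One tunnel's inputs; every address is a placeholder the operator fills in."""
    public_ip: str        # ethernet1/1 address in CIDR form
    public_gw: str        # upstream next hop for the default route
    private_ip: str       # ethernet1/2 address in CIDR form
    local_net: str        # local network behind ethernet1/2 (proxy-id local)
    peer_public_ip: str   # remote IKE gateway address
    peer_net: str         # network behind the peer (proxy-id remote)
    psk: str              # pre-shared key
    name: str = "peer"    # hypothetical site tag; object names are derived from it
    dh_group: str = "group2"      # values from the notes; lint() flags them
    pfs_group: str = "no-pfs"
    hash_alg: str = "sha1"
    encryption: str = "aes-128-cbc"


def _cmds(prefix: str, *suffixes: str) -> list[str]:
    """Expand one command prefix over several trailing arguments."""
    return [f"{prefix} {s}" for s in suffixes]


def build_config(p: TunnelParams) -> list[str]:
    """Return the 'set' commands in the order of sections 1.1 to 1.3 (the site-specific
    internal static route with a private next hop is left out)."""
    n, zone = p.name, f"vpn-{p.name}"
    rt = "set network virtual-router default routing-table ip static-route"
    pid = f"auto-key proxy-id pid-{n}"
    return (
        # 1.1 interfaces, tunnel interface, zones and the any/any policy
        _cmds("set network interface ethernet", f"ethernet1/1 layer3 ip {p.public_ip}",
              f"ethernet1/2 layer3 ip {p.private_ip}")
        + ["set network interface tunnel units tunnel.1"]
        + _cmds("set zone", "trust network layer3 ethernet1/2",
                "untrust network layer3 ethernet1/1", f"{zone} network layer3 tunnel.1")
        + _cmds(f"set rulebase security rules {zone}-to-trust", f"from {zone}", "to trust",
                "source any", "destination any", "service any", "application any",
                "action allow", "log-end yes")
        # 1.2 routing: default route via ethernet1/1, peer network via tunnel.1
        + ["set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]"]
        + _cmds(f"{rt} default", f"nexthop ip-address {p.public_gw}", "interface ethernet1/1",
                "metric 10", "destination 0.0.0.0/0", "route-table unicast")
        + _cmds(f"{rt} to-{n}", "interface tunnel.1", "metric 10",
                f"destination {p.peer_net}", "route-table unicast")
        # 1.3 phase 1: IKE crypto profile and gateway
        + _cmds(f"set network ike crypto-profiles ike-crypto-profiles ike-{n}",
                f"hash {p.hash_alg}", f"dh-group {p.dh_group}",
                f"encryption {p.encryption}", "lifetime seconds 28800")
        + _cmds(f"set network ike gateway gw-{n}", f"authentication pre-shared-key key {p.psk}",
                "protocol ikev1 dpd enable yes", f"protocol ikev1 ike-crypto-profile ike-{n}",
                "protocol version ikev1", f"local-address ip {p.public_ip}",
                "local-address interface ethernet1/1", "protocol-common nat-traversal enable no",
                "protocol-common fragmentation enable no", f"peer-address ip {p.peer_public_ip}")
        # 1.3 phase 2: IPsec crypto profile and tunnel with proxy-id
        + _cmds(f"set network ike crypto-profiles ipsec-crypto-profiles ipsec-{n}",
                f"esp authentication {p.hash_alg}", f"esp encryption {p.encryption}",
                "lifetime seconds 3600", f"dh-group {p.pfs_group}")
        + _cmds(f"set network tunnel ipsec tun-{n}", f"auto-key ike-gateway gw-{n}",
                f"{pid} protocol any", f"{pid} local {p.local_net}", f"{pid} remote {p.peer_net}",
                f"auto-key ipsec-crypto-profile ipsec-{n}", "tunnel-monitor enable no",
                "tunnel-interface tunnel.1")
    )


def lint(p: TunnelParams) -> list[str]:
    """Return the mismatches and weak settings worth catching before 'commit'."""
    w = []
    local, peer = ipaddress.ip_network(p.local_net), ipaddress.ip_network(p.peer_net)
    if local.overlaps(peer):
        w.append("local and peer networks overlap; the route via tunnel.1 is ambiguous")
    if ipaddress.ip_interface(p.private_ip).network != local:
        w.append("proxy-id local does not match the ethernet1/2 network")
    if ipaddress.ip_address(p.public_gw) not in ipaddress.ip_interface(p.public_ip).network:
        w.append("default-route next hop is not on the ethernet1/1 subnet")
    if p.dh_group in ("group1", "group2", "group5") or p.hash_alg in ("md5", "sha1"):
        w.append(f"phase 1 uses {p.dh_group}/{p.hash_alg}, below current strength guidance")
    if p.pfs_group == "no-pfs":
        w.append("phase 2 has no PFS: a recovered IKE key unwraps every ESP session keyed from it")
    return w


def sample_params() -> TunnelParams:
    """Constructed sample on documentation address ranges; not a real site."""
    return TunnelParams(public_ip="203.0.113.10/24", public_gw="203.0.113.1",
                        private_ip="172.16.1.1/24", local_net="172.16.1.0/24",
                        peer_public_ip="198.51.100.20", peer_net="10.20.0.0/24",
                        psk="sample-psk-replace-before-use")


if __name__ == "__main__":
    print("\n".join(f"# WARNING: {m}" for m in lint(sample_params())))
    print("\n".join(build_config(sample_params())))
```

Run it once with the sample to see the warnings lint() raises for the notes' own crypto choices, then paste the printed commands into configuration mode on the firewall; the order matches the sections above, so tunnel.1 exists before it is placed in a zone and the gateway exists before the tunnel references it.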

Bring up the tunnel (phase 1)

test vpn ike-sa gateway [IPSEC-GWNAME]

Bring up the tunnel (phase 2)

test vpn ipsec-sa tunnel [IPSEC-TNAME]:[PROXY-ID-NAME]

1.4 Verifying the IKEv1/2 tunnel

IKEv1/2 check

show vpn flow name [IPSEC-TNAME]:[PROXY-ID-NAME]

Enter configuration mode

newen@PA-220-Active(active)> configure
Entering configuration mode
[edit]

Commit the configuration

newen@PA-220-Active(active)# commit
