Juniper SRX IPsec tunnel
1.1 IP interfaces
IP interfaces
set interfaces ge-0/0/0 unit 0 family inet address <public IP>
set interfaces ge-0/0/1 unit 0 family inet address <internal private IP>
Tunnel interface
set interfaces st0 unit 0 family inet
Zone policy configuration (example: any/any)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
Zone assignment to interfaces (example: all)
-> trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
-> untrust
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
1.2 Routing configuration
External routing
set routing-options static route 0.0.0.0/0 next-hop <public gateway>
Internal routing or traffic-selector
set routing-options static route <internal private IP> next-hop <internal gateway>
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24
Peer tunnel private routing (proxy-id)
set routing-options static route <peer private IP> next-hop st0.0
1.3 IKEv1/2 configuration
IKEv1
- DH group: 2
- Authentication algorithm: sha-1
- Encryption algorithm: aes-128
- lifetime: 28800
set security ike proposal <text-proposal1> authentication-method pre-shared-keys
set security ike proposal <text-proposal1> dh-group group2
set security ike proposal <text-proposal1> authentication-algorithm sha1
set security ike proposal <text-proposal1> encryption-algorithm aes-128-cbc
set security ike proposal <text-proposal1> lifetime-seconds 28800
set security ike policy <text-policy1> mode main
set security ike policy <text-policy1> proposals <text-proposal1>
set security ike policy <text-policy1> pre-shared-key ascii-text <key value>
set security ike gateway <text-gateway1> ike-policy <text-policy1>
set security ike gateway <text-gateway1> address <peer public IP>
set security ike gateway <text-gateway1> external-interface ge-0/0/0
set security ike gateway <text-gateway1> version v1-only *(default)
IKEv2
- Protocol: esp
- Authentication algorithm: sha-1
- Encryption algorithm: aes-128
- lifetime: 3600
set security ipsec proposal <text-proposal2> protocol esp
set security ipsec proposal <text-proposal2> authentication-algorithm hmac-sha1-96
set security ipsec proposal <text-proposal2> encryption-algorithm aes-128-cbc
set security ipsec proposal <text-proposal2> lifetime-seconds 3600
set security ipsec policy <text-policy2> proposals <text-proposal2>
set security ipsec vpn <text-vpn1> bind-interface st0.0
set security ipsec vpn <text-vpn1> ike gateway <text-gateway1>
set security ipsec vpn <text-vpn1> ike ipsec-policy <text-policy2>
set security ipsec vpn <text-vpn1> establish-tunnels immediately
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24
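An added consistency check for the configuration in sections 1.1 to 1.3 (example code written for this page, not Juniper's or the original author's): it parses the set commands, confirms that every gateway, policy and proposal reference resolves to a defined object, and lists the legacy algorithm choices and the any/any zone policy lines for review. Object names such as prop1, pol1, gw1 and vpn1 are assumed sample values standing in for the placeholders above.

```python
"""Added example (not part of these notes): checks that Junos 'set' commands
reference each other consistently (gateway -> IKE policy -> IKE proposal,
VPN -> gateway / IPsec policy -> IPsec proposal) and lists lines worth a
second look (sha1, group2, any/any policies). Names are constructed."""

# Constructed sample standing in for the placeholders used in the notes.
SAMPLE_CONFIG = """
set security ike proposal prop1 dh-group group2
set security ike proposal prop1 authentication-algorithm sha1
set security ike proposal prop1 encryption-algorithm aes-128-cbc
set security ike policy pol1 mode main
set security ike policy pol1 proposals prop1
set security ike gateway gw1 ike-policy pol1
set security ipsec proposal prop2 authentication-algorithm hmac-sha1-96
set security ipsec policy pol2 proposals prop2
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy pol2
set security policies from-zone trust to-zone untrust policy t2u match source-address any
set security policies from-zone trust to-zone untrust policy t2u match destination-address any
"""

REVIEW_TOKENS = {"sha1", "hmac-sha1-96", "group2"}  # legacy IKE/IPsec choices


def lint(config: str) -> dict:
    """Return {'missing': [...], 'review': [...]} for a block of set commands."""
    defined, refs, review = set(), [], []
    for line in config.strip().splitlines():
        w = line.split()
        if len(w) < 6 or w[0] != "set":
            continue
        if w[1] == "security" and w[2] in ("ike", "ipsec"):
            kind, opt = f"{w[2]} {w[3]}", w[5:]   # e.g. "ike policy", ["proposals", "prop1"]
            defined.add((kind, w[4]))
            if len(opt) > 1 and opt[0] == "proposals":
                refs.append((f"{w[2]} proposal", opt[1], line))
            elif len(opt) > 1 and opt[0] == "ike-policy":
                refs.append(("ike policy", opt[1], line))
            elif len(opt) > 2 and opt[0] == "ike" and opt[1] == "gateway":
                refs.append(("ike gateway", opt[2], line))
            elif len(opt) > 2 and opt[0] == "ike" and opt[1] == "ipsec-policy":
                refs.append(("ipsec policy", opt[2], line))
            if REVIEW_TOKENS & set(opt):
                review.append(line)
        elif w[1:3] == ["security", "policies"] and w[-1] == "any":
            review.append(line)                    # any source/destination/application
    missing = [f"{k} '{n}' not defined, referenced by: {l}"
               for k, n, l in refs if (k, n) not in defined]
    return {"missing": missing, "review": review}
```

Run lint() on the output of "show configuration | display set" to catch a VPN that points at a gateway or policy that was never committed before checking the SA tables in section 1.4.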
1.4 IKEv1/2 tunnel verification
IKEv1
SRX> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
4789230 UP d2a027bc622f8ec6 d79c7b79fab2e1cb Main <peer public IP>
IKEv2
SRX> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 4e82e2b4 3429/4607971 - root 500 <peer public IP>
>131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 - root 500 <peer public IP>