Juniper SRX IPsec tunnel

1.1 IP interfaces

IP interfaces

set interfaces ge-0/0/0 unit 0 family inet address <公認IP>
set interfaces ge-0/0/1 unit 0 family inet address <内部プライベートIP>

Tunnel interface

set interfaces st0 unit 0 family inet

Zone policy configuration (example: any to any)

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit

Assigning interfaces to zones (example: all host-inbound traffic allowed)

-> trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0

-> untrust
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0

1.2 Routing configuration

External routing

set routing-options static route 0.0.0.0/0 next-hop <公認 gateway>

Internal routing, or a traffic-selector

set routing-options static route <内部 プライベートIP> next-hop <内部 gateway>

set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24

Peer tunnel private routing (proxy-id)

set routing-options static route <相手プライベートIP> next-hop st0.0

1.3 IKEv1/2 configuration

IKEv1 (Phase 1: IKE proposal, policy and gateway)

  • Group: 2
  • Authentication: sha-1
  • Encryption: aes-128
  • lifetime: 28800

set security ike proposal <text- proposal 1> authentication-method pre-shared-keys
set security ike proposal <text- proposal 1> dh-group group2
set security ike proposal <text- proposal 1> authentication-algorithm sha1
set security ike proposal <text- proposal 1> encryption-algorithm aes-128-cbc
set security ike proposal <text- proposal 1> lifetime-seconds 28800

set security ike policy <text- policy1> mode main
set security ike policy <text- policy1> proposals <text- proposal 1>
set security ike policy <text- policy1> pre-shared-key ascii-text <key 값>

set security ike gateway <text- gateway1> ike-policy <text- policy1>
set security ike gateway <text- gateway1> address <peer 公認 IP>
set security ike gateway <text- gateway1> external-interface ge-0/0/0
set security ike gateway <text- gateway1> version v1-only *(default)

IKEv2 (Phase 2: IPsec proposal, policy and VPN)

  • Protocol: esp
  • Authentication: sha-1
  • Encryption: aes-128
  • lifetime: 3600

set security ipsec proposal <text-proposal 2> protocol esp
set security ipsec proposal <text-proposal 2> authentication-algorithm hmac-sha1-96
set security ipsec proposal <text-proposal 2> encryption-algorithm aes-128-cbc
set security ipsec proposal <text-proposal 2> lifetime-seconds 3600
set security ipsec policy <text- policy 2> proposals <text-proposal 2>

set security ipsec vpn <text-vpn1> bind-interface st0.0
set security ipsec vpn <text-vpn1> ike gateway <text- gateway1>
set security ipsec vpn <text-vpn1> ike ipsec-policy <text- policy 2>
set security ipsec vpn <text-vpn1> establish-tunnels immediately

set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24

1.4 IKEv1/2 tunnel verification

IKEv1 (Phase 1: IKE security associations)

SRX> show security ike security-associations
Index  State  Initiator cookie   Responder cookie  Mode Remote Address
4789230 UP    d2a027bc622f8ec6   d79c7b79fab2e1cb  Main <peer 公認 IP>

IKEv2 (Phase 2: IPsec security associations)

SRX> show security ipsec security-associations
 Total active tunnels: 1
ID     Algorithm      SPI      Life:sec/kb     Mon lsys  Port  Gateway
<131073 ESP:aes-cbc-128/sha1 4e82e2b4 3429/4607971 - root 500 <peer 公認 IP>
>131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 - root 500 <peer 公認 IP>
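A tunnel is only up when the IKE SA is UP and both the inbound (<) and outbound (>) IPsec SAs exist for the peer. As an added example that is not part of the original page, the Python below parses the two show outputs above and checks exactly that, plus the negotiated algorithm and remaining lifetime. The sample output is constructed from the page's rows with the <peer 公認 IP> placeholder replaced by the documentation address 203.0.113.10; a second constructed sample with only the outbound SA shows the failure case.

```python
"""Parse 'show security ike security-associations' and
'show security ipsec security-associations' output and decide whether the
tunnel to a given peer is fully established."""

# Constructed sample output in the page's format; the peer's public IP is
# replaced by a documentation address (203.0.113.10).
SAMPLE_IKE = """\
Index  State  Initiator cookie   Responder cookie  Mode Remote Address
4789230 UP    d2a027bc622f8ec6   d79c7b79fab2e1cb  Main 203.0.113.10
"""

SAMPLE_IPSEC = """\
 Total active tunnels: 1
ID     Algorithm      SPI      Life:sec/kb     Mon lsys  Port  Gateway
<131073 ESP:aes-cbc-128/sha1 4e82e2b4 3429/4607971 - root 500 203.0.113.10
>131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 - root 500 203.0.113.10
"""

# Constructed failure case: only the outbound (>) SA is present.
SAMPLE_IPSEC_HALF = """\
 Total active tunnels: 1
ID     Algorithm      SPI      Life:sec/kb     Mon lsys  Port  Gateway
>131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 - root 500 203.0.113.10
"""


def parse_ike_sas(text):
    """Return one dict per IKE SA row; data rows start with a numeric index."""
    sas = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0].isdigit():
            sas.append({"index": int(t[0]), "state": t[1], "mode": t[4], "remote": t[5]})
    return sas


def parse_ipsec_sas(text):
    """Return one dict per IPsec SA row; '<' marks inbound, '>' outbound."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] not in "<>":
            continue
        t = line[1:].split()
        if len(t) < 8:
            continue
        life_sec, life_kb = t[3].split("/")
        sas.append({
            "direction": "in" if line[0] == "<" else "out",
            "id": int(t[0]),
            "algorithm": t[1],
            "spi": t[2],
            "life_sec": int(life_sec),
            "life_kb": int(life_kb),
            "port": int(t[6]),   # 500 = plain IKE/ESP, 4500 = NAT-T encapsulation
            "gateway": t[7],
        })
    return sas


def tunnel_status(ike_text, ipsec_text, peer, expected_algorithm, min_life_sec=60):
    """Return (ok, problems): ok only when IKE is UP to the peer and both IPsec
    directions exist with the expected algorithm and lifetime above the floor."""
    problems = []
    ike = [s for s in parse_ike_sas(ike_text) if s["remote"] == peer]
    if not ike:
        problems.append(f"no IKE SA for peer {peer}")
    elif ike[0]["state"] != "UP":
        problems.append(f"IKE SA for {peer} is {ike[0]['state']}, not UP")
    ipsec = [s for s in parse_ipsec_sas(ipsec_text) if s["gateway"] == peer]
    present = {s["direction"] for s in ipsec}
    for direction in ("in", "out"):
        if direction not in present:
            problems.append(f"missing {direction}bound IPsec SA for {peer}")
    for s in ipsec:
        if s["algorithm"] != expected_algorithm:
            problems.append(f"{s['direction']}bound SA uses {s['algorithm']}, expected {expected_algorithm}")
        if s["life_sec"] < min_life_sec:
            problems.append(f"{s['direction']}bound SA expires in {s['life_sec']}s")
    return (not problems, problems)


if __name__ == "__main__":
    print(tunnel_status(SAMPLE_IKE, SAMPLE_IPSEC, "203.0.113.10", "ESP:aes-cbc-128/sha1"))
    print(tunnel_status(SAMPLE_IKE, SAMPLE_IPSEC_HALF, "203.0.113.10", "ESP:aes-cbc-128/sha1"))
```

Feeding the check real output (for example via a cron job over an SSH session) turns the manual verification in this section into an alert: a one-directional SA usually means a proxy-id or traffic-selector mismatch with the peer, and a missing IKE SA points at the pre-shared key, the peer address or the external-interface setting.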
