IPsec Tunnel

1.1 Interface IP settings

IP interfaces

set network interface ethernet ethernet1/1 layer3 ip <公認IP>
set network interface ethernet ethernet1/2 layer3 ip <内部プライベートIP>

Interface zone assignment

-> trust
set zone trust network layer3 ethernet1/2

-> untrust
set zone Untrust network layer3 ethernet1/1

Tunnel interface

set network interface tunnel units tunnel.1

Zone creation

set zone [ZONE-NAME] network layer3 tunnel.1

Zone rule settings (e.g. any/any)

set rulebase security rules [RULE-NAME] from [ZONE-NAME]
set rulebase security rules [RULE-NAME] to trust
set rulebase security rules [RULE-NAME] source any
set rulebase security rules [RULE-NAME] destination any
set rulebase security rules [RULE-NAME] service any
set rulebase security rules [RULE-NAME] application any
set rulebase security rules [RULE-NAME] action allow
set rulebase security rules [RULE-NAME] log-end yes

Note: move rulebase security rules [RULE-NAME] top (when reordering rules)

1.2 Routing settings

Declare the interfaces used for routing

set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

External routing (default route)

set network virtual-router default routing-table ip static-route default nexthop ip-address <公認 IP GW>
set network virtual-router default routing-table ip static-route default interface (external interface) e.g. ethernet1/1
set network virtual-router default routing-table ip static-route default metric 10
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route default route-table unicast

Internal routing or traffic selector

set network virtual-router default routing-table ip static-route [ローカルプライベートIP-NAME] metric 10
set network virtual-router default routing-table ip static-route [ローカルプライベートIP-NAME] destination 172.16.1.0/24 [ローカルプライベートIP 目的地]
set network virtual-router default routing-table ip static-route [ローカルプライベートIP-NAME] nexthop ip-address <プライベート IP peer>
set network virtual-router default routing-table ip static-route [ローカルプライベートIP-NAME] route-table unicast

Peer tunnel private routing (proxy-id)

set network virtual-router default routing-table ip static-route [IPSEC-NAME] interface tunnel.1
set network virtual-router default routing-table ip static-route [IPSEC-NAME] metric 10
set network virtual-router default routing-table ip static-route [IPSEC-NAME] destination [Peer 内部帯域]
set network virtual-router default routing-table ip static-route [IPSEC-NAME] route-table unicast

1.3 IKEv1/2 settings

IKEv1 (phase 1: IKE crypto profile)

  • Group: 2
  • Authentication: sha-1
  • Encryption: aes-128
  • Lifetime: 28800

set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] hash sha1
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] dh-group group2
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] lifetime seconds 28800

set network ike gateway [IPSEC-GWNAME] authentication pre-shared-key key 1234567890
set network ike gateway [IPSEC-GWNAME] protocol ikev1 dpd enable yes
set network ike gateway [IPSEC-GWNAME] protocol ikev1 ike-crypto-profile [IPSECv1-NAME]
set network ike gateway [IPSEC-GWNAME] protocol ikev2 dpd enable yes
set network ike gateway [IPSEC-GWNAME] protocol version ikev1
set network ike gateway [IPSEC-GWNAME] local-address ip [Local 公認IP]
set network ike gateway [IPSEC-GWNAME] local-address interface ethernet1/1
set network ike gateway [IPSEC-GWNAME] protocol-common nat-traversal enable no
set network ike gateway [IPSEC-GWNAME] protocol-common fragmentation enable no
set network ike gateway [IPSEC-GWNAME] peer-address ip [Peer 公認IP]

IKEv2 (phase 2: IPsec crypto profile)

  • Protocol: esp
  • Authentication: sha-1
  • Encryption: aes-128
  • Lifetime: 3600

set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] dh-group no-pfs

set network tunnel ipsec [IPSEC-TNAME] auto-key ike-gateway [IPSEC-GWNAME]
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] protocol any
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] local [Local 内部帯域]
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] remote [Peer 内部帯域]
set network tunnel ipsec [IPSEC-TNAME] auto-key ipsec-crypto-profile [IPSECv2-NAME]
set network tunnel ipsec [IPSEC-TNAME] tunnel-monitor enable no
set network tunnel ipsec [IPSEC-TNAME] tunnel-interface tunnel.1
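An added example, not part of the original page: a small Python audit that parses the PAN-OS "set" commands above and flags the settings in this configuration that are worth revisiting before the tunnel goes into production (SHA-1, DH group 2, no PFS, a short numeric pre-shared key, IKEv1, tunnel monitor disabled). The profile, gateway and tunnel names in the sample are made up.

```python
# Constructed sample input: the "set" commands from this page with the
# bracketed placeholders replaced by made-up names (ike-p1, ipsec-p2, gw-peer, tun-peer).
SAMPLE_CONFIG = """\
set network ike crypto-profiles ike-crypto-profiles ike-p1 hash sha1
set network ike crypto-profiles ike-crypto-profiles ike-p1 dh-group group2
set network ike crypto-profiles ike-crypto-profiles ike-p1 encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles ipsec-p2 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles ipsec-p2 esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles ipsec-p2 dh-group no-pfs
set network ike gateway gw-peer authentication pre-shared-key key 1234567890
set network ike gateway gw-peer protocol version ikev1
set network tunnel ipsec tun-peer tunnel-monitor enable no
"""

WEAK_HASHES = {"md5", "sha1"}                    # deprecated integrity algorithms
WEAK_DH_GROUPS = {"group1", "group2", "group5"}  # MODP groups of 1536 bits or less

def parse_set_lines(text):
    """Yield (object, attribute, value) triples from PAN-OS 'set' lines."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "set":
            continue
        if t[1:4] == ["network", "ike", "crypto-profiles"]:
            # t[4] is ike-crypto-profiles or ipsec-crypto-profiles, t[5] the profile name
            attrs = t[7:] if t[6] == "esp" else t[6:]   # 'esp authentication X' -> 'authentication X'
            yield f"{t[4][:-1]} {t[5]}", attrs[0], " ".join(attrs[1:])
        elif t[1:4] == ["network", "ike", "gateway"]:
            yield f"ike-gateway {t[4]}", " ".join(t[5:-1]), t[-1]
        elif t[1:4] == ["network", "tunnel", "ipsec"]:
            yield f"ipsec-tunnel {t[4]}", " ".join(t[5:-1]), t[-1]

def audit_vpn_config(text):
    """Return 'object: finding' strings for weak or risky settings."""
    findings = []
    for obj, key, value in parse_set_lines(text):
        if key in ("hash", "authentication") and value in WEAK_HASHES:
            findings.append(f"{obj}: {key} {value} is deprecated; use sha256 or stronger")
        elif key == "dh-group" and value in WEAK_DH_GROUPS:
            findings.append(f"{obj}: dh-group {value} is too small; use group14 or higher")
        elif key == "dh-group" and value == "no-pfs":
            findings.append(f"{obj}: PFS disabled; a recovered IKE key exposes every IPsec SA")
        elif key == "authentication pre-shared-key key" and (len(value) < 20 or value.isdigit()):
            findings.append(f"{obj}: pre-shared key is short or digits-only; use a long random key")
        elif key == "protocol version" and value == "ikev1":
            findings.append(f"{obj}: IKEv1 selected; prefer ikev2 when the peer supports it")
        elif key == "tunnel-monitor enable" and value == "no":
            findings.append(f"{obj}: tunnel monitor disabled; a dead tunnel will not trigger failover")
    return findings
```

Run it over the output of "show config running" (or a saved set-format export) to get the same findings for a real device.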

Tunnel establishment (phase-1)

test vpn ike-sa gateway [IPSEC-GWNAME]

Tunnel establishment (phase-2)

test vpn ipsec-sa tunnel [IPSEC-TNAME]:[PROXY-ID-NAME]

1.4 IKEv1/2 tunnel verification

IKEv1/2 verification

show vpn flow name [IPSEC-TNAME]:[PROXY-ID-NAME]

Entering configuration mode

newen@PA-220-Active(active)> configure
Entering configuration mode
[edit]

Commit the configuration

newen@PA-220-Active(active)# commit
