IPsec tunnel
1.1 Interface IP settings
IP interfaces (PAN-OS interface names have no space, e.g. ethernet1/1)
set network interface ethernet1/1 layer3 ip <public IP>
set network interface ethernet1/2 layer3 ip <internal private IP>
Interface zone assignment (zone names are case-sensitive, so use one spelling everywhere)
-> trust
set zone trust network layer3 ethernet1/2
-> untrust
set zone untrust network layer3 ethernet1/1
Tunnel interface
set network interface tunnel units tunnel.1
Zone creation (zone for the tunnel interface)
set zone [ZONE-NAME] network layer3 tunnel.1
Zone security rule (example: any/any)
set rulebase security rules [RULE-NAME] from [ZONE-NAME]
set rulebase security rules [RULE-NAME] to trust
set rulebase security rules [RULE-NAME] source any
set rulebase security rules [RULE-NAME] destination any
set rulebase security rules [RULE-NAME] service any
set rulebase security rules [RULE-NAME] application any
set rulebase security rules [RULE-NAME] action allow
set rulebase security rules [RULE-NAME] log-end yes
Note: move rulebase security rules [RULE-NAME] top (use this to reorder the rule when editing the rulebase)
1.2 Routing settings
Declare the interfaces that belong to the virtual router
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
External routing (default route via the external interface, ethernet1/1 in this example)
set network virtual-router default routing-table ip static-route default nexthop ip-address <public IP GW>
set network virtual-router default routing-table ip static-route default interface ethernet1/1
set network virtual-router default routing-table ip static-route default metric 10
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route default route-table unicast
Internal routing or traffic selector (route to the local private network, 172.16.1.0/24 in this example, via the internal next hop)
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] metric 10
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] destination 172.16.1.0/24
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] nexthop ip-address <private IP of the internal next hop>
set network virtual-router default routing-table ip static-route [LOCAL-PRIVATE-ROUTE-NAME] route-table unicast
Route to the peer's private network through the tunnel (its destination must match the proxy-id remote network)
set network virtual-router default routing-table ip static-route [IPSEC-NAME] interface tunnel.1
set network virtual-router default routing-table ip static-route [IPSEC-NAME] metric 10
set network virtual-router default routing-table ip static-route [IPSEC-NAME] destination [Peer internal network]
set network virtual-router default routing-table ip static-route [IPSEC-NAME] route-table unicast
1.3 IKEv1/2 settings
IKEv1 (phase 1: IKE crypto profile and IKE gateway)
- DH group: 2
- Authentication (hash): sha-1
- Encryption: aes-128
- lifetime: 28800
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] hash sha1
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] dh-group group2
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles [IPSECv1-NAME] lifetime seconds 28800
set network ike gateway [IPSEC-GWNAME] authentication pre-shared-key key 1234567890
set network ike gateway [IPSEC-GWNAME] protocol ikev1 dpd enable yes
set network ike gateway [IPSEC-GWNAME] protocol ikev1 ike-crypto-profile [IPSECv1-NAME]
set network ike gateway [IPSEC-GWNAME] protocol ikev2 dpd enable yes
set network ike gateway [IPSEC-GWNAME] protocol version ikev1
set network ike gateway [IPSEC-GWNAME] local-address ip [Local public IP]
set network ike gateway [IPSEC-GWNAME] local-address interface ethernet1/1
set network ike gateway [IPSEC-GWNAME] protocol-common nat-traversal enable no
set network ike gateway [IPSEC-GWNAME] protocol-common fragmentation enable no
set network ike gateway [IPSEC-GWNAME] peer-address ip [Peer public IP]
IKEv2 (phase 2: IPsec crypto profile and IPsec tunnel)
- Protocol: esp
- Authentication: sha-1
- Encryption: aes-128
- lifetime: 3600
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles [IPSECv2-NAME] dh-group no-pfs
set network tunnel ipsec [IPSEC-TNAME] auto-key ike-gateway [IPSEC-GWNAME]
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] protocol any
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] local [Local internal network]
set network tunnel ipsec [IPSEC-TNAME] auto-key proxy-id [PROXY-ID-NAME] remote [Peer internal network]
set network tunnel ipsec [IPSEC-TNAME] auto-key ipsec-crypto-profile [IPSECv2-NAME]
set network tunnel ipsec [IPSEC-TNAME] tunnel-monitor enable no
set network tunnel ipsec [IPSEC-TNAME] tunnel-interface tunnel.1
Bring up the tunnel (phase 1, from operational mode)
test vpn ike-sa gateway [IPSEC-GWNAME]
Bring up the tunnel (phase 2, from operational mode)
test vpn ipsec-sa tunnel [IPSEC-TNAME]:[PROXY-ID-NAME]
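Before running commit, it is worth auditing the set lines from sections 1.1 to 1.3 as a whole rather than command by command. The script below is an added example written for this note; it is not part of the original and not a Palo Alto tool. It parses a transcript of set commands into small dictionaries and reports three things a reviewer checks: phase 1 / phase 2 crypto choices that fall below a baseline of DH group 14 and SHA-256 (the note's group2, sha1 and no-pfs all trip it), a proxy-id remote network with no static route pointing at a tunnel interface (the route in section 1.2 must match the proxy-id remote in 1.3), and a security rule that references a zone that was never created (zone names are case-sensitive). The sample transcript, the profile names (IKE-P1, IPSEC-P2, SITE-A, PID-1, VPN-ZONE, VPN-IN, TO-PEER) and the addresses are constructed placeholders.

```python
"""Pre-commit audit of PAN-OS `set` lines for a site-to-site IPsec tunnel.

Added example for this note (not Palo Alto's tooling). It understands only
the command shapes used in the note; other `set` lines are ignored.
"""

# Constructed sample: the note's commands with placeholder values filled in.
SAMPLE_CONFIG = """
set zone trust network layer3 ethernet1/2
set zone untrust network layer3 ethernet1/1
set zone VPN-ZONE network layer3 tunnel.1
set rulebase security rules VPN-IN from VPN-ZONE
set rulebase security rules VPN-IN to trust
set network virtual-router default routing-table ip static-route TO-PEER interface tunnel.1
set network virtual-router default routing-table ip static-route TO-PEER destination 10.20.0.0/24
set network ike crypto-profiles ike-crypto-profiles IKE-P1 hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-P1 dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-P1 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-P1 lifetime seconds 28800
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 dh-group no-pfs
set network tunnel ipsec SITE-A auto-key proxy-id PID-1 local 172.16.1.0/24
set network tunnel ipsec SITE-A auto-key proxy-id PID-1 remote 10.20.0.0/24
"""

WEAK_DH = {"group1", "group2", "group5"}   # MODP groups of 1536 bits or less
WEAK_HASH = {"md5", "sha1"}                 # baseline here is sha256 or stronger


def parse_set_lines(text):
    """Turn `set ...` lines into dicts keyed by object name."""
    cfg = {"zones": set(), "rules": {}, "routes": {}, "ike": {}, "ipsec": {}, "proxy_ids": {}}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "zone":
            cfg["zones"].add(tok[2])
        elif tok[1:4] == ["rulebase", "security", "rules"]:
            cfg["rules"].setdefault(tok[4], {})[tok[5]] = tok[6]
        elif tok[1:5] == ["network", "ike", "crypto-profiles", "ike-crypto-profiles"]:
            # key is everything between the profile name and the value, e.g. "lifetime seconds"
            cfg["ike"].setdefault(tok[5], {})[" ".join(tok[6:-1])] = tok[-1]
        elif tok[1:5] == ["network", "ike", "crypto-profiles", "ipsec-crypto-profiles"]:
            cfg["ipsec"].setdefault(tok[5], {})[" ".join(tok[6:-1])] = tok[-1]
        elif "static-route" in tok:
            i = tok.index("static-route")
            cfg["routes"].setdefault(tok[i + 1], {})[tok[i + 2]] = " ".join(tok[i + 3:])
        elif tok[1:4] == ["network", "tunnel", "ipsec"] and "proxy-id" in tok:
            i = tok.index("proxy-id")
            cfg["proxy_ids"].setdefault((tok[4], tok[i + 1]), {})[tok[i + 2]] = tok[i + 3]
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means nothing to raise before commit."""
    findings = []
    for name, p in cfg["ike"].items():
        if p.get("dh-group") in WEAK_DH:
            findings.append(f"ike-crypto-profile {name}: dh-group {p['dh-group']} is below group14 (2048-bit MODP)")
        if p.get("hash") in WEAK_HASH:
            findings.append(f"ike-crypto-profile {name}: hash {p['hash']} is below the sha256 baseline")
    for name, p in cfg["ipsec"].items():
        if p.get("dh-group") == "no-pfs":
            findings.append(f"ipsec-crypto-profile {name}: PFS disabled (dh-group no-pfs), "
                            "phase-2 keys then derive from the phase-1 secret alone")
        if p.get("esp authentication") in WEAK_HASH:
            findings.append(f"ipsec-crypto-profile {name}: esp authentication {p['esp authentication']} "
                            "is below the sha256 baseline")
    # every proxy-id remote network needs a static route that points at a tunnel interface
    tunnel_dests = {r.get("destination") for r in cfg["routes"].values()
                    if r.get("interface", "").startswith("tunnel.")}
    for (tun, pid), p in cfg["proxy_ids"].items():
        if "remote" in p and p["remote"] not in tunnel_dests:
            findings.append(f"tunnel {tun} proxy-id {pid}: remote {p['remote']} has no static route via a tunnel interface")
    # security rules must reference zones that exist (exact, case-sensitive match)
    for rname, r in cfg["rules"].items():
        for side in ("from", "to"):
            if side in r and r[side] != "any" and r[side] not in cfg["zones"]:
                findings.append(f"rule {rname}: zone {r[side]} ({side}) is not defined; zone names are case-sensitive")
    return findings


def audit_text(text):
    return audit(parse_set_lines(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script reports the four crypto findings (group2, sha1 for IKE, no-pfs and sha1 for ESP) and nothing else, because the route to 10.20.0.0/24 via tunnel.1 matches the proxy-id remote and both zones in the rule exist. Changing the rule to "to Trust" or the proxy-id remote to a network with no tunnel route adds a finding for each, which is exactly the kind of mistake that otherwise only shows up as a tunnel that negotiates but passes no traffic.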
1.4 IKEv1/2 tunnel verification
Check the IKEv1/2 tunnel status (the name is the IPsec tunnel name followed by the proxy-id)
show vpn flow name [IPSEC-TNAME]:[PROXY-ID-NAME]
Enter configuration mode (required before the set commands above)
newen@PA-220-Active(active)> configure
Entering configuration mode
[edit]
Commit the configuration
newen@PA-220-Active(active)# commit