Juniper SRX IPsec 터널

1.1 인터페이스 IP설정

IP 인터페이스

set interfaces ge-0/0/0 unit 0 family inet address <공인IP>
set interfaces ge-0/0/1 unit 0 family inet address <내부 사설IP>

터널 인터페이스

set interfaces st0 unit 0 family inet

ZONE 정책 설정(ex> any any)

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit

인터페이스 zone 할당(ex> all)

-> trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0

-> untrust
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0

1.2 라우팅 설정

외부 라우팅

set routing-options static route 0.0.0.0/0 next-hop <공인 gateway>

내부 라우팅 or traffic-selector

set routing-options static route <내부 사설IP> next-hop <내부 gateway>

set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24

peer 터널 사설 라우팅(proxy-id)

set routing-options static route <상대방 사설IP> next-hop st0.0

1.3 IKEv1/2 설정

IKEv1

  • 그룹: 2
  • 인증 방식: sha1
  • 암호화 방식: aes-128
  • lifetime: 28800
set security ike proposal <text- proposal 1> authentication-method pre-shared-keys
set security ike proposal <text- proposal 1> dh-group group2
set security ike proposal <text- proposal 1> authentication-algorithm sha1
set security ike proposal <text- proposal 1> encryption-algorithm aes-128-cbc
set security ike proposal <text- proposal 1>  lifetime-seconds 28800

set security ike policy <text- policy1> mode main
set security ike policy <text- policy1> proposals <text- proposal 1>
set security ike policy <text- policy1> pre-shared-key ascii-text <key 값>

set security ipsec policy <text- policy1> perfect-forward-secrecy keys group2
set security ipsec vpn <text-vpn1>> ike proxy-identity local <peer 공인 IP>
set security ipsec vpn <text-vpn1> ike proxy-identity remote <Local Network>
set security ipsec vpn <text-vpn1> ike proxy-identity service any

set security ike gateway <text- gateway1> ike-policy <text- policy1>
set security ike gateway <text- gateway1> address <peer 공인 IP>
set security ike gateway <text- gateway1> external-interface ge-0/0/0
set security ike gateway <text- gateway1> version v1-only *(기본 값)

IKEv2

  • 프로토콜: esp
  • 인증 방식: sha1
  • 암호화 방식: aes-128
  • lifetime: 3600
set security ipsec proposal <text-proposal 2> protocol esp
set security ipsec proposal <text-proposal 2> authentication-algorithm hmac-sha1-96
set security ipsec proposal <text-proposal 2> encryption-algorithm aes-128-cbc
set security ipsec proposal <text-proposal 2> lifetime-seconds 3600
set security ipsec policy <text- policy 2> proposals <text-proposal 2>

set security ipsec vpn <text-vpn1> bind-interface st0.0
set security ipsec vpn <text-vpn1> ike gateway <text- gateway1>
set security ipsec vpn <text-vpn1> ike ipsec-policy <text- policy 2>
set security ipsec vpn <text-vpn1> establish-tunnels immediately

set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24

1.4 IKEv1/2 터널 확인

IKEv1

SRX> show security ike security-associations
Index  State  Initiator cookie   Responder cookie  Mode Remote Address
4789230 UP    d2a027bc622f8ec6   d79c7b79fab2e1cb  Main <peer 공인 IP>

IKEv2

SRX> show security ipsec security-associations
 Total active tunnels: 1
ID     Algorithm      SPI      Life:sec/kb     Mon lsys  Port  Gateway
<131073 ESP:aes-cbc-128/sha1 4e82e2b4 3429/4607971 - root 500 <peer 공인 IP>
>131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 - root 500 <peer 공인 IP>

""에 대한 건이 검색되었습니다.

    ""에 대한 검색 결과가 없습니다.

    처리중...