Juniper SRX IPsec tunnel
1.1 Interface IP configuration
IP interfaces
set interfaces ge-0/0/0 unit 0 family inet address <public IP>
set interfaces ge-0/0/1 unit 0 family inet address <internal private IP>
Tunnel interface
set interfaces st0 unit 0 family inet
Zone policy (example: any/any)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
Assign interfaces to zones (example: all host-inbound traffic allowed)
-> trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
-> untrust
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
1.2 Routing
External (default) route
set routing-options static route 0.0.0.0/0 next-hop <public gateway>
Internal routing, or a traffic-selector
set routing-options static route <internal private network> next-hop <internal gateway>
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24
Route to the peer's private network through the tunnel (proxy-id)
set routing-options static route <peer private network> next-hop st0.0
1.3 IKEv1/2 configuration
IKEv1
- DH group: 2
- Authentication: sha1
- Encryption: aes-128
- Lifetime: 28800
set security ike proposal <text-proposal1> authentication-method pre-shared-keys
set security ike proposal <text-proposal1> dh-group group2
set security ike proposal <text-proposal1> authentication-algorithm sha1
set security ike proposal <text-proposal1> encryption-algorithm aes-128-cbc
set security ike proposal <text-proposal1> lifetime-seconds 28800
set security ike policy <text-policy1> mode main
set security ike policy <text-policy1> proposals <text-proposal1>
set security ike policy <text-policy1> pre-shared-key ascii-text <key value>
set security ipsec policy <text-policy2> perfect-forward-secrecy keys group2
set security ipsec vpn <text-vpn1> ike proxy-identity local <local private network>
set security ipsec vpn <text-vpn1> ike proxy-identity remote <peer private network>
set security ipsec vpn <text-vpn1> ike proxy-identity service any
set security ike gateway <text-gateway1> ike-policy <text-policy1>
set security ike gateway <text-gateway1> address <peer public IP>
set security ike gateway <text-gateway1> external-interface ge-0/0/0
set security ike gateway <text-gateway1> version v1-only    (default)
IKEv2
- Protocol: esp
- Authentication: sha1
- Encryption: aes-128
- Lifetime: 3600
set security ipsec proposal <text-proposal2> protocol esp
set security ipsec proposal <text-proposal2> authentication-algorithm hmac-sha1-96
set security ipsec proposal <text-proposal2> encryption-algorithm aes-128-cbc
set security ipsec proposal <text-proposal2> lifetime-seconds 3600
set security ipsec policy <text-policy2> proposals <text-proposal2>
set security ipsec vpn <text-vpn1> bind-interface st0.0
set security ipsec vpn <text-vpn1> ike gateway <text-gateway1>
set security ipsec vpn <text-vpn1> ike ipsec-policy <text-policy2>
set security ipsec vpn <text-vpn1> establish-tunnels immediately
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24
1.4 Verifying the IKEv1/2 tunnel
IKEv1
SRX> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
4789230 UP d2a027bc622f8ec6 d79c7b79fab2e1cb Main <peer public IP>
IKEv2
SRX> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 4e82e2b4 3429/4607971 - root 500 <peer public IP>
>131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 - root 500 <peer public IP>
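A small check for the output shown above, as an added example that is not part of the original notes: it parses the lines of `show security ipsec security-associations` and reports when the inbound or outbound SA for the peer is missing, when the negotiated algorithm differs from the proposal configured in 1.3, or when the SA is close to expiry. The sample output, the gateway address and the SPIs below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `show security ipsec security-associations`
# (gateway address and SPIs are made up, not taken from a real device).
SAMPLE_OUTPUT = """\
Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 4e82e2b4 3429/4607971 -  root 500  203.0.113.10
  >131073 ESP:aes-cbc-128/sha1 58407288 3429/4607971 -  root 500  203.0.113.10
"""

# One SA per line: direction marker, tunnel ID, algorithm, SPI, lifetime, monitor, lsys, port, gateway
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)

def parse_ipsec_sas(text):
    """Return one dict per SA line; '<' is the inbound SA, '>' the outbound SA."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sa = m.groupdict()
            sa["life_sec"] = int(sa["life_sec"])
            sas.append(sa)
    return sas

def check_tunnel(sas, gateway, expected_alg, min_life_sec=60):
    """Return a list of problems for the tunnel to `gateway`; empty means healthy."""
    problems = []
    by_id = defaultdict(dict)
    for sa in sas:
        if sa["gw"] == gateway:
            by_id[sa["id"]][sa["dir"]] = sa
    if not by_id:
        return [f"no IPsec SA to gateway {gateway}"]
    for sa_id, dirs in by_id.items():
        for marker, name in (("<", "inbound"), (">", "outbound")):
            if marker not in dirs:
                problems.append(f"SA {sa_id}: missing {name} SA")
        for sa in dirs.values():
            if sa["alg"] != expected_alg:
                problems.append(f"SA {sa_id}: algorithm {sa['alg']} != {expected_alg}")
            if sa["life_sec"] < min_life_sec:
                problems.append(f"SA {sa_id}: lifetime {sa['life_sec']}s, about to expire")
    return problems

if __name__ == "__main__":
    print(check_tunnel(parse_ipsec_sas(SAMPLE_OUTPUT), "203.0.113.10", "ESP:aes-cbc-128/sha1"))
```

The expected algorithm string must match the proposal in 1.3 (aes-128-cbc with hmac-sha1-96 is shown by the SRX as `ESP:aes-cbc-128/sha1`), so a mismatch here means the peer negotiated something other than what was configured.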