set system root-authentication plain-text-password
# vSRX ships without a root password and forces you to set one.
set system host-name SRX01
# Host name of the device, for easy identification.
set system time-zone Asia/Shanghai
# Time zone of the device; the time-zone file may need to be imported manually, see https://www.juniper.net/documentation/cn/zh/software/junos/time-mgmt/topics/topic-map/configure-time-zone.html
set system ntp server 1.1.1.1
# NTP server address. If the target is a host name, a DNS server must be configured as well. (Accurate time matters a great deal on security products.)
set interfaces ge-0/0/0 description LAN1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
set interfaces ge-0/0/1 description WAN1
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
# Interface descriptions and IP addresses.
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
# Default route pointing at the Internet gateway.
set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
# LAN zone: allow all system services and all protocols inbound to the device, and add ge-0/0/0.0 to the zone.
set security zones security-zone WAN
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
# WAN zone: allow only ICMP inbound to the device, and add ge-0/0/1.0 to the zone.
set security nat source rule-set LAN_to_WAN_SNAT from zone LAN
# Source zone of the NAT rule set
set security nat source rule-set LAN_to_WAN_SNAT to zone WAN
# Destination zone of the NAT rule set
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT match source-address 0.0.0.0/0
# No restriction on the source address
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT then source-nat interface
# Translate to the IP address of the egress interface.
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
# Allow all IP addresses and all applications from the LAN zone to the WAN zone.
set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.101
set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.200
# Address pool 192.168.0.0/24 and the range of addresses handed out.
set system services dhcp pool 192.168.0.0/24 name-server 114.114.114.114
# DNS server handed to clients
set system services dhcp pool 192.168.0.0/24 router 192.168.0.1
# Default gateway handed to clients
set system services dhcp pool 192.168.0.0/24 default-lease-time 3600
# Lease time of the assigned addresses
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
# Allow the DHCP service on this particular LAN-zone interface.
PS: the interface IP address must be in the same subnet as the DHCP pool. Once both are configured, the pool is associated with the interface automatically.
Lab steps
Lab topology
site1: 192.168.0.0/24
site2: 192.168.10.0/24
Step plan
Configure the st0 tunnel interface and add it to the LAN security zone.
Configure Phase 1 (IKE).
Configure Phase 2 (IPsec).
Create the st0 virtual tunnel interface and add it to the security zone (vSRX-NG01/02)
set interfaces st0 unit 0 family inet
set security zones security-zone LAN interfaces st0.0
Security policy: allow IKE into the WAN zone (vSRX-NG01/02)
set security zones security-zone WAN host-inbound-traffic system-services ike
# Let the device accept IKE negotiations arriving on the WAN zone; without this the peer's IKE packets are dropped before the gateway ever sees them.
Security policy: allow the IPsec virtual interface to reach the LAN (vSRX-NG01/02)
set security policies from-zone LAN to-zone LAN policy default-permit match source-address any
set security policies from-zone LAN to-zone LAN policy default-permit match destination-address any
set security policies from-zone LAN to-zone LAN policy default-permit match application any
set security policies from-zone LAN to-zone LAN policy default-permit then permit
# Allow interfaces in the LAN zone (now including st0.0) to reach the LAN zone, with no IP restriction.
Phase 1 IKE configuration (vSRX-NG01)
set security ike proposal TO_site1_ike_pp authentication-method pre-shared-keys
set security ike proposal TO_site1_ike_pp dh-group group19
set security ike proposal TO_site1_ike_pp encryption-algorithm aes-256-gcm
set security ike proposal TO_site1_ike_pp lifetime-seconds 86385
# IKE proposal: pre-shared-key authentication, DH group 19, aes-256-gcm encryption, 86385-second lifetime. No separate integrity algorithm is configured because aes-256-gcm provides both encryption and integrity.
set security ike policy TO_site1_ike_pl mode main
set security ike policy TO_site1_ike_pl proposals TO_site1_ike_pp
set security ike policy TO_site1_ike_pl pre-shared-key ascii-text songxwn.com
# IKE policy: main mode (an IKEv1 Phase 1 setting; it is not used once the gateway below is pinned to v2-only), bound to the proposal above, pre-shared key songxwn.com.
set security ike gateway TO_site1_ike_gw ike-policy TO_site1_ike_pl
# IKE gateway bound to the IKE policy above.
set security ike gateway TO_site1_ike_gw address 2.2.2.1
set security ike gateway TO_site1_ike_gw remote-identity hostname site2
# Peer IP address and peer identity of the IKE gateway.
set security ike gateway TO_site1_ike_gw external-interface ge-0/0/1.0
set security ike gateway TO_site1_ike_gw local-address 1.1.1.1
set security ike gateway TO_site1_ike_gw local-identity hostname site1
# Local source IP address and local identity of the IKE gateway, plus the interface the connection is established on.
set security ike gateway TO_site1_ike_gw version v2-only
# Pin the IKE version to IKEv2.
Phase 1 IKE configuration (vSRX-NG02)
set security ike proposal TO_site2_ike_pp authentication-method pre-shared-keys
set security ike proposal TO_site2_ike_pp dh-group group19
set security ike proposal TO_site2_ike_pp encryption-algorithm aes-256-gcm
set security ike proposal TO_site2_ike_pp lifetime-seconds 86385
# IKE proposal: pre-shared-key authentication, DH group 19, aes-256-gcm encryption, 86385-second lifetime. No separate integrity algorithm is configured because aes-256-gcm provides both encryption and integrity.
set security ike policy TO_site2_ike_pl mode main
set security ike policy TO_site2_ike_pl proposals TO_site2_ike_pp
set security ike policy TO_site2_ike_pl pre-shared-key ascii-text songxwn.com
# IKE policy: main mode (an IKEv1 Phase 1 setting; it is not used once the gateway below is pinned to v2-only), bound to the proposal above, pre-shared key songxwn.com. The key must be identical on both sites.
set security ike gateway TO_site2_ike_gw ike-policy TO_site2_ike_pl
# IKE gateway bound to the IKE policy above.
set security ike gateway TO_site2_ike_gw address 1.1.1.1
set security ike gateway TO_site2_ike_gw remote-identity hostname site1
# Peer IP address and peer identity of the IKE gateway (the mirror image of the site1 gateway).
set security ike gateway TO_site2_ike_gw external-interface ge-0/0/1.0
set security ike gateway TO_site2_ike_gw local-address 2.2.2.1
set security ike gateway TO_site2_ike_gw local-identity hostname site2
# Local source IP address and local identity of the IKE gateway, plus the interface the connection is established on.
set security ike gateway TO_site2_ike_gw version v2-only
# Pin the IKE version to IKEv2.
Phase 2 IPsec configuration (vSRX-NG01)
set security ipsec proposal TO_site1_ipsec_pp protocol esp
# IPsec proposal: ESP encapsulation.
set security ipsec proposal TO_site1_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec proposal TO_site1_ipsec_pp lifetime-seconds 43200
# IPsec proposal: encryption algorithm and SA lifetime.
set security ipsec policy TO_site1_ipsec_pl proposals TO_site1_ipsec_pp
set security ipsec policy TO_site1_ipsec_pl perfect-forward-secrecy keys group19
# IPsec policy bound to the proposal above, with PFS using group19.
set security ipsec vpn TO_site1_ipsec_vpn bind-interface st0.0
set security ipsec vpn TO_site1_ipsec_vpn ike gateway TO_site1_ike_gw
set security ipsec vpn TO_site1_ipsec_vpn ike ipsec-policy TO_site1_ipsec_pl
# IPsec VPN bound to tunnel interface st0.0, to IKE gateway TO_site1_ike_gw and to the IPsec policy above.
set security ipsec vpn TO_site1_ipsec_vpn traffic-selector ts-1 local-ip 192.168.0.0/24
set security ipsec vpn TO_site1_ipsec_vpn traffic-selector ts-1 remote-ip 192.168.10.0/24
# Traffic selector: local subnet 192.168.0.0/24, remote subnet 192.168.10.0/24.
set security ipsec vpn TO_site1_ipsec_vpn establish-tunnels immediately
# Negotiate the tunnel as soon as the VPN configuration change is committed.
Phase 2 IPsec configuration (vSRX-NG02)
set security ipsec proposal TO_site2_ipsec_pp protocol esp
# IPsec proposal: ESP encapsulation.
set security ipsec proposal TO_site2_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec proposal TO_site2_ipsec_pp lifetime-seconds 43200
# IPsec proposal: encryption algorithm and SA lifetime.
set security ipsec policy TO_site2_ipsec_pl proposals TO_site2_ipsec_pp
set security ipsec policy TO_site2_ipsec_pl perfect-forward-secrecy keys group19
# IPsec policy bound to the proposal above, with PFS using group19.
set security ipsec vpn TO_site2_ipsec_vpn bind-interface st0.0
set security ipsec vpn TO_site2_ipsec_vpn ike gateway TO_site2_ike_gw
set security ipsec vpn TO_site2_ipsec_vpn ike ipsec-policy TO_site2_ipsec_pl
# IPsec VPN bound to tunnel interface st0.0, to IKE gateway TO_site2_ike_gw and to the IPsec policy above.
set security ipsec vpn TO_site2_ipsec_vpn traffic-selector ts-1 local-ip 192.168.10.0/24
set security ipsec vpn TO_site2_ipsec_vpn traffic-selector ts-1 remote-ip 192.168.0.0/24
# Traffic selector: local subnet 192.168.10.0/24, remote subnet 192.168.0.0/24, the mirror image of the site1 selector. The two sides must mirror each other or the IKEv2 child SA negotiation fails.
set security ipsec vpn TO_site2_ipsec_vpn establish-tunnels immediately
# Negotiate the tunnel as soon as the VPN configuration change is committed.
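The IKE and IPsec settings of the two sites have to agree parameter for parameter, and some of them (peer address, identity, traffic selector) have to be mirror images rather than copies, which is exactly where pasting one site's block into the other goes wrong. The Python script below is an added example, not code from the original post or from Juniper: it parses `set`-style lines like the ones above for both sites (a constructed sample in that style, not a device dump), resolves the gateway, policy and proposal references, and lists every mismatch, including whether the zone that holds the IKE external-interface admits `ike` as in the WAN zone step. It only understands the statements used in this lab and assumes one IKE gateway and one VPN per site.

```python
"""Peer-consistency audit for two Junos SRX site-to-site IPsec configurations.
Added example, not code from the original post: it parses 'set ...' lines like
the ones above for vSRX-NG01 and vSRX-NG02 and reports mismatches that keep IKE
or IPsec from negotiating (addresses, identities, IKE version, DH/PFS groups,
ESP cipher, pre-shared key, traffic selectors, WAN zone not admitting ike)."""


def parse_set(config):
    """One token tuple per 'set' statement; trailing '# ...' comments are dropped."""
    tokens = (raw.split("#", 1)[0].split() for raw in config.splitlines())
    return [tuple(t[1:]) for t in tokens if t[:1] == ["set"]]


def value(stmts, *prefix):
    """Token following `prefix` in the first statement that starts with it, else None."""
    n = len(prefix)
    return next((s[n] for s in stmts if s[:n] == prefix and len(s) > n), None)


def site_model(stmts):
    """Resolve one site's gateway -> policy -> proposal chain into flat facts."""
    gw = value(stmts, "security", "ike", "gateway")
    gw_path = ("security", "ike", "gateway", gw)
    ike_pl = value(stmts, *gw_path, "ike-policy")
    ike_pp = value(stmts, "security", "ike", "policy", ike_pl, "proposals")
    vpn = value(stmts, "security", "ipsec", "vpn")
    vpn_path = ("security", "ipsec", "vpn", vpn)
    ipsec_pl = value(stmts, *vpn_path, "ike", "ipsec-policy")
    ipsec_pp = value(stmts, "security", "ipsec", "policy", ipsec_pl, "proposals")
    ts = value(stmts, *vpn_path, "traffic-selector")
    # Zone that holds the IKE external interface, and the system-services it admits.
    zone_path = ("security", "zones", "security-zone")
    ext_if = value(stmts, *gw_path, "external-interface")
    zone = next((s[3] for s in stmts if s[:3] == zone_path and s[4:6] == ("interfaces", ext_if)), None)
    services = {s[6] for s in stmts if len(s) > 6
                and s[:6] == zone_path + (zone, "host-inbound-traffic", "system-services")}
    return {
        "peer": value(stmts, *gw_path, "address"),
        "local": value(stmts, *gw_path, "local-address"),
        "peer_id": value(stmts, *gw_path, "remote-identity", "hostname"),
        "local_id": value(stmts, *gw_path, "local-identity", "hostname"),
        "version": value(stmts, *gw_path, "version"),
        "psk": value(stmts, "security", "ike", "policy", ike_pl, "pre-shared-key", "ascii-text"),
        "dh": value(stmts, "security", "ike", "proposal", ike_pp, "dh-group"),
        "esp_enc": value(stmts, "security", "ipsec", "proposal", ipsec_pp, "encryption-algorithm"),
        "pfs": value(stmts, "security", "ipsec", "policy", ipsec_pl, "perfect-forward-secrecy", "keys"),
        "ts_local": value(stmts, *vpn_path, "traffic-selector", ts, "local-ip"),
        "ts_remote": value(stmts, *vpn_path, "traffic-selector", ts, "remote-ip"),
        "wan_services": services,
    }


# Facts that must be swapped between the peers, and facts that must be identical.
MIRRORED = [("peer", "local", "IKE address"), ("peer_id", "local_id", "IKE identity"),
            ("ts_local", "ts_remote", "traffic selector")]
SHARED = [("version", "IKE version"), ("psk", "pre-shared key"), ("dh", "DH group"),
          ("esp_enc", "ESP encryption"), ("pfs", "PFS group")]


def check_pair(a, b):
    """Mismatches between two site models; an empty list means the pair is consistent."""
    findings = [f"{what} not mirrored: A.{x}={a[x]} vs B.{y}={b[y]}"
                for ka, kb, what in MIRRORED for x, y in ((ka, kb), (kb, ka)) if a[x] != b[y]]
    findings += [f"{what} differs: A={a[k]} vs B={b[k]}" for k, what in SHARED if a[k] != b[k]]
    findings += [f"site {n}: IKE external-interface zone does not admit ike"
                 for n, m in (("A", a), ("B", b)) if not m["wan_services"] & {"ike", "all"}]
    return findings


def sample_config(tag, local, local_id, peer, peer_id, ts_local, ts_remote):
    """Constructed sample in the style of the post's commands (not a real device dump)."""
    return f"""
set security zones security-zone WAN host-inbound-traffic system-services ike
set security zones security-zone WAN interfaces ge-0/0/1.0
set security ike proposal {tag}_ike_pp dh-group group19
set security ike policy {tag}_ike_pl proposals {tag}_ike_pp
set security ike policy {tag}_ike_pl pre-shared-key ascii-text songxwn.com
set security ike gateway {tag}_ike_gw ike-policy {tag}_ike_pl
set security ike gateway {tag}_ike_gw address {peer}
set security ike gateway {tag}_ike_gw remote-identity hostname {peer_id}
set security ike gateway {tag}_ike_gw external-interface ge-0/0/1.0
set security ike gateway {tag}_ike_gw local-address {local}
set security ike gateway {tag}_ike_gw local-identity hostname {local_id}
set security ike gateway {tag}_ike_gw version v2-only
set security ipsec proposal {tag}_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec policy {tag}_ipsec_pl proposals {tag}_ipsec_pp
set security ipsec policy {tag}_ipsec_pl perfect-forward-secrecy keys group19
set security ipsec vpn {tag}_ipsec_vpn ike gateway {tag}_ike_gw
set security ipsec vpn {tag}_ipsec_vpn ike ipsec-policy {tag}_ipsec_pl
set security ipsec vpn {tag}_ipsec_vpn traffic-selector ts-1 local-ip {ts_local}
set security ipsec vpn {tag}_ipsec_vpn traffic-selector ts-1 remote-ip {ts_remote}
"""


SITE1 = sample_config("TO_site1", "1.1.1.1", "site1", "2.2.2.1", "site2", "192.168.0.0/24", "192.168.10.0/24")
SITE2 = sample_config("TO_site2", "2.2.2.1", "site2", "1.1.1.1", "site1", "192.168.10.0/24", "192.168.0.0/24")
# Copy-paste slip: site2 keeps site1's selector unchanged, so the two selectors no longer mirror.
SITE2_BAD_TS = sample_config("TO_site2", "2.2.2.1", "site2", "1.1.1.1", "site1", "192.168.0.0/24", "192.168.10.0/24")


def audit(cfg_a, cfg_b):
    """Parse both configs and return the list of findings (empty when consistent)."""
    return check_pair(site_model(parse_set(cfg_a)), site_model(parse_set(cfg_b)))


if __name__ == "__main__":
    print(audit(SITE1, SITE2) or "consistent", audit(SITE1, SITE2_BAD_TS), sep="\n")
```

For the correct pair the audit returns no findings; for the copy-paste variant it returns two traffic-selector findings, one from each side's point of view. On the device the same mismatches show up as a missing SA in `show security ike security-associations` or `show security ipsec security-associations`, so the script is a way to catch them before commit rather than after.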