Juniper SRX Firewall IPsec VPN, Site-to-Site

This article was last updated on the afternoon of March 26, 2024.

Introduction

The lab is built in the PNET-LAB emulator using the vSRX-NG 23.4R1.9 image.

Lab requirements

Configure a route-based IPsec VPN between two firewalls so that the internal networks of the two sites can reach each other.

The ISP router is emulated with Cisco IOS.

Base configuration reference: https://songxwn.com/Juniper-SRX-snat/

Basic SRX configuration

set system root-authentication plain-text-password
# vSRX has no root password by default and will insist that one is set.
set system host-name SRX01
# Set the device host name so it is easy to identify.
set system time-zone Asia/Shanghai
# Set the device time zone; the time-zone file may have to be imported manually. https://www.juniper.net/documentation/cn/zh/software/junos/time-mgmt/topics/topic-map/configure-time-zone.html
set system ntp server 1.1.1.1
# Set the NTP server address. If the target is a domain name, a DNS server must be configured too. (Accurate time matters on security products.)
set interfaces ge-0/0/0 description LAN1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
set interfaces ge-0/0/1 description WAN1
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
# Set interface descriptions and IP addresses.
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
# Default route pointing at the Internet gateway.
set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
# LAN zone: allow all system services and all protocols inbound to the device, and add ge-0/0/0.0 to the zone.
set security zones security-zone WAN
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
# WAN zone: allow only ICMP inbound to the device, and add ge-0/0/1.0 to the zone.
set security nat source rule-set LAN_to_WAN_SNAT from zone LAN
# Source zone of the NAT rule set
set security nat source rule-set LAN_to_WAN_SNAT to zone WAN
# Destination zone of the NAT rule set
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT match source-address 0.0.0.0/0
# No restriction on the source address
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT then source-nat interface
# Translate to the egress interface IP.
set security policies from-zone trust to-zone untrust policy default-permit then permit
# Policy for the factory-default trust/untrust zones; the LAN/WAN zones used in this lab rely on the policy below.
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
# Allow any IP and any application from the LAN zone to the WAN zone.
set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.101
set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.200
# DHCP pool 192.168.0.0/24 with its assignable address range.
set system services dhcp pool 192.168.0.0/24 name-server 114.114.114.114
# DNS server handed out to clients
set system services dhcp pool 192.168.0.0/24 router 192.168.0.1
# Default gateway handed out to clients
set system services dhcp pool 192.168.0.0/24 default-lease-time 3600
# Lease time
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
# Allow DHCP on the specified LAN-zone interface.
Note: the interface IP address must be in the same subnet as the DHCP pool; once both are configured, the pool is associated with the interface automatically.

Lab steps

Lab topology

Site 1: 192.168.0.0/24

Site 2: 192.168.10.0/24

Step plan

  1. Configure the st0 tunnel interface and add it to the LAN security zone.

  2. Configure phase 1 (IKE).

  3. Configure phase 2 (IPsec).

Create the st0 tunnel interface and add it to the security zone (vSRX-NG01/02)

set interfaces st0 unit 0 family inet
# Create the secure tunnel interface st0.0 (IPv4, no address needed for a point-to-point route-based VPN).
set security zones security-zone LAN interfaces st0.0
# Place st0.0 in the LAN zone so the tunnel is treated like an internal interface.

Security policy: allow IKE into the WAN zone (vSRX-NG01/02)

set security zones security-zone WAN host-inbound-traffic system-services ike
# Without this, the SRX drops the peer's IKE (UDP 500/4500) packets arriving on the WAN interface.

Security policy: allow the IPsec tunnel interface to reach the LAN (vSRX-NG01/02)

set security policies from-zone LAN to-zone LAN policy default-permit match source-address any
set security policies from-zone LAN to-zone LAN policy default-permit match destination-address any
set security policies from-zone LAN to-zone LAN policy default-permit match application any
set security policies from-zone LAN to-zone LAN policy default-permit then permit
# Allow interfaces in the LAN zone to reach the LAN zone (intra-zone traffic, including st0.0), with no IP restriction.

Phase 1 IKE configuration (vSRX-NG01)

set security ike proposal TO_site1_ike_pp authentication-method pre-shared-keys
set security ike proposal TO_site1_ike_pp dh-group group19
set security ike proposal TO_site1_ike_pp encryption-algorithm aes-256-gcm
set security ike proposal TO_site1_ike_pp lifetime-seconds 86385

# IKE proposal: authentication by pre-shared key, DH group 19, encryption algorithm aes-256-gcm, lifetime 86385 seconds.
# No integrity algorithm is configured because aes-256-gcm is an AEAD cipher that provides both encryption and integrity.

set security ike policy TO_site1_ike_pl mode main
set security ike policy TO_site1_ike_pl proposals TO_site1_ike_pp
set security ike policy TO_site1_ike_pl pre-shared-key ascii-text songxwn.com
# IKE policy: main mode, referencing the proposal above, with pre-shared key songxwn.com.
# mode applies to IKEv1 only and has no effect once version v2-only is set below; the PSK is a lab value, use a long random one in production.

set security ike gateway TO_site1_ike_gw ike-policy TO_site1_ike_pl
# IKE gateway referencing the IKE policy above.

set security ike gateway TO_site1_ike_gw address 2.2.2.1
set security ike gateway TO_site1_ike_gw remote-identity hostname site2
# Peer IP address and peer identity of the IKE gateway.

set security ike gateway TO_site1_ike_gw external-interface ge-0/0/1.0
set security ike gateway TO_site1_ike_gw local-address 1.1.1.1
set security ike gateway TO_site1_ike_gw local-identity hostname site1
# Local source IP address and local identity of the IKE gateway, plus the interface used to build the connection.

set security ike gateway TO_site1_ike_gw version v2-only
# Force IKE version 2.

Phase 1 IKE configuration (vSRX-NG02)

set security ike proposal TO_site2_ike_pp authentication-method pre-shared-keys
set security ike proposal TO_site2_ike_pp dh-group group19
set security ike proposal TO_site2_ike_pp encryption-algorithm aes-256-gcm
set security ike proposal TO_site2_ike_pp lifetime-seconds 86385
# IKE proposal: authentication by pre-shared key, DH group 19, encryption algorithm aes-256-gcm, lifetime 86385 seconds.
# No integrity algorithm is configured because aes-256-gcm is an AEAD cipher that provides both encryption and integrity.

set security ike policy TO_site2_ike_pl mode main
set security ike policy TO_site2_ike_pl proposals TO_site2_ike_pp
set security ike policy TO_site2_ike_pl pre-shared-key ascii-text songxwn.com
# IKE policy: main mode, referencing the proposal above, with pre-shared key songxwn.com (it must be identical on both sites).
# mode applies to IKEv1 only and has no effect once version v2-only is set below.

set security ike gateway TO_site2_ike_gw ike-policy TO_site2_ike_pl
# IKE gateway referencing the IKE policy above.

set security ike gateway TO_site2_ike_gw address 1.1.1.1
set security ike gateway TO_site2_ike_gw remote-identity hostname site1
# Peer IP address and peer identity of the IKE gateway.

set security ike gateway TO_site2_ike_gw external-interface ge-0/0/1.0
set security ike gateway TO_site2_ike_gw local-address 2.2.2.1
set security ike gateway TO_site2_ike_gw local-identity hostname site2
# Local source IP address and local identity of the IKE gateway, plus the interface used to build the connection.

set security ike gateway TO_site2_ike_gw version v2-only
# Force IKE version 2.

Phase 2 IPsec configuration (vSRX-NG01)

set security ipsec proposal TO_site1_ipsec_pp protocol esp
# IPsec proposal: use ESP as the encapsulation protocol.
set security ipsec proposal TO_site1_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec proposal TO_site1_ipsec_pp lifetime-seconds 43200
# IPsec proposal: encryption algorithm and lifetime.
set security ipsec policy TO_site1_ipsec_pl proposals TO_site1_ipsec_pp
set security ipsec policy TO_site1_ipsec_pl perfect-forward-secrecy keys group19
# IPsec policy referencing the IPsec proposal above, with PFS using group19.
set security ipsec vpn TO_site1_ipsec_vpn bind-interface st0.0
set security ipsec vpn TO_site1_ipsec_vpn ike gateway TO_site1_ike_gw
set security ipsec vpn TO_site1_ipsec_vpn ike ipsec-policy TO_site1_ipsec_pl
# IPsec VPN: bind it to tunnel interface st0.0, reference IKE gateway TO_site1_ike_gw and the IPsec policy.
set security ipsec vpn TO_site1_ipsec_vpn traffic-selector ts-1 local-ip 192.168.0.0/24
set security ipsec vpn TO_site1_ipsec_vpn traffic-selector ts-1 remote-ip 192.168.10.0/24
# Traffic selector: local subnet 192.168.0.0/24, remote subnet 192.168.10.0/24.
set security ipsec vpn TO_site1_ipsec_vpn establish-tunnels immediately
# Negotiate the tunnel as soon as the VPN configuration is committed, instead of waiting for interesting traffic.

Phase 2 IPsec configuration (vSRX-NG02)

set security ipsec proposal TO_site2_ipsec_pp protocol esp
# IPsec proposal: use ESP as the encapsulation protocol.
set security ipsec proposal TO_site2_ipsec_pp encryption-algorithm aes-256-gcm
set security ipsec proposal TO_site2_ipsec_pp lifetime-seconds 43200
# IPsec proposal: encryption algorithm and lifetime.
set security ipsec policy TO_site2_ipsec_pl proposals TO_site2_ipsec_pp
set security ipsec policy TO_site2_ipsec_pl perfect-forward-secrecy keys group19
# IPsec policy referencing the IPsec proposal above, with PFS using group19.
set security ipsec vpn TO_site2_ipsec_vpn bind-interface st0.0
set security ipsec vpn TO_site2_ipsec_vpn ike gateway TO_site2_ike_gw
set security ipsec vpn TO_site2_ipsec_vpn ike ipsec-policy TO_site2_ipsec_pl
# IPsec VPN: bind it to tunnel interface st0.0, reference IKE gateway TO_site2_ike_gw and the IPsec policy.
set security ipsec vpn TO_site2_ipsec_vpn traffic-selector ts-1 local-ip 192.168.10.0/24
set security ipsec vpn TO_site2_ipsec_vpn traffic-selector ts-1 remote-ip 192.168.0.0/24
# Traffic selector: local subnet 192.168.10.0/24, remote subnet 192.168.0.0/24 (the mirror image of site 1's selector; copying site 1's values verbatim will not match and the tunnel will not come up).
set security ipsec vpn TO_site2_ipsec_vpn establish-tunnels immediately
# Negotiate the tunnel as soon as the VPN configuration is committed, instead of waiting for interesting traffic.

Note: to add another subnet, just add a second traffic selector (ts-2), but remember to permit that traffic in the security policy as well.
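As an added example (not part of the original post and not Juniper's tooling), the following Python script checks two sites' `set` configurations against each other before commit: each gateway address must equal the peer's local-address, the proposal parameters both ends must agree on must match, and every traffic selector must be mirrored rather than copied verbatim (the same check covers additional selectors such as ts-2). The sample configs and the short names pp/gw/v/ts-1 are constructed for the demonstration.

```python
# Added example (not the post's or Juniper's code); sample configs below are constructed in this post's style.
def parse_set_lines(text):  # token lists of all `set` lines, comments and blank lines dropped
    lines = (ln.split("#", 1)[0].split() for ln in text.splitlines())
    return [t[1:] for t in lines if t and t[0] == "set"]

def value(cfg, *keys):
    """Token after the last key, on the first line that holds the keys in order."""
    for toks in cfg:
        pos, ok = -1, True
        for k in keys:
            ok = ok and k in toks[pos + 1:]
            pos = toks.index(k, pos + 1) if ok else pos
        if ok and pos + 1 < len(toks):
            return toks[pos + 1]
    return None

def selectors(cfg):
    """traffic-selector name -> {'local-ip': ..., 'remote-ip': ...}."""
    ts = {}
    for toks in cfg:
        if "traffic-selector" in toks:
            i = toks.index("traffic-selector")
            ts.setdefault(toks[i + 1], {})[toks[i + 2]] = toks[i + 3]
    return ts
# parameters both peers must agree on (this post uses group19 / aes-256-gcm / PFS group19)
MUST_MATCH = (("ike", "proposal", "dh-group"), ("ike", "proposal", "encryption-algorithm"),
              ("ipsec", "policy", "perfect-forward-secrecy", "keys"))

def check_pair(text_a, text_b):
    """Return the mismatches between site A and site B (empty list = consistent)."""
    a, b = parse_set_lines(text_a), parse_set_lines(text_b)
    problems = ["mismatch: " + " ".join(k) for k in MUST_MATCH if value(a, *k) != value(b, *k)]
    for x, y, tag in ((a, b, "A"), (b, a, "B")):  # my gateway address must be their local-address
        if value(x, "ike", "gateway", "address") != value(y, "ike", "gateway", "local-address"):
            problems.append(f"site {tag}: gateway address != peer local-address")
    for name, sel in selectors(a).items():  # each selector must be mirrored, not copied verbatim
        peer = selectors(b).get(name, {})
        if (sel.get("local-ip"), sel.get("remote-ip")) != (peer.get("remote-ip"), peer.get("local-ip")):
            problems.append(f"traffic-selector {name}: not mirrored between sites")
    return problems

def site_cfg(wan, peer_wan, local_lan, remote_lan, dh="group19"):
    """Constructed minimal per-site snippet in this post's style (gateway + one selector)."""
    return f"""set security ike proposal pp dh-group {dh}
set security ike gateway gw address {peer_wan}
set security ike gateway gw local-address {wan}
set security ipsec vpn v traffic-selector ts-1 local-ip {local_lan}
set security ipsec vpn v traffic-selector ts-1 remote-ip {remote_lan}"""
SITE1 = site_cfg("1.1.1.1", "2.2.2.1", "192.168.0.0/24", "192.168.10.0/24")
SITE2_OK = site_cfg("2.2.2.1", "1.1.1.1", "192.168.10.0/24", "192.168.0.0/24")
SITE2_COPIED = site_cfg("2.2.2.1", "1.1.1.1", "192.168.0.0/24", "192.168.10.0/24")  # not swapped
```

Running check_pair(SITE1, SITE2_COPIED) reports the unmirrored ts-1 selector, while check_pair(SITE1, SITE2_OK) returns an empty list.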

Verification

Web management verification

CLI verification

show security ike security-associations
# Show the current state of the IKE SAs
show security ipsec security-associations
# Show the current state of the IPsec SAs
show security ipsec statistics
# Show IPsec statistics (encrypted/decrypted packet counters, errors)
restart ipsec-key-management
# Restart the IPsec key-management process (tears down and renegotiates the SAs)

Ping verification

Official documentation

Official VPN configuration generator

https://support.juniper.net/support/tools/vpnconfig/

DH-Group

group1—768-bit Modular Exponential (MODP) algorithm.

group2—1024-bit MODP algorithm.

group5—1536-bit MODP algorithm.

group14—2048-bit MODP group.

group15—3072-bit MODP algorithm.

group16—4096-bit MODP algorithm.

group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.

group20—384-bit random ECP groups algorithm.

group21—521-bit random ECP groups algorithm.

group24—2048-bit MODP Group with 256-bit prime order subgroup.


https://songxwn.com/Juniper-SRX-IPsec/
Author: Song
Published on March 22, 2024
Updated on March 26, 2024