Notes from testing an IPsec VPN connection between a Juniper Networks SRX100 and an SSG5.
This is a follow-up to the earlier post on connecting to the RTX1000.
The basic SRX100 configuration is the same as in that RTX1000 post, so the same settings (apart from IP addresses and the like) should also bring up a tunnel between the RTX1000 and the SSG5.
IPsec parameters
SRX100 public IP: 1.2.3.1
SSG5 public IP: 1.2.3.3
Phase 1 settings
Authentication method: pre-shared key
Phase 1 exchange mode: main mode
DH group 2
SHA-1
AES 128-bit CBC
Lifetime: 3600 seconds
Phase 2 settings
ESP
AES 128-bit CBC
HMAC-SHA1
No PFS
Lifetime: 3600 seconds
Tunnel mode
The pre-shared key is "password1234".
The SRX100 was built as the hub (center) side.
SRX100 config
set interfaces st0 unit 2 family inet
set security ike proposal test-p1-proposal
set security ike proposal test-p1-proposal authentication-method pre-shared-keys
set security ike proposal test-p1-proposal dh-group group2
set security ike proposal test-p1-proposal authentication-algorithm sha1
set security ike proposal test-p1-proposal encryption-algorithm aes-128-cbc
set security ike proposal test-p1-proposal lifetime-seconds 3600
set security ike policy test-p1-policy
set security ike policy test-p1-policy mode main
set security ike policy test-p1-policy proposals test-p1-proposal
set security ike policy test-p1-policy pre-shared-key ascii-text password1234
set security ike gateway test-p1-gw2
set security ike gateway test-p1-gw2 ike-policy test-p1-policy
set security ike gateway test-p1-gw2 address 1.2.3.3
set security ike gateway test-p1-gw2 external-interface fe-0/0/0
set security ipsec proposal test-p2-proposal
set security ipsec proposal test-p2-proposal protocol esp
set security ipsec proposal test-p2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal test-p2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal test-p2-proposal lifetime-seconds 3600
set security ipsec policy test-p2-policy
set security ipsec policy test-p2-policy proposals test-p2-proposal
set security ipsec vpn test-vpn2
set security ipsec vpn test-vpn2 bind-interface st0.2
set security ipsec vpn test-vpn2 ike gateway test-p1-gw2
set security ipsec vpn test-vpn2 ike proxy-identity local 172.16.1.0/24
set security ipsec vpn test-vpn2 ike proxy-identity remote 172.16.10.0/24
set security ipsec vpn test-vpn2 ike ipsec-policy test-p2-policy
set security ipsec vpn test-vpn2 establish-tunnels immediately
set security zones security-zone trust address-book address net3 172.16.10.0/24
set security policies from-zone trust to-zone trust policy n1-n3-poli
set security policies from-zone trust to-zone trust policy n1-n3-poli match source-address net1
set security policies from-zone trust to-zone trust policy n1-n3-poli match destination-address net3
set security policies from-zone trust to-zone trust policy n1-n3-poli match application any
set security policies from-zone trust to-zone trust policy n1-n3-poli then permit
set security policies from-zone trust to-zone trust policy n3-n1-poli
set security policies from-zone trust to-zone trust policy n3-n1-poli match source-address net3
set security policies from-zone trust to-zone trust policy n3-n1-poli match destination-address net1
set security policies from-zone trust to-zone trust policy n3-n1-poli match application any
set security policies from-zone trust to-zone trust policy n3-n1-poli then permit
set security zones security-zone trust interfaces st0.2
set routing-options static route 172.16.10.0/24 next-hop st0.2
Notes: the pre-shared key belongs directly under the IKE policy (not under proposals), the ipsec proposal keyword is protocol, and the two security policies pair net1 (assumed to be the existing address-book entry for 172.16.1.0/24 from the RTX1000 setup) with net3, the 172.16.10.0/24 entry added above.
SSG5 config
set interface ethernet0/0 ip 1.2.3.3/27
set interface bgroup0 ip 172.16.10.254/24
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set flow tcp-mss 1350
set ike p1-proposal "pre-g2-aes128cbc-sha1-3600" preshare group2 esp aes128 sha-1 second 3600
set ike p2-proposal "p2-srx100" no-pfs esp aes128 sha-1 second 3600
set ike gateway "gw-test" address 1.2.3.1 Main outgoing-interface "ethernet0/0" preshare password1234 proposal "pre-g2-aes128cbc-sha1-3600"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
set vpn "vpn-test" gateway "gw-test" no-replay tunnel idletime 0 proposal "p2-srx100"
set vpn "vpn-test" monitor rekey
set vpn "vpn-test" id 0x1 bind interface tunnel.1
set vpn "vpn-test" proxy-id local-ip 172.16.10.0/24 remote-ip 172.16.1.0/24 "ANY"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set route 172.16.1.0/24 interface tunnel.1
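A proposal or proxy-id mismatch between the two sides is the usual reason no SA ever appears, so as an added cross-check (example code written for this page, not from the post or from Juniper) the Python below parses the parameter-bearing lines of both configs, normalizes the Junos and ScreenOS spellings of the same algorithms, and reports every Phase 1, Phase 2 or proxy-id disagreement. The config excerpts are constructed from the values in this post.

```python
import re
# Constructed excerpts of the two configs in this post (not full device dumps).
SRX_CFG = """set security ike proposal test-p1-proposal dh-group group2
set security ike proposal test-p1-proposal authentication-algorithm sha1
set security ike proposal test-p1-proposal encryption-algorithm aes-128-cbc
set security ike proposal test-p1-proposal lifetime-seconds 3600
set security ipsec proposal test-p2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal test-p2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal test-p2-proposal lifetime-seconds 3600
set security ipsec vpn test-vpn2 ike proxy-identity local 172.16.1.0/24
set security ipsec vpn test-vpn2 ike proxy-identity remote 172.16.10.0/24"""
SSG_CFG = """set ike p1-proposal "pre-g2-aes128cbc-sha1-3600" preshare group2 esp aes128 sha-1 second 3600
set ike p2-proposal "p2-srx100" no-pfs esp aes128 sha-1 second 3600
set vpn "vpn-test" proxy-id local-ip 172.16.10.0/24 remote-ip 172.16.1.0/24 "ANY\""""

# Junos and ScreenOS spell the same algorithms differently; map both to one token.
NORM = {"aes-128-cbc": "aes128", "hmac-sha1-96": "sha1", "sha-1": "sha1"}
KEYS = ("encryption-algorithm", "authentication-algorithm", "lifetime-seconds")

def parse_srx(cfg):
    p = {"p1": {}, "p2": {"pfs": "none"}, "proxy": {}}  # no PFS unless the ipsec policy sets it
    for line in cfg.splitlines():
        if m := re.match(r"set security (ike|ipsec) proposal \S+ (\S+) (\S+)$", line):
            p["p1" if m[1] == "ike" else "p2"][m[2]] = NORM.get(m[3], m[3])
        elif m := re.match(r"set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)", line):
            p["p2"]["pfs"] = m[1]
        elif m := re.match(r"set security ipsec vpn \S+ ike proxy-identity (local|remote) (\S+)", line):
            p["proxy"][m[1]] = m[2]
    return p

def parse_ssg(cfg):
    p = {"p1": {}, "p2": {}, "proxy": {}}
    for line in cfg.splitlines():
        # p1: preshare <dh-group> esp <enc> <auth> second <life>; p2: <pfs-group|no-pfs> esp <enc> <auth> second <life>
        if m := re.match(r'set ike (p1|p2)-proposal "[^"]+" (?:preshare )?(\S+) esp (\S+) (\S+) second (\d+)', line):
            vals = dict(zip(KEYS, (NORM.get(m[3], m[3]), NORM.get(m[4], m[4]), m[5])))
            vals["dh-group" if m[1] == "p1" else "pfs"] = "none" if m[2] == "no-pfs" else m[2]
            p[m[1]] = vals
        elif m := re.match(r'set vpn "[^"]+" proxy-id local-ip (\S+) remote-ip (\S+)', line):
            p["proxy"] = {"local": m[1], "remote": m[2]}
    return p

def compare(srx, ssg):
    """List every parameter the peers disagree on; an empty list means they should negotiate."""
    issues = [f"{ph} {k}: SRX={srx[ph].get(k)} SSG={v}"
              for ph in ("p1", "p2") for k, v in ssg[ph].items() if srx[ph].get(k) != v]
    # Proxy IDs must be mirrored: the local subnet on one side is the remote subnet on the other.
    if (srx["proxy"].get("local"), srx["proxy"].get("remote")) != (ssg["proxy"].get("remote"), ssg["proxy"].get("local")):
        issues.append(f"proxy-id not mirrored: SRX={srx['proxy']} SSG={ssg['proxy']}")
    return issues
```

Run `compare(parse_srx(SRX_CFG), parse_ssg(SSG_CFG))` against the post's values and the list comes back empty; flip the SSG5 proposal to a PFS group or change one proxy subnet and the offending parameter is named.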
Verification commands
For the SRX100
show log kmd
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
For the SSG5
get sa active
It may be better to configure the SSG5 while checking the result in the GUI.