Configuring a Site-to-Site VPN between an Edge Gateway and a Juniper SRX
Diagram:
Detailed tunnel parameters are described in a separate article.
Configuration on the virtual data center side:
- Right-click the Edge Gateway and select Edge Gateway Services.
- On the VPN tab, enable Enable VPN (IPsec VPN service status for an advanced gateway).
- Click Add to add a tunnel (the "+" button on the IPsec VPN Sites tab for an advanced gateway).
- Enter the tunnel name; in the Establish VPN to: field select "a remote network"; in Local Networks select the virtual data center network; in Peer Networks specify the internal networks of the remote data center; in Local ID enter the Edge address; in Peer ID / Peer IP enter the address of the remote router; select the Encryption Protocol.
Configuration on the Juniper SRX side:
- Create the tunnel interface, the security zone and a static route to the VDC network:
# set interfaces st0 unit 1 description CLOUD
# set security zones security-zone VPN interfaces st0.1
# set routing-options static route 192.168.3.0/24 next-hop st0.1
- Configure IKE phase 1:
# set security ike proposal PRP-IKE-EDGE authentication-method pre-shared-keys
# set security ike proposal PRP-IKE-EDGE dh-group group14
# set security ike proposal PRP-IKE-EDGE authentication-algorithm sha1
# set security ike proposal PRP-IKE-EDGE encryption-algorithm aes-128-cbc
# set security ike proposal PRP-IKE-EDGE lifetime-seconds 28800
# set security ike policy POL-IKE-EDGE mode main
# set security ike policy POL-IKE-EDGE proposals PRP-IKE-EDGE
# set security ike policy POL-IKE-EDGE pre-shared-key ascii-text <pre-shared-key>
# set security ike gateway GWY-EDGE ike-policy POL-IKE-EDGE
# set security ike gateway GWY-EDGE address 178.170.172.165
# set security ike gateway GWY-EDGE external-interface ge0/0.1
# set security ike gateway GWY-EDGE local-address 212.232.58.14
- Configure IKE phase 2:
# set security ipsec proposal PRP-IPS-EDGE protocol esp
# set security ipsec proposal PRP-IPS-EDGE authentication-algorithm hmac-sha1-96
# set security ipsec proposal PRP-IPS-EDGE encryption-algorithm aes-128-cbc
# set security ipsec proposal PRP-IPS-EDGE lifetime-seconds 3600
# set security ipsec policy POL-IPS-EDGE perfect-forward-secrecy keys group14
# set security ipsec policy POL-IPS-EDGE proposals PRP-IPS-EDGE
# set security ipsec vpn VPN-EDGE bind-interface st0.1
# set security ipsec vpn VPN-EDGE ike gateway GWY-EDGE
# set security ipsec vpn VPN-EDGE ike proxy-identity local 192.168.1.0/24 remote 192.168.3.0/24 service any
# set security ipsec vpn VPN-EDGE ike ipsec-policy POL-IPS-EDGE
# set security ipsec vpn VPN-EDGE establish-tunnels immediately
- Configure the permitting security policies and apply the changes:
# set security policies from-zone VPN to-zone LAN policy Allow_ANY match source-address any
# set security policies from-zone VPN to-zone LAN policy Allow_ANY match destination-address any
# set security policies from-zone VPN to-zone LAN policy Allow_ANY match application any
# set security policies from-zone VPN to-zone LAN policy Allow_ANY then permit
# set security policies from-zone LAN to-zone VPN policy Allow_ANY match source-address any
# set security policies from-zone LAN to-zone VPN policy Allow_ANY match destination-address any
# set security policies from-zone LAN to-zone VPN policy Allow_ANY match application any
# set security policies from-zone LAN to-zone VPN policy Allow_ANY then permit
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match source-address 178.170.172.165/32
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match destination-address any
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match application junos-ike
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE then permit
# commit
- Verify the configured tunnel:
> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2889938 UP cd87ba170d9fd401 978fbcb18f5feb82 Main 178.170.172.165
> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha1 b81ee807 258/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c0bc14ab 258/ unlim - root 500 178.170.172.165
<131074 ESP:aes-cbc-128/sha1 5c13c32b 3124/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c5d7bd1c 3124/ unlim - root 500 178.170.172.165
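Reading the two tables by eye works once; for a recurring check it helps to parse the IPsec SA output and confirm that every SA id has both an inbound ("<") and an outbound (">") half, that the peer and algorithm are the ones configured above, and that lifetimes have not run out. The script below is an added example written for this page, not Juniper code; the sample input is the verification output shown above, pasted in verbatim, and the column layout it expects is taken from that output rather than from a Junos specification.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the "show security ipsec security-associations"
# output from the verification step above, pasted verbatim.
SAMPLE_OUTPUT = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha1 b81ee807 258/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c0bc14ab 258/ unlim - root 500 178.170.172.165
<131074 ESP:aes-cbc-128/sha1 5c13c32b 3124/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c5d7bd1c 3124/ unlim - root 500 178.170.172.165
"""


@dataclass
class IpsecSA:
    sa_id: int
    direction: str  # "<" = inbound, ">" = outbound
    algorithm: str
    spi: str
    life_sec: int
    gateway: str


# One SA row: the direction marker is glued to the ID, the rest is whitespace-separated.
SA_ROW = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<life>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)$"
)
TUNNEL_COUNT = re.compile(r"^Total active tunnels:\s*(\d+)$")


def parse_ipsec_sas(text: str) -> list[IpsecSA]:
    """Extract every SA row from the command output; header and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            sas.append(IpsecSA(int(m["id"]), m["dir"], m["alg"], m["spi"],
                               int(m["life"]), m["gw"]))
    return sas


def active_tunnel_count(text: str) -> int:
    """Read the 'Total active tunnels' summary line; 0 if it is absent."""
    for line in text.splitlines():
        m = TUNNEL_COUNT.match(line.strip())
        if m:
            return int(m.group(1))
    return 0


def check_tunnel(sas: list[IpsecSA], expected_gateway: str, expected_algorithm: str) -> list[str]:
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    if not sas:
        return ["no IPsec SAs installed: the tunnel is down"]
    findings = []
    directions: dict[int, set[str]] = {}
    for sa in sas:
        directions.setdefault(sa.sa_id, set()).add(sa.direction)
        if sa.gateway != expected_gateway:
            findings.append(f"SA {sa.sa_id}: unexpected peer {sa.gateway}")
        if sa.algorithm != expected_algorithm:
            findings.append(f"SA {sa.sa_id}: unexpected algorithm {sa.algorithm}")
        if sa.life_sec <= 0:
            findings.append(f"SA {sa.sa_id}/{sa.spi}: lifetime exhausted")
    # Each SA id must have both an inbound and an outbound half.
    for sa_id, dirs in directions.items():
        if dirs != {"<", ">"}:
            findings.append(f"SA {sa_id}: only one direction installed ({''.join(sorted(dirs))})")
    return findings


if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE_OUTPUT)
    print(f"tunnels: {active_tunnel_count(SAMPLE_OUTPUT)}, SA rows: {len(sas)}")
    for finding in check_tunnel(sas, "178.170.172.165", "ESP:aes-cbc-128/sha1"):
        print("FINDING:", finding)
```

In the sample the same id 131074 appears twice per direction with different remaining lifetimes (258 s and 3124 s): the older pair is still within its lifetime while the freshly rekeyed pair is already installed, so this is a normal rekey, not a fault. An IKE SA in state UP on its own says nothing about traffic; the phase 2 table is what shows whether the configured proxy identities actually negotiated.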
Note:
If you need multiple security associations between more than two networks, use the ipsec vpn traffic-selector directive, one per required SA, instead of ipsec vpn ike proxy-identity. Example: add the subnet 192.168.4.0/24 on the virtual data center side:
deactivate security ipsec vpn VPN-EDGE ike proxy-identity
set security ipsec vpn VPN-EDGE traffic-selector ts1 local-ip 192.168.1.0/24 remote-ip 192.168.3.0/24
set security ipsec vpn VPN-EDGE traffic-selector ts2 local-ip 192.168.1.0/24 remote-ip 192.168.4.0/24
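With several subnets on both sides the number of selectors grows quickly and a hand-written list is easy to get wrong. The generator below is an added example for this page, not Juniper or VMware code; it builds the deactivate and traffic-selector commands for every local/remote pair, rejects prefixes with host bits set and overlapping prefixes on the same side, and reproduces the two commands above for the page's subnets. It assumes (this is not stated on the page) that the Edge gateway negotiates one SA per Local Networks x Peer Networks pair, which is why the SRX needs a selector for each combination.

```python
import ipaddress
from itertools import combinations, product


def build_traffic_selectors(vpn_name: str, local_subnets: list[str],
                            remote_subnets: list[str]) -> list[str]:
    """Return Junos commands: one traffic-selector per local/remote subnet pair.

    Assumption (not stated on the page): the Edge gateway negotiates a separate
    IPsec SA for every Local Networks x Peer Networks pair of the tunnel, so the
    SRX must carry one traffic-selector per combination or some pairs never
    come up.
    """
    # strict=True rejects host addresses such as 192.168.1.5/24 before they reach the device.
    local = [ipaddress.ip_network(s, strict=True) for s in local_subnets]
    remote = [ipaddress.ip_network(s, strict=True) for s in remote_subnets]
    if not local or not remote:
        raise ValueError("need at least one local and one remote subnet")
    # Overlapping prefixes on the same side would give two selectors matching the same flow.
    for side, nets in (("local", local), ("remote", remote)):
        for a, b in combinations(nets, 2):
            if a.overlaps(b):
                raise ValueError(f"{side} subnets overlap: {a} and {b}")
    # proxy-identity and traffic-selector are alternatives; the page deactivates the former.
    commands = [f"deactivate security ipsec vpn {vpn_name} ike proxy-identity"]
    for n, (lo, re_) in enumerate(product(local, remote), start=1):
        commands.append(
            f"set security ipsec vpn {vpn_name} traffic-selector ts{n} "
            f"local-ip {lo} remote-ip {re_}"
        )
    return commands


if __name__ == "__main__":
    for cmd in build_traffic_selectors("VPN-EDGE", ["192.168.1.0/24"],
                                       ["192.168.3.0/24", "192.168.4.0/24"]):
        print(cmd)
```

Keep the generated list in sync with the Local Networks and Peer Networks fields of the Edge tunnel: a selector present on only one side shows up as a missing SA pair in show security ipsec security-associations rather than as a configuration error.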