Shunze 學園 >資訊設備專區 >Sophos XG > 《分享》XG與Juniper SRX做IPsec串接 哈囉,還沒有註冊或者登入。請你[註冊|登入]
« 上一篇主題 下一篇主題 » 顯示成列印模式 | 增加到我的最愛
發表新主題 發表回覆
作者
主題
shunze
工友伯伯


註冊日期: 2002 04
來自: 潮汐終止之地
文章: 2380

shunze 離線
《分享》XG與Juniper SRX做IPsec串接引用回覆 編輯/刪除文章 搜尋由  發表的其他文章 回報給版主 IP 位置 回此頁最上方

順子沒碰過Juniper SRX,但業務帶回來的案子中,有不少需求是與客戶既有的SRX進行串接。
既然這需求備增,那順子也來筆記一下XG如何跟Juniper SRX做IPsec串接。

Juniper上的IPsec VPN有分為route base與policy base兩種,
而Sophos XG為policy base IPsec VPN,所以SRX上的設定自然要以policy base的方式來進行。
SRX與XG兩端的情境配置如下圖。




  • Juniper SRX上的設定
    SRX上Phase1/2的相關組態與放行policy設定可參考如下。
    Configure Phase 1 of the IPsec tunnel.
    [edit security ike]
    user@host# set proposal ike-pshase1-proposal authentication-method pre-shared-keys
    user@host# set proposal ike-pshase1-proposal dh-group group2
    user@host# set proposal ike-pshase1-proposal authentication-algorithm md5
    user@host# set proposal ike-pshase1-proposal encryption-algorithm aes-128-cbc

    Configure the IKE policies, and reference the proposals.
    [edit security ike]
    user@host# set policy ike-phase1-policy mode main
    user@host# set policy ike-phase1-policy ike-pshase1-proposal
    user@host# set policy ike-phase1-policy pre-shared-key ascii-text "12345678"

    Configure the IKE gateway, and reference the policy.
    [edit security ike]
    user@host# set gateway GW_XG ike-policy ike-phase1-policy
    user@host# set gateway GW_XG address 211.1.2.3
    user@host# set gateway GW_XG external-interface ge-0/0/0.0

    Configure Phase 2 of the IPsec tunnel.
    [edit security ipsec]
    user@host# set proposal ipsec-phase2-proposal protocol esp
    user@host# set proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
    user@host# set proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc

    Configure the policies, and reference the proposals.
    [edit security ipsec]
    user@host# set policy ipsec-phase2-polic perfect-forward-secrecy keys group2
    user@host# set policy ipsec-phase2-polic proposals ipsec-phase2-proposal

    Configure AutoKey IKE, and reference the policy and gateway.
    [edit security ipsec]
    user@host# set vpn ike-vpn-XG ike GW_XG
    user@host# set vpn ike-vpn-XG ike ipsec-policy ipsec-phase2-policy

    Configure the security policy from Juniper to Sophos.
    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy VPN-XG match source-address addr_10_2_3_0_24
    user@host# set policy VPN-XG match destination-address addr_192_168_0_0_24
    user@host# set policy VPN-XG match application any
    user@host# set policy VPN-XG then permit tunnel ipsec-vpn ike-vpn-XG
    user@host# set policy VPN-XG then permit tunnel pair-policy VPN-SRX

    Configure the security policy from Sophos to Juniper.
    [edit security policies from-zone untrust to-zone trust]
    user@host# set policy VPN-SRX match source-address addr_192_168_0_0_24
    user@host# set policy VPN-SRX match destination-address addr_10_2_3_0_24
    user@host# set policy VPN-SRX match application any
    user@host# set policy VPN-SRX then permit tunnel ipsec-vpn ike-vpn-XG
    user@host# set policy VPN-SRX then permit tunnel pair-policy VPN-XG

    設定完成後,SRX上相關IPsec組態結構顯示如下。
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 123.123.123.123/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.2.3.254/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 123.123.123.254;
        }
    }
    security {
        ike {
            proposal ike-pshase1-proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm aes-128-cbc;
            }
            policy ike-phase1-policy {
                mode main;
                proposals ike-pshase1-proposal;
                pre-shared-key ascii-text "12345678";
            }
            gateway GW-XG {
                ike-policy ike-phase1-policy;
                address 211.1.2.3;
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            proposal ipsec-phase2-proposal {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm aes-128-cbc;
            }
            policy ipsec-phase2-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-phase2-proposal;
            }
            vpn ike-vpn-XG {
                ike {
                    gateway GW-XG;
                    ipsec-policy ipsec-phase2-policy;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule NO-NAT {
                        match {
                            source-address 10.2.3.0/24;
                            destination-address 192.168.0.0/21;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy VPN-XG {
                    match {
                        source-address addr_10_2_3_0_24;
                        destination-address addr_192_168_0_0_24;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn ike-vpn-XG;
                                pair-policy VPN-SRX;
                            }
                        }
                    }
                }
            from-zone untrust to-zone trust {
                policy VPN-SRX {
                    match {
                        source-address addr_192_168_0_0_24;
                        destination-address addr_10_2_3_0_24;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn ike-vpn-XG;
                                pair-policy VPN-XG;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address addr_10_2_3_0_24 10.2.3.0/24;
                }
            }
            security-zone untrust {
                address-book {
                    address addr_192_168_0_0_24 192.168.0.0/24;
                }
            }
        }
    }

  • Sophos XG上的設定
    XG上,以上述的Phase1/2設定,新建一個對應的profile。



    然後在IPsec VPN連線設定中,選用此profile,並選擇動作為Initiate,作為連線的主動發起端。



  • 其它
    若設定正確的話,於XG上啟動該IPsec VPN連線,兩端應該就能順利連接起來了。

    在實作中順子曾遇到一個情況,雖然IPsec成功的介接起來了,
    但這連線頻頻斷線,每兩分鐘就會上下一次...

    檢視SRX設定後,發現是順子把route base組態與policy base組態混淆了,
    在混用設定的情況下,雖然IPsec會通,也可以ping到對端,
    但就是很不穩定,每兩分鐘就會斷一次,讓順子相當困擾...

    最後把SRX組態修改為如上的設定後,IPsec VPN就穩定下來,不再一直上上下下了∼


參考資料
How to troubleshoot a VPN that is up, bu...passing traffic
Configuring a Policy-Based VPN
password-decrypt.com/



♥順子老婆的網拍,請多關照∼

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!




2017-10-23, 14:54 shunze 的個人資料 把 shunze 加入好友列表 發送Email給 shunze 瀏覽 shunze 的網站 MSN : shunze@gmail.com
  « 上一篇主題 下一篇主題 »
發表新主題 發表回覆
跳到:

Powered by: Burning Board 1.1.1 2001 WoltLab GbR