Today I decided to write up some lab work on a topic I have been going through a lot lately: IPsec. Below I describe the policy-based VPN variant, which is very flexible and maps directly onto a Cisco crypto-map configuration.
Assumptions:

Phase 1 | aes256 | sha-1 | DH group 2  | 3600 s
Phase 2 | aes256 | sha-1 | PFS group 2 | 3600 s

                                    | Cisco            | Juniper SRX
Networks to be encrypted            | 172.16.10.0/24   | 10.10.10.0/24
Interface with the "public" address | 192.168.1.201/24 | 192.168.1.2/24

These are lab parameters and both sides must use exactly the same values. Note that IKEv1 main mode with SHA-1 and 1024-bit DH group 2 is below current guidance; for production pick DH/PFS group 14 or higher and SHA-256, which both platforms support.
Cisco configuration

Log in to the Cisco:

r_cisco_safekom>en
r_cisco_safekom#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Phase 1 configuration (the ISAKMP policy and the pre-shared key for the SRX peer):

r_cisco_safekom(config)#crypto isakmp policy 1
r_cisco_safekom(config-isakmp)#encryption aes 256
r_cisco_safekom(config-isakmp)#hash sha
r_cisco_safekom(config-isakmp)#authentication pre-share
r_cisco_safekom(config-isakmp)#group 2
r_cisco_safekom(config-isakmp)#lifetime 3600
r_cisco_safekom(config-isakmp)#exit
r_cisco_safekom(config)#crypto isakmp key Qwert67890! address 192.168.1.2
Phase 2 configuration (the crypto ACL selects the traffic to encrypt, the transform set defines the ESP algorithms, and the crypto map ties them to the peer):

r_cisco_safekom(config)#ip access-list extended VPN-SRX
r_cisco_safekom(config-ext-nacl)#permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
r_cisco_safekom(config-ext-nacl)#exit
r_cisco_safekom(config)#crypto ipsec transform-set Phase2-SRX esp-sha-hmac esp-aes 256
r_cisco_safekom(cfg-crypto-trans)#exit
r_cisco_safekom(config)#crypto map cryptomap01 10 ipsec-isakmp
r_cisco_safekom(config-crypto-map)#set peer 192.168.1.2
r_cisco_safekom(config-crypto-map)#set transform-set Phase2-SRX
r_cisco_safekom(config-crypto-map)#match address VPN-SRX
r_cisco_safekom(config-crypto-map)#set security-association lifetime seconds 3600
r_cisco_safekom(config-crypto-map)#set pfs group2
r_cisco_safekom(config-crypto-map)#exit
Attach the crypto map to the "public" interface. If this interface also performs NAT for the LAN, the 172.16.10.0/24 to 10.10.10.0/24 traffic must be excluded from the NAT ACL, because on IOS NAT runs before the crypto ACL is evaluated and translated packets would no longer match it:

r_cisco_safekom(config)#interface GigabitEthernet0/1
r_cisco_safekom(config-if)#crypto map cryptomap01
r_cisco_safekom(config-if)#exit
r_cisco_safekom(config)#exit
Juniper configuration

Log in to the device:

--- JUNOS 12.1X46-D35.1 built 2015-05-14 23:19:08 UTC
root@srx_lab%
root@srx_lab% cli
root@srx_lab> configure
Entering configuration mode

[edit]
root@srx_lab#
Enable IKE as an allowed inbound system service on the "public" interface; in my case that is fe-0/0/7.0, which belongs to the untrust zone. Without this the SRX silently drops the peer's UDP/500 packets:

set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
Phase 1 configuration (IKE proposal, IKE policy with the same pre-shared key as on the Cisco, and the gateway pointing at the Cisco's public address):

set security ike proposal IKE-phase1-LAB01 authentication-method pre-shared-keys
set security ike proposal IKE-phase1-LAB01 dh-group group2
set security ike proposal IKE-phase1-LAB01 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB01 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB01 lifetime-seconds 3600
set security ike policy ike-phase1-LAB01 mode main
set security ike policy ike-phase1-LAB01 proposals IKE-phase1-LAB01
set security ike policy ike-phase1-LAB01 pre-shared-key ascii-text Qwert67890!
set security ike gateway gw-Cisco-lab ike-policy ike-phase1-LAB01
set security ike gateway gw-Cisco-lab address 192.168.1.201
set security ike gateway gw-Cisco-lab external-interface fe-0/0/7
set security ike gateway gw-Cisco-lab local-address 192.168.1.2
Phase 2 configuration (IPsec proposal, IPsec policy with PFS, and the VPN object whose proxy identities mirror the Cisco crypto ACL: local 10.10.10.0/24, remote 172.16.10.0/24):

set security ipsec proposal ipsec-phase2-lab01 protocol esp
set security ipsec proposal ipsec-phase2-lab01 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-lab01 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-phase2-lab01-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-lab01-policy proposals ipsec-phase2-lab01
set security ipsec vpn ike-vpn-cisco ike gateway gw-Cisco-lab
set security ipsec vpn ike-vpn-cisco ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-cisco ike proxy-identity remote 172.16.10.0/24
set security ipsec vpn ike-vpn-cisco ike proxy-identity service any
set security ipsec vpn ike-vpn-cisco ike ipsec-policy ipsec-phase2-lab01-policy
set security ipsec vpn ike-vpn-cisco establish-tunnels immediately

The IPsec proposal sets no lifetime-seconds here; the Junos default is 3600 seconds, which matches the crypto map on the Cisco. Set it explicitly if you change the value on either side.
Create the address-book entries. Since Junos 11.2 the global address book is available, which is more convenient than per-zone books:

set security address-book global address Cisco_LAN_172.16.10.0 172.16.10.0/24
set security address-book global address SRX_LAN_10.10.10.0 10.10.10.0/24
Firewall policy allowing traffic from trust to untrust into the VPN:

set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address SRX_LAN_10.10.10.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address Cisco_LAN_172.16.10.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-cisco
Firewall policy allowing traffic from untrust (the VPN) to trust:

set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address Cisco_LAN_172.16.10.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address SRX_LAN_10.10.10.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-cisco
Move the policy so that the any/any trust-to-untrust policy does not shadow the VPN policy (policies are evaluated top to bottom and the first match wins; trust-to-untrust is the factory-default policy name, adjust it if yours differs), then commit:

edit security policies from-zone trust to-zone untrust
insert policy vpn-tr-untr before policy trust-to-untrust
top
commit
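The most common reason a tunnel like this fails to come up is a parameter or proxy-ID mismatch between the two vendors' differently spelled settings. The script below is an added example, not part of the original post: it parses the phase 1/phase 2 lines of the Cisco crypto-map configuration and the Junos set-style configuration from this page (embedded here as constructed copies, trimmed to the lines the parsers read), normalises the vendor spellings, reports any mismatch, checks that the crypto ACL and the proxy identities mirror each other, and flags settings that are below current guidance. The keyword tables only cover the algorithms used on this page plus sha256, aes128 and 3des; the group 14 / SHA-256 thresholds in weaknesses() are the editor's assumption of what to aim for, not anything the post states.

```python
import ipaddress

# Constructed copies of the two configurations on this page (only the lines the parsers read).
CISCO = """\
 encryption aes 256
 hash sha
 group 2
 lifetime 3600
 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set Phase2-SRX esp-sha-hmac esp-aes 256
 set security-association lifetime seconds 3600
 set pfs group2
"""
JUNOS = """\
set security ike proposal IKE-phase1-LAB01 dh-group group2
set security ike proposal IKE-phase1-LAB01 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB01 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB01 lifetime-seconds 3600
set security ipsec proposal ipsec-phase2-lab01 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-lab01 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-phase2-lab01-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-cisco ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-cisco ike proxy-identity remote 172.16.10.0/24
"""
# Vendor spellings -> one common name, so the two sides can be compared.
ENC = {"aes 256": "aes256", "aes 128": "aes128", "aes": "aes128", "3des": "3des",
       "aes-256-cbc": "aes256", "aes-128-cbc": "aes128", "3des-cbc": "3des"}
HASH = {"sha": "sha1", "sha1": "sha1", "hmac-sha1-96": "sha1", "esp-sha-hmac": "sha1",
        "sha256": "sha256", "sha-256": "sha256", "hmac-sha-256-128": "sha256", "esp-sha256-hmac": "sha256"}
COMPARED = ("p1_enc", "p1_hash", "p1_dh", "p1_lifetime", "p2_enc", "p2_auth", "p2_pfs", "p2_lifetime")


def group_number(tok):  # "group2" / "group14" -> 2 / 14
    return int(tok[len("group"):])


def parse_cisco(text):
    # Phase 1/2 parameters and crypto-ACL selectors from an IOS isakmp policy + crypto map.
    p = {"p2_lifetime": 3600}  # IOS default SA lifetime, used when the crypto map sets none
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["encryption"]:
            p["p1_enc"] = ENC[" ".join(t[1:])]
        elif t[:1] == ["hash"]:
            p["p1_hash"] = HASH[t[1]]
        elif t[:1] == ["group"]:
            p["p1_dh"] = int(t[1])
        elif t[:1] == ["lifetime"]:
            p["p1_lifetime"] = int(t[1])
        elif t[:2] == ["permit", "ip"]:  # IOS wildcard masks; ipaddress accepts a hostmask
            p["local_net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            p["remote_net"] = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            toks = t[4:] + [""]  # sentinel lets "esp-aes" peek at an optional key size
            for i, tok in enumerate(toks):
                if tok == "esp-aes":
                    p["p2_enc"] = "aes" + (toks[i + 1] if toks[i + 1].isdigit() else "128")
                elif tok in HASH:
                    p["p2_auth"] = HASH[tok]
        elif t[:2] == ["set", "pfs"]:
            p["p2_pfs"] = group_number(t[2])
        elif t[:2] == ["set", "security-association"]:
            p["p2_lifetime"] = int(t[4])
    return p


JUNOS_FIELDS = {  # (section, keyword) of a Junos set line -> parameter name and converter
    ("ike proposal", "dh-group"): ("p1_dh", group_number),
    ("ike proposal", "authentication-algorithm"): ("p1_hash", HASH.get),
    ("ike proposal", "encryption-algorithm"): ("p1_enc", ENC.get),
    ("ike proposal", "lifetime-seconds"): ("p1_lifetime", int),
    ("ipsec proposal", "authentication-algorithm"): ("p2_auth", HASH.get),
    ("ipsec proposal", "encryption-algorithm"): ("p2_enc", ENC.get),
    ("ipsec proposal", "lifetime-seconds"): ("p2_lifetime", int)}


def parse_junos(text):
    # The same parameters from Junos "set security ..." lines.
    p = {"p2_lifetime": 3600}  # Junos default IPsec SA lifetime when lifetime-seconds is unset
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 7 or t[:2] != ["set", "security"]:
            continue
        section, key = " ".join(t[2:4]), t[5]
        if (section, key) in JUNOS_FIELDS:
            name, convert = JUNOS_FIELDS[(section, key)]
            p[name] = convert(t[6])
        elif section == "ipsec policy" and key == "perfect-forward-secrecy":
            p["p2_pfs"] = group_number(t[7])
        elif "proxy-identity" in t and t[-2] in ("local", "remote"):
            p[t[-2] + "_net"] = ipaddress.ip_network(t[-1], strict=False)
    return p


def compare(cisco, junos):
    # Mismatches between the two sides; an empty list means the proposals agree.
    problems = [f"{k}: cisco={cisco.get(k)} srx={junos.get(k)}" for k in COMPARED if cisco.get(k) != junos.get(k)]
    # Crypto ACL and proxy identities must mirror each other, or quick mode fails on the proxy IDs.
    if (cisco.get("local_net"), cisco.get("remote_net")) != (junos.get("remote_net"), junos.get("local_net")):
        problems.append("traffic selectors do not mirror each other")
    return problems


def weaknesses(params):
    # Settings that come up fine in a lab but are below current guidance; the tunnel still works.
    w = [f"{label} {params[k]} is below group 14 (2048-bit); prefer 14 or higher"
         for k, label in (("p1_dh", "DH group"), ("p2_pfs", "PFS group")) if params.get(k, 14) < 14]
    w += [f"{k} uses sha1; prefer sha256" for k in ("p1_hash", "p2_auth") if params.get(k) == "sha1"]
    return w
```

Run it as `python3 -c 'import vpncheck as v; c, j = v.parse_cisco(v.CISCO), v.parse_junos(v.JUNOS); print(v.compare(c, j), v.weaknesses(c))'` (saving the block as vpncheck.py): for the configuration on this page compare() returns an empty list, and weaknesses() lists DH group 2, PFS group 2 and SHA-1. To test a real deployment, paste `show running-config | section crypto` from the Cisco and `show configuration security | display set` from the SRX into the two strings; the parsers ignore lines they do not recognise.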
Verification

Phase 1 is checked below on both sides; phase 2 can additionally be checked with show security ipsec security-associations on the SRX and show crypto ipsec sa on the Cisco, whose encrypt/decrypt counters should increase while the pings further down are running.
Checking phase 1 on the SRX:

root@srx_lab> show security ike security-associations detail
IKE peer 192.168.1.201, Index 2255662, Gateway Name: gw-Cisco-lab
  Role: Initiator, State: UP
  Initiator cookie: 0b89dcdf6361b9e9, Responder cookie: 304cf2052afd6dd1
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.1.2:500, Remote: 192.168.1.201:500
  Lifetime: Expires in 3349 seconds
  Peer ike-id: 192.168.1.201
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                  816
   Output bytes  :                 1256
   Input  packets:                    4
   Output packets:                    6
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.201:500
    Local identity: 192.168.1.2
    Remote identity: 192.168.1.201
    Flags: IKE SA is created
Checking phase 1 on the Cisco (QM_IDLE with status ACTIVE means the ISAKMP SA is established and quick mode has completed):

r_cisco_safekom#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.201   192.168.1.2     QM_IDLE           1001 ACTIVE
Checking connectivity from the Cisco (the ping must be sourced from the LAN address, otherwise the packet does not match the crypto ACL and goes out unencrypted or not at all):

r_cisco_safekom#ping 10.10.10.1 source 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Checking connectivity from a PC connected to the SRX in the 10.10.10.0/24 network:

C:\Users\admin>ping 172.16.10.1

Pinging 172.16.10.1 with 32 bytes of data:
Reply from 172.16.10.1: bytes=32 time=2ms TTL=254
Reply from 172.16.10.1: bytes=32 time=2ms TTL=254

Ping statistics for 172.16.10.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C