Today it is time for a lab using Juniper SRX and Palo Alto Networks devices. In this post I will focus on configuring an IPsec VPN between these two devices.
Assumptions:
Phase 1 | aes256 sha-1 pfs g2 3600s
Phase 2 | aes256 sha-1 pfs g2 3600s

| Palo | SRX
Networks to be encrypted | 10.20.1.0/24 | 10.10.10.0/24
Interface with the so-called public address | 192.168.1.210/24 | 192.168.1.2/24
SRX configuration
Phase 1
set security ike proposal IKE-phase1-LAB02 authentication-method pre-shared-keys
set security ike proposal IKE-phase1-LAB02 dh-group group2
set security ike proposal IKE-phase1-LAB02 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB02 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB02 lifetime-seconds 3600
set security ike policy ike-phase1-LAB02 mode main
set security ike policy ike-phase1-LAB02 proposals IKE-phase1-LAB02
set security ike policy ike-phase1-LAB02 pre-shared-key ascii-text Qwert678!
set security ike gateway gw-Palo-lab ike-policy ike-phase1-LAB02
set security ike gateway gw-Palo-lab address 192.168.1.210
set security ike gateway gw-Palo-lab external-interface fe-0/0/7
set security ike gateway gw-Palo-lab local-address 192.168.1.2
Phase 2
The IPsec policy must reference the proposal defined in this step and the VPN must reference that policy; the names have to match exactly, otherwise the commit check rejects the dangling reference.
set security ipsec proposal ipsec-phase2-lab02 protocol esp
set security ipsec proposal ipsec-phase2-lab02 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-lab02 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-phase2-lab02-polcy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-lab02-polcy proposals ipsec-phase2-lab02
set security ipsec vpn ike-vpn-palo ike gateway gw-Palo-lab
set security ipsec vpn ike-vpn-palo ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity remote 10.20.1.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity service any
set security ipsec vpn ike-vpn-palo ike ipsec-policy ipsec-phase2-lab02-polcy
set security ipsec vpn ike-vpn-palo establish-tunnels immediately
VPN policy configuration
Adding the address objects
set security address-book global address SRX_LAN_10.10.10.0 10.10.10.0/24
set security address-book global address Palo_LAN_10.20.1.0 10.20.1.0/24
Policy from trust to untrust
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match source-address SRX_LAN_10.10.10.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match destination-address Palo_LAN_10.20.1.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 then permit tunnel ipsec-vpn ike-vpn-palo
Policy from untrust to trust
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match source-address Palo_LAN_10.20.1.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match destination-address SRX_LAN_10.10.10.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 then permit tunnel ipsec-vpn ike-vpn-palo
Palo configuration
IKE proposal configuration
CLI:
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX encryption aes256
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX lifetime hours 1
IPsec proposal configuration
CLI:
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX dh-group group2
Phase 1 configuration
CLI:
set network ike gateway IKE-SRX-GW protocol ikev1 dpd enable no
set network ike gateway IKE-SRX-GW protocol ikev1 ike-crypto-profile IKE-Proposal-SRX
set network ike gateway IKE-SRX-GW protocol ikev1 exchange-mode main
set network ike gateway IKE-SRX-GW local-address interface ethernet1/1
set network ike gateway IKE-SRX-GW local-address ip 192.168.1.210/24
set network ike gateway IKE-SRX-GW authentication pre-shared-key key Qwert678!
set network ike gateway IKE-SRX-GW protocol-common nat-traversal enable no
set network ike gateway IKE-SRX-GW protocol-common fragmentation enable no
set network ike gateway IKE-SRX-GW protocol-common passive-mode yes
set network ike gateway IKE-SRX-GW peer-address ip 192.168.1.2
Phase 2 configuration:
VPN zone configuration
CLI:
set zone VPN network layer3
Creating the tunnel interface and assigning it to the VPN zone
CLI:
set network interface tunnel interface-management-profile mgmnt
set zone VPN network layer3 tunnel
Creating the IPsec tunnel profile and adding the proxy ID
CLI:
set network tunnel ipsec IPSEC-PALO_SRX auto-key ike-gateway IKE-SRX-GW
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx protocol any
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx local 10.20.1.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx remote 10.10.10.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key ipsec-crypto-profile IPSEC-Proposal-SRX
set network tunnel ipsec IPSEC-PALO_SRX tunnel-monitor enable no
set network tunnel ipsec IPSEC-PALO_SRX tunnel-interface tunnel
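Before committing either side it is worth cross-checking that the two configurations actually agree: Junos and PAN-OS spell the same suite differently (aes-256-cbc vs aes256, lifetime-seconds vs lifetime hours), and the proxy IDs must mirror each other. The script below is an added example, not part of this post or of either vendor's tooling; it takes the phase 1 and proxy-ID set commands shown above (embedded as constructed input) and reports every field on which the SRX and the Palo disagree.

```python
import re
# Constructed from the set commands shown on this page (not captured from the devices).
SRX_CFG = """
set security ike proposal IKE-phase1-LAB02 dh-group group2
set security ike proposal IKE-phase1-LAB02 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB02 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB02 lifetime-seconds 3600
set security ipsec vpn ike-vpn-palo ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity remote 10.20.1.0/24
"""
PALO_CFG = """
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX encryption aes256
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX lifetime hours 1
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx local 10.20.1.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx remote 10.10.10.0/24
"""
# Junos and PAN-OS spell the same algorithm differently; map both to one name.
ALIAS = {"aes-256-cbc": "aes256", "hmac-sha1-96": "sha1", "group2": "dh2"}
UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
# (field, Junos pattern, PAN-OS pattern); proxy IDs compare crosswise: SRX local = Palo remote.
FIELDS = [
    ("enc",    r"encryption-algorithm (\S+)",     r" encryption (\S+)"),
    ("hash",   r"authentication-algorithm (\S+)", r" hash (\S+)"),
    ("dh",     r"dh-group (\S+)",                 r"dh-group (\S+)"),
    ("local",  r"proxy-identity local (\S+)",     r"proxy-id \S+ remote (\S+)"),
    ("remote", r"proxy-identity remote (\S+)",    r"proxy-id \S+ local (\S+)"),
]
def lifetime_seconds(cfg):
    """IKE lifetime in seconds from either vendor's syntax (None if absent)."""
    m = re.search(r"lifetime-seconds (\d+)", cfg)                       # Junos
    if m:
        return int(m.group(1))
    m = re.search(r"lifetime (seconds|minutes|hours|days) (\d+)", cfg)  # PAN-OS
    return int(m.group(2)) * UNIT[m.group(1)] if m else None

def extract(cfg, column):
    """Comparable fields from one side's set commands (column 0 = SRX, 1 = Palo)."""
    out = {}
    for name, *patterns in FIELDS:
        m = re.search(patterns[column], cfg)
        out[name] = ALIAS.get(m.group(1), m.group(1)) if m else None
    out["lifetime"] = lifetime_seconds(cfg)
    return out
def mismatches(srx_cfg, palo_cfg):
    """Fields on which the two peers disagree; an empty list means they line up."""
    srx, palo = extract(srx_cfg, 0), extract(palo_cfg, 1)
    return [(k, srx[k], palo[k]) for k in srx if srx[k] != palo[k]]
```

Feeding it 10.20.10.0/24 on the Palo side instead of 10.20.1.0/24 reports the proxy-ID mismatch that would otherwise only show up as a phase 2 negotiation failure.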
Adding a route towards the SRX on the Palo
set network virtual-router default routing-table ip static-route vpn-srx interface tunnel
set network virtual-router default routing-table ip static-route vpn-srx metric 10
set network virtual-router default routing-table ip static-route vpn-srx destination 10.10.10.0/24
Adding firewall policies on the Palo
Both rules below match any source and any destination between the trust and VPN zones; restricting them to the two encrypted subnets from the assumptions keeps the rules in line with the proxy IDs.
Policy from trust to VPN
CLI:
set rulebase security rules vpn-srx to VPN
set rulebase security rules vpn-srx from trust
set rulebase security rules vpn-srx source any
set rulebase security rules vpn-srx destination any
set rulebase security rules vpn-srx source-user any
set rulebase security rules vpn-srx category any
set rulebase security rules vpn-srx application any
set rulebase security rules vpn-srx service application-default
set rulebase security rules vpn-srx hip-profiles any
set rulebase security rules vpn-srx action allow
Policy from VPN to trust
set rulebase security rules vpn-to-palo to trust
set rulebase security rules vpn-to-palo from VPN
set rulebase security rules vpn-to-palo source any
set rulebase security rules vpn-to-palo destination any
set rulebase security rules vpn-to-palo source-user any
set rulebase security rules vpn-to-palo category any
set rulebase security rules vpn-to-palo application any
set rulebase security rules vpn-to-palo service application-default
set rulebase security rules vpn-to-palo hip-profiles any
set rulebase security rules vpn-to-palo action allow
set rulebase security rules vpn-to-palo log-start yes
Verifying the VPN
SRX:
Phase 1
root@srx_lab> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2430487 UP     51c22bb643895b79  afa9078ec7b25980  Main  192.168.1.210

root@srx_lab> show security ike security-associations detail
IKE peer 192.168.1.210, Index 2430487, Gateway Name: gw-Palo-lab
  Role: Initiator, State: UP
  Initiator cookie: 51c22bb643895b79, Responder cookie: afa9078ec7b25980
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.1.2:500, Remote: 192.168.1.210:500
  Lifetime: Expires in 1966 seconds
  Peer ike-id: 192.168.1.210
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                  672
   Output bytes  :                 1208
   Input  packets:                    4
   Output packets:                    6
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.210:500
    Local identity: 192.168.1.2
    Remote identity: 192.168.1.210
    Flags: IKE SA is created
Phase 2
root@srx_lab> show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm             SPI       Life:sec/kb   Mon lsys Port  Gateway
  <3    ESP:aes-cbc-256/sha1  6ac39d90  2004/ 4607995 -   root 500   192.168.1.201
  >3    ESP:aes-cbc-256/sha1  3d8b1728  2004/ 4607995 -   root 500   192.168.1.201
  <2    ESP:aes-cbc-256/sha1  197758a2  1994/ unlim   -   root 500   192.168.1.210
  >2    ESP:aes-cbc-256/sha1  9c6bae7b  1994/ unlim   -   root 500   192.168.1.210

root@srx_lab> show security ipsec security-associations index 2
  ID: 2 Virtual-system: root, VPN Name: ike-vpn-palo
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.210
  Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.20.1.0/24)
  Version: IKEv1
  DF-bit: clear
  Policy-name: vpn-tr-untr02
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 197758a2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1988 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1366 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9c6bae7b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1988 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1366 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
Palo
Phase 1
admin@PA-VM> show vpn ike-sa gateway IKE-SRX-GW

phase-1 SAs
GwID/client IP  Peer-Address  Gateway Name  Role  Mode  Algorithm          Established      Expiration       V   ST  Xt  Phase2
--------------  ------------  ------------  ----  ----  ---------          -----------      ----------       -   --  --  ------
1               192.168.1.2   IKE-SRX-GW    Resp  Main  PSK/DH2/A256/SHA1  Aug.30 14:26:34  Aug.30 15:26:34  v1  12  2   1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP  Peer-Address  Gateway Name  Role  Algorithm                SPI(in)   SPI(out)  MsgID     ST  Xt
--------------  ------------  ------------  ----  ---------                -------   --------  -----     --  --
1               192.168.1.2   IKE-SRX-GW    Resp  DH2 /tunl/ESP/A256/SHA1  9C6BAE7B  197758A2  552A3DCF  9   1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
Phase 2
admin@PA-VM> show vpn ipsec-sa tunnel IPSEC-PALO_SRX:palo-srx

GwID/client IP  TnID  Peer-Address  Tunnel(Gateway)                      Algorithm      SPI(in)   SPI(out)  life(Sec/KB)
--------------  ----  ------------  ---------------                      ---------      -------   --------  ------------
1               1     192.168.1.2   IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW)  ESP/A256/SHA1  9C6BAE7B  197758A2  1650/0

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
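The two outputs above describe the same tunnel from opposite ends, so the quick consistency check is that the SRX inbound SPI equals the Palo SPI(out) and vice versa, and that both report the same ESP suite. The script below is an added example, not from the post or either vendor; it parses constructed excerpts of the SRX and Palo phase 2 outputs shown above and lists any disagreement between them.

```python
import re

# Constructed excerpts of the two "show" outputs on this page, trimmed to the SA lines.
SRX_SA = """
    Direction: inbound, SPI: 197758a2, AUX-SPI: 0 , VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Direction: outbound, SPI: 9c6bae7b, AUX-SPI: 0 , VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
"""
PALO_SA = """
1  1  192.168.1.2  IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW)  ESP/A256/SHA1  9C6BAE7B  197758A2  1650/0
"""
# Junos (authentication, encryption) wording -> PAN-OS "Algorithm" column for the same suite.
JUNOS_TO_PANOS = {("hmac-sha1-96", "aes-cbc (256 bits)"): "ESP/A256/SHA1"}

def srx_sa(text):
    """SPIs and suite from 'show security ipsec security-associations index N'."""
    spis = dict(re.findall(r"Direction: (inbound|outbound), SPI: ([0-9a-f]+)", text))
    m = re.search(r"Authentication: (\S+), Encryption: (.+?)\s*$", text, re.M)
    suite = JUNOS_TO_PANOS.get((m.group(1), m.group(2))) if m else None
    return {"in": spis.get("inbound"), "out": spis.get("outbound"), "suite": suite}

def palo_sa(text):
    """SPIs (lower-cased to match Junos) and suite from the 'show vpn ipsec-sa tunnel' row."""
    m = re.search(r"(ESP/\S+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+\d+/\d+", text)
    if not m:
        return {"in": None, "out": None, "suite": None}
    return {"in": m.group(2).lower(), "out": m.group(3).lower(), "suite": m.group(1)}

def sa_problems(srx_text, palo_text):
    """Findings where the two views of one tunnel disagree; an empty list means consistent."""
    s, p = srx_sa(srx_text), palo_sa(palo_text)
    problems = []
    if None in s.values() or None in p.values():
        problems.append("could not parse one side's SA output")
    # What the SRX receives on its inbound SPI is what the Palo sent on its SPI(out).
    if s["in"] != p["out"] or s["out"] != p["in"]:
        problems.append("SPIs are not mirrored between the peers")
    if s["suite"] != p["suite"]:
        problems.append(f"ESP suite differs: SRX {s['suite']} vs Palo {p['suite']}")
    return problems
```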