LAB - IPSEC SRX PALO - SafeKom Blog

LAB – IPSEC SRX <--> PALO

Today it is time for a lab with Juniper SRX and Palo Alto Networks devices. In this post I will focus on configuring an IPsec VPN between the two.

Assumptions:

Phase 1: AES-256, SHA-1, DH group 2, lifetime 3600 s
Phase 2: ESP, AES-256, SHA-1, PFS group 2, lifetime 3600 s

                                        Palo                SRX
Networks to be encrypted                10.20.1.0/24        10.10.10.0/24
Interface with the "public" address     192.168.1.210/24    192.168.1.2/24

Two caveats before the configuration. SHA-1 and DH group 2 are acceptable for a lab but are considered weak today; for production prefer SHA-256 and DH group 14 or higher, and IKEv2 rather than the IKEv1 main mode used here. The pre-shared key (Qwert678!) is shown in clear text on both sides because this is a lab; a production PSK should be long and random, and it must be identical on both peers.

SRX configuration

Phase 1

set security ike proposal IKE-phase1-LAB02 authentication-method pre-shared-keys
set security ike proposal IKE-phase1-LAB02 dh-group group2
set security ike proposal IKE-phase1-LAB02 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB02 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB02 lifetime-seconds 3600

set security ike policy ike-phase1-LAB02 mode main
set security ike policy ike-phase1-LAB02 proposals IKE-phase1-LAB02
set security ike policy ike-phase1-LAB02 pre-shared-key ascii-text Qwert678!


set security ike gateway gw-Palo-lab ike-policy ike-phase1-LAB02
set security ike gateway gw-Palo-lab address 192.168.1.210
set security ike gateway gw-Palo-lab external-interface fe-0/0/7
set security ike gateway gw-Palo-lab local-address 192.168.1.2

Phase 2 (no lifetime is set on the IPsec proposal, so the Junos default of 3600 seconds applies, matching the 1-hour lifetime configured on the Palo)

set security ipsec proposal ipsec-phase2-lab02 protocol esp
set security ipsec proposal ipsec-phase2-lab02 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-lab02 encryption-algorithm aes-256-cbc

set security ipsec policy ipsec-phase2-lab02-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-lab02-policy proposals ipsec-phase2-lab02

set security ipsec vpn ike-vpn-palo ike gateway gw-Palo-lab
set security ipsec vpn ike-vpn-palo ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity remote 10.20.1.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity service any
set security ipsec vpn ike-vpn-palo ike ipsec-policy ipsec-phase2-lab02-policy
set security ipsec vpn ike-vpn-palo establish-tunnels immediately

VPN policy configuration

The SRX side is a policy-based VPN: the "permit tunnel ipsec-vpn" action in the policies below is what sends matching traffic into the tunnel, so no st0 interface or static route is needed on the SRX. The proxy identities set on the VPN above must be mirrored exactly by the proxy ID on the Palo, otherwise Phase 2 will not come up.

Adding the address objects

set security address-book global address SRX_LAN_10.10.10.0 10.10.10.0/24
set security address-book global address Palo_LAN_10.20.1.0 10.20.1.0/24

Policy from trust to untrust

set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match source-address SRX_LAN_10.10.10.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match destination-address Palo_LAN_10.20.1.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 then permit tunnel ipsec-vpn ike-vpn-palo

Policy from untrust to trust

set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match source-address Palo_LAN_10.20.1.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match destination-address SRX_LAN_10.10.10.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 then permit tunnel ipsec-vpn ike-vpn-palo

Palo configuration

IKE proposal (IKE crypto profile) configuration

Web: [screenshot palo_ike01]

CLI:

set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX encryption aes256
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX lifetime hours 1

IPsec proposal (IPsec crypto profile) configuration

Web: [screenshot palo_ipsec02]

CLI:

set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX dh-group group2

Phase 1 configuration (IKE gateway)

Web: [screenshots palo_ipsec03, palo_ipsec04]

CLI (passive-mode yes means the Palo only ever responds, so it is the SRX, with establish-tunnels immediately, that brings the tunnel up; NAT traversal is left off because there is no NAT between 192.168.1.2 and 192.168.1.210):

set network ike gateway IKE-SRX-GW protocol ikev1 dpd enable no
set network ike gateway IKE-SRX-GW protocol ikev1 ike-crypto-profile IKE-Proposal-SRX
set network ike gateway IKE-SRX-GW protocol ikev1 exchange-mode main
set network ike gateway IKE-SRX-GW local-address interface ethernet1/1
set network ike gateway IKE-SRX-GW local-address ip 192.168.1.210/24
set network ike gateway IKE-SRX-GW authentication pre-shared-key key Qwert678!
set network ike gateway IKE-SRX-GW protocol-common nat-traversal enable no
set network ike gateway IKE-SRX-GW protocol-common fragmentation enable no
set network ike gateway IKE-SRX-GW protocol-common passive-mode yes
set network ike gateway IKE-SRX-GW peer-address ip 192.168.1.2

Phase 2 configuration:

VPN zone configuration

Web: [screenshot palo_ipsec15]

 

CLI:

set zone VPN network layer3

Creating the tunnel interface and assigning it to the VPN zone

Web: [screenshot palo_ipsec05]

CLI (the interface management profile mgmnt is assumed to exist already; the tunnel interface also has to be a member of the virtual router default so that the static route added later can point at it):

set network interface tunnel interface-management-profile mgmnt
set zone VPN network layer3 tunnel

Creating the IPsec tunnel

Web: [screenshot palo_ipsec06]

Adding the proxy ID (it must be the mirror image of the SRX proxy-identity: local 10.20.1.0/24, remote 10.10.10.0/24)

[screenshot palo_ipsec07]

CLI:

set network tunnel ipsec IPSEC-PALO_SRX auto-key ike-gateway IKE-SRX-GW
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx protocol any
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx local 10.20.1.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx remote 10.10.10.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key ipsec-crypto-profile IPSEC-Proposal-SRX
set network tunnel ipsec IPSEC-PALO_SRX tunnel-monitor enable no
set network tunnel ipsec IPSEC-PALO_SRX tunnel-interface tunnel

Adding a route toward the SRX on the Palo (the tunnel is route-based on this side, so traffic for 10.10.10.0/24 has to be pointed at the tunnel interface)

[screenshot palo_ipsec08]

CLI:

set network virtual-router default routing-table ip static-route vpn-srx interface tunnel
set network virtual-router default routing-table ip static-route vpn-srx metric 10
set network virtual-router default routing-table ip static-route vpn-srx destination 10.10.10.0/24

Adding firewall policies on the Palo

Policy from trust to VPN

CLI:

set rulebase security rules vpn-srx to VPN
set rulebase security rules vpn-srx from trust
set rulebase security rules vpn-srx source any
set rulebase security rules vpn-srx destination any
set rulebase security rules vpn-srx source-user any
set rulebase security rules vpn-srx category any
set rulebase security rules vpn-srx application any
set rulebase security rules vpn-srx service application-default
set rulebase security rules vpn-srx hip-profiles any
set rulebase security rules vpn-srx action allow

Policy from VPN to trust

set rulebase security rules vpn-to-palo to trust
set rulebase security rules vpn-to-palo from VPN
set rulebase security rules vpn-to-palo source any
set rulebase security rules vpn-to-palo destination any
set rulebase security rules vpn-to-palo source-user any
set rulebase security rules vpn-to-palo category any
set rulebase security rules vpn-to-palo application any
set rulebase security rules vpn-to-palo service application-default
set rulebase security rules vpn-to-palo hip-profiles any
set rulebase security rules vpn-to-palo action allow
set rulebase security rules vpn-to-palo log-start yes
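Before bringing the tunnel up it is worth checking mechanically that the two sides agree, because almost every "Phase 2 failed" in an SRX/Palo pairing comes down to a parameter that is not identical or a proxy ID that is not mirrored. The script below is an added example, not code from the original post or from either vendor: it takes the negotiation-relevant 'set' lines from the SRX and Palo sections (copied verbatim), normalises the two vendors' spellings (aes-256-cbc vs aes256, hmac-sha1-96 vs sha1, lifetime-seconds vs lifetime hours) and reports anything that differs, or that is not a mirror image for peer addresses and proxy IDs. The helper names (find, norm, compare and so on) are our own; the second check deliberately mistypes the Palo LAN as 10.20.10.0/24 to show what a proxy-ID mismatch looks like.

```python
# Added example: cross-check the SRX (Junos) and Palo Alto (PAN-OS) 'set'
# commands for the mismatches that most often leave an IKEv1 tunnel down.
# Config excerpts are copied from the post; the helper names are our own.
import re

SRX_CONFIG = """
set security ike proposal IKE-phase1-LAB02 dh-group group2
set security ike proposal IKE-phase1-LAB02 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB02 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB02 lifetime-seconds 3600
set security ike gateway gw-Palo-lab address 192.168.1.210
set security ike gateway gw-Palo-lab local-address 192.168.1.2
set security ipsec proposal ipsec-phase2-lab02 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-lab02 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-phase2-lab02-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-palo ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity remote 10.20.1.0/24
"""

PALO_CONFIG = """
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX encryption aes256
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX dh-group group2
set network ike gateway IKE-SRX-GW local-address ip 192.168.1.210/24
set network ike gateway IKE-SRX-GW peer-address ip 192.168.1.2
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx local 10.20.1.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx remote 10.10.10.0/24
"""

def find(config, scope, key):
    """Value that follows `key` on the first 'set' line containing `scope`."""
    pat = re.compile(r"(?:^|\s)" + re.escape(key) + r"\s+(\S+)")
    for line in config.splitlines():
        if scope in line and (m := pat.search(line)):
            return m.group(1)
    return None

def norm(value):
    """One vocabulary for both vendors: aes-256-cbc/aes256 -> aes256, hmac-sha1-96/sha1 -> sha1."""
    if value is None:
        return None
    v = value.lower().replace("hmac-", "").replace("-cbc", "").replace("-", "")
    return re.sub(r"^(sha\d+)96$", r"\1", v)

def lifetime_seconds(config, scope):
    """Junos writes 'lifetime-seconds N'; PAN-OS writes 'lifetime <unit> N'."""
    v = find(config, scope, "lifetime-seconds")
    if v:
        return int(v)
    for unit, mult in (("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400)):
        v = find(config, scope, "lifetime " + unit)
        if v:
            return int(v) * mult
    return None

def srx_profile(cfg):
    return {"p1_enc": norm(find(cfg, "ike proposal", "encryption-algorithm")),
            "p1_auth": norm(find(cfg, "ike proposal", "authentication-algorithm")),
            "p1_dh": norm(find(cfg, "ike proposal", "dh-group")),
            "p1_life": lifetime_seconds(cfg, "ike proposal"),
            "p2_enc": norm(find(cfg, "ipsec proposal", "encryption-algorithm")),
            "p2_auth": norm(find(cfg, "ipsec proposal", "authentication-algorithm")),
            "p2_pfs": norm(find(cfg, "perfect-forward-secrecy", "keys")),
            "local_ip": find(cfg, "ike gateway", "local-address"),
            "peer_ip": find(cfg, "ike gateway", "address"),   # 'address' but not 'local-address'
            "local_net": find(cfg, "proxy-identity", "local"),
            "remote_net": find(cfg, "proxy-identity", "remote")}

def palo_profile(cfg):
    return {"p1_enc": norm(find(cfg, "ike-crypto-profiles", "encryption")),
            "p1_auth": norm(find(cfg, "ike-crypto-profiles", "hash")),
            "p1_dh": norm(find(cfg, "ike-crypto-profiles", "dh-group")),
            "p1_life": lifetime_seconds(cfg, "ike-crypto-profiles"),
            "p2_enc": norm(find(cfg, "ipsec-crypto-profiles", "esp encryption")),
            "p2_auth": norm(find(cfg, "ipsec-crypto-profiles", "esp authentication")),
            "p2_pfs": norm(find(cfg, "ipsec-crypto-profiles", "dh-group")),
            "local_ip": (find(cfg, "ike gateway", "local-address ip") or "").split("/")[0] or None,
            "peer_ip": find(cfg, "ike gateway", "peer-address ip"),
            "local_net": find(cfg, "proxy-id", "local"),
            "remote_net": find(cfg, "proxy-id", "remote")}

SAME = ("p1_enc", "p1_auth", "p1_dh", "p1_life", "p2_enc", "p2_auth", "p2_pfs")
MIRROR = (("local_ip", "peer_ip"), ("peer_ip", "local_ip"),
          ("local_net", "remote_net"), ("remote_net", "local_net"))

def compare(srx, palo):
    """Human-readable list of mismatches; an empty list means the two sides agree."""
    problems = [f"{k}: SRX={srx[k]} Palo={palo[k]}" for k in SAME if srx[k] != palo[k]]
    for s, p in MIRROR:   # what is local on one side must be remote/peer on the other
        if srx[s] != palo[p]:
            problems.append(f"SRX {s} {srx[s]} does not mirror Palo {p} {palo[p]}")
    return problems

def check_page_configs():
    return compare(srx_profile(SRX_CONFIG), palo_profile(PALO_CONFIG))

def check_with_typo():
    """Same check with the Palo LAN mistyped as 10.20.10.0/24 (constructed error)."""
    bad = PALO_CONFIG.replace("local 10.20.1.0/24", "local 10.20.10.0/24")
    return compare(srx_profile(SRX_CONFIG), palo_profile(bad))
```

check_page_configs() returns an empty list for the configuration above; check_with_typo() returns a single entry naming the SRX remote subnet and the Palo local subnet that do not match, which is exactly the pair to look at when the Palo log reports a proxy-ID failure during Phase 2.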

Verifying the VPN

SRX:

Phase 1

root@srx_lab> show security ike security-associations               
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2430487 UP     51c22bb643895b79  afa9078ec7b25980  Main           192.168.1.210   

root@srx_lab> show security ike security-associations detail 
IKE peer 192.168.1.210, Index 2430487, Gateway Name: gw-Palo-lab
  Role: Initiator, State: UP
  Initiator cookie: 51c22bb643895b79, Responder cookie: afa9078ec7b25980
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.1.2:500, Remote: 192.168.1.210:500
  Lifetime: Expires in 1966 seconds
  Peer ike-id: 192.168.1.210
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                  672
   Output bytes  :                 1208
   Input  packets:                    4
   Output packets:                    6
  Flags: IKE SA is created 
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.210:500
    Local identity: 192.168.1.2         
    Remote identity: 192.168.1.210
    Flags: IKE SA is created   

Phase 2 (the index-3 SAs toward 192.168.1.201 belong to another tunnel on the lab SRX; the tunnel to the Palo is index 2, with one inbound and one outbound SA)

root@srx_lab> show security ipsec security-associations            
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <3    ESP:aes-cbc-256/sha1 6ac39d90 2004/  4607995 - root 500 192.168.1.201   
  >3    ESP:aes-cbc-256/sha1 3d8b1728 2004/  4607995 - root 500 192.168.1.201   
  <2    ESP:aes-cbc-256/sha1 197758a2 1994/ unlim - root 500  192.168.1.210   
  >2    ESP:aes-cbc-256/sha1 9c6bae7b 1994/ unlim - root 500  192.168.1.210   

root@srx_lab> show security ipsec security-associations index 2 
  ID: 2 Virtual-system: root, VPN Name: ike-vpn-palo
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.210
  Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.20.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Policy-name: vpn-tr-untr02
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 197758a2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1988 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1366 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9c6bae7b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1988 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1366 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

Palo

Phase 1 (this command also lists the Phase 2 SA negotiated under the IKE SA; Role Resp confirms the Palo was the responder, as passive-mode dictates, and the SPI pair 9C6BAE7B/197758A2 is the same pair the SRX shows as outbound/inbound for index 2)

admin@PA-VM> show vpn ike-sa gateway IKE-SRX-GW 

phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
--------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
              1 192.168.1.2            IKE-SRX-GW             Resp Main PSK/DH2/A256/SHA1 Aug.30 14:26:34 Aug.30 15:26:34 v1 12  2      1 

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Algorithm               SPI(in)  SPI(out) MsgID    ST Xt
--------------- ------------           ------------           ---- ---------               -------  -------- -----    -- --
              1 192.168.1.2            IKE-SRX-GW             Resp DH2 /tunl/ESP/A256/SHA1 9C6BAE7B 197758A2 552A3DCF  9  1 

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

Phase 2

admin@PA-VM> show vpn ipsec-sa tunnel IPSEC-PALO_SRX:palo-srx 

GwID/client IP  TnID Peer-Address           Tunnel(Gateway)                                Algorithm     SPI(in)  SPI(out) life(Sec/KB)
--------------- ---- ------------           ---------------                                ---------     -------  -------- ------------
              1    1 192.168.1.2            IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW)            ESP/A256/SHA1 9C6BAE7B 197758A2   1650/0

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
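A quick way to confirm that the two SA tables above describe one and the same tunnel is to cross-match the SPIs: what the SRX lists as inbound must be the Palo's SPI(out) and vice versa, and both sides must agree on the ESP algorithms. The script below is an added example, not code from the original post or from either vendor: it parses the SRX "show security ipsec security-associations" rows and the Palo "show vpn ipsec-sa" rows (both copied from the output above), ignores the SRX's unrelated index-3 tunnel to 192.168.1.201, and reports per Palo tunnel whether the SPIs cross-match and the algorithms agree. Function names are our own.

```python
# Added example: cross-check the SRX and Palo IPsec SA tables from the post.
# SRX inbound SPI must equal Palo SPI(out) and SRX outbound SPI must equal
# Palo SPI(in); algorithm strings are normalised so the vendors can be compared.
import re

SRX_SA = """
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <3    ESP:aes-cbc-256/sha1 6ac39d90 2004/  4607995 - root 500 192.168.1.201
  >3    ESP:aes-cbc-256/sha1 3d8b1728 2004/  4607995 - root 500 192.168.1.201
  <2    ESP:aes-cbc-256/sha1 197758a2 1994/ unlim - root 500  192.168.1.210
  >2    ESP:aes-cbc-256/sha1 9c6bae7b 1994/ unlim - root 500  192.168.1.210
"""

PALO_SA = """
GwID/client IP  TnID Peer-Address           Tunnel(Gateway)                                Algorithm     SPI(in)  SPI(out) life(Sec/KB)
--------------- ---- ------------           ---------------                                ---------     -------  -------- ------------
              1    1 192.168.1.2            IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW)            ESP/A256/SHA1 9C6BAE7B 197758A2   1650/0
"""

def norm_alg(s):
    """'aes-cbc-256/sha1' (Junos) and 'A256/SHA1' (PAN-OS) both become 'aes256/sha1'."""
    parts = []
    for p in s.lower().split("/"):
        p = p.replace("-cbc", "").replace("-", "")
        parts.append(re.sub(r"^a(\d+)$", r"aes\1", p))
    return "/".join(parts)

def parse_srx(text):
    """Rows such as '<2  ESP:aes-cbc-256/sha1 197758a2 1994/ unlim - root 500 192.168.1.210'."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 9 or t[0][0] not in "<>" or ":" not in t[1]:
            continue                      # header, totals, or something we do not understand
        proto, algs = t[1].split(":", 1)
        rows.append({"index": int(t[0][1:]),
                     "direction": "inbound" if t[0][0] == "<" else "outbound",
                     "proto": proto, "alg": norm_alg(algs),
                     "spi": t[2].lower(), "gateway": t[-1]})
    return rows

def parse_palo(text):
    """Rows such as '1 1 192.168.1.2 IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW) ESP/A256/SHA1 9C6BAE7B 197758A2 1650/0'."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or not t[0].isdigit():
            continue
        proto, *algs = t[4].split("/")
        rows.append({"peer": t[2], "tunnel": t[3], "proto": proto,
                     "alg": norm_alg("/".join(algs)),
                     "spi_in": t[5].lower(), "spi_out": t[6].lower()})
    return rows

def cross_check(srx_text, palo_text, palo_ip):
    """For each Palo SA, find the SRX SA pair toward `palo_ip` and report whether the
    SPIs cross-match and the ESP algorithms agree. Other SRX tunnels are ignored."""
    srx = [r for r in parse_srx(srx_text) if r["gateway"] == palo_ip]
    inbound = {r["spi"]: r for r in srx if r["direction"] == "inbound"}
    outbound = {r["spi"]: r for r in srx if r["direction"] == "outbound"}
    report = []
    for pa in parse_palo(palo_text):
        s_in = inbound.get(pa["spi_out"])    # what the SRX receives is what the Palo sends
        s_out = outbound.get(pa["spi_in"])   # and the other way round
        found = [r for r in (s_in, s_out) if r]
        report.append({"tunnel": pa["tunnel"],
                       "srx_index": s_in["index"] if s_in else None,
                       "spi_match": s_in is not None and s_out is not None,
                       "alg_match": bool(found) and all(
                           r["alg"] == pa["alg"] and r["proto"] == pa["proto"] for r in found)})
    return report

def check_page_outputs():
    """The Palo's address as seen from the SRX is 192.168.1.210."""
    return cross_check(SRX_SA, PALO_SA, "192.168.1.210")
```

For the output on this page the report is one entry for IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW), matched to SRX index 2 with both SPIs cross-matching and aes256/sha1 on both sides. After a one-sided rekey or a stale SA the SPIs stop matching even though both firewalls still show the tunnel as up, which is the situation this check is meant to catch.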

 

 

 
