Chapter 8: IPsec

2. Phase 1 configuration
   - IKE Proposal configuration
   - Pre-shared key configuration
   - VPN peer address configuration
3. Phase 2 configuration
   - IPsec Proposal configuration
   - PFS configuration
   - Tunnel interface binding

8-3. Tunnel interface configuration (1/2)
Both SSG and SRX assign the tunnel interface to a zone and configure an IP address on it.

• SSG
SSG5-> set zone name zone-name
SSG5-> set interface tunnel.number zone zone-name
SSG5-> set interface tunnel.number ip ip-address

• SRX
root@SRX300# set security zones security-zone zone-name
root@SRX300# set security zones security-zone zone-name interfaces st0.number
root@SRX300# set interfaces st0 unit number family inet address ip-address
8-3. Tunnel interface configuration (2/2)
On both SSG and SRX, a static route points the destination network of the VPN traffic at the tunnel interface.

• SSG
SSG5-> set route dst-network interface tunnel.number

• SRX
root@SRX300# set routing-options static route dst-network next-hop st0.number
8-4. Phase 1 configuration (1/2)
Both SSG and SRX use the following items in the Phase 1 configuration: IKE Proposal, pre-shared key, external interface, peer address, operating mode.

• SSG
Specified within the IKE Gateway configuration.
SSG5-> set ike gateway gateway-name address peer-address mode outgoing-interface interface-name preshare pre-shared-key proposal proposal-name

• SRX
Specified across three configuration items:
- set security ike proposal (authentication method, key exchange method, encryption algorithm, authentication algorithm)
- set security ike policy (operating mode, IKE Proposal reference, pre-shared key)
- set security ike gateway (IKE Policy reference, peer address, external interface)
8-4. Phase 1 configuration (2/2)
• SRX
root@SRX300# set security ike proposal proposal-name authentication-method method
root@SRX300# set security ike proposal proposal-name dh-group group
root@SRX300# set security ike proposal proposal-name encryption-algorithm algorithm
root@SRX300# set security ike proposal proposal-name authentication-algorithm algorithm
root@SRX300# set security ike policy policy-name mode mode
root@SRX300# set security ike policy policy-name proposals proposal-name
root@SRX300# set security ike policy policy-name pre-shared-key ascii-text pre-shared-key
root@SRX300# set security ike gateway gateway-name ike-policy policy-name
root@SRX300# set security ike gateway gateway-name address address
root@SRX300# set security ike gateway gateway-name external-interface interface-name

<Configuration example>
root@SRX300# set security ike proposal IKE-Proposal authentication-method pre-shared-keys
root@SRX300# set security ike proposal IKE-Proposal dh-group group14
root@SRX300# set security ike proposal IKE-Proposal encryption-algorithm aes-256-cbc
root@SRX300# set security ike proposal IKE-Proposal authentication-algorithm sha-256
root@SRX300# set security ike policy IKE-Policy mode main
root@SRX300# set security ike policy IKE-Policy proposals IKE-Proposal
root@SRX300# set security ike policy IKE-Policy pre-shared-key ascii-text Juniper@2018
root@SRX300# set security ike gateway IKE-Gateway ike-policy IKE-Policy
8-5. Phase 2 configuration (1/2)
Both SSG and SRX use the following items in the Phase 2 configuration: IPsec Proposal, IPsec policy, PFS, tunnel interface, IKE gateway.

• SSG
Specified within the VPN configuration (there is no separate IPsec policy configuration).
SSG5-> set vpn vpn-name gateway gateway-name mode proposal proposal-name

• SRX
Specified across three configuration items:
- set security ipsec proposal (protocol, encryption algorithm, authentication algorithm)
- set security ipsec policy (IPsec Proposal reference, PFS)
- set security ipsec vpn (tunnel interface, IPsec policy reference, IKE gateway reference)
8-5. Phase 2 configuration (2/2)
• SRX
root@SRX300# set security ipsec proposal proposal-name protocol protocol
root@SRX300# set security ipsec proposal proposal-name encryption-algorithm algorithm
root@SRX300# set security ipsec proposal proposal-name authentication-algorithm algorithm
root@SRX300# set security ipsec policy policy-name proposals proposal-name
root@SRX300# set security ipsec policy policy-name perfect-forward-secrecy keys dh-group
root@SRX300# set security ipsec vpn vpn-name bind-interface tunnel-interface
root@SRX300# set security ipsec vpn vpn-name ike ipsec-policy policy-name
root@SRX300# set security ipsec vpn vpn-name ike gateway gateway-name

<Configuration example>
root@SRX300# set security ipsec proposal IPsec-Proposal protocol esp
root@SRX300# set security ipsec proposal IPsec-Proposal encryption-algorithm aes-256-cbc
root@SRX300# set security ipsec proposal IPsec-Proposal authentication-algorithm hmac-sha-256-128
root@SRX300# set security ipsec policy IPsec-Policy proposals IPsec-Proposal
root@SRX300# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group14
root@SRX300# set security ipsec vpn Route-VPN bind-interface st0.0
root@SRX300# set security ipsec vpn Route-VPN ike ipsec-policy IPsec-Policy
root@SRX300# set security ipsec vpn Route-VPN ike gateway IKE-Gateway
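The SRX Phase 1 and Phase 2 configuration in 8-4 and 8-5 follows the same three-stage pattern in each phase (proposal, then policy, then gateway or vpn). The Python script below is an added example, not from the original slides or from Juniper: it generates that command set from structured input and refuses to emit a proposal built on legacy algorithms (the grp2/3DES/MD5 combination visible in the SSG verification output later in this chapter). The legacy-algorithm lists are this example's own policy choice. The proposal, policy, gateway and VPN names and the pre-shared key are the page's example values, the peer address is taken from the chapter's verification output, and the external interface ge-0/0/0.0 is an assumption, because the slide's example omits the gateway address and external-interface lines.

```python
"""Generate and sanity-check SRX Phase 1 / Phase 2 'set' commands.

Added example, not from the original slides: it mirrors the page's three-stage
structure per phase and refuses to emit proposals built on legacy algorithms.
"""
from dataclasses import dataclass

# Example policy (this script's choice): algorithms that should not appear in a
# new proposal. grp2/3DES/MD5 is what the SSG 'get ike cookies' output on the page shows.
LEGACY_ENCRYPTION = {"des-cbc", "3des-cbc"}
LEGACY_INTEGRITY = {"md5", "hmac-md5-96"}
LEGACY_DH = {"group1", "group2", "group5"}


@dataclass
class Phase1:  # ike proposal -> ike policy -> ike gateway
    proposal: str
    policy: str
    gateway: str
    dh_group: str
    encryption: str
    authentication: str
    mode: str
    psk: str
    peer: str
    external_interface: str
    auth_method: str = "pre-shared-keys"


@dataclass
class Phase2:  # ipsec proposal -> ipsec policy -> ipsec vpn
    proposal: str
    policy: str
    vpn: str
    encryption: str
    authentication: str
    pfs_group: str
    bind_interface: str
    gateway: str
    protocol: str = "esp"


def legacy_findings(encryption, authentication, dh_group):
    """Legacy algorithms used by a proposal; an empty list means it passes."""
    findings = []
    if encryption in LEGACY_ENCRYPTION:
        findings.append(f"encryption {encryption}")
    if authentication in LEGACY_INTEGRITY:
        findings.append(f"integrity {authentication}")
    if dh_group in LEGACY_DH:
        findings.append(f"DH {dh_group}")
    return findings


def phase1_commands(p):
    """The ten 'set security ike ...' lines, in the order the page lists them."""
    prop = f"set security ike proposal {p.proposal}"
    pol = f"set security ike policy {p.policy}"
    gw = f"set security ike gateway {p.gateway}"
    return [
        f"{prop} authentication-method {p.auth_method}",
        f"{prop} dh-group {p.dh_group}",
        f"{prop} encryption-algorithm {p.encryption}",
        f"{prop} authentication-algorithm {p.authentication}",
        f"{pol} mode {p.mode}",
        f"{pol} proposals {p.proposal}",
        f"{pol} pre-shared-key ascii-text {p.psk}",
        f"{gw} ike-policy {p.policy}",
        f"{gw} address {p.peer}",
        f"{gw} external-interface {p.external_interface}",
    ]


def phase2_commands(p):
    """The eight 'set security ipsec ...' lines, in the order the page lists them."""
    prop = f"set security ipsec proposal {p.proposal}"
    pol = f"set security ipsec policy {p.policy}"
    vpn = f"set security ipsec vpn {p.vpn}"
    return [
        f"{prop} protocol {p.protocol}",
        f"{prop} encryption-algorithm {p.encryption}",
        f"{prop} authentication-algorithm {p.authentication}",
        f"{pol} proposals {p.proposal}",
        f"{pol} perfect-forward-secrecy keys {p.pfs_group}",
        f"{vpn} bind-interface {p.bind_interface}",
        f"{vpn} ike ipsec-policy {p.policy}",
        f"{vpn} ike gateway {p.gateway}",
    ]


def build_vpn(p1, p2):
    """Full route-based VPN config, or ValueError naming every problem found."""
    problems = [f"Phase 1 {f}" for f in legacy_findings(p1.encryption, p1.authentication, p1.dh_group)]
    problems += [f"Phase 2 {f}" for f in legacy_findings(p2.encryption, p2.authentication, p2.pfs_group)]
    if p2.gateway != p1.gateway:  # the vpn must reference the gateway Phase 1 defines
        problems.append(f"Phase 2 references gateway {p2.gateway}, Phase 1 defines {p1.gateway}")
    if problems:
        raise ValueError("; ".join(problems))
    return phase1_commands(p1) + phase2_commands(p2)


# Page's example values; the peer comes from the verification output and the
# external interface is an assumption (the slide omits both lines).
PAGE_PHASE1 = Phase1("IKE-Proposal", "IKE-Policy", "IKE-Gateway", "group14", "aes-256-cbc",
                     "sha-256", "main", "Juniper@2018", "192.168.100.254", "ge-0/0/0.0")
PAGE_PHASE2 = Phase2("IPsec-Proposal", "IPsec-Policy", "Route-VPN", "aes-256-cbc",
                     "hmac-sha-256-128", "group14", "st0.0", "IKE-Gateway")

if __name__ == "__main__":
    for cmd in build_vpn(PAGE_PHASE1, PAGE_PHASE2):
        print(cmd)
```

Run the script to print the eighteen commands that reproduce the page's example; feed it a Phase1 with 3des-cbc/md5/group2 and it raises instead of emitting a configuration that merely works.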
8-6. Reference configuration: policy-based VPN
On both SSG and SRX, the Phase 2 (VPN) configuration is referenced in the action of the security policy.

• SSG
SSG5-> set policy from src-zone-name to dst-zone-name src-address dst-address service tunnel vpn vpn-name

• SRX
root@SRX300# set security policies from-zone src-zone-name to-zone dst-zone-name policy policy-name then permit tunnel ipsec-vpn vpn-name
8-6. Reference configuration: monitoring
Both SSG and SRX can configure Dead Peer Detection (Phase 1) and VPN Monitor (Phase 2) as monitoring functions.

• SSG
SSG5-> set ike gateway gateway-name dpd interval seconds
SSG5-> set ike gateway gateway-name dpd retry threshold
SSG5-> set vpn vpn-name monitor
SSG5-> set vpnmonitor interval seconds
SSG5-> set vpnmonitor threshold threshold

• SRX
root@SRX300# set security ike gateway gateway-name dead-peer-detection interval seconds
root@SRX300# set security ike gateway gateway-name dead-peer-detection threshold threshold
root@SRX300# set security ipsec vpn vpn-name vpn-monitor
root@SRX300# set security ipsec vpn-monitor-options interval seconds
root@SRX300# set security ipsec vpn-monitor-options threshold threshold
8-7. Verifying operation (1/5)
Phase 1 verification
• SSG
SSG5-> get ike cookies
IKEv1 SA -- Active: 1, Dead: 0, Total 1
80522f/0003, 10.254.1.1:500->10.254.1.2:500, PRESHR/grp2/3DES/MD5, xchg(2) (RouteBasePhase1/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28779 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
8-7. Verifying operation (2/5)
• SRX
root@SRX300> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3375269  UP     c0ff87663b7eefdc  b498d5c7975e79f3  Main  192.168.100.254

root@SRX300> show security ike security-associations detail
IKE peer 192.168.100.254, Index 3375269, Gateway Name: IKE-Gateway
  Role: Initiator, State: UP
  Initiator cookie: c0ff87663b7eefdc, Responder cookie: b498d5c7975e79f3
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.100.1:500, Remote: 192.168.100.254:500
  Lifetime: Expires in 28355 seconds
--- snip ---
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
--- snip ---

8-7. Verifying operation (3/5)
Phase 2 verification
• SSG
SSG5-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway     Port Algorithm     SPI      Life:sec kb    Sta  PID vsys
00000001< 10.254.1.2  500  esp:a128/sha1 c0146f1a 2815     unlim A/U  -1  0
00000001> 10.254.1.2  500  esp:a128/sha1 22663cdf 2815     unlim A/U  -1  0
8-7. Verifying operation (4/5)
• SRX
root@SRX300> show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm               SPI       Life:sec/kb   Mon lsys  Port  Gateway
  <131073  ESP:aes-cbc-256/sha256  b51ab8de  3392/ unlim   -   root  500   192.168.100.254
  >131073  ESP:aes-cbc-256/sha256  a74b07fb  3392/ unlim   -   root  500   192.168.100.254

root@SRX300> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: Route-VPN
  Local Gateway: 192.168.100.1, Remote Gateway: 192.168.100.254
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
--- snip ---
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
--- snip ---

8-7. Verifying operation (5/5)
• SRX
root@SRX300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:          6899736
  Decrypted bytes:          3809192
  Encrypted packets:          45473
  Decrypted packets:          45450
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
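The three SRX verification commands in 8-7 (2/5), (4/5) and (5/5) show the state a defender checks after cut-over: an IKE SA in state UP, an inbound and an outbound IPsec SA for the same ID, and zero error counters. The Python script below is an added example, not from the original slides or from Juniper: it parses those three outputs (the sample strings are constructed to match the output shown on the page) and reduces them to a short list of findings. In the brief IPsec SA table a '-' in the Mon column means vpn-monitor is not configured for that SA, so the script reports it as an informational finding; the finding texts themselves are this example's own choice.

```python
"""Parse SRX IKE/IPsec verification output into a tunnel health check.

Added example, not from the original slides. The sample strings are constructed
to match the page's command output; the findings are this script's own wording.
"""
import re

# Constructed sample: 'show security ike security-associations'
IKE_SA_SAMPLE = """\
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3375269  UP     c0ff87663b7eefdc  b498d5c7975e79f3  Main  192.168.100.254
"""
# Constructed sample: 'show security ipsec security-associations'
IPSEC_SA_SAMPLE = """\
  Total active tunnels: 1
  ID       Algorithm               SPI       Life:sec/kb   Mon lsys  Port  Gateway
  <131073  ESP:aes-cbc-256/sha256  b51ab8de  3392/ unlim   -   root  500   192.168.100.254
  >131073  ESP:aes-cbc-256/sha256  a74b07fb  3392/ unlim   -   root  500   192.168.100.254
"""
# Constructed sample: 'Errors:' block of 'show security ipsec statistics'
IPSEC_STATS_SAMPLE = """\
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)$")
IPSEC_ROW = re.compile(
    r"^([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")


def parse_ike_sa(text):
    """One dict per IKE (Phase 1) SA row; the header line does not match the regex."""
    sas = []
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            sas.append({"index": int(m[1]), "state": m[2], "mode": m[5], "remote": m[6]})
    return sas


def parse_ipsec_sa(text):
    """One dict per IPsec (Phase 2) SA row: '<' is the inbound SA, '>' the outbound one."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line.strip())
        if m:
            sas.append({"direction": m[1], "id": int(m[2]), "algorithm": m[3], "spi": m[4],
                        "life_sec": int(m[5]), "life_kb": m[6], "mon": m[7], "gateway": m[10]})
    return sas


def parse_ipsec_stats(text):
    """Error counters from the 'Errors:' block, keyed by counter name."""
    counters = {}
    in_errors = False
    for line in text.splitlines():
        if line.strip() == "Errors:":
            in_errors = True
            continue
        if in_errors:
            for name, value in COUNTER.findall(line):
                counters[name.strip()] = int(value)
    return counters


def tunnel_health(ike, ipsec, errors):
    """Findings worth acting on; an empty list means the tunnel looks healthy."""
    findings = []
    if not any(sa["state"] == "UP" for sa in ike):
        findings.append("no IKE SA in state UP (Phase 1 not established)")
    by_id = {}
    for sa in ipsec:
        by_id.setdefault(sa["id"], set()).add(sa["direction"])
    if not by_id:
        findings.append("no IPsec SA installed (Phase 2 not established)")
    for sa_id, dirs in by_id.items():
        if dirs != {"<", ">"}:  # a healthy tunnel has both halves of the SA pair
            findings.append(f"IPsec SA {sa_id} is missing the inbound or outbound half")
    if any(sa["mon"] == "-" for sa in ipsec):
        findings.append("vpn-monitor not enabled on at least one SA (Mon column is '-')")
    for name, value in errors.items():  # any non-zero error counter is reported as-is
        if value:
            findings.append(f"{name}: {value}")
    return findings


if __name__ == "__main__":
    report = tunnel_health(parse_ike_sa(IKE_SA_SAMPLE), parse_ipsec_sa(IPSEC_SA_SAMPLE),
                           parse_ipsec_stats(IPSEC_STATS_SAMPLE))
    print("\n".join(report) or "tunnel healthy")
```

On the page's own output the only finding is the informational vpn-monitor note, which matches 8-6: VPN Monitor was not configured in this example. Run against output where the IKE SA is not UP, one half of the SA pair is missing, or an ESP authentication or replay counter is climbing, each condition produces its own line, which is the shape a monitoring job or SIEM parser wants.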