
Phase 1 configuration - IKE Proposal configuration

From the document SRX Migration Full Ver. (pages 124-138)

Chapter 8: IPsec

2. Phase 1 configuration - IKE Proposal configuration
   - Pre-shared key configuration
   - VPN peer address configuration
3. Phase 2 configuration
   - IPsec Proposal configuration
   - PFS configuration
   - Tunnel interface binding

8-3. Tunnel interface configuration (1/2)

SSG and SRX both assign the tunnel interface to a zone and give it an IP address. As with any other interface, traffic between the tunnel's zone and the internal zone still has to be permitted by a security policy on both platforms; the zone assignment alone forwards nothing.

• SSG

SSG5-> set zone name zone-name
SSG5-> set interface tunnel.number zone zone-name
SSG5-> set interface tunnel.number ip ip-address

• SRX

root@SRX300# set security zones security-zone zone-name
root@SRX300# set security zones security-zone zone-name interfaces st0.number
root@SRX300# set interfaces st0 unit number family inet address ip-address

8-3. Tunnel interface configuration (2/2)

SSG and SRX both use a static route that points the destination network of the VPN traffic at the tunnel interface. With a route-based VPN this route, not a policy match, decides which traffic enters the tunnel.

• SSG

SSG5-> set route dst-network interface tunnel.number

• SRX

root@SRX300# set routing-options static route dst-network next-hop st0.number

8-4. Phase 1 configuration (1/2)

SSG and SRX both use the following items for Phase 1:
IKE Proposal, pre-shared key, external interface, peer address, and mode.

• SSG

All of them are specified within the IKE Gateway configuration.

• SRX

Spread across three configuration objects:

- set security ike proposal
  (authentication method, key exchange (DH group), encryption algorithm, authentication algorithm)
- set security ike policy
  (mode, IKE Proposal reference, pre-shared key)
- set security ike gateway
  (IKE Policy reference, peer address, external interface)

SSG5-> set ike gateway gateway-name address peer-address mode outgoing-interface interface-name preshare pre-shared-key proposal proposal-name

8-4. Phase 1 configuration (2/2)

• SRX

root@SRX300# set security ike proposal proposal-name authentication-method method
root@SRX300# set security ike proposal proposal-name dh-group group
root@SRX300# set security ike proposal proposal-name encryption-algorithm algorithm
root@SRX300# set security ike proposal proposal-name authentication-algorithm algorithm
root@SRX300# set security ike policy policy-name mode mode
root@SRX300# set security ike policy policy-name proposals proposal-name
root@SRX300# set security ike policy policy-name pre-shared-key ascii-text pre-shared-key
root@SRX300# set security ike gateway gateway-name ike-policy policy-name
root@SRX300# set security ike gateway gateway-name address address
root@SRX300# set security ike gateway gateway-name external-interface interface-name

<Configuration example>

root@SRX300# set security ike proposal IKE-Proposal authentication-method pre-shared-keys
root@SRX300# set security ike proposal IKE-Proposal dh-group group14
root@SRX300# set security ike proposal IKE-Proposal encryption-algorithm aes-256-cbc
root@SRX300# set security ike proposal IKE-Proposal authentication-algorithm sha-256
root@SRX300# set security ike policy IKE-Policy mode main
root@SRX300# set security ike policy IKE-Policy proposals IKE-Proposal
root@SRX300# set security ike policy IKE-Policy pre-shared-key ascii-text Juniper@2018
root@SRX300# set security ike gateway IKE-Gateway ike-policy IKE-Policy

The pre-shared key is typed as ascii-text but stored and displayed in obfuscated ($9$) form; treat it as a secret and use a long random string rather than a dictionary-style value like the one in the example. Both peers must offer the same DH group, encryption and authentication algorithms, so a remote gateway still negotiating the SSG-era grp2/3DES/MD5 (as in the `get ike cookies` output in 8-7) has to be updated to match before Phase 1 will complete.

8-5. Phase 2 configuration (1/2)

SSG and SRX both use the following items for Phase 2:
IPsec Proposal, IPsec policy, PFS, tunnel interface, and IKE gateway.

• SSG

All of them are specified within the VPN configuration (there is no separate IPsec policy object).

• SRX

Spread across three configuration objects:

- set security ipsec proposal
  (protocol, encryption algorithm, authentication algorithm)
- set security ipsec policy
  (IPsec Proposal reference, PFS)
- set security ipsec vpn
  (tunnel interface binding, IPsec policy reference, IKE gateway reference)

SSG5-> set vpn vpn-name gateway gateway-name mode proposal proposal-name

8-5. Phase 2 configuration (2/2)

• SRX

root@SRX300# set security ipsec proposal proposal-name protocol protocol
root@SRX300# set security ipsec proposal proposal-name encryption-algorithm algorithm
root@SRX300# set security ipsec proposal proposal-name authentication-algorithm algorithm
root@SRX300# set security ipsec policy policy-name proposals proposal-name
root@SRX300# set security ipsec policy policy-name perfect-forward-secrecy keys dh-group
root@SRX300# set security ipsec vpn vpn-name bind-interface tunnel-interface
root@SRX300# set security ipsec vpn vpn-name ike ipsec-policy policy-name
root@SRX300# set security ipsec vpn vpn-name ike gateway gateway-name

<Configuration example>

root@SRX300# set security ipsec proposal IPsec-Proposal protocol esp
root@SRX300# set security ipsec proposal IPsec-Proposal encryption-algorithm aes-256-cbc
root@SRX300# set security ipsec proposal IPsec-Proposal authentication-algorithm hmac-sha-256-128
root@SRX300# set security ipsec policy IPsec-Policy proposals IPsec-Proposal
root@SRX300# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group14
root@SRX300# set security ipsec vpn Route-VPN bind-interface st0.0
root@SRX300# set security ipsec vpn Route-VPN ike ipsec-policy IPsec-Policy
root@SRX300# set security ipsec vpn Route-VPN ike gateway IKE-Gateway

With perfect-forward-secrecy each Phase 2 negotiation runs its own Diffie-Hellman exchange, so a later compromise of the Phase 1 keys does not expose the IPsec keys; choose a PFS group at least as strong as the IKE dh-group (the example uses group14 for both). The bind-interface must be the st0 unit that was placed in a zone and routed to in 8-3.
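The tunnel interface and route from 8-3, the three-object Phase 1 layout from 8-4 and the three-object Phase 2 layout from 8-5 can all be generated from the same handful of parameters an SSG `set ike gateway` / `set vpn` one-liner carries. The following Python is an added example written for this page, not the migration guide's own tooling: it emits the SRX set commands in the order the guide presents them and refuses to carry over weak algorithms of the kind the SSG output in 8-7 still negotiates (grp2/3DES/MD5, a128/sha1). The interface ge-0/0/0.0, the tunnel address 10.254.1.1/30, the destination 10.0.0.0/24, the pre-shared key, the object naming scheme, the 16-character key floor and the weak-algorithm list are assumptions of the example.

```python
"""Emit an SRX route-based VPN (tunnel interface, route, Phase 1, Phase 2) from
the parameters an SSG 'set ike gateway' / 'set vpn' one-liner carries.

Added example for this page, not the migration guide's own code. Object names,
interface ge-0/0/0.0, addresses and the weak-algorithm list are assumptions.
"""
from dataclasses import dataclass, field

# Junos algorithm names a migration should not copy across from an SSG-era
# tunnel (the guide's 'get ike cookies' output shows grp2/3DES/MD5).
# This list is the example's own policy, not a Junos setting.
WEAK_ALGORITHMS = {
    "des-cbc", "3des-cbc", "md5", "sha1",   # IKE ciphers and hashes
    "hmac-md5-96", "hmac-sha1-96",          # IPsec authentication
    "group1", "group2", "group5",           # DH groups under 2048 bits
}


@dataclass
class VpnParams:
    name: str                  # vpn name; also the prefix of the other objects
    peer: str                  # remote gateway address
    external_interface: str    # SRX outside interface, e.g. ge-0/0/0.0 (assumed)
    psk: str
    zone: str                  # security zone that holds st0.<unit>
    st0_unit: int
    tunnel_address: str        # address on st0.<unit>, e.g. 10.254.1.1/30 (assumed)
    dst_networks: list[str] = field(default_factory=list)  # routed into the tunnel
    mode: str = "main"
    dh_group: str = "group14"
    ike_encryption: str = "aes-256-cbc"
    ike_authentication: str = "sha-256"
    ipsec_encryption: str = "aes-256-cbc"
    ipsec_authentication: str = "hmac-sha-256-128"
    pfs_group: str = "group14"


def check_params(p: VpnParams) -> list[str]:
    """Return the problems that would leave the migrated VPN weak or unroutable."""
    problems = []
    for label, alg in (("dh-group", p.dh_group), ("ike encryption", p.ike_encryption),
                       ("ike authentication", p.ike_authentication),
                       ("ipsec encryption", p.ipsec_encryption),
                       ("ipsec authentication", p.ipsec_authentication),
                       ("pfs group", p.pfs_group)):
        if alg in WEAK_ALGORITHMS:
            problems.append(f"{label} {alg} is weak; do not carry it over from the SSG")
    if p.mode == "aggressive":
        problems.append("aggressive mode sends the IKE identity and PSK-derived hash "
                        "unprotected; use main mode for a static peer")
    elif p.mode != "main":
        problems.append(f"unknown IKE mode {p.mode}")
    if len(p.psk) < 16:   # length floor is the example's choice
        problems.append("pre-shared key shorter than 16 characters")
    if not p.dst_networks:
        problems.append("no destination network: nothing will be routed into st0")
    return problems


def build_srx_config(p: VpnParams) -> list[str]:
    """Return the 'set' lines in the order the guide presents them (8-3, 8-4, 8-5)."""
    problems = check_params(p)
    if problems:
        raise ValueError("; ".join(problems))
    st0 = f"st0.{p.st0_unit}"
    prop, pol, gw = f"{p.name}-IKE-Proposal", f"{p.name}-IKE-Policy", f"{p.name}-IKE-Gateway"
    iprop, ipol = f"{p.name}-IPsec-Proposal", f"{p.name}-IPsec-Policy"
    return [
        # 8-3: tunnel interface in a zone, its address, static routes through it
        f"set security zones security-zone {p.zone}",
        f"set security zones security-zone {p.zone} interfaces {st0}",
        f"set interfaces st0 unit {p.st0_unit} family inet address {p.tunnel_address}",
        *[f"set routing-options static route {net} next-hop {st0}" for net in p.dst_networks],
        # 8-4: Phase 1 split into proposal / policy / gateway
        f"set security ike proposal {prop} authentication-method pre-shared-keys",
        f"set security ike proposal {prop} dh-group {p.dh_group}",
        f"set security ike proposal {prop} encryption-algorithm {p.ike_encryption}",
        f"set security ike proposal {prop} authentication-algorithm {p.ike_authentication}",
        f"set security ike policy {pol} mode {p.mode}",
        f"set security ike policy {pol} proposals {prop}",
        f'set security ike policy {pol} pre-shared-key ascii-text "{p.psk}"',
        f"set security ike gateway {gw} ike-policy {pol}",
        f"set security ike gateway {gw} address {p.peer}",
        f"set security ike gateway {gw} external-interface {p.external_interface}",
        # 8-5: Phase 2 split into proposal / policy / vpn
        f"set security ipsec proposal {iprop} protocol esp",
        f"set security ipsec proposal {iprop} encryption-algorithm {p.ipsec_encryption}",
        f"set security ipsec proposal {iprop} authentication-algorithm {p.ipsec_authentication}",
        f"set security ipsec policy {ipol} proposals {iprop}",
        f"set security ipsec policy {ipol} perfect-forward-secrecy keys {p.pfs_group}",
        f"set security ipsec vpn {p.name} bind-interface {st0}",
        f"set security ipsec vpn {p.name} ike gateway {gw}",
        f"set security ipsec vpn {p.name} ike ipsec-policy {ipol}",
    ]


# Constructed sample: the peer matches the 8-7 output; everything else is assumed.
SAMPLE = VpnParams(name="Route-VPN", peer="192.168.100.254", external_interface="ge-0/0/0.0",
                   psk="constructed-example-psk-0123", zone="VPN", st0_unit=0,
                   tunnel_address="10.254.1.1/30", dst_networks=["10.0.0.0/24"])

if __name__ == "__main__":
    print("\n".join(build_srx_config(SAMPLE)))
```

Running the script prints a block that can be pasted into the SRX with `load set terminal`; `check_params` can also be run on its own while planning the migration, before any device is touched.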

8-6. Reference configuration: policy-based VPN

SSG and SRX both reference the Phase 2 (VPN) configuration from the action of a security policy.

• SSG

SSG5-> set policy from src-zone-name to dst-zone-name src-address dst-address service tunnel vpn vpn-name

• SRX

root@SRX300# set security policies from-zone src-zone-name to-zone dst-zone-name policy policy-name then permit tunnel ipsec-vpn vpn-name

A policy-based VPN encrypts only what the policy matches, so return traffic needs a matching policy in the opposite direction (on the SRX the two are linked with `pair-policy`); with the route-based design in 8-3 to 8-5 the static route to st0 decides what enters the tunnel instead.

8-6. Reference configuration: monitoring

SSG and SRX both support Dead Peer Detection (Phase 1) and VPN Monitor (Phase 2) as monitoring functions.

• SSG

SSG5-> set ike gateway gateway-name dpd interval seconds
SSG5-> set ike gateway gateway-name dpd retry threshold
SSG5-> set vpn vpn-name monitor
SSG5-> set vpnmonitor interval seconds
SSG5-> set vpnmonitor threshold threshold

• SRX

root@SRX300# set security ike gateway gateway-name dead-peer-detection interval seconds
root@SRX300# set security ike gateway gateway-name dead-peer-detection threshold threshold
root@SRX300# set security ipsec vpn vpn-name vpn-monitor
root@SRX300# set security ipsec vpn-monitor-options interval seconds
root@SRX300# set security ipsec vpn-monitor-options threshold threshold

DPD probes the IKE peer with IKE messages, while VPN Monitor sends ICMP echo requests through the established tunnel. Both are liveness checks that mark the SA down and trigger renegotiation after the threshold is exceeded; neither tells you whether traffic is being dropped for authentication or replay reasons, which is what the statistics in 8-7 show.

8-7. Operation check (1/5)

Phase 1 check

• SSG

SSG5-> get ike cookies
IKEv1 SA -- Active: 1, Dead: 0, Total 1
80522f/0003, 10.254.1.1:500->10.254.1.2:500, PRESHR/grp2/3DES/MD5, xchg(2) (RouteBasePhase1/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28779 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

The PRESHR/grp2/3DES/MD5 field shows that this SSG tunnel is still negotiating DH group 2, 3DES and MD5; the SRX example in 8-4 uses group14, AES-256 and SHA-256, so the remote peer's proposal has to be changed at the same time or the migrated Phase 1 will not come up.

8-7. Operation check (2/5)

• SRX

root@SRX300> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3375269  UP     c0ff87663b7eefdc  b498d5c7975e79f3  Main  192.168.100.254

root@SRX300> show security ike security-associations detail
IKE peer 192.168.100.254, Index 3375269, Gateway Name: IKE-Gateway
  Role: Initiator, State: UP
  Initiator cookie: c0ff87663b7eefdc, Responder cookie: b498d5c7975e79f3
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.100.1:500, Remote: 192.168.100.254:500
  Lifetime: Expires in 28355 seconds
  --- snip ---
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
  --- snip ---

Two things to confirm here: State is UP, and the Algorithms block matches the IKE proposal that was configured (if the peer offered something weaker that both sides accept, it shows up here, not in the configuration).

8-7. Operation check (3/5)

Phase 2 check

• SSG

SSG5-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID     Gateway     Port  Algorithm      SPI       Life:sec  kb     Sta  PID  vsys
00000001<  10.254.1.2  500   esp:a128/sha1  c0146f1a  2815      unlim  A/U  -1   0
00000001>  10.254.1.2  500   esp:a128/sha1  22663cdf  2815      unlim  A/U  -1   0

8-7. Operation check (4/5)

• SRX

root@SRX300> show security ipsec security-associations
Total active tunnels: 1
ID       Algorithm               SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131073  ESP:aes-cbc-256/sha256  b51ab8de  3392/ unlim  -    root  500   192.168.100.254
>131073  ESP:aes-cbc-256/sha256  a74b07fb  3392/ unlim  -    root  500   192.168.100.254

root@SRX300> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: Route-VPN
  Local Gateway: 192.168.100.1, Remote Gateway: 192.168.100.254
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  --- snip ---
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
  Anti-replay service: counter-based enabled, Replay window size: 64
  --- snip ---

A healthy Phase 2 shows an inbound (<) and an outbound (>) SA with the same ID and different SPIs. The 0.0.0.0/0 local and remote identities are the route-based default (any-to-any proxy ID), and the "-" in the Mon column means vpn-monitor is not enabled for this VPN.

8-7. Operation check (5/5)

• SRX

root@SRX300> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:     6899736
  Decrypted bytes:     3809192
  Encrypted packets:     45473
  Decrypted packets:     45450
AH Statistics:
  Input bytes:               0
  Output bytes:              0
  Input packets:             0
  Output packets:            0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

After cutover the counters to watch are ESP authentication failures and ESP decryption failures (mismatched keys or algorithms between the peers, or tampered packets) and Replay errors (packets reordered beyond the 64-packet window, or replayed); all should stay at zero while the Encrypted/Decrypted packet counts keep climbing.
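The 8-7 outputs are what an operator reads by eye on one tunnel; after a migration the same checks are worth running mechanically across every tunnel. The following Python is an added example written for this page, not from the migration guide: it parses the brief `show security ike security-associations`, `show security ipsec security-associations` and `show security ipsec statistics` output, using a constructed copy of the guide's own sample output as input, and reports anything that breaks the healthy picture described above (Phase 1 UP, one inbound and one outbound SA with the expected algorithms, zero ESP and replay error counters). The expected algorithm strings, the zero-error rule and the reading of the Mon column are the example's choices.

```python
"""Check the SRX operational output from 8-7 mechanically.

Added example for this page, not from the migration guide. The sample text is
a constructed copy of the guide's own show output; the expected algorithms
and the 'healthy means zero errors' rule are this example's assumptions.
"""
import re

# --- constructed samples, copied from the outputs reproduced in 8-7 ---
SRX_IKE_SA = """\
Index State Initiator cookie Responder cookie Mode Remote Address
3375269 UP c0ff87663b7eefdc b498d5c7975e79f3 Main 192.168.100.254
"""

SRX_IPSEC_SA = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha256 b51ab8de 3392/ unlim - root 500 192.168.100.254
>131073 ESP:aes-cbc-256/sha256 a74b07fb 3392/ unlim - root 500 192.168.100.254
"""

SRX_IPSEC_STATS = """\
ESP Statistics:
Encrypted bytes: 6899736
Decrypted bytes: 3809192
Encrypted packets: 45473
Decrypted packets: 45450
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

# One IKE SA per line: index, state, two 16-hex-digit cookies, mode, remote address.
IKE_RE = re.compile(r"^(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
                    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)", re.M)
# One IPsec SA per line; '<' is inbound, '>' outbound; Life:sec/kb prints as '3392/ unlim'.
IPSEC_RE = re.compile(r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<proto>\w+):(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+"
                      r"(?P<spi>[0-9a-f]+)\s+(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+"
                      r"(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)", re.M)
# 'Label: number' pairs, several of which may share a line in the Errors block.
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_ike_sa(text):
    return [m.groupdict() for m in IKE_RE.finditer(text)]


def parse_ipsec_sa(text):
    return [m.groupdict() for m in IPSEC_RE.finditer(text)]


def parse_ipsec_stats(text):
    """Return every counter as an int keyed by its label, e.g. stats['Replay errors']."""
    return {label.strip(): int(value) for label, value in COUNTER_RE.findall(text)}


def assess(ike_text, ipsec_text, stats_text, expected_peer, expected_enc, expected_auth):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings = []
    ike = [s for s in parse_ike_sa(ike_text) if s["remote"] == expected_peer]
    if not any(s["state"] == "UP" for s in ike):
        findings.append(f"no IKE SA in state UP with peer {expected_peer}")
    sas = [s for s in parse_ipsec_sa(ipsec_text) if s["gateway"] == expected_peer]
    dirs = {s["dir"] for s in sas}
    if dirs != {"<", ">"}:
        findings.append(f"expected an inbound and an outbound IPsec SA, found {sorted(dirs)}")
    if len({s["spi"] for s in sas}) != len(sas):
        findings.append("duplicate SPI across SAs")
    for s in sas:
        if (s["proto"], s["enc"], s["auth"]) != ("ESP", expected_enc, expected_auth):
            findings.append(f"SA {s['dir']}{s['id']} negotiated {s['proto']}:{s['enc']}/{s['auth']}")
        if s["mon"] == "D":   # vpn-monitor declared the SA down (example's reading of the column)
            findings.append(f"VPN monitor reports SA {s['id']} down")
    stats = parse_ipsec_stats(stats_text)
    for key in ("ESP authentication failures", "ESP decryption failures",
                "Replay errors", "Bad headers", "Bad trailers"):
        if stats.get(key, 0):
            findings.append(f"{key}: {stats[key]}")
    if stats.get("Decrypted packets", 0) == 0:
        findings.append("no packets decrypted yet: nothing has arrived through the tunnel")
    return findings


if __name__ == "__main__":
    result = assess(SRX_IKE_SA, SRX_IPSEC_SA, SRX_IPSEC_STATS,
                    "192.168.100.254", "aes-cbc-256", "sha256")
    print("healthy" if not result else "\n".join(result))
```

On a real device the three texts would come from the CLI (or from `show ... | display xml` with an XML parser instead of regexes, which is the more robust route when the output is collected over NETCONF); the checks themselves stay the same.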
