Win XP SP3 Japanese Ed. NCP IPSec client Hub L3 SW SRX100 Policy base VPN fe-0/0/0 vlan.0 Win 2003 SVR /
Network configuration

Test devices

SRX100: JUNOS 10.2

Client: Windows XP SP3 Japanese Edition, NCP client Ver.9.20 Build 33

Client: Windows 7 Ultimate Japanese Edition, NCP client Ver.9.20 Build 33

[Figure: network diagram. Labels recovered from the slide: 192.168.1.0/24, vlan.0, fe-0/0/0, 100.100.100.0/24, 172.27.24.0/24, L3 SW, Hub, SRX100, Policy base VPN, Win XP SP3 Japanese Ed., NCP IPSec client, Win 2003 SVR; host addresses shown: .254, .254, .1, .1, .100, .216]

3 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

Connecting with PRESHARED-KEY (pre-shared key method)

SRX configuration flow

1. IKE phase 1 settings
2. IKE phase 2 settings
3. Security policy for the VPN connection
4. Xauth server settings

Configuration conditions

IKE phase 1: Aggressive mode, Preshared-key, DH group 2, AES 128-bit encryption, SHA1 hash

IKE phase 2: ESP mode, AES 128-bit encryption, SHA1 hash, PFS DH-group2

Xauth server: Radius

SRX configuration - IKE phase 1 and 2 - (PRESHARED-KEY)

ike {
    proposal pre-g2-aes128-sha {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ike_policy {
        mode aggressive;
        proposals pre-g2-aes128-sha;
        pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."; ## SECRET-DATA
    }
    gateway NCP_p1 {
        ike-policy NCP_ike_policy;
        dynamic {
            user-at-hostname "[email protected]";
        }
        dead-peer-detection;
        external-interface fe-0/0/0.0;
        xauth access-profile radius-auth;
    }
}
ipsec {
    proposal g2-esp-aes128-sha {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ipsec_policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals g2-esp-aes128-sha;
    }
    vpn NCP_p2 {
        ike {
            gateway NCP_p1;
            ipsec-policy NCP_ipsec_policy;
        }
    }
}

SRX configuration - policies and XAUTH - (PRESHARED-KEY)

policies {
    from-zone untrust to-zone trust {
        policy NCP_IPSec {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn NCP_p2;
                    }
                }
                log {
                    session-init;
                }
            }
        }
    }
}
access {
    profile radius-auth {
        authentication-order radius;
        radius-server {
            172.27.24.201 {
                secret "$9$V.sgJikP36AGD6Ap0hcbs2"; ## SECRET-DATA
                source-address 100.100.100.1;
            }
        }
    }
}

Full SRX configuration (PRESHARED-KEY)

[edit]
root@SRX100-vpn# show | display set | no-more
set version 10.2B3.3
set system host-name SRX100-vpn
set system time-zone Asia/Tokyo
set system root-authentication encrypted-password "$1$xDjciVll$zJ38YGxJgNRtlsS77Wdko1"
set system name-server 172.27.24.201
"$1$AVWl7szn$EtuXUTHqnLgb1JKK1j/Ob1"
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/0 unit 0 family inet address 100.100.100.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 100.100.100.254
set protocols stp
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike gateway NCP_p1 ike-policy NCP_ike_policy
set security ike gateway NCP_p1 dynamic user-at-hostname "[email protected]"
set security ike gateway NCP_p1 dead-peer-detection
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec proposal g2-esp-aes128-sha protocol esp
set security ipsec proposal g2-esp-aes128-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-esp-aes128-sha encryption-algorithm aes-128-cbc
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy NCP_ipsec_policy proposals g2-esp-aes128-sha
set security ipsec vpn NCP_p2 ike gateway NCP_p1
set security ipsec vpn NCP_p2 ike ipsec-policy NCP_ipsec_policy
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust address-book address 172.27.24.216 32.0.0.0/32
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy NCP_IPSec match source-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match destination-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match application any
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
set security policies from-zone untrust to-zone trust policy NCP_IPSec then log session-init
set access profile radius-auth authentication-order radius
set access profile radius-auth radius-server 172.27.24.201 secret "$9$V.sgJikP36AGD6Ap0hcbs2"
set access profile radius-auth radius-server 172.27.24.201 source-address 100.100.100.1
set vlans vlan-trust vlan-id 2
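A small consistency check for the set configuration above, added here as an example (it is not part of the original slide deck and not a Juniper tool): it follows the reference chain ike policy -> proposal, gateway -> ike policy and access profile, vpn -> gateway and ipsec policy, security policy -> vpn, reports any name that is referenced but never defined, and extracts the phase-1 proposal parameters so they can be compared with the stated conditions (pre-shared-keys, group2, sha1, aes-128-cbc). The excerpt embedded in the script is copied from this page's configuration.

```python
import re

# Excerpt of this page's "show | display set" output, trimmed to the lines the checks need.
SRX_SET_CONFIG = """
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike gateway NCP_p1 ike-policy NCP_ike_policy
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec proposal g2-esp-aes128-sha protocol esp
set security ipsec policy NCP_ipsec_policy proposals g2-esp-aes128-sha
set security ipsec vpn NCP_p2 ike gateway NCP_p1
set security ipsec vpn NCP_p2 ike ipsec-policy NCP_ipsec_policy
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
set access profile radius-auth authentication-order radius
"""

# Referrer pattern (group 1 = referenced name) and the object path it must resolve to.
LINKS = [
    (r"ike policy \S+ proposals (\S+)", "security ike proposal"),
    (r"ike gateway \S+ ike-policy (\S+)", "security ike policy"),
    (r"ike gateway \S+ xauth access-profile (\S+)", "access profile"),
    (r"ipsec policy \S+ proposals (\S+)", "security ipsec proposal"),
    (r"ipsec vpn \S+ ike gateway (\S+)", "security ike gateway"),
    (r"ipsec vpn \S+ ike ipsec-policy (\S+)", "security ipsec policy"),
    (r"then permit tunnel ipsec-vpn (\S+)", "security ipsec vpn"),
]

def dangling_references(config):
    """Every link in the chain (ike policy -> proposal, vpn -> gateway,
    security policy -> vpn, ...) whose target object is never defined."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    problems = []
    for line in lines:
        for pattern, target in LINKS:
            m = re.search(pattern, line)
            if m and not any(l.startswith(f"set {target} {m.group(1)} ") for l in lines):
                problems.append(f"{line[4:]} -> missing {target} {m.group(1)}")
    return problems

def ike_proposal_params(config, proposal):
    """{key: value} from the 'set security ike proposal <proposal> <key> <value>' lines."""
    prefix = f"set security ike proposal {proposal} "
    return dict(l.strip()[len(prefix):].split(" ", 1) for l in config.splitlines()
                if l.strip().startswith(prefix))
```

Run it against the full configuration on this page by pasting the complete `show | display set` output into SRX_SET_CONFIG; a renamed or deleted object shows up as a "missing" entry.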


IPsec client (NCP) configuration example

Profile name: name of the configuration profile (arbitrary)

Communication Medium: select the type of access line; normally select LAN

Default Profile after System Reboot: enable this if the profile should become the default configuration at system startup

Connection Mode: specify the connection behaviour and the idle-state timeout value

Gateway (Tunnel Endpoint): specify the IP address of the SRX to connect to

IKE Policy: specify the IKE P1 proposal

IPSec Policy: specify the IKE P2 proposal

Exch Mode: select Main or Aggressive mode

PFS Group: specify the DH group

Policy Lifetime: specify the P1/P2 lifetime values

Policy Editor: use this to edit the P1/P2 proposal sets

IPsec Compression: check this to enable IPsec compression

Disable DPD (Dead Peer Detection): check this to disable DPD

UDP Encapsulation: used when the peer is listening on a customized port number

Local Identity (IKE): specify the IKE ID type and the ID value

Preshared Key: specify the pre-shared key

Extend Authentication (XAUTH): specify the ID and password used for Xauth; leave them blank to be prompted each time

Assignment of the Private IP Address: specify the IP address to be set on the client; to use modeconfig, specify "IKE config mode"; specify DNS and similar values under DNS/WINS servers

When the connection succeeds, the status changes to Connection Established and turns green.

XAUTH configuration (local authentication)

access {
    profile Local-auth {
        authentication-order password;
        client ipsec01 {
            firewall-user {
                password "$9$7MdwgGDkTz6oJz69A1INdb"; ## SECRET-DATA
            }
        }
    }
}

User name setting: the client statement (ipsec01)

Password setting: the firewall-user password statement

BACKUP SLIDE

Using certificates

Certificate creation flow

1. Configure the CA profile
2. Load the CA certificate
3. Generate the private key and the certificate request
4. Certificate issuance by the CA
5. Load the issued certificate

# set security pki ca-profile private-CA ca-identity "COLORS CLASS 1 CA"
! Configure the CA profile

> request security pki ca-certificate load filename rubyca.pem ca-profile private-CA
! Load the CA certificate

> request security pki generate-key-pair certificate-id srx100-vpn size 2048
! Generate the private key

> request security pki generate-certificate-request certificate-id vpn domain-name srx100-vpn.juniper.local ip-address 100.100.100.1 email [email protected] subject CN=srx100-vpn.juniper.local,OU=remote-vpn,OU=SRX,O="Juniper Networks",L=Shinjuku,ST=Tokyo,C=JP
! Create the certificate request (CSR)

> request security pki local-certificate load certificate-id vpn filename srx100-vpn.pem
