Establishing an IPsec VPN with a Juniper SRX Firewall
Network Requirements
As shown in the figure, two LANs are connected through an IPsec VPN (interface mode) so that the 10.10.1.0/24 and 10.10.2.0/24 subnets can communicate. The IPsec VPN (IKEv1) is established between a FortiGate and a Juniper SRX firewall.
Juniper SRX firewall version:
root# show version
## Last changed: 2023-04-11 03:02:08 UTC
version 23.1R1.8;
Network Topology

Configuration Points
- Configure the FortiGate
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Configure the Juniper SRX firewall
  - Basic Internet access configuration
  - Configure the IPsec VPN
- Note: before deleting an IPsec VPN phase 1 or phase 2, first delete the routes and firewall security policies that reference them.
Configuration Steps
FortiGate
Basic Internet access configuration.



Configure the IPsec VPN: go to VPN → IPsec Tunnels and click Create New → IPsec Tunnel.

Select the Custom IPsec VPN template and click Next.

Configure the network, authentication, phase 1 and phase 2 settings as shown in the figure.
Important
Because the Juniper IPsec configuration wizard creates specific traffic selectors (narrowly defined interesting traffic), it is recommended that the FortiGate also use correspondingly specific traffic selectors when pairing IPsec with a Juniper firewall.

config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.103.23.2
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set phase1name "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.10.2.0 255.255.255.0
    next
end
Configure the address objects for the VPN subnets and the firewall policies.


config firewall address
    edit "Local_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Remote_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "VPN-Local-to-Remote"
        set srcintf "port3"
        set dstintf "VPN-to-Remote"
        set action accept
        set srcaddr "Local_10.10.1.0/24"
        set dstaddr "Remote_10.10.2.0/24"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-Remote-to-Local"
        set srcintf "VPN-to-Remote"
        set dstintf "port3"
        set action accept
        set srcaddr "Remote_10.10.2.0/24"
        set dstaddr "Local_10.10.1.0/24"
        set schedule "always"
        set service "ALL"
    next
end
Configure the static routes for the VPN subnet.
Important
The purpose of the blackhole route in the VPN routing configuration:
You may run into VPN service problems such as the following: SIP phones over the VPN intermittently disconnect and cannot register with the server; RADIUS authentication over the VPN frequently fails; APs registering to headquarters over the VPN intermittently lose their connection; continuous PRTG monitoring that pings the headquarters server periodically reports outages.
A VPN sometimes reconnects for various reasons, such as an unstable Internet connection or a PPPoE reconnection that changes the public IP address. The VPN tunnel then goes down briefly, and the route to the peer's VPN subnet disappears briefly as well. During that window the VPN service traffic (SIP registration requests, RADIUS, CAPWAP, ICMP) matches the default route and is sent out the WAN (Internet), which creates incorrect UDP NAT sessions. Even after the tunnel comes back up and the route to the VPN subnet is restored, the existing SIP and other VPN traffic still matches those incorrect sessions, and the service misbehaves.
Solutions:
Method 1: Configure a blackhole route to the VPN subnet with an administrative distance of 254. While the VPN is up, this blackhole route is inactive; when the VPN goes down, the blackhole route becomes active and discards the VPN traffic for the duration of the outage, so that it is not forwarded to the Internet and no incorrect sessions are created. This is the purpose of the backup blackhole route for the VPN.
Method 2: Configure a firewall policy with source interface LAN, destination interface WAN, source IP the local internal subnet, destination IP the peer's internal subnet, and action deny. This drops the (useless) private-network traffic headed for the Internet, so the FGT never creates those incorrect sessions and the intermittent UDP service interruptions are avoided.
Method 3: Enable "set snat-route-change enable" under system global. When a route changes, the related sessions are flagged as "dirty", the route cache is cleared, and the next hop for the destination IP is looked up again, so when the VPN tunnel recovers, traffic switches back into the tunnel accordingly.
FortiGate # config system global
FortiGate (global) # set snat-route-change enable
FortiGate (global) # end
Any one of the three methods is sufficient. The blackhole route is the recommended one.

config router static
    edit 1
        set gateway 202.103.13.1
        set device "port2"
    next
    edit 2
        set dst 10.10.2.0 255.255.255.0
        set device "VPN-to-Remote"
    next
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
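The following Python model is an added example, not FortiGate code, that reproduces the route selection described above for the three static routes: longest prefix match first, then lowest administrative distance. It shows 10.10.2.0/24 traffic going to the tunnel while it is up, to the blackhole while it is down, and, if the blackhole route is omitted, leaking out port2 via the default route.

```python
import ipaddress

# Constructed model of the three static routes configured above (not a FortiGate API).
# Each entry: (destination, administrative distance, egress device, blackhole flag).
ROUTES = [
    ("0.0.0.0/0",    10,  "port2",         False),  # default route to the Internet
    ("10.10.2.0/24", 10,  "VPN-to-Remote", False),  # tunnel route, valid only while the tunnel is up
    ("10.10.2.0/24", 254, None,            True),   # backup blackhole route, distance 254
]

def installed_routes(routes, tunnel_up):
    """Routes present in the forwarding table: the tunnel route is withdrawn while the tunnel is down."""
    return [r for r in routes if tunnel_up or r[2] != "VPN-to-Remote"]

def lookup(routes, dst, tunnel_up=True):
    """Select the route for dst: longest prefix first, then lowest administrative distance."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in installed_routes(routes, tunnel_up)
                  if ip in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[1]))

def egress(routes, dst, tunnel_up=True):
    """Where a packet to dst goes: a device name, 'blackhole' (dropped) or 'no route'."""
    r = lookup(routes, dst, tunnel_up)
    if r is None:
        return "no route"
    return "blackhole" if r[3] else r[2]

if __name__ == "__main__":
    no_blackhole = ROUTES[:2]   # the same table without the distance-254 backup route
    print("tunnel up,   with blackhole:", egress(ROUTES, "10.10.2.2", True))         # VPN-to-Remote
    print("tunnel down, with blackhole:", egress(ROUTES, "10.10.2.2", False))        # blackhole
    print("tunnel down, no blackhole:  ", egress(no_blackhole, "10.10.2.2", False))  # port2 (leaks to WAN)
    print("Internet host either way:   ", egress(ROUTES, "203.0.113.10", False))     # port2
```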
Juniper SRX
Basic IP and route configuration.


interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 202.103.23.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 202.103.23.1;
    }
}
Address objects, the Internet access policy (present by default) and the source NAT for Internet access.



security {
    address-book {
        global {
            address Local 10.10.2.0/24;
            address Remote 10.10.1.0/24;
        }
    }
    nat {
        source {
            rule-set Zone_trust-Zone_untrust {
                from zone trust;
                to zone untrust;
                rule to_Internet {
                    match {
                        source-address-name Local;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address Local;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
On the IPsec VPN page, click the "Create VPN" button and select "Site to Site".

Enter the IPsec VPN name. For "Routing mode" select "Traffic Selector" (specific traffic selectors; a route to the peer VPN subnet is added automatically). For "Authentication method" select "Pre-shared Key". For "Auto-create firewall policy" select "Yes" (policies permitting traffic between the VPN subnets are added automatically). Then click "IKE and IPSec Settings" at the bottom left.

Configure the IKE and IPsec negotiation parameters so that they match the FortiGate configuration. When done, click "Remote Gateway" to configure the remote gateway.

Decide according to your environment whether to change "Gateway is behind NAT" and the ID settings. Under "External IP address" enter the FortiGate-side VPN gateway address, under "Protected networks" select the FortiGate-side VPN subnet, and click OK to apply. Then click "Local Gateway" to configure the local gateway.

Click "Local Gateway" to configure the local gateway: select the local public-facing interface as the "External interface", enter the pre-shared key, select the local VPN subnet under "Protected networks", then click "Add" to the right of "Tunnel interface".

Create a new tunnel interface, configure the unit number and the security zone, then apply the local gateway configuration.

Click "Save" to save the IPsec VPN configuration.

interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
security {
    ike {
        proposal to_FortiGate {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86385;
        }
        policy to_FortiGate {
            mode main;
            proposals to_FortiGate;
            pre-shared-key ascii-text "$9$KnSMxNdbs2oJx7Dikqf51REcev"; ## SECRET-DATA
        }
        gateway to_FortiGate {
            ike-policy to_FortiGate;
            address 202.103.13.2;
            dead-peer-detection {
                optimized;
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0;
            local-address 202.103.23.2;
            version v1-only;
        }
    }
    ipsec {
        proposal to_FortiGate {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 43200;
        }
        policy to_FortiGate {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals to_FortiGate;
        }
        vpn to_FortiGate {
            bind-interface st0.0;
            df-bit clear;
            copy-outer-dscp;
            ike {
                gateway to_FortiGate;
                ipsec-policy to_FortiGate;
            }
            traffic-selector ts-1 {
                local-ip 10.10.2.0/24;
                remote-ip 10.10.1.0/24;
            }
            establish-tunnels immediately;
        }
    }
}
View the automatically added security policies for the VPN subnets.

security {
    policies {
        from-zone trust to-zone untrust {
            policy to_FortiGate-1 {
                match {
                    source-address Local;
                    destination-address Remote;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone junos-host to-zone untrust {
            policy to_FortiGate-1 {
                match {
                    source-address Local;
                    destination-address Remote;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone junos-host {
            policy to_FortiGate-2 {
                match {
                    source-address Remote;
                    destination-address Local;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy to_FortiGate-2 {
                match {
                    source-address Remote;
                    destination-address Local;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
Finally, click the Commit button at the top right of the page to commit all configuration.
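The SRX IKE and IPsec proposals must match what the FortiGate offers in its phase 1 and phase 2 proposal lists. The following Python script is an added example, not FortiGate or Juniper code, that extracts the proposal lines from both configurations, spells the Junos algorithm keywords the way FortiOS names a proposal (the mapping table is my own and covers only the AES-CBC/GCM and SHA-1/SHA-256 names used on this page), and reports the proposal the two peers can agree on; the sample inputs are constructed from the configurations above.

```python
import re

# Sample inputs constructed from the FortiGate and SRX configurations shown on this page.
FGT = """
config vpn ipsec phase1-interface
    edit "VPN-to-Remote"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Remote"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
"""
SRX = """
security {
    ike { proposal to_FortiGate { dh-group group14; authentication-algorithm sha-256; encryption-algorithm aes-256-cbc; } }
    ipsec { proposal to_FortiGate { protocol esp; authentication-algorithm hmac-sha-256-128; encryption-algorithm aes-256-cbc; } }
}
"""

# Junos CLI keyword -> FortiOS spelling of the same algorithm (mapping table is my own)
JUNOS_ENC = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "aes-128-gcm": "aes128gcm", "aes-256-gcm": "aes256gcm"}
JUNOS_AUTH = {"sha1": "sha1", "sha-256": "sha256",                        # IKE spelling
              "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}       # IPsec spelling

def fortigate_proposals(config, stage):
    """Proposal list from 'config vpn ipsec <stage>-interface' (stage is phase1 or phase2)."""
    m = re.search(r"config vpn ipsec %s-interface.*?set proposal ([^\n]+)" % stage, config, re.S)
    return m.group(1).split() if m else []

def junos_proposal(config, section):
    """Algorithm fields of the first proposal under 'ike {' or 'ipsec {'."""
    m = re.search(r"%s\s*\{\s*proposal\s+\S+\s*\{(.*?)\}" % section, config, re.S)
    body = m.group(1) if m else ""
    return dict(re.findall(r"(encryption-algorithm|authentication-algorithm|dh-group)\s+(\S+);", body))

def junos_as_fortigate(fields):
    """Spell a Junos encryption/authentication pair the way FortiOS names the proposal."""
    enc = JUNOS_ENC[fields["encryption-algorithm"]]
    if enc.endswith("gcm"):          # AEAD suites carry no separate hash in the FortiOS name
        return enc
    return "%s-%s" % (enc, JUNOS_AUTH[fields["authentication-algorithm"]])

def negotiated(fgt_config, junos_config, stage):
    """The proposal both peers accept for phase1 (IKE) or phase2 (IPsec), or None on mismatch."""
    want = junos_as_fortigate(junos_proposal(junos_config, "ike" if stage == "phase1" else "ipsec"))
    return want if want in fortigate_proposals(fgt_config, stage) else None

if __name__ == "__main__":
    print("phase1:", negotiated(FGT, SRX, "phase1"))   # aes256-sha256, as the diag output above shows
    print("phase2:", negotiated(FGT, SRX, "phase2"))   # aes256-sha256
```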
Result Verification
On the FortiGate, verify that the IPsec tunnel is established: add an IPsec monitor widget to the dashboard and it shows the tunnel as up.

FortiGate # diagnose vpn ike gateway list
vd: root/0
name: VPN-to-Remote
version: 1
interface: port2 4
addr: 202.103.13.2:500 -> 202.103.23.2:500
tun_id: 202.103.23.2/::202.103.23.2
remote_location: 0.0.0.0
network-id: 0
created: 3s ago
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 84 81f7935c958dc231/0d50274a3603ed0c
  direction: initiator
  status: established 3-3s ago = 10ms
  proposal: aes256-sha256
  key: 7617c0e9088a38f0-ba9b72527df54344-75a4f0b475a5c89a-ea60570f9f6a7f36
  lifetime/rekey: 86400/86096
  DPD sent/recv: 00000000/00000000

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-Remote ver=1 serial=1 202.103.13.2:0->202.103.23.2:0 tun_id=202.103.23.2 tun_id6=::202.103.23.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=2 olast=2 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=65
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-Remote proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:10.10.1.0-10.10.1.255:0
  dst: 0:10.10.2.0-10.10.2.255:0
  SA: ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42888/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=0f3295e9 esp=aes key=32 1ef676bbce325c056b2bd2e7bdcc04b53d5493123ffff37734b92d7f0be650dc
       ah=sha256 key=32 1e0dd4317b3cf00168dad8528b820aadae59a09dac665d094324210b22abcadf
  enc: spi=06cf5a4d esp=aes key=32 06d4be5946563a9b7db6ad62c12625e61c18f83807abf62dbdf96d62f4dd2856
       ah=sha256 key=32 a11616829e581b70f3ec1e4fbecde7efb85a6da8cdb1718e34b40e12fbc5779f
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=202.103.23.2 npu_lgwy=202.103.13.2 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0
View the FortiGate routing table.
FortiGate # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.103.13.1, port2, [1/0]
C       10.10.1.0/24 is directly connected, port3
S       10.10.2.0/24 [10/0] via VPN-to-Remote tunnel 202.103.23.2, [1/0]
C       192.168.100.0/24 is directly connected, port1
C       202.103.13.0/24 is directly connected, port2
Service test from PC1 on the FortiGate side.
VPCS> show

NAME   IP/MASK              GATEWAY           GATEWAY
VPCS1  10.10.1.2/24         10.10.1.1
       fe80::250:79ff:fe66:6805/64

VPCS> ping 10.10.2.2

84 bytes from 10.10.2.2 icmp_seq=1 ttl=62 time=4.768 ms
84 bytes from 10.10.2.2 icmp_seq=2 ttl=62 time=1.770 ms
84 bytes from 10.10.2.2 icmp_seq=3 ttl=62 time=1.698 ms
84 bytes from 10.10.2.2 icmp_seq=4 ttl=62 time=2.116 ms
84 bytes from 10.10.2.2 icmp_seq=5 ttl=62 time=1.780 ms
Check the IPsec connection status on the Juniper firewall.

root@Juniper-SRX> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
7667814 UP     81f7935c958dc231  0d50274a3603ed0c  Main  202.103.13.2

root@Juniper-SRX> show security ike security-associations 202.103.13.2 detail
IKE peer 202.103.13.2, Index 7667814, Gateway Name: to_FortiGate
  Role: Responder, State: UP
  Initiator cookie: 81f7935c958dc231, Responder cookie: 0d50274a3603ed0c
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 202.103.23.2:500, Remote: 202.103.13.2:500
  Lifetime: Expires in 86162 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: 202.103.13.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
  Traffic statistics:
   Input  bytes  :                 2996
   Output bytes  :                 2196
   Input  packets:                   15
   Output packets:                   14
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 202.103.23.2:500, Remote: 202.103.13.2:500
    Local identity: 202.103.23.2
    Remote identity: 202.103.13.2
    Flags: IKE SA is created

root@Juniper-SRX> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID        Algorithm               SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108865 ESP:aes-cbc-256/sha256  6cf5a4d  42899/ unlim -   root 500   202.103.13.2
  >67108865 ESP:aes-cbc-256/sha256  f3295e9  42899/ unlim -   root 500   202.103.13.2

root@Juniper-SRX> show security ipsec security-associations vpn-name to_FortiGate detail
  ID: 67108865 Virtual-system: root, VPN Name: to_FortiGate
  Local Gateway: 202.103.23.2, Remote Gateway: 202.103.13.2
  Traffic Selector Name: ts-1
  Local Identity: ipv4(10.10.2.0-10.10.2.255)
  Remote Identity: ipv4(10.10.1.0-10.10.1.255)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Enabled, Bind-interface: st0.0
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Tue Apr 11 2023 15:42:30 : IPSec SA negotiation successfully completed (1 times)
    Tue Apr 11 2023 15:42:30 : IKE SA negotiation successfully completed (4 times)
    Tue Apr 11 2023 15:42:29 : IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Tue Apr 11 2023 15:42:25 : IPSec SA negotiation successfully completed (1 times)
    Tue Apr 11 2023 15:42:25 : IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Tue Apr 11 2023 15:20:00 : IPSec SA negotiation successfully completed (1 times)
    Tue Apr 11 2023 15:20:00 : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Direction: inbound, SPI: 6cf5a4d, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 42865 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 42302 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: f3295e9, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 42865 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 42302 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
View the Juniper firewall routing table. It contains the automatically injected route to the FortiGate internal subnet, with the tunnel interface as the outgoing interface.
root@Juniper-SRX> show route

inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:58:27
                    >  to 202.103.23.1 via ge-0/0/0.0
                    [Access-internal/12] 00:59:24, metric 0
                    >  to 192.168.100.99 via fxp0.0
10.10.1.0/24       *[Static/5] 00:19:34
                    >  via st0.0
10.10.2.0/24       *[Direct/0] 00:58:27
                    >  via ge-0/0/1.0
10.10.2.1/32       *[Local/0] 00:58:27
                       Local via ge-0/0/1.0
192.168.100.0/24   *[Direct/0] 00:59:24
                    >  via fxp0.0
192.168.100.4/32   *[Local/0] 00:59:24
                       Local via fxp0.0
202.103.23.0/24    *[Direct/0] 00:58:27
                    >  via ge-0/0/0.0
202.103.23.2/32    *[Local/0] 00:58:27
                       Local via ge-0/0/0.0
Service test from PC2 on the Juniper side.
VPCS> show

NAME   IP/MASK              GATEWAY           GATEWAY
VPCS1  10.10.2.2/24         10.10.2.1
       fe80::250:79ff:fe66:6806/64

VPCS> ping 10.10.1.2

84 bytes from 10.10.1.2 icmp_seq=1 ttl=62 time=1.410 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=62 time=1.547 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=62 time=1.624 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=62 time=2.176 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=62 time=1.661 ms
Packet capture on the FortiGate side.
FortiGate # diagnose sniffer packet any 'host 10.10.2.2 and host 10.10.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.2.2 and host 10.10.1.2 and icmp]
2023-04-11 15:49:30.598552 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:30.598585 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:30.598754 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:30.598761 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:31.601426 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:31.601457 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:31.601769 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:31.601774 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:32.604474 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:32.604508 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:32.604694 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:32.604701 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:33.607589 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:33.607647 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:33.608105 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:33.608124 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:34.609922 VPN-to-Remote in 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:34.609955 port3 out 10.10.2.2 -> 10.10.1.2: icmp: echo request
2023-04-11 15:49:34.610140 port3 in 10.10.1.2 -> 10.10.2.2: icmp: echo reply
2023-04-11 15:49:34.610153 VPN-to-Remote out 10.10.1.2 -> 10.10.2.2: icmp: echo reply
Notes
On using the sniffer to capture VPN service traffic and ESP packets:
Capture the IPsec VPN IKE negotiation packets:
diagnose sniffer packet any "host 101.1.1.1 and (port 500 or port 4500)" 4
Capture the IPsec VPN ESP encrypted packets:
diagnose sniffer packet any "host 101.1.1.1 and esp" 4
Capture the plaintext IPsec VPN service packets:
diagnose sniffer packet any "host 192.168.112.100 and icmp" 4
Note: because hardware appliances accelerate IPsec VPN in a dedicated chip, the capture may be incomplete (mainly the ESP data and the plaintext service data), so it is sometimes necessary to disable NP offload on the VPN tunnel:
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit BJ-OSPF-TO-SH
FortiGate (BJ-OSPF-TO-SH) # set npu-offload disable
FortiGate (BJ-OSPF-TO-SH) # end
Juniper firewall related:
Juniper firewall IPsec VPN debugging:
# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit
show log kmd-logs
Reference documents:
- https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels
- https://supportportal.juniper.net/s/article/SRX-How-to-configure-syslog-to-display-VPN-status-messages
- https://supportportal.juniper.net/s/article/SRX-IKE-Phase-1-VPN-status-messages
- https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-2-VPN-connection-issues