SRX dial-up VPN (NCP)

Jul 11, 2020

dariahiddleston
Page 1:

SRX dial-up VPN (NCP edition)

Page 2:

Copyright © 2010 Juniper Networks, Inc. www.juniper.net

Network topology

Test devices
  SRX100, JUNOS 10.2, policy-based VPN
Clients
  Windows XP SP3, Japanese Edition, NCP client Ver.9.20 Build 33
  Windows 7 Ultimate, Japanese Edition, NCP client Ver.9.20 Build 33

Diagram (flattened from the slide): 192.168.1.0/24 on vlan.0 (trust side) | SRX100 | fe-0/0/0 on 100.100.100.0/24 | L3 SW | 172.27.24.0/24 | Hub | NCP IPsec client (Win XP SP3 Japanese Ed.) and Win 2003 SVR.
Host octets shown on the diagram: .254, .254, .1, .1, .100, .216. Per the configuration on pages 6 and 7 the SRX is 192.168.1.1 on vlan.0 and 100.100.100.1 on fe-0/0/0, with its default route via 100.100.100.254.

Page 3:

Connecting with PRESHARED-KEY (pre-shared key method)

SRX configuration flow:
1. IKE Phase 1 settings
2. IKE Phase 2 settings
3. Security policy for the VPN connection
4. XAuth server settings

Configuration parameters
IKE Phase 1: Aggressive mode, pre-shared key, DH group 2, AES 128-bit encryption, SHA-1 hash
IKE Phase 2: ESP, AES 128-bit encryption, SHA-1 hash, PFS DH group 2
XAuth server: RADIUS

Caveat (these parameters reflect a 2010 test setup): aggressive mode is needed here because the client is a dynamic peer identified by user-at-hostname, but in IKEv1 aggressive mode the responder's PSK-based authentication hash is sent unencrypted, so anyone who captures the exchange can run an offline dictionary attack on the pre-shared key. DH group 2 (1024-bit MODP) and SHA-1 are also below current recommendations; certificates with main mode and group 14 or stronger are the usual replacement (see the certificate backup slide on page 18).

Page 4:

SRX configuration - IKE Phase 1 and 2 - (PRESHARED-KEY)

ike {
    proposal pre-g2-aes128-sha {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ike_policy {
        mode aggressive;
        proposals pre-g2-aes128-sha;
        pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."; ## SECRET-DATA
    }
    gateway NCP_p1 {
        ike-policy NCP_ike_policy;
        dynamic {
            user-at-hostname "[email protected]";
        }
        dead-peer-detection;
        external-interface fe-0/0/0.0;
        xauth access-profile radius-auth;
    }
}
ipsec {
    proposal g2-esp-aes128-sha {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ipsec_policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals g2-esp-aes128-sha;
    }
    vpn NCP_p2 {
        ike {
            gateway NCP_p1;
            ipsec-policy NCP_ipsec_policy;
        }
    }
}

Page 5:

SRX configuration - policy and XAUTH - (PRESHARED-KEY)

policies {
    from-zone untrust to-zone trust {
        policy NCP_IPSec {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn NCP_p2;
                    }
                }
                log {
                    session-init;
                }
            }
        }
    }
}

access {
    profile radius-auth {
        authentication-order radius;
        radius-server {
            172.27.24.201 {
                secret "$9$V.sgJikP36AGD6Ap0hcbs2"; ## SECRET-DATA
                source-address 100.100.100.1;
            }
        }
    }
}
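What the radius-server secret above actually does is easy to lose sight of: RADIUS (RFC 2865) only hides the User-Password attribute, by XOR with MD5(secret + Request Authenticator), and signs the server's reply with an MD5 over the reply plus the secret; the user name and everything else travel in clear. In this lab the SRX sources RADIUS from 100.100.100.1, its untrust-side fe-0/0/0 address, so the path to 172.27.24.201 should be a trusted segment or a tunnel, and the secret should be long and random. The script below is an added example, not code from the Juniper slides or from Junos: it implements both sides of one PAP Access-Request/Access-Accept exchange in-process so the role of the secret can be seen. The secret, user name, password and NAS address are constructed values.

```python
"""Minimal RFC 2865 RADIUS PAP exchange, as an SRX performs it for XAuth.

Added example, not from the original Juniper slides. The shared secret from
'set access profile radius-auth radius-server 172.27.24.201 secret ...' is used
to hide the user's password in the Access-Request and to authenticate the reply.
SECRET, USERS and the password below are constructed lab values.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"ncp-lab-radius-secret"          # assumption: stands in for the $9$ secret
NAS_IP = "100.100.100.1"                    # the source-address in the slides
USERS = {b"ipsec01": b"Winter2010!"}        # constructed RADIUS user database


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator. Keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side: invert hide_password; trailing NULs are padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(secret, ident, user, password, nas_ip, req_auth=None):
    """NAS side: Code=1, Identifier, Length, 16-byte Request Authenticator, AVPs."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(secret, req_auth, password))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        out[kind] = data[i + 2:i + length]
        i += length
    return out


def server_handle(secret, users, packet):
    """Server side: unhide the password, check it, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    revealed = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    reply_code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME, b"")) == revealed else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)      # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(secret, request, response):
    """NAS side: drop replies not produced with the shared secret for this exact request
    (wrong secret, or a reply replayed from a different Request Authenticator)."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def authenticate(user: bytes, password: bytes, server_secret: bytes = SECRET, ident: int = 7) -> int:
    """One in-process round trip. Returns the reply code, or -1 when the reply does not
    verify (for example the server holds a different secret than the NAS)."""
    request = build_access_request(SECRET, ident, user, password, NAS_IP)
    response = server_handle(server_secret, USERS, request)
    return response[0] if verify_response(SECRET, request, response) else -1


if __name__ == "__main__":
    print("good credentials ->", authenticate(b"ipsec01", b"Winter2010!"))
    print("bad password     ->", authenticate(b"ipsec01", b"wrong"))
    print("secret mismatch  ->", authenticate(b"ipsec01", b"Winter2010!", b"other"))
```

With a mismatched secret the server cannot recover the password and rejects, and its reply fails verification on the NAS side, which is what the SRX logs as a RADIUS failure rather than a bad password; the exchange itself is still visible to anyone on the path, which is why the server placement matters.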

Page 6:

Complete SRX configuration (PRESHARED-KEY)

[edit]
root@SRX100-vpn# show | display set | no-more
set version 10.2B3.3
set system host-name SRX100-vpn
set system time-zone Asia/Tokyo
set system root-authentication encrypted-password "$1$xDjciVll$zJ38YGxJgNRtlsS77Wdko1"
set system name-server 172.27.24.201
"$1$AVWl7szn$EtuXUTHqnLgb1JKK1j/Ob1"   (the statement this value belonged to did not survive extraction)
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/0 unit 0 family inet address 100.100.100.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 100.100.100.254
set protocols stp
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike policy NCP_ike_policy pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."

Page 7:

Complete SRX configuration (PRESHARED-KEY), continued

set security ike gateway NCP_p1 ike-policy NCP_ike_policy
set security ike gateway NCP_p1 dynamic user-at-hostname "[email protected]"
set security ike gateway NCP_p1 dead-peer-detection
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec proposal g2-esp-aes128-sha protocol esp
set security ipsec proposal g2-esp-aes128-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-esp-aes128-sha encryption-algorithm aes-128-cbc
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy NCP_ipsec_policy proposals g2-esp-aes128-sha
set security ipsec vpn NCP_p2 ike gateway NCP_p1
set security ipsec vpn NCP_p2 ike ipsec-policy NCP_ipsec_policy
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust address-book address 172.27.24.216 32.0.0.0/32
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy NCP_IPSec match source-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match destination-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match application any
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
set security policies from-zone untrust to-zone trust policy NCP_IPSec then log session-init
set access profile radius-auth authentication-order radius
set access profile radius-auth radius-server 172.27.24.201 secret "$9$V.sgJikP36AGD6Ap0hcbs2"
set access profile radius-auth radius-server 172.27.24.201 source-address 100.100.100.1
set vlans vlan-trust vlan-id 2
set vlans vlan-trust l3-interface vlan.0

Note: the $9$ strings marked SECRET-DATA are reversibly obfuscated, not hashed, so anyone holding a copy of this configuration can recover the IKE pre-shared key and the RADIUS secret; treat configuration backups and "display set" pastes as secrets. This is a lab configuration: telnet, plain HTTP management and host-inbound-traffic system-services all on the untrust zone would not be acceptable on an Internet-facing gateway.
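Because "show | display set" output is one statement per line, the weak settings on pages 3, 6 and 7 can be checked mechanically. The script below is an added example, not code from the Juniper slides or from Junos: it audits a display-set dump for aggressive mode combined with a pre-shared key, DH group 1/2/5, MD5/SHA-1, telnet, plain HTTP management and the open untrust host-inbound-traffic, and runs the same rules over a hardened counterpart. SAMPLE_CONFIG is constructed from the slides' configuration; HARDENED_CONFIG and the RULES list are the editor's assumptions about a current deployment (certificates in main mode, group 14, SHA-256), not Juniper guidance.

```python
"""Audit a Junos 'show | display set' dump for weak remote-access VPN settings.

Added example, not part of the original Juniper slides. SAMPLE_CONFIG is built from
the configuration on pages 6-7; HARDENED_CONFIG and RULES are editor assumptions.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike gateway NCP_p1 ike-policy NCP_ike_policy
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0
"""

# Assumed hardened counterpart: certificates in main mode, group14, SHA-256, https only.
HARDENED_CONFIG = """\
set system services ssh
set system services web-management https system-generated-certificate
set security ike proposal cert-g14-aes256-sha256 authentication-method rsa-signatures
set security ike proposal cert-g14-aes256-sha256 dh-group group14
set security ike proposal cert-g14-aes256-sha256 authentication-algorithm sha-256
set security ike proposal cert-g14-aes256-sha256 encryption-algorithm aes-256-cbc
set security ike policy NCP_ike_policy mode main
set security ike policy NCP_ike_policy proposals cert-g14-aes256-sha256
set security ike policy NCP_ike_policy certificate local-certificate srx100-vpn
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group14
set security zones security-zone untrust host-inbound-traffic system-services ike
"""

# (rule id, regex matched against one 'set ...' line, what to do instead)
RULES: List[Tuple[str, str, str]] = [
    ("IKE-AGGRESSIVE", r"^set security ike policy \S+ mode aggressive$",
     "use main mode; with dynamic peers that means certificate authentication"),
    ("IKE-PSK", r"^set security ike proposal \S+ authentication-method pre-shared-keys$",
     "prefer rsa-signatures; if a PSK is unavoidable, make it long and random"),
    ("WEAK-DH", r"^set security (ike proposal \S+ dh-group|ipsec policy \S+ perfect-forward-secrecy keys) group[125]$",
     "use group14 or stronger"),
    ("WEAK-HASH", r"^set security ike proposal \S+ authentication-algorithm (md5|sha1)$",
     "use sha-256"),
    ("TELNET", r"^set system services telnet$", "delete; manage over ssh only"),
    ("HTTP-MGMT", r"^set system services web-management http\b", "delete; https only"),
    ("UNTRUST-ALL-SERVICES", r"^set security zones security-zone untrust host-inbound-traffic system-services all$",
     "allow only ike on untrust (plus ssh from named management prefixes)"),
]

Finding = Tuple[str, str, str]


def set_lines(text: str) -> List[str]:
    """Keep only 'set ...' statements; tolerates the [edit] prompt and blank lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]


def ike_chain(lines: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each IKE policy to (mode, auth methods of its proposals), so a finding can
    combine statements that live on different lines of the dump."""
    mode: Dict[str, str] = {}
    proposals: Dict[str, List[str]] = {}
    auth: Dict[str, str] = {}
    for ln in lines:
        if m := re.match(r"^set security ike policy (\S+) mode (\S+)$", ln):
            mode[m[1]] = m[2]
        elif m := re.match(r"^set security ike policy (\S+) proposals (\S+)$", ln):
            proposals.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"^set security ike proposal (\S+) authentication-method (\S+)$", ln):
            auth[m[1]] = m[2]
    return {pol: (md, [auth.get(p, "?") for p in proposals.get(pol, [])]) for pol, md in mode.items()}


def audit(text: str) -> List[Finding]:
    """Per-line rule matches, plus the cross-line aggressive-mode-with-PSK check."""
    lines = set_lines(text)
    findings = [(rid, ln, fix) for ln in lines for rid, pat, fix in RULES if re.match(pat, ln)]
    for pol, (md, methods) in ike_chain(lines).items():
        if md == "aggressive" and "pre-shared-keys" in methods:
            findings.append(("AGGRESSIVE-PSK", f"ike policy {pol}",
                             "the responder's PSK-derived hash is sent unencrypted in aggressive "
                             "mode, so a captured exchange allows offline guessing of the PSK; "
                             "use rsa-signatures in main mode for dynamic peers"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config (pages 6-7)", SAMPLE_CONFIG), ("hardened (assumed)", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for rid, where, fix in results:
            print(f"  {rid:<22} {where}\n{'':26}-> {fix}")
```

Run it against a real dump with "show configuration | display set | no-more" saved to a file and passed to audit(); the cross-line check is the one worth keeping, since neither "mode aggressive" nor "pre-shared-keys" is a problem on its own, but together they are.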

Page 8:

IPsec client (NCP) configuration example

Profile name: name of the configuration profile (any value)

Communication Medium: select the type of access line; normally select LAN

Default Profile after System Reboot: enable this to make the profile the default at system startup

Page 9:

IPsec client (NCP) configuration example

Connection Mode: specify the connection behaviour and the idle timeout value

Page 10:

IPsec client (NCP) configuration example

Gateway (Tunnel Endpoint): the IP address of the SRX to connect to (fe-0/0/0, 100.100.100.1, in this setup)

IKE Policy: the IKE Phase 1 proposal

IPSec Policy: the IKE Phase 2 proposal

Exch Mode: select Main or Aggressive mode (Aggressive here, matching the SRX IKE policy)

PFS Group: the DH group

Policy Lifetime: the Phase 1/Phase 2 lifetime values

Policy Editor: used to edit the Phase 1/Phase 2 proposal sets

Page 11:

IPsec client (NCP) configuration example

IPsec Compression: check to enable IPsec compression

Disable DPD (Dead Peer Detection): check to disable DPD

UDP Encapsulation: used when the gateway listens on a customized port number

Page 12:

IPsec client (NCP) configuration example

Local Identity (IKE): the IKE ID type and value (a user-at-hostname ID here, matching the gateway's dynamic user-at-hostname setting)

Preshared Key: the pre-shared key

Extended Authentication (XAUTH): the user name and password used for XAuth; leave them blank to be prompted on every connection

Page 13:

IPsec client (NCP) configuration example

Assignment of the Private IP Address: the IP address to assign to the client; to use modeconfig, select "IKE config mode"; DNS and similar values are set under DNS/WINS servers

Page 14:

IPsec client (NCP) configuration example

Once the connection succeeds, the status shows Connection Established and turns green.

Page 15:

XAUTH configuration (local authentication)

access {
    profile Local-auth {
        authentication-order password;
        client ipsec01 {
            firewall-user {
                password "$9$7MdwgGDkTz6oJz69A1INdb"; ## SECRET-DATA
            }
        }
    }
}

client ipsec01: sets the user name
password ...: sets that user's password

To authenticate against this profile instead of RADIUS, reference it from the gateway's xauth access-profile statement (Local-auth in place of radius-auth).

Page 16:

Page 17:

BACKUP SLIDE: using certificates

Page 18:

Using certificates

Certificate enrollment flow:
1. Configure the CA profile
2. Load the CA certificate
3. Generate the private key and the certificate request
4. Have the CA issue the certificate
5. Load the issued certificate

(# is the configuration-mode prompt, > the operational-mode prompt.)

# set security pki ca-profile private-CA ca-identity "COLORS CLASS 1 CA"

! configure the CA profile

> request security pki ca-certificate load filename rubyca.pem ca-profile private-CA

! load the CA certificate

> request security pki generate-key-pair certificate-id srx100-vpn size 2048

! generate the private key

> request security pki generate-certificate-request certificate-id srx100-vpn domain-name srx100-vpn.juniper.local ip-address 100.100.100.1 email [email protected] subject CN=srx100-vpn.juniper.local,OU=remote-vpn,OU=SRX,O="Juniper Networks",L=Shinjuku,ST=Tokyo,C=JP

! create the certificate request (CSR); the CA issues the certificate from it (step 4, off-box)

> request security pki local-certificate load certificate-id srx100-vpn filename srx100-vpn.pem

! load the issued certificate