We will walk through the site-to-site VPN configuration and troubleshooting steps on an SRX firewall. The remote site has more than one local network. Assume a topology like the one below:
An IPsec VPN configuration consists of two phases: IKE and IPsec.
- The Phase 1 (IKE) and Phase 2 (IPsec) configuration will be created.
- A Secure Tunnel Interface will be created for each local network on the remote side (st0.0, st0.1, st0.2, ...).
- A security zone named vpn will be created, and the Secure Tunnel Interfaces will be placed in this zone.
- Routes to the secure tunnel interfaces will be written for the remote side's local networks.
- Security policies will be created to specify which traffic is allowed between the two sites.
Configuration Steps
(If there is an SRX device on both sides, the configuration steps are exactly the same; only the IP addresses change.)
(# configuration mode)
- set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal authentication-algorithm md5
set security ike proposal P1proposal encryption-algorithm 3des-cbc
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode main
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text 1234xxxxyyyyzzzz
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 10.250.253.66
set security ike gateway P1gateway external-interface vlan.602
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-md5-96
set security ipsec proposal P2proposal encryption-algorithm 3des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security ipsec policy P2policy proposals P2proposal
set security ipsec vpn site1-to-site2 bind-interface st0.0
set security ipsec vpn site1-to-site2 ike gateway P1gateway
set security ipsec vpn site1-to-site2 ike proxy-identity local 10.200.219.0/24
set security ipsec vpn site1-to-site2 ike proxy-identity remote 10.25.33.0/24
set security ipsec vpn site1-to-site2 ike proxy-identity service any
set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2 establish-tunnels immediately
set security ipsec vpn site1-to-site3 bind-interface st0.2
set security ipsec vpn site1-to-site3 ike gateway P1gateway
set security ipsec vpn site1-to-site3 ike proxy-identity local 10.200.219.0/24
set security ipsec vpn site1-to-site3 ike proxy-identity remote 10.4.0.0/16
set security ipsec vpn site1-to-site3 ike proxy-identity service any
set security ipsec vpn site1-to-site3 ike ipsec-policy P2policy
set security ipsec vpn site1-to-site3 establish-tunnels immediately
- set interfaces st0 unit 0 family inet
set interfaces st0 unit 0 description "Tunnel Interface for 10.25.33.0/24"
set interfaces st0 unit 2 description "Tunnel Interface for 10.4.0.0/16"
set interfaces st0 unit 2 family inet
- set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.2
- set routing-options static route 0.0.0.0/0 next-hop 172.29.30.109
set routing-options static route 10.25.33.0/24 next-hop st0.0
set routing-options static route 10.4.0.0/16 next-hop st0.2
- set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow then log session-init
set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow then log session-close
set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow then log session-init
set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow then log session-close
After the configuration is entered and committed, we can examine the Phase 1 and Phase 2 state in operational mode (>) with the following commands.
Phase 1:
root@SRX> show security ike security-associations detail
IKE peer 10.250.253.66, Index 2394982, Gateway Name: P1gateway
Role: Initiator, State: UP
Initiator cookie: 91d4d2d8ffbb79c1, Responder cookie: 7ed8da799a977ef1
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 172.29.30.110:500, Remote: 10.250.253.66:500
Lifetime: Expires in 66677 seconds
Peer ike-id: 10.250.253.66
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-md5-96
Encryption : 3des-cbc
Pseudo random function: hmac-md5
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 6360
Output bytes : 11632
Input packets: 56
Output packets: 56
Flags: IKE SA is created
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 172.29.30.110:500, Remote: 10.250.253.66:500
Local identity: 172.29.30.110
Remote identity: 10.250.253.66
Flags: IKE SA is created
IKE peer 10.250.253.66, Index 2394984, Gateway Name: P1gateway
Role: Responder, State: UP
Initiator cookie: e1274f94e50f5254, Responder cookie: 0b5c3f5d84970f7a
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 172.29.30.110:500, Remote: 10.250.253.66:500
Lifetime: Expires in 74253 seconds
Peer ike-id: 10.250.253.66
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-md5-96
Encryption : 3des-cbc
Pseudo random function: hmac-md5
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 2752
Output bytes : 3332
Input packets: 11
Output packets: 23
Flags: IKE SA is created
IPSec security associations: 7 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 172.29.30.110:500, Remote: 10.250.253.66:500
Local identity: 172.29.30.110
Remote identity: 10.250.253.66
Flags: IKE SA is created
Phase 2:
root@SRX> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: site1-to-site2
Local Gateway: 172.29.30.110, Remote Gateway: 10.250.253.66
Local Identity: ipv4_subnet(any:0,[0..7]=10.200.219.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.25.33.0/24)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.0
Port: 500, Nego#: 7, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Last Tunnel Down Reason: Lifetime expired
Direction: inbound, SPI: e3c1e9b9, AUX-SPI: 0
Hard lifetime: Expires in 3261 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2653 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 4fce74a1, AUX-SPI: 0
Hard lifetime: Expires in 3261 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2653 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
ID: 131074 Virtual-system: root, VPN Name: site1-to-site3
Local Gateway: 172.29.30.110, Remote Gateway: 10.250.253.66
Local Identity: ipv4_subnet(any:0,[0..7]=10.200.219.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.4.0.0/16)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.2
Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Last Tunnel Down Reason: Lifetime expired
Direction: inbound, SPI: 4743d72a, AUX-SPI: 0
Hard lifetime: Expires in 1860 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1252 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: fdee0f95, AUX-SPI: 0
Hard lifetime: Expires in 1860 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1252 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
root@SRX> show route
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 20:34:32
> to 172.29.30.109 via vlan.602
10.4.0.0/16 *[Static/5] 01:43:04
> via st0.2
10.25.33.0/24 *[Static/5] 05:28:17
> via st0.0
10.200.219.0/24 *[Direct/0] 1d 04:47:12
> via vlan.0
10.200.219.1/32 *[Local/0] 1d 04:47:17
Local via vlan.0
172.29.30.108/30 *[Direct/0] 20:34:32
> via vlan.602
172.29.30.110/32 *[Local/0] 20:37:10
Local via vlan.602
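The two outputs above are what an operator reads by eye; the added Python example below (not from the original post) turns that reading into a repeatable check. It parses the `show security ipsec security-associations detail` output and, for each VPN, confirms that both the inbound and outbound SA are installed and that the static route for the remote proxy-identity prefix points at the SA's bind-interface. The sample SA output and the route dictionary are constructed from the outputs shown above; how the text is fetched from the device (PyEZ, NETCONF, SSH) is assumed to be handled elsewhere, and Python 3.8+ is assumed.

```python
import re

# Constructed sample, trimmed from the 'show security ipsec security-associations detail' output above.
IPSEC_SA_OUTPUT = """\
ID: 131073 Virtual-system: root, VPN Name: site1-to-site2
Remote Identity: ipv4_subnet(any:0,[0..7]=10.25.33.0/24)
Bind-interface: st0.0
Direction: inbound, SPI: e3c1e9b9, AUX-SPI: 0
Mode: Tunnel(0 0), Type: dynamic, State: installed
Direction: outbound, SPI: 4fce74a1, AUX-SPI: 0
Mode: Tunnel(0 0), Type: dynamic, State: installed
ID: 131074 Virtual-system: root, VPN Name: site1-to-site3
Remote Identity: ipv4_subnet(any:0,[0..7]=10.4.0.0/16)
Bind-interface: st0.2
Direction: inbound, SPI: 4743d72a, AUX-SPI: 0
Mode: Tunnel(0 0), Type: dynamic, State: installed
Direction: outbound, SPI: fdee0f95, AUX-SPI: 0
Mode: Tunnel(0 0), Type: dynamic, State: installed
"""
# Constructed from 'show route' above: remote prefix -> next-hop interface of its static route.
STATIC_ROUTES = {"10.25.33.0/24": "st0.0", "10.4.0.0/16": "st0.2"}


def parse_ipsec_sas(text):
    """Map VPN name -> remote proxy-id prefix, bind-interface and set of installed directions."""
    vpns, cur, direction = {}, {}, None  # 'cur' starts as a throwaway dict for any header lines
    for line in text.splitlines():
        if m := re.search(r"VPN Name: (\S+)", line):
            cur, direction = vpns.setdefault(m.group(1), {"remote": None, "bind": None, "installed": set()}), None
        elif m := re.search(r"Remote Identity: ipv4_subnet\(.*=([\d./]+)\)", line):
            cur["remote"] = m.group(1)
        elif m := re.search(r"Bind-interface: (\S+)", line):
            cur["bind"] = m.group(1)
        elif m := re.search(r"Direction: (inbound|outbound)", line):
            direction = m.group(1)
        elif "State: installed" in line and direction:
            cur["installed"].add(direction)  # only an installed SA actually carries traffic
    return vpns


def check_tunnels(sa_text, routes):
    """Return a list of problems; an empty list means every tunnel is up and routed."""
    problems = []
    for name, v in parse_ipsec_sas(sa_text).items():
        missing = {"inbound", "outbound"} - v["installed"]
        if missing:
            problems.append(f"{name}: no installed SA for {sorted(missing)}")
        via = routes.get(v["remote"])
        if via != v["bind"]:  # traffic for the remote prefix would bypass the tunnel that carries it
            problems.append(f"{name}: route for {v['remote']} is {via}, SA bound to {v['bind']}")
    return problems
```

Running `check_tunnels(IPSEC_SA_OUTPUT, STATIC_ROUTES)` on the sample returns an empty list; removing the 10.4.0.0/16 route reports that site1-to-site3 has no route toward st0.2.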
When a new local subnet is created on the remote network and we want the VPN to cover this new subnet as well, we need to complete the following steps:
- define a tunnel interface for the new subnet
- move this interface into the vpn zone as well
- configure the remote proxy identity in the IPsec phase
- write a route for the new remote local subnet pointing at the secure tunnel interface we created.
Configuration Steps (#)
- set interfaces st0 unit 2 description "Tunnel Interface for 10.4.0.0/16"
set interfaces st0 unit 2 family inet
- set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.2
- set security ipsec vpn site1-to-site3 bind-interface st0.2
set security ipsec vpn site1-to-site3 ike gateway P1gateway
set security ipsec vpn site1-to-site3 ike proxy-identity local 10.200.219.0/24
set security ipsec vpn site1-to-site3 ike proxy-identity remote 10.4.0.0/16
set security ipsec vpn site1-to-site3 ike proxy-identity service any
set security ipsec vpn site1-to-site3 ike ipsec-policy P2policy
set security ipsec vpn site1-to-site3 establish-tunnels immediately
- set routing-options static route 10.4.0.0/16 next-hop st0.2
Troubleshooting
- The traffic flow can be put into debug so that incoming and outgoing packets can be examined. (#)
- Debugging for the IKE and IPsec phases can be enabled and written to a file under the /var/log/ directory. (#)
set security flow traceoptions file flowtrace world-readable size 3m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter PF1 source-prefix 10.200.219.1 destination-prefix 10.4.26.228 protocol esp
set security ike traceoptions file iketrace world-readable size 3m
set security ike traceoptions flag all
set security ipsec traceoptions flag packet-drops
The commands above are run in configuration mode (#); then exit to operational mode (>) and examine the logs with the show log iketrace, show log flowtrace and show log kmd commands.
Note: once the logs have been examined, it is important to turn debugging off so as not to put excessive load on the device.
delete security ike traceoptions
delete security flow traceoptions
delete security ipsec traceoptions
commit