Juniper SRX Firewall Site-to-Site VPN Configuration and Troubleshooting Steps

We will walk through the site-to-site VPN configuration and troubleshooting steps on an SRX firewall. The remote site has more than one local network. Assume a topology like the following:

[Figure: site-to-site VPN topology (SRX-site-to-site-vpn-topoloji-srx)]

An IPsec VPN configuration consists of two phases: IKE (Phase 1) and IPsec (Phase 2).

  1. The Phase 1 (IKE) and Phase 2 (IPsec) configuration will be created.
  2. A Secure Tunnel Interface will be created for each local network on the remote side (st0.0, st0.1, st0.2, and so on).
  3. A security zone named vpn will be created, and the Secure Tunnel Interfaces will be placed under this zone.
  4. Routes pointing at the secure tunnel interfaces will be written for the remote-side local networks.
  5. Security policies will be created to specify which traffic is allowed between the two sites.

Configuration Steps
(If there is an SRX device on both sides, the configuration steps are identical; only the IP addresses change.)
(# configuration mode)

  1. set security ike proposal P1proposal authentication-method pre-shared-keys
    set security ike proposal P1proposal dh-group group2
    set security ike proposal P1proposal authentication-algorithm md5
    set security ike proposal P1proposal encryption-algorithm 3des-cbc
    set security ike proposal P1proposal lifetime-seconds 86400
    set security ike policy P1policy mode main
    set security ike policy P1policy proposals P1proposal
    set security ike policy P1policy pre-shared-key ascii-text 1234xxxxyyyyzzzz
    set security ike gateway P1gateway ike-policy P1policy
    set security ike gateway P1gateway address 10.250.253.66
    set security ike gateway P1gateway external-interface vlan.602
    set security ipsec proposal P2proposal protocol esp
    set security ipsec proposal P2proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal P2proposal encryption-algorithm 3des-cbc
    set security ipsec proposal P2proposal lifetime-seconds 36000
    set security ipsec policy P2policy perfect-forward-secrecy keys group2
    set security ipsec policy P2policy proposals P2proposal
    set security ipsec vpn site1-to-site2 bind-interface st0.0
    set security ipsec vpn site1-to-site2 ike gateway P1gateway
    set security ipsec vpn site1-to-site2 ike proxy-identity local 10.200.219.0/24
    set security ipsec vpn site1-to-site2 ike proxy-identity remote 10.25.33.0/24
    set security ipsec vpn site1-to-site2 ike proxy-identity service any
    set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
    set security ipsec vpn site1-to-site2 establish-tunnels immediately
    set security ipsec vpn site1-to-site3 bind-interface st0.2
    set security ipsec vpn site1-to-site3 ike gateway P1gateway
    set security ipsec vpn site1-to-site3 ike proxy-identity local 10.200.219.0/24
    set security ipsec vpn site1-to-site3 ike proxy-identity remote 10.4.0.0/16
    set security ipsec vpn site1-to-site3 ike proxy-identity service any
    set security ipsec vpn site1-to-site3 ike ipsec-policy P2policy
    set security ipsec vpn site1-to-site3 establish-tunnels immediately
  2. set interfaces st0 unit 0 family inet
    set interfaces st0 unit 0 description "Tunnel Interface for 10.25.33.0/24"
    set interfaces st0 unit 2 description "Tunnel Interface for 10.4.0.0/16"
    set interfaces st0 unit 2 family inet
  3. set security zones security-zone vpn interfaces st0.0
    set security zones security-zone vpn interfaces st0.2
  4. set routing-options static route 0.0.0.0/0 next-hop 172.29.30.109
    set routing-options static route 10.25.33.0/24 next-hop st0.0
    set routing-options static route 10.4.0.0/16 next-hop st0.2
  5. set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow match source-address any
    set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow match destination-address any
    set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow match application any
    set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow then permit
    set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow then log session-init
    set security policies from-zone trust to-zone vpn policy trust-to-vpn-allow then log session-close
    set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow match source-address any
    set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow match destination-address any
    set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow match application any
    set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow then permit
    set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow then log session-init
    set security policies from-zone vpn to-zone trust policy vpn-to-trust-allow then log session-close

After the configuration has been entered and committed, the Phase 1 and Phase 2 state can be examined in operational mode (>) with the following commands.

Phase 1:
root@SRX> show security ike security-associations detail
IKE peer 10.250.253.66, Index 2394982, Gateway Name: P1gateway
  Role: Initiator, State: UP
  Initiator cookie: 91d4d2d8ffbb79c1, Responder cookie: 7ed8da799a977ef1
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.29.30.110:500, Remote: 10.250.253.66:500
  Lifetime: Expires in 66677 seconds
  Peer ike-id: 10.250.253.66
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 6360
   Output bytes  :                11632
   Input  packets:                   56
   Output packets:                   56
  Flags: IKE SA is created
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 172.29.30.110:500, Remote: 10.250.253.66:500
    Local identity: 172.29.30.110
    Remote identity: 10.250.253.66
    Flags: IKE SA is created

IKE peer 10.250.253.66, Index 2394984, Gateway Name: P1gateway
  Role: Responder, State: UP
  Initiator cookie: e1274f94e50f5254, Responder cookie: 0b5c3f5d84970f7a
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.29.30.110:500, Remote: 10.250.253.66:500
  Lifetime: Expires in 74253 seconds
  Peer ike-id: 10.250.253.66
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 2752
   Output bytes  :                 3332
   Input  packets:                   11
   Output packets:                   23
  Flags: IKE SA is created
  IPSec security associations: 7 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 172.29.30.110:500, Remote: 10.250.253.66:500
    Local identity: 172.29.30.110
    Remote identity: 10.250.253.66
    Flags: IKE SA is created

Phase 2:
root@SRX> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: site1-to-site2
  Local Gateway: 172.29.30.110, Remote Gateway: 10.250.253.66
  Local Identity: ipv4_subnet(any:0,[0..7]=10.200.219.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.25.33.0/24)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.0
  Port: 500, Nego#: 7, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Last Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: e3c1e9b9, AUX-SPI: 0
    Hard lifetime: Expires in 3261 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2653 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 4fce74a1, AUX-SPI: 0
    Hard lifetime: Expires in 3261 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2653 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 131074 Virtual-system: root, VPN Name: site1-to-site3
  Local Gateway: 172.29.30.110, Remote Gateway: 10.250.253.66
  Local Identity: ipv4_subnet(any:0,[0..7]=10.200.219.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.4.0.0/16)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.2
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Last Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: 4743d72a, AUX-SPI: 0
    Hard lifetime: Expires in 1860 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1252 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: fdee0f95, AUX-SPI: 0
    Hard lifetime: Expires in 1860 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1252 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

root@SRX> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 20:34:32
                    > to 172.29.30.109 via vlan.602
10.4.0.0/16        *[Static/5] 01:43:04
                    > via st0.2
10.25.33.0/24      *[Static/5] 05:28:17
                    > via st0.0
10.200.219.0/24    *[Direct/0] 1d 04:47:12
                    > via vlan.0
10.200.219.1/32    *[Local/0] 1d 04:47:17
                      Local via vlan.0
172.29.30.108/30   *[Direct/0] 20:34:32
                    > via vlan.602
172.29.30.110/32   *[Local/0] 20:37:10
                      Local via vlan.602
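The Phase 1 output above is what you read by eye during troubleshooting; when you have many gateways it helps to parse it. The following Python script is an added example (not code from the original post): it splits `show security ike security-associations detail` output into one record per IKE SA, reports whether each SA is UP, and flags algorithms that are deprecated today. The configuration in this post negotiates 3des-cbc, hmac-md5-96 and DH group 2, which still interoperate but which a practitioner would want warned about. The sample output embedded in the script is constructed for the example (the second peer, its DOWN state and its stronger algorithms are invented to show the checks firing), and the set of algorithms treated as weak is this example's own assumption.

```python
import re

# Constructed sample in the format of `show security ike security-associations detail`.
# The first SA mirrors the post's output; the second is invented to exercise the checks.
SAMPLE_IKE_OUTPUT = """\
IKE peer 10.250.253.66, Index 2394982, Gateway Name: P1gateway
  Role: Initiator, State: UP
  Initiator cookie: 91d4d2d8ffbb79c1, Responder cookie: 7ed8da799a977ef1
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.29.30.110:500, Remote: 10.250.253.66:500
  Lifetime: Expires in 66677 seconds
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-2
  IPSec security associations: 7 created, 0 deleted
  Phase 2 negotiations in progress: 0
IKE peer 10.250.253.67, Index 2394990, Gateway Name: P1gateway-site4
  Role: Responder, State: DOWN
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.29.30.110:500, Remote: 10.250.253.67:500
  Algorithms:
   Authentication        : hmac-sha256
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
"""

# Each SA starts with an "IKE peer" header line.
HEADER_RE = re.compile(r"^IKE peer (\S+), Index (\d+), Gateway Name: (\S+)")
# "Key: value" pairs separated by ", ". The key may contain spaces and padding
# before the colon ("Diffie-Hellman group  : DH-group-2"), and the value may
# itself contain a colon ("Local: 172.29.30.110:500").
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 #\-]*?)\s*:\s*([^,]+?)(?:,\s*|$)")

# Algorithms this example treats as too weak for new deployments (an assumption
# of this example; adjust to your own policy): MD5, DES/3DES, DH groups 1/2/5.
WEAK_ALGORITHMS = {
    "hmac-md5-96", "hmac-md5",
    "3des-cbc", "des-cbc",
    "DH-group-1", "DH-group-2", "DH-group-5",
}
ALGORITHM_FIELDS = ("Authentication", "Encryption",
                    "Pseudo random function", "Diffie-Hellman group")


def parse_ike_sas(text):
    """Return one dict per IKE SA, keyed by the field names printed by the SRX."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            sas.append({"Peer": header.group(1), "Index": header.group(2),
                        "Gateway Name": header.group(3)})
            continue
        if not sas or not line:
            continue
        for key, value in PAIR_RE.findall(line):
            sas[-1][key.strip()] = value.strip()
    return sas


def assess_ike_sa(sa):
    """Verdict for one SA: is Phase 1 up, and which negotiated algorithms are weak."""
    weak = [(f, sa[f]) for f in ALGORITHM_FIELDS if sa.get(f) in WEAK_ALGORITHMS]
    return {
        "peer": sa["Peer"],
        "gateway": sa["Gateway Name"],
        "role": sa.get("Role"),
        "up": sa.get("State") == "UP",
        "weak_algorithms": weak,
    }


def assess_ike_output(text):
    """Parse the whole command output and assess every SA in it."""
    return [assess_ike_sa(sa) for sa in parse_ike_sas(text)]


if __name__ == "__main__":
    for verdict in assess_ike_output(SAMPLE_IKE_OUTPUT):
        status = "UP" if verdict["up"] else "NOT UP"
        print(f"{verdict['gateway']} ({verdict['peer']}, {verdict['role']}): {status}")
        for field, value in verdict["weak_algorithms"]:
            print(f"  weak {field}: {value}")
```

The same key/value splitting works on the Phase 2 output, where `State: installed` in both directions and `Fail#: 0` are the fields to check.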

[Screenshots of the same output from the terminal: SRX-site-to-site-vpn-topoloji-srx-2, SRX-site-to-site-vpn-topoloji-srx-3, SRX-site-to-site-vpn-topoloji-srx-4]

When a new local subnet is created on the remote network and we want to extend the VPN to this new subnet as well, we need to complete the following steps:

  1. define a tunnel interface for the new subnet;
  2. move this interface under the vpn zone as well;
  3. configure the remote proxy identity for it in the IPsec phase;
  4. write a route for the new remote local subnet pointing at the secure tunnel interface we created.

Configuration Steps (#)

  1. set interfaces st0 unit 2 description "Tunnel Interface for 10.4.0.0/16"
    set interfaces st0 unit 2 family inet
  2. set security zones security-zone vpn interfaces st0.0
    set security zones security-zone vpn interfaces st0.2
  3. set security ipsec vpn site1-to-site3 bind-interface st0.2
    set security ipsec vpn site1-to-site3 ike gateway P1gateway
    set security ipsec vpn site1-to-site3 ike proxy-identity local 10.200.219.0/24
    set security ipsec vpn site1-to-site3 ike proxy-identity remote 10.4.0.0/16
    set security ipsec vpn site1-to-site3 ike proxy-identity service any
    set security ipsec vpn site1-to-site3 ike ipsec-policy P2policy
    set security ipsec vpn site1-to-site3 establish-tunnels immediately
  4. set routing-options static route 10.4.0.0/16 next-hop st0.2

Troubleshooting

  1. The traffic flow can be put into debug so that incoming and outgoing packets can be examined. (#)
  2. Debugging of the IKE and IPsec phases can be turned on and written to a file under the /var/log/ directory. (#)

set security flow traceoptions file flowtrace world-readable size 3m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter PF1 source-prefix 10.200.219.1 destination-prefix 10.4.26.228 protocol esp

set security ike traceoptions file iketrace world-readable size 3m
set security ike traceoptions flag all

set security ipsec traceoptions flag packet-drops

The commands above are run in configuration mode (#); then, after switching to operational mode (>), the logs can be examined with the show log iketrace, show log flowtrace and show log kmd commands.

Note: once the logs have been examined, it is important to turn debugging off so as not to put excessive load on the device.

delete security ike traceoptions
delete security flow traceoptions
delete security ipsec traceoptions
commit
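The five-step configuration at the top of the post and the new-subnet procedure both depend on four items staying in step for every tunnel: the st0 unit must have family inet, it must sit in the vpn zone, the VPN must carry a remote proxy-identity, and the static route for that remote prefix must point at the same st0 unit. The note above about removing traceoptions adds a fifth thing to check before you leave the box. The following Python linter is an added example (not code from the original post): it reads a set-command configuration and reports any of these that are missing or mismatched. The embedded configuration is constructed for the example, with a missing zone membership, a route pointing at the wrong st0 unit and leftover IKE traceoptions, so that each check fires.

```python
import re

# Constructed set-command configuration in the style of the post, with three
# deliberate mistakes: st0.2 is missing from the vpn zone, the 10.4.0.0/16 route
# points at st0.1 instead of st0.2, and IKE traceoptions were left behind.
SAMPLE_CONFIG = """\
set security ipsec vpn site1-to-site2 bind-interface st0.0
set security ipsec vpn site1-to-site2 ike gateway P1gateway
set security ipsec vpn site1-to-site2 ike proxy-identity local 10.200.219.0/24
set security ipsec vpn site1-to-site2 ike proxy-identity remote 10.25.33.0/24
set security ipsec vpn site1-to-site3 bind-interface st0.2
set security ipsec vpn site1-to-site3 ike gateway P1gateway
set security ipsec vpn site1-to-site3 ike proxy-identity local 10.200.219.0/24
set security ipsec vpn site1-to-site3 ike proxy-identity remote 10.4.0.0/16
set interfaces st0 unit 0 family inet
set interfaces st0 unit 2 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 0.0.0.0/0 next-hop 172.29.30.109
set routing-options static route 10.25.33.0/24 next-hop st0.0
set routing-options static route 10.4.0.0/16 next-hop st0.1
set security ike traceoptions file iketrace world-readable size 3m
set security ike traceoptions flag all
"""

# One regex per statement the linter cares about (anchored on the full line).
RE_BIND = re.compile(r"^set security ipsec vpn (\S+) bind-interface (st0\.(\d+))$")
RE_REMOTE = re.compile(r"^set security ipsec vpn (\S+) ike proxy-identity remote (\S+)$")
RE_UNIT = re.compile(r"^set interfaces st0 unit (\d+) family inet$")
RE_ZONE = re.compile(r"^set security zones security-zone (\S+) interfaces (st0\.\d+)$")
RE_ROUTE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")
RE_TRACE = re.compile(r"^set security (ike|ipsec|flow) traceoptions\b")


def lint_vpn_config(config_text, vpn_zone="vpn"):
    """Return human-readable findings; an empty list means every tunnel is consistent."""
    bind, remote, inet_units, zone_of, routes, traces = {}, {}, set(), {}, {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_BIND.match(line):
            bind[m.group(1)] = (m.group(2), m.group(3))        # vpn -> (st0.N, N)
        elif m := RE_REMOTE.match(line):
            remote[m.group(1)] = m.group(2)                    # vpn -> remote prefix
        elif m := RE_UNIT.match(line):
            inet_units.add(m.group(1))                         # units with family inet
        elif m := RE_ZONE.match(line):
            zone_of[m.group(2)] = m.group(1)                   # st0.N -> zone
        elif m := RE_ROUTE.match(line):
            routes.setdefault(m.group(1), set()).add(m.group(2))  # prefix -> next-hops
        elif m := RE_TRACE.match(line):
            traces.add(m.group(1))                             # debug still enabled

    findings = []
    for vpn, (st, unit) in bind.items():
        if unit not in inet_units:
            findings.append(f"{vpn}: {st} lacks 'set interfaces st0 unit {unit} family inet'")
        if zone_of.get(st) != vpn_zone:
            findings.append(f"{vpn}: {st} is not in security-zone {vpn_zone} "
                            f"(found: {zone_of.get(st, 'no zone')})")
        prefix = remote.get(vpn)
        if prefix is None:
            findings.append(f"{vpn}: no 'ike proxy-identity remote' prefix configured")
        elif st not in routes.get(prefix, set()):
            found = ", ".join(sorted(routes.get(prefix, []))) or "no route"
            findings.append(f"{vpn}: static route for {prefix} must use next-hop {st} "
                            f"(found: {found})")
    for proc in sorted(traces):
        findings.append(f"security {proc} traceoptions still configured; "
                        f"run 'delete security {proc} traceoptions' and commit")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show configuration | display set` from the device (saved to a file) and it will tell you which of the four linked statements a new tunnel is missing, which is usually faster than reading the route table and zone definitions by hand.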

Emre BAŞTUĞ
