This article walks through configuring a Route-Based Site-to-Site IPSec VPN on Juniper SRX devices, following the example topology below. In that topology the IP addresses, zones, static routes and the policy from zone Trust to zone Untrust have already been configured as in the example; you can see how to configure them in this article.

1. Configure IKE phase 1:

+ On SRX-A:

root@SRX-A#set security ike proposal IKE-PROP lifetime-seconds 3600
root@SRX-A#set security ike proposal IKE-PROP authentication-method pre-shared-keys
root@SRX-A#set security ike proposal IKE-PROP authentication-algorithm sha1
root@SRX-A#set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
root@SRX-A#set security ike proposal IKE-PROP dh-group group5
root@SRX-A#set security ike policy IKE-POL proposals IKE-PROP
root@SRX-A#set security ike policy IKE-POL mode main
root@SRX-A#set security ike policy IKE-POL pre-shared-key ascii-text juniper123
root@SRX-A#set security ike gateway IKE-GW ike-policy IKE-POL
root@SRX-A#set security ike gateway IKE-GW address 2.2.2.2
root@SRX-A#set security ike gateway IKE-GW external-interface ge-0/0/0.0

- Allow IKE on the Untrust zone:

root@SRX-A#set security zones security-zone untrust host-inbound-traffic system-services ike

+ On SRX-B:

root@SRX-B#set security ike proposal IKE-PROP lifetime-seconds 3600
root@SRX-B#set security ike proposal IKE-PROP authentication-method pre-shared-keys
root@SRX-B#set security ike proposal IKE-PROP authentication-algorithm sha1
root@SRX-B#set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
root@SRX-B#set security ike proposal IKE-PROP dh-group group5
root@SRX-B#set security ike policy IKE-POL proposals IKE-PROP
root@SRX-B#set security ike policy IKE-POL mode main
root@SRX-B#set security ike policy IKE-POL pre-shared-key ascii-text juniper123
root@SRX-B#set security ike gateway IKE-GW ike-policy IKE-POL
root@SRX-B#set security ike gateway IKE-GW address 1.1.1.1
root@SRX-B#set security ike gateway IKE-GW external-interface ge-0/0/0.0

- Allow IKE on the Untrust zone:

root@SRX-B#set security zones security-zone untrust host-inbound-traffic system-services ike

2. Configure IKE phase 2 on both SRX-A and SRX-B:

set security ipsec proposal IPSEC-PROP lifetime-seconds 3600
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN vpn-monitor
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security ipsec vpn IPSEC-VPN bind-interface st0.1

3. Configure the tunnel interface on both SRX-A and SRX-B:

set interfaces st0 unit 1 family inet
set security zones security-zone VPN interfaces st0.1

4. Configure routing:

+ SRX-A:

root@SRX-A#set routing-options static route 172.16.10.0/24 next-hop st0.1

+ SRX-B:

root@SRX-B#set routing-options static route 192.168.10.0/24 next-hop st0.1

5. Configure the Security Policy:

- Create the address-book on both devices.

set security address-book global address NET-A 192.168.10.0/24
set security address-book global address NET-B 172.16.10.0/24

- Create the Security Policy on SRX-A:

root@SRX-A#set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address NET-A destination-address NET-B application any
root@SRX-A#set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit
root@SRX-A#set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address NET-B destination-address NET-A application any
root@SRX-A#set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit

- Create the Security Policy on SRX-B:

root@SRX-B#set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address NET-B destination-address NET-A application any
root@SRX-B#set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit
root@SRX-B#set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address NET-A destination-address NET-B application any
root@SRX-B#set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit

6. Check connectivity from the hosts:

- Some commands that help you check the status of the VPN:

show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
show route

!!! Thank you for following this article !!!
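Steps 1 to 5 above only bring the tunnel up when both peers' IKE and IPsec parameters agree and the remaining pieces (inbound IKE on the external zone, st0.1 placed in a zone, a route into the tunnel) are present on each side. The following checker is an added example, not the article's own code: it parses Junos "set" commands from both SRX-A and SRX-B and reports the mismatches that most often leave phase 1 or phase 2 stuck. The sample configurations are constructed to mirror the article (lifetimes omitted); the ge-0/0/0 address lines and the /30 mask are assumptions, while the peer addresses 1.1.1.1 and 2.2.2.2 come from the article.

```python
"""Added example: consistency check for a mirrored SRX route-based IPsec VPN.
Parses Junos 'set ...' commands from both peers and flags proposal/PFS/PSK
mismatches, gateways that do not point at each other, and missing plumbing."""
from typing import Dict, List


def parse_set_commands(text: str) -> List[List[str]]:
    """Turn 'root@SRX-A#set a b c' or plain 'set a b c' lines into token lists."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if "set " in line:
            cmds.append(line[line.index("set ") + 4:].split())
    return cmds


def find(cmds: List[List[str]], *prefix: str) -> List[List[str]]:
    """Tokens following `prefix` for every command that starts with it."""
    n = len(prefix)
    return [c[n:] for c in cmds if c[:n] == list(prefix)]


def params(cmds: List[List[str]], *prefix: str) -> Dict[str, str]:
    """'key value...' pairs under a prefix, e.g. security ike proposal IKE-PROP."""
    return {r[0]: " ".join(r[1:]) for r in find(cmds, *prefix) if len(r) >= 2}


# Constructed sample configs mirroring the article. The interface address
# lines and the /30 mask are assumptions; 1.1.1.1 / 2.2.2.2 are the article's.
COMMON = """
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP dh-group group5
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL mode main
set security ike policy IKE-POL pre-shared-key ascii-text juniper123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW external-interface ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set security zones security-zone VPN interfaces st0.1
"""
SRX_A = COMMON + """
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
set security ike gateway IKE-GW address 2.2.2.2
set routing-options static route 172.16.10.0/24 next-hop st0.1
"""
SRX_B = COMMON + """
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/30
set security ike gateway IKE-GW address 1.1.1.1
set routing-options static route 192.168.10.0/24 next-hop st0.1
"""


def summarize(text: str) -> dict:
    """Resolve vpn -> gateway -> policies and pull out what must agree or mirror."""
    cmds = parse_set_commands(text)
    vpn = find(cmds, "security", "ipsec", "vpn")[0][0]
    vpn_ike = params(cmds, "security", "ipsec", "vpn", vpn, "ike")
    gw = params(cmds, "security", "ike", "gateway", vpn_ike["gateway"])
    ike_pol = params(cmds, "security", "ike", "policy", gw["ike-policy"])
    ipsec_pol = params(cmds, "security", "ipsec", "policy", vpn_ike["ipsec-policy"])
    bind = params(cmds, "security", "ipsec", "vpn", vpn).get("bind-interface")
    ifname, unit = gw["external-interface"].split(".")
    own = find(cmds, "interfaces", ifname, "unit", unit, "family", "inet", "address")
    zones = find(cmds, "security", "zones", "security-zone")
    return {
        "ike_proposal": params(cmds, "security", "ike", "proposal", ike_pol["proposals"]),
        "ike_mode": ike_pol.get("mode"),
        "psk": ike_pol.get("pre-shared-key"),
        "ipsec_proposal": params(cmds, "security", "ipsec", "proposal", ipsec_pol["proposals"]),
        "pfs": ipsec_pol.get("perfect-forward-secrecy"),
        "peer": gw.get("address"),
        "own_ip": own[0][0].split("/")[0] if own else None,
        "bind": bind,
        "ike_zones": [z[0] for z in zones if z[1:] == ["host-inbound-traffic", "system-services", "ike"]],
        "tunnel_zones": [z[0] for z in zones if z[1:] == ["interfaces", bind]],
        "routes": [r[0] for r in find(cmds, "routing-options", "static", "route") if r[1:] == ["next-hop", bind]],
    }


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return human-readable problems; an empty list means the pair looks consistent."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    issues = []
    for key in ("ike_proposal", "ike_mode", "psk", "ipsec_proposal", "pfs"):
        if a[key] != b[key]:
            issues.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if a["peer"] != b["own_ip"] or b["peer"] != a["own_ip"]:
        issues.append(f"gateways do not point at each other: A->{a['peer']}, B->{b['peer']}")
    for name, s in (("SRX-A", a), ("SRX-B", b)):
        if not s["ike_zones"]:
            issues.append(f"{name}: no zone allows host-inbound ike")
        if not s["tunnel_zones"]:
            issues.append(f"{name}: {s['bind']} is not placed in any security zone")
        if not s["routes"]:
            issues.append(f"{name}: no static route uses {s['bind']} as next-hop")
    return issues
```

Run check_pair(SRX_A, SRX_B) on the sample pair and it returns an empty list; change one side's dh-group, pre-shared key or gateway address and the corresponding mismatch is reported, which is the same class of problem you would otherwise diagnose from an empty "show security ike security-associations" output. Lifetimes are deliberately not compared, since the peers can negotiate with different values.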