SRX dial-up VPN (NCP edition)
Network configuration
[Figure: network topology. NCP IPsec client (Windows XP SP3, Japanese edition) at 172.27.24.216 on 172.27.24.0/24, via an L3 switch (.254 on both subnets, 100.100.100.254 on the SRX side), to SRX100 fe-0/0/0 at 100.100.100.1 on 100.100.100.0/24 (policy-based VPN); vlan.0 at 192.168.1.1 with a Windows 2003 server at 192.168.1.100 on 192.168.1.0/24 behind a hub.]
Test devices
SRX100
- JUNOS 10.2
Client
Windows XP SP3
- Japanese Edition
- NCP client Ver.9.20 Build 33
Windows 7 Ultimate
- Japanese Edition
- NCP client Ver.9.20 Build 33
Copyright © 2010 Juniper Networks, Inc.
www.juniper.net
Connecting with PRESHARED-KEY (pre-shared key method)
Configuration conditions
SRX configuration flow
- IKE phase 1 settings
- IKE phase 2 settings
- VPN connection policy settings
- Xauth server settings
IKE phase 1
- Aggressive mode
- Preshared-key
- DH group 2
- AES 128-bit encryption
- SHA1 hash
IKE phase 2
- ESP mode
- AES 128-bit encryption
- SHA1 hash
- PFS DH-group2
Xauth server
- Radius
SRX configuration - IKE phase 1 and 2 - (PRESHARED-KEY)
ike {
    proposal pre-g2-aes128-sha {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ike_policy {
        mode aggressive;
        proposals pre-g2-aes128-sha;
        pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."; ## SECRET-DATA
    }
    gateway NCP_p1 {
        ike-policy NCP_ike_policy;
        dynamic {
            user-at-hostname "[email protected]";
        }
        dead-peer-detection;
        external-interface fe-0/0/0.0;
        xauth access-profile radius-auth;
    }
}
ipsec {
    proposal g2-esp-aes128-sha {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ipsec_policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals g2-esp-aes128-sha;
    }
    vpn NCP_p2 {
        ike {
            gateway NCP_p1;
            ipsec-policy NCP_ipsec_policy;
        }
    }
}
SRX configuration - Policy and XAUTH - (PRESHARED-KEY)
policies {
    from-zone untrust to-zone trust {
        policy NCP_IPSec {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn NCP_p2;
                    }
                }
                log {
                    session-init;
                }
            }
        }
    }
}
access {
    profile radius-auth {
        authentication-order radius;
        radius-server {
            172.27.24.201 {
                secret "$9$V.sgJikP36AGD6Ap0hcbs2"; ## SECRET-DATA
                source-address 100.100.100.1;
            }
        }
    }
}
SRX configuration - complete (PRESHARED-KEY)
[edit]
root@SRX100-vpn# show | display set |no-more
set version 10.2B3.3
set system host-name SRX100-vpn
set system time-zone Asia/Tokyo
set system root-authentication encrypted-password "$1$xDjciVll$zJ38YGxJgNRtlsS77Wdko1"
set system name-server 172.27.24.201
"$1$AVWl7szn$EtuXUTHqnLgb1JKK1j/Ob1"
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/0 unit 0 family inet address 100.100.100.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 100.100.100.254
set protocols stp
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike policy NCP_ike_policy pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."
set security ike gateway NCP_p1 ike-policy NCP_ike_policy
set security ike gateway NCP_p1 dynamic user-at-hostname "[email protected]"
set security ike gateway NCP_p1 dead-peer-detection
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec proposal g2-esp-aes128-sha protocol esp
set security ipsec proposal g2-esp-aes128-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-esp-aes128-sha encryption-algorithm aes-128-cbc
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy NCP_ipsec_policy proposals g2-esp-aes128-sha
set security ipsec vpn NCP_p2 ike gateway NCP_p1
set security ipsec vpn NCP_p2 ike ipsec-policy NCP_ipsec_policy
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust address-book address 172.27.24.216 32.0.0.0/32
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy NCP_IPSec match source-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match destination-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match application any
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
set security policies from-zone untrust to-zone trust policy NCP_IPSec then log session-init
set access profile radius-auth authentication-order radius
set access profile radius-auth radius-server 172.27.24.201 secret "$9$V.sgJikP36AGD6Ap0hcbs2"
set access profile radius-auth radius-server 172.27.24.201 source-address 100.100.100.1
set vlans vlan-trust vlan-id 2
set vlans vlan-trust l3-interface vlan.0
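An added example, not code from the deck or from Juniper: a small Python audit that reads `show | display set` lines of the kind listed above and flags the choices a defender would question in this design (aggressive mode with a pre-shared key, DH group 2 for phase 1 and for PFS, a policy that references an undefined proposal, and `system-services all` inbound on the untrust zone). The sample lines are constructed from the deck's object names, and the regexes cover only the statement forms the deck uses.

```python
import re

# Constructed sample modelled on the deck's "show | display set" listing
# (same object names, a subset of the lines; not the page's full output).
SAMPLE_CONFIG = """\
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy NCP_ipsec_policy proposals g2-esp-aes128-sha
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
"""

WEAK_DH = {"group1", "group2", "group5"}  # MODP groups of 1536 bits or less
OBJ_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy|gateway|vpn) (\S+) (.*?)(\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")

def parse_set_config(text):
    """Map (family, kind, name) -> {leaf: value} for ike/ipsec objects, and zone -> inbound services."""
    objects, zone_services = {}, {}
    for line in text.splitlines():
        if m := OBJ_RE.match(line.strip()):
            family, kind, name, leaf, value = m.groups()
            objects.setdefault((family, kind, name), {})[leaf.strip()] = value
        elif z := ZONE_RE.match(line.strip()):
            zone_services.setdefault(z.group(1), set()).add(z.group(2))
    return objects, zone_services

def audit(objects, zone_services):
    """Return findings for the settings the deck chooses; an empty list means nothing was flagged."""
    findings = []
    for (family, kind, name), leaves in sorted(objects.items()):
        if family == "ike" and kind == "policy" and leaves.get("mode") == "aggressive":
            findings.append(f"ike policy {name}: aggressive mode exposes the PSK-derived hash to offline guessing")
        if family == "ike" and kind == "proposal" and leaves.get("dh-group") in WEAK_DH:
            findings.append(f"ike proposal {name}: {leaves['dh-group']} is a weak DH group")
        if family == "ipsec" and kind == "policy" and leaves.get("perfect-forward-secrecy keys") in WEAK_DH:
            findings.append(f"ipsec policy {name}: PFS uses weak DH group {leaves['perfect-forward-secrecy keys']}")
        ref = leaves.get("proposals")  # a policy pointing at a proposal that is not defined cannot negotiate
        if kind == "policy" and ref and (family, "proposal", ref) not in objects:
            findings.append(f"{family} policy {name}: references undefined proposal {ref}")
    if "all" in zone_services.get("untrust", set()):
        findings.append("zone untrust: system-services all opens every management service; the VPN only needs ike")
    return findings

def audit_text(text):
    return audit(*parse_set_config(text))
```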
IPsec client (NCP) configuration example
Profile name: name of the configuration profile (any name).
Communication Medium: select the type of access line; normally select LAN.
Default Profile after System Reboot: enable this if the profile should be the default at system startup.

Connection Mode: specify the connection behaviour and the idle timeout value.

Gateway (Tunnel Endpoint): specify the IP address of the SRX to connect to.
IKE Policy: specify the IKE phase 1 proposal.
IPSec Policy: specify the IKE phase 2 proposal.
Exch Mode: select Main or Aggressive mode.
PFS Group: specify the DH group.
Policy Lifetime: specify the phase 1 and phase 2 lifetime values.
Policy Editor: used to edit the phase 1 and phase 2 proposal sets.

IPsec Compression: check to enable IPsec compression.
Disable DPD (Dead Peer Detection): check to disable DPD.
UDP Encapsulation: used when the gateway listens on a customized port number.

Local Identity (IKE): specify the IKE ID type and the ID value.
Preshared Key: specify the pre-shared key.
Extend Authentication (XAUTH): specify the ID and password used for Xauth; leave them blank to be prompted on every connection.

Assignment of the Private IP Address: specify the IP address to be configured on the client. To use modeconfig, select "IKE config mode". Specify DNS and similar values under DNS/WINS servers.

When the connection succeeds, the status shows Connection Established and turns green.
XAUTH settings (local authentication)
access {
    profile Local-auth {
        authentication-order password;
        client ipsec01 {    ## user name
            firewall-user {
                ## password
                password "$9$7MdwgGDkTz6oJz69A1INdb"; ## SECRET-DATA
            }
        }
    }
}
BACKUP SLIDE
Using certificates
Certificate creation flow
1. Configure the CA profile
2. Load the CA certificate
3. Generate the private key and the certificate request
4. The CA issues the certificate
5. Load the issued certificate

! CA profile settings
# set security pki ca-profile private-CA ca-identity "COLORS CLASS 1 CA"
! Load the CA certificate
> request security pki ca-certificate load filename rubyca.pem ca-profile private-CA
! Generate the private key
> request security pki generate-key-pair certificate-id srx100-vpn size 2048
! Create the certificate request (CSR)
> request security pki generate-certificate-request certificate-id srx100-vpn domain-name srx100vpn.juniper.local ip-address 100.100.100.1 email [email protected] subject CN=srx100vpn.juniper.local,OU=remotevpn,OU=SRX,O="Juniper Networks",L=Shinjuku,ST=Tokyo,C=JP
! Load the issued certificate
> request security pki local-certificate load certificate-id srx100-vpn filename srx100vpn.pem