Last updated: 2021-07-22
Contents
- Deactivate & Activate VPN
- Settings
- Checking
  - P1
  - P2
  - log
- Statistics
- Reconnect IPSec
- local-identity & remote-identity
Deactivate & Activate VPN
Step 1: Look up the tunnel name
root@fw# show security ipsec vpn ?
root@fw# show security ike ?
Step 2: To deactivate
user@srx#deactivate security ipsec vpn <vpn name>
user@srx#deactivate security ike gateway <gatewayname>
user@srx#commit
e.g.
deactivate security ipsec vpn DC
deactivate security ike gateway DC
commit
Step 3: Verify
# same command as Step 1
root@fw# show security ike gateway DC
##
## inactive: security ike gateway DC
##
ike-policy DC_Pol;
address R.R.R.R;
local-identity inet L.L.L.L;
external-interface ge-0/0/0.0;
version v2-only;
P.S.
To activate (reverse order: gateway first, then the VPN):
user@srx#activate security ike gateway <gatewayname>
user@srx#activate security ipsec vpn <vpn name>
user@srx#commit
Settings
Check system-services
Office# show security ike
gateway IKE-To-A {
ike-policy IKE-A;
address x.x.x.x;
dead-peer-detection {
always-send;
interval 60;
threshold 5;
}
external-interface ge-0/0/0.0;
}
Office# show security zones | display set | match ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
Route-based VPN
Verify that an st0.x interface is bound to the VPN with the command:
Office# show security ipsec
vpn IPSec {
bind-interface st0.2;
ike {
gateway IKE-To-A;
ipsec-policy IPsec-POLICY;
}
establish-tunnels immediately;
}
Because st0.2 is what the static route will later be pointed at.
Checking
Check the status of IKE Phase I
show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
523871  UP     ????????????????  ????????????????  Main  remote-ip-address
Check the status of Phase 2
show security ipsec security-associations
# After the connection succeeds there is a pair of SPIs under the same ID, one per direction (< inbound, > outbound)
Total active tunnels: 1
  ID      Algorithm              SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073 ESP:aes-cbc-128/sha1   6c168f16  1227/ unlim  U    root  500   remote-wan-ip-address
  >131073 ESP:aes-cbc-128/sha1   6eb49f04  1227/ unlim  U    root  500   remote-wan-ip-address
SPI
Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI.
Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys.
The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: IKE and IPsec.
Mon
The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down).
A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.
lsys
The logical system (lsys) the SA belongs to; root is the root system.
Check log
Enable Log
# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit
Show Log
> show log kmd-logs | no-more
# Log of a successful connection
# RouterOS "Peers" tab = IKE Phase I
# After success, "Remote Peers" shows both sides' WAN IPs
Jul 9 18:30:09 AB-Office kmd[1640]: IKE negotiation successfully completed. IKE Version: 1, VPN: IPSec Gateway: IKE-To-RemoteOfficeName, Local: L.L.L.L/500, Remote: R.R.R.R/500, Local IKE-ID: L.L.L.L, Remote IKE-ID: R.R.R.R, VR-ID: 0, Role: Initiator
# RouterOS "Policies" tab = Phase II
# After success, "Installed SAs" shows both sides' SPIs
Jul 9 18:27:50 AB-Office kmd[1640]: KMD_PM_SA_ESTABLISHED: Local gateway: L.L.L.L, Remote gateway: R.R.R.R, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x21241a28, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jul 9 18:27:50 AB-Office kmd[1640]: KMD_PM_SA_ESTABLISHED: Local gateway: L.L.L.L, Remote gateway: R.R.R.R, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x4c3b42, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jul 9 18:27:50 AB-Office kmd[1640]: KMD_VPN_UP_ALARM_USER: VPN IPSec from R.R.R.R is up. Local-ip: L.L.L.L, gateway name: IKE-To-RemoteOfficeName, vpn name: IPSec, tunnel-id: 131074, local tunnel-if: st0.2, remote tunnel-ip: Not-Available, Local IKE-ID: L.L.L.L, Remote IKE-ID: R.R.R.R, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
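The kmd-logs messages above are what a fully established tunnel leaves behind: one Phase 1 completion line, one KMD_PM_SA_ESTABLISHED per direction, and the VPN-up alarm. The script below is an added Python example, not part of these notes and not Junos code, that parses those three message formats and reports a tunnel that only half-established (for instance an inbound SA logged without its outbound twin, or no VPN-up alarm at all). The log lines, the AB-Office hostname and the 192.0.2.1 / 198.51.100.7 addresses are constructed sample data in the same layout as the page's log.

```python
"""Parse SRX kmd-logs lines for IPsec tunnel establishment and confirm the
tunnel came up with an SA in both directions.

Added example, not from the original notes.  The log lines below are
constructed to match the message formats shown on the page; addresses are
RFC 5737 documentation ranges."""
import re
from collections import defaultdict

# Constructed sample of `show log kmd-logs` output (not a real capture).
SAMPLE_LOG = [
    "Jul  9 18:30:09 AB-Office kmd[1640]: IKE negotiation successfully completed. "
    "IKE Version: 1, VPN: IPSec Gateway: IKE-To-RemoteOfficeName, Local: 192.0.2.1/500, "
    "Remote: 198.51.100.7/500, Local IKE-ID: 192.0.2.1, Remote IKE-ID: 198.51.100.7, "
    "VR-ID: 0, Role: Initiator",
    "Jul  9 18:30:09 AB-Office kmd[1640]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.0.2.1, "
    "Remote gateway: 198.51.100.7, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), "
    "Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x21241a28, "
    "AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: ",
    "Jul  9 18:30:09 AB-Office kmd[1640]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.0.2.1, "
    "Remote gateway: 198.51.100.7, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), "
    "Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x4c3b42, "
    "AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: ",
    "Jul  9 18:30:09 AB-Office kmd[1640]: KMD_VPN_UP_ALARM_USER: VPN IPSec from 198.51.100.7 "
    "is up. Local-ip: 192.0.2.1, gateway name: IKE-To-RemoteOfficeName, vpn name: IPSec, "
    "tunnel-id: 131074, local tunnel-if: st0.2, remote tunnel-ip: Not-Available, "
    "Local IKE-ID: 192.0.2.1, Remote IKE-ID: 198.51.100.7, XAUTH username: Not-Applicable, "
    "VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), "
    "Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kmd\[\d+\]: (?P<msg>.*)$"
)


def parse_fields(text):
    """Turn 'Key: value, Key2: value2, ...' into a dict.  Splitting on ', '
    keeps 'ipv4_subnet(any:0,[0..7]=0.0.0.0/0)' intact because its inner
    comma has no following space."""
    fields = {}
    for token in text.split(", "):
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", token)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_kmd_line(line):
    """Classify one kmd-logs line; returns None for lines that are not kmd."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if msg.startswith("IKE negotiation successfully completed."):
        # Phase 1 done: the peer addresses and which side initiated
        return {"event": "ike_up", **parse_fields(msg.partition(". ")[2])}
    if msg.startswith("KMD_PM_SA_ESTABLISHED:"):
        # Phase 2: one message per direction, each with its own SPI
        return {"event": "sa_established", **parse_fields(msg.partition(":")[2])}
    if msg.startswith("KMD_VPN_UP_ALARM_USER:"):
        head, _, rest = msg.partition(". ")  # prose sentence, then fields
        ev = {"event": "vpn_up", **parse_fields(rest)}
        peer = re.search(r"VPN (\S+) from (\S+) is up", head)
        ev["Remote"] = peer.group(2) if peer else ev.get("Remote IKE-ID")
        return ev
    return {"event": "other", "msg": msg}


def summarize_tunnels(lines):
    """Group events by (local gateway, remote gateway) and record which SA
    directions were installed and whether the VPN-up alarm fired."""
    tunnels = defaultdict(lambda: {"ike_role": None, "spi": {}, "vpn_up": None})
    for line in lines:
        ev = parse_kmd_line(line)
        if not ev:
            continue
        if ev["event"] == "ike_up":
            key = (ev["Local"].split("/")[0], ev["Remote"].split("/")[0])
            tunnels[key]["ike_role"] = ev.get("Role")
        elif ev["event"] == "sa_established":
            key = (ev["Local gateway"], ev["Remote gateway"])
            tunnels[key]["spi"][ev["Direction"]] = ev["SPI"]
        elif ev["event"] == "vpn_up":
            key = (ev["Local-ip"], ev["Remote"])
            tunnels[key]["vpn_up"] = {"vpn": ev["vpn name"], "tunnel_if": ev["local tunnel-if"],
                                      "tunnel_id": ev["tunnel-id"]}
    return dict(tunnels)


def tunnel_health(tunnels):
    """{(local, remote): [problems]}; an empty list means fully up.  Only one
    KMD_PM_SA_ESTABLISHED direction, or no VPN-up alarm, is the
    half-established state worth alerting on."""
    report = {}
    for key, t in tunnels.items():
        problems = [f"no {d} SA" for d in ("inbound", "outbound") if d not in t["spi"]]
        if t["vpn_up"] is None:
            problems.append("no KMD_VPN_UP_ALARM_USER seen")
        report[key] = problems
    return report


if __name__ == "__main__":
    for peers, problems in tunnel_health(summarize_tunnels(SAMPLE_LOG)).items():
        print(peers, "OK" if not problems else "; ".join(problems))
```

Feed it the lines of `show log kmd-logs | no-more` (or the syslog stream if kmd-logs is forwarded to a collector); a tunnel whose problem list is non-empty after the expected negotiation window is the one to look at.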
Statistics
Office# show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            7648616
  Decrypted bytes:            2763500
  Encrypted packets:            40389
  Decrypted packets:            32228
AH Statistics:
  Input bytes:                      0
  Output bytes:                     0
  Input packets:                    0
  Output packets:                   0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
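To turn the SA table from the Checking section and the counters above into something a monitoring job can run, here is an added Python example (not from these notes and not Juniper code) that parses both outputs and returns findings: a tunnel ID missing one direction, VPN monitoring reporting an SA down, an SA about to expire, or any non-zero error counter (replay errors and authentication or decryption failures in particular). The SA and statistics text is constructed to mirror the layout shown on the page; 198.51.100.7 is a placeholder gateway address.

```python
"""Health check over `show security ipsec security-associations` and
`show security ipsec statistics` output from a Juniper SRX.

Added example, not from the original notes.  Both text blocks below are
constructed to mirror the layout on the page; the gateway address is an
RFC 5737 documentation address."""
import re

# Constructed sample of `show security ipsec security-associations`.
SA_OUTPUT = """\
Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 6c168f16 1227/ unlim U root 500 198.51.100.7
  >131073 ESP:aes-cbc-128/sha1 6eb49f04 1227/ unlim U root 500 198.51.100.7
"""

# Constructed sample of `show security ipsec statistics`.
STATS_OUTPUT = """\
ESP Statistics:
  Encrypted bytes:            7648616
  Decrypted bytes:            2763500
  Encrypted packets:            40389
  Decrypted packets:            32228
AH Statistics:
  Input bytes:                      0
  Output bytes:                     0
  Input packets:                    0
  Output packets:                   0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# One SA row: '<' is the inbound SA, '>' the outbound SA of the same tunnel ID.
SA_ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gateway>\S+)\s*$"
)


def parse_ipsec_sas(text):
    """Return {tunnel_id: {"inbound": row, "outbound": row}}."""
    tunnels = {}
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        direction = "inbound" if row.pop("dir") == "<" else "outbound"
        tunnels.setdefault(row["id"], {})[direction] = row
    return tunnels


def parse_ipsec_statistics(text):
    """Return {counter name: int} for every 'Name: number' pair, including the
    comma-separated pairs on the Errors lines.  Section headings such as
    'ESP Statistics:' are skipped because no number follows them."""
    pairs = re.findall(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)\b", text)
    return {name.strip(): int(value) for name, value in pairs}


def check_ipsec_health(sa_text, stats_text, min_life_sec=60):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings = []
    for tunnel_id, sas in parse_ipsec_sas(sa_text).items():
        # Both directions must be present; one missing = half-up phase 2
        for direction in ("inbound", "outbound"):
            if direction not in sas:
                findings.append(f"tunnel {tunnel_id}: no {direction} SA")
        for direction, row in sas.items():
            if row["mon"] == "D":  # VPN monitoring enabled and reporting down
                findings.append(f"tunnel {tunnel_id}: VPN monitoring reports {direction} SA down")
            if int(row["life_sec"]) < min_life_sec:  # rekey should already be running
                findings.append(f"tunnel {tunnel_id}: {direction} SA expires in {row['life_sec']}s")
    for name, value in parse_ipsec_statistics(stats_text).items():
        # Everything under Errors: auth/decrypt failures, replay errors, bad headers/trailers
        if value and re.search(r"failures|errors|Bad", name):
            findings.append(f"{name} = {value}")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec_health(SA_OUTPUT, STATS_OUTPUT) or ["tunnel healthy"]:
        print(finding)
```

Run it against the two outputs captured over SSH; since the statistics counters only grow, keep the previous sample and compare deltas if you want to alert on new replay errors rather than on a historical total.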
Reconnect IPSec
# Clear all IPsec SAs.
root@fw> clear security ipsec security-associations
# Clear SA by index
root@fw> clear security ipsec security-associations index 3201416
# Clear information about the current Internet Key Exchange security associations (IKE SAs).
clear security ike security-associations
local-identity & remote-identity
* For Network Address Translation Traversal (NAT-T), both remote identity and local identity must be configured.
# By default the device uses its IPv4 address as the IKE identity
Specify the local/remote IKE identity to send in the exchange with the destination peer to establish communication.
# Junos OS Release 11.4 syntax
remote-identity {
    (distinguished-name <container container-string> <wildcard wildcard-string> | hostname hostname | inet ip-address | key-id | user-at-hostname e-mail-address);
}
Modify
edit security ike gateway gateway-name