SRXで Route-based VPN

SRX同士でRoute-based VPNを作ったときの設定メモ

[SRX-1] ----- VPN ----- [SRX-2]

基本の設定

UnnumberedなんでIPふらなくて良い

[共通]

set interfaces st0 unit 0 family inet

※VPN接続先が複数ある場合、「st0 unit 1」「st0 unit 2」と増やす

system-services allじゃないならいれる

[共通]

set security zones security-zone Internet host-inbound-traffic system-services ike

対向同士全く同じ設定にする

※VPN接続先が複数あっても1つの設定でOK
　ただし、事前共有キーを分ける場合はike policy設定は分けないといけない

[共通]

set security ike proposal prop-basic authentication-method pre-shared-keys
set security ike proposal prop-basic dh-group group2
set security ike proposal prop-basic authentication-algorithm sha-256
set security ike proposal prop-basic encryption-algorithm 3des-cbc
set security ike proposal prop-basic lifetime-seconds 7200
set security ike policy pol-basic mode main
set security ike policy pol-basic proposals prop-basic
set security ike policy pol-basic pre-shared-key ascii-text "hogehogehugapiyo"

set security ipsec proposal prop-basic protocol esp
set security ipsec proposal prop-basic authentication-algorithm hmac-sha-256-128
set security ipsec proposal prop-basic encryption-algorithm 3des-cbc
set security ipsec proposal prop-basic lifetime-seconds 3600
set security ipsec policy proposals perfect-forward-secrecy keys group2
set security ipsec policy proposals proposals prop-basic

GWに対向のGIPふる

※対向のGIP同士で疎通が取れるようにFW設定しておく
※複数VPN接続先がある場合はgateway名を分けて接続先の数だけ設定が必要

[SRX-1]

set security ike gateway VPN-GW ike-policy pol-basic
set security ike gateway VPN-GW address 5.6.7.8
set security ike gateway VPN-GW external-interface ge-0/0/0

[SRX-2]

set security ike gateway VPN-GW ike-policy pol-basic
set security ike gateway VPN-GW address 1.2.3.4
set security ike gateway VPN-GW external-interface ge-0/0/0

GW設定後対向同士おなじ設定にする

※複数VPN接続先がある場合はvpn名を分けて複数記述する
　　→bind-interface、gatewayも適宜設定

[共通]

set security ipsec vpn vpn bind-interface st0.0
set security ipsec vpn vpn vpn-monitor optimized
set security ipsec vpn vpn ike gateway VPN-GW
set security ipsec vpn vpn ike ipsec-policy proposals
set security ipsec vpn vpn establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1300

各ZONEにVPN接続双方のLocalNW設定

※接続先が複数ある場合はVPN-REMOTE-A、VPN-REMOTE-B的な感じでふえていくはず

[SRX-1]

set security zones security-zone Internal address-book address VPN-LOCAL 10.1.1.0/24
set security zones security-zone VPN address-book address VPN-REMOTE 192.168.1.0/24

[SRX-2]

set security zones security-zone Internal address-book address VPN-LOCAL 192.168.1.0/24
set security zones security-zone VPN address-book address VPN-REMOTE 10.1.1.0/24

VPN接続双方のFW許可

※複数接続先がある場合、私は接続先数分設定を増やしてしまうけど
　address-setにしてまとめても良いのかもしれない。

[共通]

set security policies from-zone Internal to-zone VPN policy vpn_in match source-address VPN-LOCAL
set security policies from-zone Internal to-zone VPN policy vpn_in match destination-address VPN-REMOTE
set security policies from-zone Internal to-zone VPN policy vpn_in match application any
set security policies from-zone Internal to-zone VPN policy vpn_in then permit
set security policies from-zone VPN to-zone Internal policy vpn_out match source-address VPN-REMOTE
set security policies from-zone VPN to-zone Internal policy vpn_out match destination-address VPN-LOCAL
set security policies from-zone VPN to-zone Internal policy vpn_out match application any
set security policies from-zone VPN to-zone Internal policy vpn_out then permit

VPN用のスタティックルートを設定

※VPN接続先が複数ある場合、接続先数分設定が必要

[SRX-1]

set routing-options static route 192.168.1.0/24 next-hop st0.0

[SRX-1]

set routing-options static route 10.1.1.0/24 next-hop st0.0

設定反映

commit check
↓
commit

設定確認

こうなってたらOK！

root@SRX-1> show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1755220 UP     8e6467ff19021eb6  08fc6979efed5564  Main           5.6.7.8

root@SRX-1> show security ipsec sa  
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131075 ESP:3des/sha256 bb012cda 2994/ unlim U   root 500   5.6.7.8

root@SRX-2> show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1755220 UP     8e6467ff19021eb6  08fc6979efed5564  Main           1.2.3.4

root@SRX-2> show security ipsec sa  
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131075 ESP:3des/sha256 bb012cda 2994/ unlim U   root 500   1.2.3.4

今回のはまりポイント

１．上記の通り設定してもIKEがDOWNのまま！
２．しかもSRX-2のRemoteAddressのIPが設定したアドレスと違う！

root@SRX-1> show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1755220 DOWN     8e6467ff19021eb6  08fc6979efed5564  Unknown           5.6.7.8

root@SRX-2> show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1755220 DOWN     8e6467ff19021eb6  08fc6979efed5564  Unknown           1.2.3.3

設定を確認

root@SRX-2# show security ike gateway VPN-GW
ike-policy pol-basic;
address 1.2.3.4;
external-interface ge-0/0/0;

ログを出す

set system syslog file kmd daemon info
set system syslog file kmd match KMD
set system syslog file kmd archive size 500k
commit check
commit

run show log kmd or run start shell → tail -f /var/log/kmd


May 30 10:30:18  4a-b01-a3 kmd[1717]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 1.2.3.4/500, Remote: 5.6.7.8/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
May 30 10:30:22  4a-b01-a3 kmd[1717]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: vpn Gateway: VPN-GW, Local: 1.2.3.4/500, Remote: 5.6.7.8/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator

?

たまたま1個のロンイインターフェースにGIPを複数ふっていた（VLAN未使用

root@SRX-1# show interfaces 
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.2.3.4/24;
            address 1.2.3.3/24;
            address 1.2.3.5/24;
        }
    }
}

↑の場合、primary設定がないと一番数字の若いIPを見に行ってしまうらしい！
(きっちりIP指定してるのに・・・)

というわけで

root@SRX-1# show interfaces 
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.2.3.4/24 {
              primary;
              }
            address 1.2.3.3/24;
            address 1.2.3.5/24;
        }
    }
}

これでOK！