Edited at

Juniper vSRXでOracle CloudへIPsec VPN接続してみてみた

Juniper vSRX はセキュア インターネット ゲートウェイ製品です。

ネットワーク管理者は、高度なルーティング機能を備えた業界トップクラスの性能を誇るvSRX 仮想ファイアウォールを使用して、脅威に先んじ、ワークロードを保護しながら、高度な接続と IPsec および VPN 終端サービスを提供できます。

ということで、問い合わせも多いJuniper SRX と同等のIPSec接続設定をvSRX を用いてOracle Cloud Infrastructure(OCI)とのIPSec接続の設定してみてみます。

■構成

vSRXの導入は次の記事を参考とし、本手順はIPSec接続から行います。

Juniper vSRX Virtual FirewallをOracle Cloudにインストールしてみてみた


■OCI IPSec設定


●Customer-Premises Equipment作成

OCIの[Networking] > [ICustomer-Premises Equipment] 画面から[Create Customer-Premises Equipmentn]をクリックし以下内容を設定

・NAME:適当な名前を設定

・DRG:IPsec接続させる作成済みのDRGを設定
・STATIC ROUTE CIDER:対向側(FortiGate)のCIDERを設定 *後から追加変更削除可能です
・CPE IKE IDENTIFIER : FortiGateのWAN側Private IPを設定



[Create Premises Equipment]をクリックして作成


●IPSec Connection作成

①OCIの[Networking] > [IPsec Connetion] 画面から[Create IPsec Connection]をクリックし以下内容を設定



[Create IPsec Connection]をクリックして作成

②作成したIPsec ConnetionのVPN IP Addressを確認

③作成したIPsec ConnetionのShared Secretを確認

・Tunnel1(200.200.200.201)のShared Secret

・Tunnel2(200.200.200.202)のShared Secret


●Security List設定

IPSecに必要な 4500と500のUDP Portと対向の10.0.0.0/16と通信できるようにSecurity Listを設定


■vSRX IPSec設定

以下の設定コマンドを入力し、インターフェイス及びゾーンの作成と、スタティックルート(静的ルート)の設定を行います。

●管理者モードへ移行

root@% cli

root> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
root#


●IPsec IKE Phase1設定

以下の設定コマンドを入力し、IKE Phase1の設定を行います。

set security ike proposal oracle-ike-proposal authentication-method pre-shared-keys 

set security ike proposal oracle-ike-proposal authentication-algorithm sha-384
set security ike proposal oracle-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal oracle-ike-proposal lifetime-seconds 28800
set security ike proposal oracle-ike-proposal dh-group group5

set security ike policy ike_pol_oracle-vpn01 mode main
set security ike policy ike_pol_oracle-vpn01 proposals oracle-ike-proposal
set security ike policy ike_pol_oracle-vpn01 pre-shared-key ascii-text vSRXSharedSercret01
set security ike gateway gw_oracle01 ike-policy ike_pol_oracle-vpn01
set security ike gateway gw_oracle01 dead-peer-detection
set security ike gateway gw_oracle01 external-interface ge-0/0/0.0
set security ike gateway gw_oracle01 address 200.200.200.201

set security ike policy ike_pol_oracle-vpn02 mode main
set security ike policy ike_pol_oracle-vpn02 proposals oracle-ike-proposal
set security ike policy ike_pol_oracle-vpn02 pre-shared-key ascii-text vSRXSharedSercret02
set security ike gateway gw_oracle02 ike-policy ike_pol_oracle-vpn02
set security ike gateway gw_oracle02 dead-peer-detection
set security ike gateway gw_oracle02 external-interface ge-0/0/0.0
set security ike gateway gw_oracle02 address 200.200.200.202


●IPsec IKE Phase2設定

以下の設定コマンドを入力し、IKE Phase2の設定を行います。

set security ipsec proposal vpn-monitor-options

set security ipsec proposal oracle-ipsec-proposal protocol esp
set security ipsec proposal oracle-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal oracle-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal oracle-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec-pol-ipsec_pol_oracle-vpn perfect-forward-secrecy keys group5
set security ipsec policy ipsec-pol-ipsec_pol_oracle-vpn proposals oracle-ipsec-proposal

set security ipsec vpn oracle-vpn01 bind-interface st0.1
set security ipsec vpn oracle-vpn01 vpn-monitor
set security ipsec vpn oracle-vpn01 ike gateway gw_oracle01
set security ipsec vpn oracle-vpn01 ike ipsec-policy ipsec-pol-ipsec_pol_oracle-vpn
set security ipsec vpn oracle-vpn01 establish-tunnels immediately

set security ipsec vpn oracle-vpn02 bind-interface st0.2
set security ipsec vpn oracle-vpn02 vpn-monitor
set security ipsec vpn oracle-vpn02 ike gateway gw_oracle02
set security ipsec vpn oracle-vpn02 ike ipsec-policy ipsec-pol-ipsec_pol_oracle-vpn
set security ipsec vpn oracle-vpn02 establish-tunnels immediately


●Zone インターフェイス設定

・LAN側インターフェイス Zone設定

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

・WAN側インターフェイス Zone設定

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

・VPNインターフェイス Zone設定

set security zones security-zone vpn interfaces st0.1

set security zones security-zone vpn interfaces st0.2


●Policy設定

・trustゾーンとvpnゾーン間の通信を許可

set security policies from-zone trust to-zone vpn policy permit-all match source-address any

set security policies from-zone trust to-zone vpn policy permit-all match destination-address any
set security policies from-zone trust to-zone vpn policy permit-all match application any
set security policies from-zone trust to-zone vpn policy permit-all then permit
set security policies from-zone vpn to-zone trust policy permit-all match source-address any
set security policies from-zone vpn to-zone trust policy permit-all match destination-address any
set security policies from-zone vpn to-zone trust policy permit-all match application any
set security policies from-zone vpn to-zone trust policy permit-all then permit

・trustゾーンとuntrustゾーン間の通信を許可

set security policies from-zone trust to-zone trust policy default-permit match source-address any

set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security zones security-zone trust tcp-rst

・untrustゾーンからtrustゾーンへの通信はuntrust interfaces ge-0/0/0.0に個別設定したプロトコルのみ許可

set security policies from-zone untrust to-zone trust policy default-deny match source-address any

set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst


●設定保存

[edit]

root# commit
commit complete


■IPSec接続確認

以下のコマンドを入力して、IKE SA, IPsec SAが正常に確立していることを確認

root> show security ike security-associations

Index State Initiator cookie Responder cookie Mode Remote Address
39237 UP 86c315a81cc3 d8e9489d8d90 Main 200.200.200.201
39237 UP f56d3577d51f a4e83b20ea89 Main 200.200.200.202


●SA が確立されていることを確認

接続済みであればパケットがカウントされていきます

root> show security ipsec statistics

ESP Statistics:
Encrypted bytes: 258704
Decrypted bytes: 95284
Encrypted packets: 1702
Decrypted packets: 1700
・・・

root> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 264176
Decrypted bytes: 97300
Encrypted packets: 1738
Decrypted packets: 1736
・・・

.IPSec接続情報を出力して確認

root> show security ipsec security-associations detail


ID: 131073 Virtual-system: root, VPN Name: oracle-vpn01
Local Gateway: 10.0.2.201, Remote Gateway: 200.200.200.201
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
Port: 4500, Nego#: 91, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Tunnel events:
Sat Jul 06 2019 23:57:42 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:57:32 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 23:55:42 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:55:32 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 23:53:42 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:53:32 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 23:51:42 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:51:32 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 20:57:33 +0900: IKE SA negotiation successfully completed (35 times)
Direction: inbound, SPI: a50d0109, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3514 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2905 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 6e79af70, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3514 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2905 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

ID: 131074 Virtual-system: root, VPN Name: oracle-vpn02
Local Gateway: 10.0.2.201, Remote Gateway: 200.200.200.202
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
Port: 500, Nego#: 86, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Tunnel events:
Sat Jul 06 2019 23:58:22 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:58:12 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 23:56:32 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:56:22 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 23:54:32 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:54:22 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 23:52:32 +0900: IPSec SA negotiation successfully completed (1 times)
Sat Jul 06 2019 23:52:22 +0900: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared (1 times)
Sat Jul 06 2019 21:09:13 +0900: IKE SA negotiation successfully completed (1 times)
Direction: inbound, SPI: 96feb2a0, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3554 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2911 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 85b0170f, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3554 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2911 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64


●DRG IPsec Connection Status UP確認

IPsec ConnectionのStatusがUPしていることを確認


■接続確認

IPSec通信が確立できていることを確認するためにそれぞれのNetwork上にあるインスタン同士が通信できることを確認します


●ssh接続確認

・Tokyo --> Phoenix間インスタンス ssh接続確認

[opc@tokyo-inst01 ~]$ ssh -i <ssh鍵> opc@172.24.0.2 hostname

phoenix-inst1

・Phoenix --> Tokyo間インスタンス ssh接続確認

[opc@phoenix-inst1 ~]$ ssh -i <ssh鍵> opc@10.0.10.2 hostname

tokyo-inst01


■VPN Connect Metric確認

OCIコンソソールで各トンネルのIPSec接続のメトリックでStatus,Error,Sent/ReceivedのMonitoring情報を確認できます


■参考

【SRX】JUNOS ハンズオントレーニング資料 SRXシリーズ サービス ゲートウェイ コース