Overview
This is a configuration example for connecting a Juniper vSRX to OCI Site-to-Site VPN (IPsec).
Topology
Configuration example (static routing)
- OCI
From the OCI menu, select Networking >> Customer connectivity >> Site-to-Site VPN.
For the creation steps, refer to the following pages.
Setting up Site-to-Site VPN
https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/settingupIPsec.htm
CPE configuration: Juniper SRX
https://docs.oracle.com/ja-jp/iaas/Content/Network/Reference/junipersrxCPE.htm
The configuration shown here has already been created.
Networking >> Customer connectivity >> Site-to-Site VPN >> the created VPN
Networking >> Customer connectivity >> Site-to-Site VPN >> the created VPN >> Tunnel 1
Networking >> Customer connectivity >> Site-to-Site VPN >> the created VPN >> Tunnel 2
- vSRX
The vSRX Next Generation Firewall from AWS Marketplace was used.
The software version is 22.2R2.10.
For the creation steps, refer to the following page.
CPE configuration: Juniper SRX
https://docs.oracle.com/ja-jp/iaas/Content/Network/Reference/junipersrxCPE.htm
The configuration shown here has already been created.
set version 22.2R2.10
set groups aws-default system root-authentication encrypted-password *disabled*
set groups aws-default system scripts translation max-datasize 512m
set groups aws-default system login user ec2-user full-name juniper-aws-ec2-user
set groups aws-default system login user ec2-user uid 100
set groups aws-default system login user ec2-user class super-user
set groups aws-default system login user ec2-user authentication ssh-rsa "ssh-rsa ***** "
set groups aws-default system services ssh no-passwords
set groups aws-default system services netconf ssh
set groups aws-default system services web-management https system-generated-certificate
set groups aws-default system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set groups aws-default interfaces fxp0 unit 0 family inet dhcp
set apply-groups aws-default
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "*****"
set security ike proposal oracle-ike-proposal authentication-method pre-shared-keys
set security ike proposal oracle-ike-proposal dh-group group20
set security ike proposal oracle-ike-proposal authentication-algorithm sha-384
set security ike proposal oracle-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal oracle-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_oracle-vpn-tun1 mode main
set security ike policy ike_pol_oracle-vpn-tun1 reauth-frequency 0
set security ike policy ike_pol_oracle-vpn-tun1 proposals oracle-ike-proposal
set security ike policy ike_pol_oracle-vpn-tun1 pre-shared-key ascii-text "【PreSharedKey】"
set security ike policy ike_pol_oracle-vpn-tun2 mode main
set security ike policy ike_pol_oracle-vpn-tun2 reauth-frequency 0
set security ike policy ike_pol_oracle-vpn-tun2 proposals oracle-ike-proposal
set security ike policy ike_pol_oracle-vpn-tun2 pre-shared-key ascii-text "【PreSharedKey】"
set security ike gateway gw_oracle-tun1 ike-policy ike_pol_oracle-vpn-tun1
set security ike gateway gw_oracle-tun1 address 【OCI_Global_IP1】
set security ike gateway gw_oracle-tun1 dead-peer-detection optimized
set security ike gateway gw_oracle-tun1 local-identity inet 【CPE_Global_IP】
set security ike gateway gw_oracle-tun1 external-interface ge-0/0/0
set security ike gateway gw_oracle-tun1 local-address 10.2.4.101
set security ike gateway gw_oracle-tun1 version v2-only
set security ike gateway gw_oracle-tun2 ike-policy ike_pol_oracle-vpn-tun2
set security ike gateway gw_oracle-tun2 address 【OCI_Global_IP2】
set security ike gateway gw_oracle-tun2 dead-peer-detection optimized
set security ike gateway gw_oracle-tun2 local-identity inet 【CPE_Global_IP】
set security ike gateway gw_oracle-tun2 external-interface ge-0/0/0
set security ike gateway gw_oracle-tun2 local-address 10.2.4.101
set security ike gateway gw_oracle-tun2 version v2-only
set security ipsec vpn-monitor-options
set security ipsec proposal oracle-ipsec-proposal protocol esp
set security ipsec proposal oracle-ipsec-proposal encryption-algorithm aes-256-gcm
set security ipsec proposal oracle-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_oracle-vpn perfect-forward-secrecy keys group5
set security ipsec policy ipsec_pol_oracle-vpn proposals oracle-ipsec-proposal
set security ipsec vpn oracle-vpn-tun1 bind-interface st0.1
set security ipsec vpn oracle-vpn-tun1 df-bit clear
set security ipsec vpn oracle-vpn-tun1 ike gateway gw_oracle-tun1
set security ipsec vpn oracle-vpn-tun1 ike ipsec-policy ipsec_pol_oracle-vpn
set security ipsec vpn oracle-vpn-tun1 establish-tunnels immediately
set security ipsec vpn oracle-vpn-tun2 bind-interface st0.2
set security ipsec vpn oracle-vpn-tun2 df-bit clear
set security ipsec vpn oracle-vpn-tun2 ike gateway gw_oracle-tun2
set security ipsec vpn oracle-vpn-tun2 ike ipsec-policy ipsec_pol_oracle-vpn
set security ipsec vpn oracle-vpn-tun2 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1300
set security policies from-zone inside to-zone oracle_vpn policy vpn-out match source-address any-ipv4
set security policies from-zone inside to-zone oracle_vpn policy vpn-out match destination-address any-ipv4
set security policies from-zone inside to-zone oracle_vpn policy vpn-out match application any
set security policies from-zone inside to-zone oracle_vpn policy vpn-out match source-identity any
set security policies from-zone inside to-zone oracle_vpn policy vpn-out match dynamic-application none
set security policies from-zone inside to-zone oracle_vpn policy vpn-out then permit
set security policies from-zone inside to-zone oracle_vpn policy vpn-out then log session-init
set security policies from-zone inside to-zone oracle_vpn policy vpn-out then log session-close
set security policies from-zone oracle_vpn to-zone inside policy vpn-in match source-address oracle_vcn
set security policies from-zone oracle_vpn to-zone inside policy vpn-in match destination-address internal
set security policies from-zone oracle_vpn to-zone inside policy vpn-in match application any
set security policies from-zone oracle_vpn to-zone inside policy vpn-in match source-identity any
set security policies from-zone oracle_vpn to-zone inside policy vpn-in match dynamic-application none
set security policies from-zone oracle_vpn to-zone inside policy vpn-in then permit
set security policies from-zone oracle_vpn to-zone inside policy vpn-in then log session-init
set security policies from-zone oracle_vpn to-zone inside policy vpn-in then log session-close
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone inside address-book address internal 10.2.3.0/24
set security zones security-zone inside interfaces ge-0/0/1.0
set security zones security-zone oracle_vpn address-book address oracle_vcn 10.0.0.0/25
set security zones security-zone oracle_vpn interfaces st0.1 host-inbound-traffic system-services ping
set security zones security-zone oracle_vpn interfaces st0.2 host-inbound-traffic system-services ping
set interfaces ge-0/0/0 unit 0 family inet address 10.2.4.101/24
set interfaces ge-0/0/1 unit 0 family inet address 10.2.3.101/24
set interfaces st0 unit 1 family inet mtu 1340
set interfaces st0 unit 1 family inet address 192.168.0.9/30
set interfaces st0 unit 2 family inet mtu 1340
set interfaces st0 unit 2 family inet address 192.168.0.13/30
set routing-options static route 【OCI_Global_IP1】/32 next-hop 10.2.4.1
set routing-options static route 【OCI_Global_IP2】/32 next-hop 10.2.4.1
set routing-options static route 0.0.0.0/0 next-hop 10.2.0.1
set routing-options static route 10.0.0.0/24 next-hop st0.1
set routing-options static route 10.0.0.0/24 next-hop st0.2
IPsec status (excerpt)
ec2-user> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5269069 UP 59dbca753a3c9ed8 b431e69d74b42c9e IKEv2 【OCI_Global_IP1】
5269071 UP b1dc1297b827a247 2f4f43a3ecdc16fb IKEv2 【OCI_Global_IP2】
ec2-user> show security ipsec security-associations
Total active tunnels: 2 Total Ipsec sas: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-gcm-256/None 55f3a1a1 3023/ unlim - root 4500 【OCI_Global_IP1】
>131073 ESP:aes-gcm-256/None cfcc6f6d 3023/ unlim - root 4500 【OCI_Global_IP1】
<131074 ESP:aes-gcm-256/None 8e4a62ba 3143/ unlim - root 4500 【OCI_Global_IP2】
>131074 ESP:aes-gcm-256/None 257b2e36 3143/ unlim - root 4500 【OCI_Global_IP2】
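As an added check (not part of the original page or of Juniper's tooling), the following Python script parses the two `show` outputs above and verifies that every expected OCI peer has an IKEv2 SA in state UP and an inbound and outbound ESP SA using aes-gcm-256, as required by the `oracle-ipsec-proposal` and the `version v2-only` gateway settings. The sample output is constructed from the excerpt above with the 【OCI_Global_IP1】/【OCI_Global_IP2】 placeholders replaced by the TEST-NET-3 addresses 203.0.113.10 and 203.0.113.20 (an assumption for the example); in practice, feed it the text of `show security ike security-associations` and `show security ipsec security-associations` collected from the vSRX, for example over the NETCONF service the `aws-default` group enables.

```python
"""Verify Junos IKE/IPsec SA output against the two-tunnel OCI design."""
import re

# Constructed sample: 203.0.113.10/.20 stand in for 【OCI_Global_IP1】/【OCI_Global_IP2】.
EXPECTED_PEERS = {"203.0.113.10", "203.0.113.20"}
EXPECTED_ESP = "ESP:aes-gcm-256/None"  # what oracle-ipsec-proposal negotiates

IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
5269069 UP     59dbca753a3c9ed8  b431e69d74b42c9e  IKEv2  203.0.113.10
5269071 UP     b1dc1297b827a247  2f4f43a3ecdc16fb  IKEv2  203.0.113.20
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 2     Total Ipsec sas: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None 55f3a1a1 3023/ unlim - root 4500 203.0.113.10
  >131073 ESP:aes-gcm-256/None cfcc6f6d 3023/ unlim - root 4500 203.0.113.10
  <131074 ESP:aes-gcm-256/None 8e4a62ba 3143/ unlim - root 4500 203.0.113.20
  >131074 ESP:aes-gcm-256/None 257b2e36 3143/ unlim - root 4500 203.0.113.20
"""

IKE_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)\s*$"
)
IPSEC_ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+"
    r"(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gateway>\S+)\s*$"
)


def parse_ike_sas(text):
    """One dict per IKE SA row; header and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            d = m.groupdict()
            d["index"] = int(d["index"])
            sas.append(d)
    return sas


def parse_ipsec_sas(text):
    """One dict per ESP SA row ('<' inbound, '>' outbound)."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["life_sec"], d["port"] = int(d["id"]), int(d["life_sec"]), int(d["port"])
            sas.append(d)
    return sas


def check_tunnels(ike_sas, ipsec_sas, peers, expected_esp=EXPECTED_ESP):
    """Return a list of findings; an empty list means both tunnels look healthy."""
    findings = []
    ike_by_peer = {sa["remote"]: sa for sa in ike_sas}
    for peer in sorted(peers):
        ike = ike_by_peer.get(peer)
        if ike is None:
            findings.append(f"{peer}: no IKE SA (tunnel down or not negotiated)")
        elif ike["state"] != "UP":
            findings.append(f"{peer}: IKE SA state {ike['state']}")
        elif ike["mode"] != "IKEv2":
            findings.append(f"{peer}: negotiated {ike['mode']}, gateway is configured version v2-only")
        for direction, label in (("<", "inbound"), (">", "outbound")):
            matches = [sa for sa in ipsec_sas if sa["gateway"] == peer and sa["dir"] == direction]
            if not matches:
                findings.append(f"{peer}: missing {label} IPsec SA")
                continue
            for sa in matches:
                if sa["alg"] != expected_esp:
                    findings.append(f"{peer}: {label} SA uses {sa['alg']}, expected {expected_esp}")
                if sa["life_sec"] <= 0:
                    findings.append(f"{peer}: {label} SA lifetime expired")
    # An SA to a gateway that is not in the design is worth a look on its own.
    for sa in ipsec_sas:
        if sa["gateway"] not in peers:
            findings.append(f"{sa['gateway']}: IPsec SA to an unexpected peer")
    return findings


def audit(ike_text=IKE_SA_OUTPUT, ipsec_text=IPSEC_SA_OUTPUT, peers=EXPECTED_PEERS):
    return check_tunnels(parse_ike_sas(ike_text), parse_ipsec_sas(ipsec_text), peers)


if __name__ == "__main__":
    for finding in audit() or ["both tunnels healthy"]:
        print(finding)
```

Run it periodically (or from a monitoring job) and alert on any non-empty result; a missing IKE SA for one peer means the second tunnel is down and the redundancy the two-tunnel design relies on is gone even while traffic still flows.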
- Ping test
Ping result from the AWS server to the OCI server
[ec2-user@ip-10-2-3-102 .ssh]$ ping 10.0.0.105
PING 10.0.0.105 (10.0.0.105) 56(84) bytes of data.
64 bytes from 10.0.0.105: icmp_seq=1 ttl=60 time=4.04 ms
64 bytes from 10.0.0.105: icmp_seq=2 ttl=60 time=3.95 ms
64 bytes from 10.0.0.105: icmp_seq=3 ttl=60 time=4.00 ms
64 bytes from 10.0.0.105: icmp_seq=4 ttl=60 time=3.99 ms
^C
--- 10.0.0.105 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 3.954/3.998/4.040/0.054 ms
Ping result from the OCI server to the AWS server
[opc@t-vm10-0-0-105 ~]$ ping 10.2.3.102
PING 10.2.3.102 (10.2.3.102) 56(84) bytes of data.
64 bytes from 10.2.3.102: icmp_seq=1 ttl=252 time=3.68 ms
64 bytes from 10.2.3.102: icmp_seq=2 ttl=252 time=4.04 ms
64 bytes from 10.2.3.102: icmp_seq=3 ttl=252 time=3.89 ms
64 bytes from 10.2.3.102: icmp_seq=4 ttl=252 time=3.91 ms
^C
--- 10.2.3.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 3.675/3.878/4.039/0.144 ms
Configuration example (BGP)
Change the static routing configuration as follows.
[OCI]
- Edit Networking >> Customer connectivity >> Site-to-Site VPN >> the created VPN >> Tunnel 1 and change the routing type to BGP
- Edit Networking >> Customer connectivity >> Site-to-Site VPN >> the created VPN >> Tunnel 2 and change the routing type to BGP
- Edit Networking >> Customer connectivity >> Site-to-Site VPN >> the created VPN and delete the static route configured under "Routes to your on-premises network"
[vSRX]
- Delete the static routes toward the OCI VCN (the following `set` statements identify the routes to remove)
set routing-options static route 10.0.0.0/24 next-hop st0.1
set routing-options static route 10.0.0.0/24 next-hop st0.2
- Add BGP
To prefer tunnel 1, AS path prepend is applied to the BGP session for tunnel 2: `route-export2` prepends the local AS 64512 on the prefix advertised to OCI, and `route-import2` prepends the peer AS 31898 on the prefix received from OCI, so tunnel 1 wins the path selection in both directions.
set policy-options policy-statement route-export1 term default from route-filter 10.2.3.0/24 exact
set policy-options policy-statement route-export1 term default then accept
set policy-options policy-statement route-export1 term reject then reject
set policy-options policy-statement route-export2 term default from route-filter 10.2.3.0/24 exact
set policy-options policy-statement route-export2 term default then as-path-prepend 64512
set policy-options policy-statement route-export2 term default then accept
set policy-options policy-statement route-export2 term reject then reject
set policy-options policy-statement route-import2 term default then as-path-prepend 31898
set policy-options policy-statement route-import2 term default then accept
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 192.168.0.10 export route-export1
set protocols bgp group ebgp neighbor 192.168.0.10 peer-as 31898
set protocols bgp group ebgp neighbor 192.168.0.10 local-as 64512
set protocols bgp group ebgp neighbor 192.168.0.14 import route-import2
set protocols bgp group ebgp neighbor 192.168.0.14 export route-export2
set protocols bgp group ebgp neighbor 192.168.0.14 peer-as 31898
set protocols bgp group ebgp neighbor 192.168.0.14 local-as 64512
BGP verification
ec2-user> show route
inet.0: 15 destinations, 18 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/25 *[BGP/170] 00:16:46, localpref 100
AS path: 31898 I, validation-state: unverified
> to 192.168.0.10 via st0.1
[BGP/170] 00:19:25, localpref 100
AS path: 31898 31898 I, validation-state: unverified
> to 192.168.0.14 via st0.2
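As an added check (not part of the original page), the following Python script parses the `show route` output above and verifies that the AS-path-prepend design is in effect: the active path to the VCN prefix goes via st0.1, a backup path via st0.2 exists, both were learned from OCI's AS 31898, and the backup path carries the longer (prepended) AS path so that it only takes over when tunnel 1 fails. The sample output is constructed from the excerpt above; the prefix 10.0.0.0/25, the st0.1/st0.2 interface names and the AS numbers come from the page, and the function parameters let you check any other prefix.

```python
"""Check that tunnel 1 is the preferred BGP path and tunnel 2 is a prepended backup."""
import re

# Constructed sample, built from the 'show route' excerpt on the page.
SHOW_ROUTE_OUTPUT = """\
inet.0: 15 destinations, 18 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/25        *[BGP/170] 00:16:46, localpref 100
                      AS path: 31898 I, validation-state: unverified
                    >  to 192.168.0.10 via st0.1
                    [BGP/170] 00:19:25, localpref 100
                      AS path: 31898 31898 I, validation-state: unverified
                    >  to 192.168.0.14 via st0.2
"""

PREFIX_RE = re.compile(r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s*(?P<rest>.*)$")
ROUTE_RE = re.compile(r"^\s*(?P<active>\*?)\[(?P<proto>\w+)/(?P<pref>\d+)\]")
ASPATH_RE = re.compile(r"AS path:\s*(?P<asns>[0-9 ]*?)\s*(?P<origin>[IE?])")
NEXTHOP_RE = re.compile(r"to (?P<nh>\S+) via (?P<ifc>\S+)")


def parse_show_route(text):
    """Return one dict per path; a prefix line may carry its first path inline."""
    paths, prefix, current = [], None, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix, line = m.group("prefix"), m.group("rest")
        m = ROUTE_RE.match(line)
        if m and prefix:
            current = {"prefix": prefix, "active": m.group("active") == "*",
                       "protocol": m.group("proto"), "preference": int(m.group("pref")),
                       "as_path": [], "origin": None, "next_hop": None, "interface": None}
            paths.append(current)
            continue
        if current is None:
            continue
        m = ASPATH_RE.search(line)
        if m:
            current["as_path"] = m.group("asns").split()
            current["origin"] = m.group("origin")
            continue
        m = NEXTHOP_RE.search(line)
        if m:
            current["next_hop"], current["interface"] = m.group("nh"), m.group("ifc")
    return paths


def preferred_interface(paths, prefix):
    """Interface of the active path for prefix, or None if there is none."""
    for p in paths:
        if p["prefix"] == prefix and p["active"]:
            return p["interface"]
    return None


def check_tunnel_preference(paths, prefix, primary, backup, peer_as):
    """Findings for the prepend design; an empty list means it is working as intended."""
    findings = []
    routes = [p for p in paths if p["prefix"] == prefix and p["protocol"] == "BGP"]
    active = [p for p in routes if p["active"]]
    if len(active) != 1:
        findings.append(f"{prefix}: expected exactly one active BGP path, found {len(active)}")
        return findings
    act = active[0]
    if act["interface"] != primary:
        findings.append(f"{prefix}: active path is via {act['interface']}, expected {primary}")
    backups = [p for p in routes if p["interface"] == backup]
    if not backups:
        findings.append(f"{prefix}: no backup path via {backup}; failover to tunnel 2 would not work")
    for p in routes:
        if not p["as_path"] or p["as_path"][0] != peer_as:
            findings.append(f"{prefix}: path via {p['interface']} not learned from AS {peer_as}")
    for b in backups:
        if len(b["as_path"]) <= len(act["as_path"]):
            findings.append(f"{prefix}: backup via {backup} AS path {b['as_path']} is not longer "
                            f"than the active path {act['as_path']}; prepend is missing")
    return findings


if __name__ == "__main__":
    routes = parse_show_route(SHOW_ROUTE_OUTPUT)
    print("preferred:", preferred_interface(routes, "10.0.0.0/25"))
    for f in check_tunnel_preference(routes, "10.0.0.0/25", "st0.1", "st0.2", "31898") or ["ok"]:
        print(f)
```

Because localpref and route preference are equal for both paths in this design, AS path length is the only thing keeping traffic on tunnel 1; if someone later removes `route-import2` from the st0.2 neighbor, this check reports the missing prepend instead of silently letting traffic split or move to tunnel 2.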
- Ping test
Ping result from the AWS server to the OCI server
[ec2-user@ip-10-2-3-102 .ssh]$ ping 10.0.0.105
PING 10.0.0.105 (10.0.0.105) 56(84) bytes of data.
64 bytes from 10.0.0.105: icmp_seq=1 ttl=60 time=4.95 ms
64 bytes from 10.0.0.105: icmp_seq=2 ttl=60 time=4.85 ms
64 bytes from 10.0.0.105: icmp_seq=3 ttl=60 time=4.93 ms
64 bytes from 10.0.0.105: icmp_seq=4 ttl=60 time=4.85 ms
64 bytes from 10.0.0.105: icmp_seq=5 ttl=60 time=4.78 ms
^C
--- 10.0.0.105 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 4.788/4.877/4.951/0.058 ms
[ec2-user@ip-10-2-3-102 .ssh]$
Ping result from the OCI server to the AWS server
[opc@t-vm10-0-0-105 ~]$ ping 10.2.3.102
PING 10.2.3.102 (10.2.3.102) 56(84) bytes of data.
64 bytes from 10.2.3.102: icmp_seq=1 ttl=252 time=3.77 ms
64 bytes from 10.2.3.102: icmp_seq=2 ttl=252 time=3.99 ms
64 bytes from 10.2.3.102: icmp_seq=3 ttl=252 time=3.93 ms
64 bytes from 10.2.3.102: icmp_seq=4 ttl=252 time=3.88 ms
^C
--- 10.2.3.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 3.772/3.890/3.987/0.100 ms
[opc@t-vm10-0-0-105 ~]$