© 2018 Juniper Networks
Juniper SRX Japanese Manual, 6. Hub-and-Spoke VPN CLI Configuration
Introduction
This chapter explains how to configure a Hub-and-Spoke VPN from the CLI.
Note: the procedure was verified on an SRX300 running Junos OS 15.1X49-D140.
August 2018
Hub-and-Spoke VPN
Configuration overview
(Topology diagram. The three sites and the addresses used throughout this chapter:)
Corporate office (hub): LAN 10.10.10.0/24 on ge-0/0/0 (10.10.10.1, zone trust); Internet on ge-0/0/3 1.1.1.2/30 (zone untrust); st0.0 10.11.11.10 (zone vpn)
Sunnyvale (spoke): Internet on ge-0/0/0 2.2.2.2/30 (zone untrust); LAN 192.168.168.0/24 on ge-0/0/3 (192.168.168.1, zone trust); st0.0 10.11.11.11 (zone vpn)
Westford (spoke): Internet on ge-0/0/0 3.3.3.2/30 (zone untrust); LAN 192.168.178.0/24 on ge-0/0/3 (192.168.178.1, zone trust); st0.0 10.11.11.12 (zone vpn)
Each spoke has a single tunnel to the hub; traffic between the two spokes passes through the hub.
Hub-and-Spoke VPN (Corporate office)
① Interface configuration
② Bind interfaces to security zones (only IKE is admitted on the untrust interface; this lab opens all system services on trust)
③ Routing configuration: the routes to the spoke LANs use each spoke's st0.0 address as next hop, which step ⑥ maps to a tunnel with next-hop-tunnel
user@srx# set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
user@srx# set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
user@srx# set interfaces st0 unit 0 family inet address 10.11.11.10/24
user@srx# set security zones security-zone untrust interfaces ge-0/0/3.0
user@srx# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srx# set security zones security-zone trust interfaces ge-0/0/0.0
user@srx# set security zones security-zone trust host-inbound-traffic system-services all
user@srx# set security zones security-zone vpn interfaces st0.0
user@srx# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
user@srx# set routing-options static route 192.168.168.0/24 next-hop 10.11.11.11
user@srx# set routing-options static route 192.168.178.0/24 next-hop 10.11.11.12
Hub-and-Spoke VPN (Corporate office)
④ Address book configuration
⑤ IKE (Phase 1) configuration: proposal, policy, gateway. The proposal (group2, sha1, aes-128-cbc, main mode with a pre-shared key) is the one verified in this lab and must be identical on all three sites. "$ABC123" is a placeholder to be replaced by a long random key, and group2 is 1024-bit MODP, so a production deployment should use group14 or stronger.
user@srx# set security address-book book1 address local-net 10.10.10.0/24
user@srx# set security address-book book1 attach zone trust
user@srx# set security address-book book2 address sunnyvale-net 192.168.168.0/24
user@srx# set security address-book book2 address westford-net 192.168.178.0/24
user@srx# set security address-book book2 attach zone vpn
user@srx# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
user@srx# set security ike proposal ike-phase1-proposal dh-group group2
user@srx# set security ike proposal ike-phase1-proposal authentication-algorithm sha1
user@srx# set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
user@srx# set security ike policy ike-phase1-policy mode main
user@srx# set security ike policy ike-phase1-policy proposals ike-phase1-proposal
user@srx# set security ike policy ike-phase1-policy pre-shared-key ascii-text "$ABC123"
user@srx# set security ike gateway gw-westford external-interface ge-0/0/3.0
user@srx# set security ike gateway gw-westford ike-policy ike-phase1-policy
user@srx# set security ike gateway gw-westford address 3.3.3.2
user@srx# set security ike gateway gw-sunnyvale external-interface ge-0/0/3.0
user@srx# set security ike gateway gw-sunnyvale ike-policy ike-phase1-policy
user@srx# set security ike gateway gw-sunnyvale address 2.2.2.2
Hub-and-Spoke VPN (Corporate office)
⑥ IPsec (Phase 2) configuration: proposal, policy, VPN. Both VPNs bind to the same st0.0, so the unit is declared multipoint and next-hop-tunnel maps each spoke's st0.0 address to its VPN; this is how the static routes of step ③ select the right tunnel.
⑦ TCP MSS adjustment (note: the value must be tuned to your environment)
user@srx# set security ipsec proposal ipsec-phase2-proposal protocol esp
user@srx# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
user@srx# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
user@srx# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
user@srx# set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
user@srx# set security ipsec vpn vpn-westford ike gateway gw-westford
user@srx# set security ipsec vpn vpn-westford ike ipsec-policy ipsec-phase2-policy
user@srx# set security ipsec vpn vpn-westford bind-interface st0.0
user@srx# set security ipsec vpn vpn-sunnyvale ike gateway gw-sunnyvale
user@srx# set security ipsec vpn vpn-sunnyvale ike ipsec-policy ipsec-phase2-policy
user@srx# set security ipsec vpn vpn-sunnyvale bind-interface st0.0
user@srx# set interfaces st0 unit 0 multipoint
user@srx# set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.11 ipsec-vpn vpn-sunnyvale
user@srx# set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.12 ipsec-vpn vpn-westford
user@srx# set security flow tcp-mss ipsec-vpn mss 1350
Hub-and-Spoke VPN (Corporate office)
⑧ Security policy configuration. Both spokes are reached through st0.0 in zone vpn, so spoke-to-spoke traffic is intra-zone on the hub and is denied until the vpn-to-vpn policy permits it; this lab permits any/any there, a tighter policy would match sunnyvale-net and westford-net.
user@srx# set security policies from-zone trust to-zone vpn policy local-to-spokes match source-address local-net
user@srx# set security policies from-zone trust to-zone vpn policy local-to-spokes match destination-address sunnyvale-net
user@srx# set security policies from-zone trust to-zone vpn policy local-to-spokes match destination-address westford-net
user@srx# set security policies from-zone trust to-zone vpn policy local-to-spokes match application any
user@srx# set security policies from-zone trust to-zone vpn policy local-to-spokes then permit
user@srx# set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address sunnyvale-net
user@srx# set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address westford-net
user@srx# set security policies from-zone vpn to-zone trust policy spokes-to-local match destination-address local-net
user@srx# set security policies from-zone vpn to-zone trust policy spokes-to-local match application any
user@srx# set security policies from-zone vpn to-zone trust policy spokes-to-local then permit
user@srx# set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match source-address any
user@srx# set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match destination-address any
user@srx# set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match application any
user@srx# set security policies from-zone vpn to-zone vpn policy spoke-to-spoke then permit
Hub-and-Spoke VPN (Westford)
① Interface configuration
② Bind interfaces to security zones
③ Routing configuration (the corporate LAN and the other spoke's LAN are both reached through the hub's st0.0 address)
user@srx# set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.2/30
user@srx# set interfaces ge-0/0/3 unit 0 family inet address 192.168.178.1/24
user@srx# set interfaces st0 unit 0 family inet address 10.11.11.12/24
user@srx# set security zones security-zone untrust interfaces ge-0/0/0.0
user@srx# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srx# set security zones security-zone trust interfaces ge-0/0/3.0
user@srx# set security zones security-zone trust host-inbound-traffic system-services all
user@srx# set security zones security-zone vpn interfaces st0.0
user@srx# set routing-options static route 0.0.0.0/0 next-hop 3.3.3.1
user@srx# set routing-options static route 10.10.10.0/24 next-hop 10.11.11.10
user@srx# set routing-options static route 192.168.168.0/24 next-hop 10.11.11.10
Hub-and-Spoke VPN (Westford)
④ Address book configuration
⑤ IKE (Phase 1) configuration: proposal, policy, gateway (the proposal and the pre-shared key must match the hub)
user@srx# set security address-book book1 address local-net 192.168.178.0/24
user@srx# set security address-book book1 attach zone trust
user@srx# set security address-book book2 address corp-net 10.10.10.0/24
user@srx# set security address-book book2 address sunnyvale-net 192.168.168.0/24
user@srx# set security address-book book2 attach zone vpn
user@srx# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
user@srx# set security ike proposal ike-phase1-proposal dh-group group2
user@srx# set security ike proposal ike-phase1-proposal authentication-algorithm sha1
user@srx# set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
user@srx# set security ike policy ike-phase1-policy mode main
user@srx# set security ike policy ike-phase1-policy proposals ike-phase1-proposal
user@srx# set security ike policy ike-phase1-policy pre-shared-key ascii-text "$ABC123"
user@srx# set security ike gateway gw-corporate external-interface ge-0/0/0.0
user@srx# set security ike gateway gw-corporate ike-policy ike-phase1-policy
user@srx# set security ike gateway gw-corporate address 1.1.1.2
Hub-and-Spoke VPN (Westford)
⑥ IPsec (Phase 2) configuration: proposal, policy, VPN (a spoke has a single VPN bound to st0.0, so neither multipoint nor next-hop-tunnel is needed)
⑦ TCP MSS adjustment
user@srx# set security ipsec proposal ipsec-phase2-proposal protocol esp
user@srx# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
user@srx# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
user@srx# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
user@srx# set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
user@srx# set security ipsec vpn vpn-corporate ike gateway gw-corporate
user@srx# set security ipsec vpn vpn-corporate ike ipsec-policy ipsec-phase2-policy
user@srx# set security ipsec vpn vpn-corporate bind-interface st0.0
user@srx# set security flow tcp-mss ipsec-vpn mss 1350
Hub-and-Spoke VPN (Westford)
⑧ Security policy configuration
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match source-address local-net
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match destination-address corp-net
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match destination-address sunnyvale-net
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match application any
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate then permit
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match source-address corp-net
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match source-address sunnyvale-net
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match destination-address local-net
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match application any
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate then permit
Hub-and-Spoke VPN (Sunnyvale)
① Interface configuration
② Bind interfaces to security zones
③ Routing configuration (the corporate LAN and the other spoke's LAN are both reached through the hub's st0.0 address)
user@srx# set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/30
user@srx# set interfaces ge-0/0/3 unit 0 family inet address 192.168.168.1/24
user@srx# set interfaces st0 unit 0 family inet address 10.11.11.11/24
user@srx# set security zones security-zone untrust interfaces ge-0/0/0.0
user@srx# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srx# set security zones security-zone trust interfaces ge-0/0/3.0
user@srx# set security zones security-zone trust host-inbound-traffic system-services all
user@srx# set security zones security-zone vpn interfaces st0.0
user@srx# set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
user@srx# set routing-options static route 10.10.10.0/24 next-hop 10.11.11.10
user@srx# set routing-options static route 192.168.178.0/24 next-hop 10.11.11.10
Hub-and-Spoke VPN (Sunnyvale)
④ Address book configuration
⑤ IKE (Phase 1) configuration: proposal, policy, gateway (the proposal and the pre-shared key must match the hub)
user@srx# set security address-book book1 address local-net 192.168.168.0/24
user@srx# set security address-book book1 attach zone trust
user@srx# set security address-book book2 address corp-net 10.10.10.0/24
user@srx# set security address-book book2 address westford-net 192.168.178.0/24
user@srx# set security address-book book2 attach zone vpn
user@srx# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
user@srx# set security ike proposal ike-phase1-proposal dh-group group2
user@srx# set security ike proposal ike-phase1-proposal authentication-algorithm sha1
user@srx# set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
user@srx# set security ike policy ike-phase1-policy mode main
user@srx# set security ike policy ike-phase1-policy proposals ike-phase1-proposal
user@srx# set security ike policy ike-phase1-policy pre-shared-key ascii-text "$ABC123"
user@srx# set security ike gateway gw-corporate external-interface ge-0/0/0.0
user@srx# set security ike gateway gw-corporate ike-policy ike-phase1-policy
user@srx# set security ike gateway gw-corporate address 1.1.1.2
Hub-and-Spoke VPN (Sunnyvale)
⑥ IPsec (Phase 2) configuration: proposal, policy, VPN
⑦ TCP MSS adjustment
user@srx# set security ipsec proposal ipsec-phase2-proposal protocol esp
user@srx# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
user@srx# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
user@srx# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
user@srx# set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
user@srx# set security ipsec vpn vpn-corporate ike gateway gw-corporate
user@srx# set security ipsec vpn vpn-corporate ike ipsec-policy ipsec-phase2-policy
user@srx# set security ipsec vpn vpn-corporate bind-interface st0.0
user@srx# set security flow tcp-mss ipsec-vpn mss 1350
Hub-and-Spoke VPN (Sunnyvale)
⑧ Security policy configuration
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match source-address local-net
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match destination-address corp-net
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match destination-address westford-net
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate match application any
user@srx# set security policies from-zone trust to-zone vpn policy to-corporate then permit
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match source-address corp-net
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match source-address westford-net
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match destination-address local-net
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate match application any
user@srx# set security policies from-zone vpn to-zone trust policy from-corporate then permit
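The eight steps above are repeated per site, and the values that have to agree across sites (each spoke's st0.0 address in the hub's next-hop-tunnel entries, the gateway addresses on both ends, the pre-shared key, the hub's static routes into the tunnel subnet, and multipoint on a shared st0 unit) are where a configuration that commits cleanly still leaves a tunnel dead. The following Python script is an added example, not code from the manual: it parses Junos 'set' commands (as pasted from this chapter or from 'show configuration | display set') for the hub and each spoke and reports every mismatch it finds. The sample commands are abridged from the three sites above; the parser, the checks and the finding texts are this example's own.

```python
"""Cross-check the 'set' commands of a Junos hub-and-spoke VPN for the
mismatches that commit cleanly but leave a tunnel dead.  Added example, not
code from the manual; the sample commands are abridged from its three sites.
"""
import ipaddress


def parse_set(text):
    """Extract the fields the checks need from Junos 'set' commands."""
    cfg = {"addr": {}, "nht": {}, "gw_addr": {}, "gw_ext": {}, "vpn_gw": {},
           "vpn_bind": {}, "routes": {}, "psk": None, "multipoint": False}
    for line in text.splitlines():
        t = line.replace("user@srx#", "").split()
        if t[:1] != ["set"] or len(t) < 4:
            continue
        t = t[1:]
        if t[0] == "interfaces":
            if "address" in t:                        # "<ifd>.<unit>" -> address/prefix
                cfg["addr"][f"{t[1]}.{t[3]}"] = t[t.index("address") + 1]
            elif "next-hop-tunnel" in t:              # tunnel next hop -> VPN name
                i = t.index("next-hop-tunnel")
                cfg["nht"][t[i + 1]] = t[i + 3]
            elif t[-1] == "multipoint":
                cfg["multipoint"] = True
        elif t[:3] == ["security", "ike", "gateway"] and len(t) > 5:
            if t[4] == "address":
                cfg["gw_addr"][t[3]] = t[5]
            elif t[4] == "external-interface":
                cfg["gw_ext"][t[3]] = t[5]
        elif t[:3] == ["security", "ipsec", "vpn"] and len(t) > 5:
            if t[4:6] == ["ike", "gateway"]:
                cfg["vpn_gw"][t[3]] = t[6]
            elif t[4] == "bind-interface":
                cfg["vpn_bind"][t[3]] = t[5]
        elif t[:3] == ["routing-options", "static", "route"]:
            cfg["routes"][t[3]] = t[5]                # prefix -> next hop
        elif "pre-shared-key" in t:
            cfg["psk"] = t[-1].strip('"')
    return cfg


def wan_ip(cfg, gw):
    # Address (without prefix) of the interface an IKE gateway is bound to.
    return cfg["addr"].get(cfg["gw_ext"].get(gw, ""), "?").split("/")[0]


def check_hub_and_spoke(hub_text, spokes):
    """Return a list of findings; an empty list means hub and spokes agree."""
    h, out = parse_set(hub_text), []
    tunnel_net = ipaddress.ip_network(h["addr"]["st0.0"], strict=False)
    for name, text in spokes.items():
        s = parse_set(text)
        st0 = s["addr"].get("st0.0", "?").split("/")[0]
        vpn = h["nht"].get(st0)                       # hub VPN that reaches this spoke
        if vpn is None:
            out.append(f"{name}: hub has no next-hop-tunnel for st0 address {st0}")
            continue
        hub_gw = h["vpn_gw"].get(vpn)
        if h["gw_addr"].get(hub_gw) != wan_ip(s, next(iter(s["gw_ext"]), "")):
            out.append(f"{name}: hub gateway {hub_gw} does not point at the spoke WAN address")
        for sgw, peer in s["gw_addr"].items():        # the spoke must point back at the hub
            if peer != wan_ip(h, hub_gw):
                out.append(f"{name}: gateway {sgw} points at {peer}, hub WAN is {wan_ip(h, hub_gw)}")
        if s["psk"] != h["psk"]:
            out.append(f"{name}: pre-shared key differs from the hub")
    for prefix, nh in h["routes"].items():            # a route into the tunnel subnet needs a tunnel
        if ipaddress.ip_address(nh) in tunnel_net and nh not in h["nht"]:
            out.append(f"hub: route {prefix} via {nh} has no next-hop-tunnel")
    if sum(i == "st0.0" for i in h["vpn_bind"].values()) > 1 and not h["multipoint"]:
        out.append("hub: several VPNs bind st0.0 but the unit is not multipoint")
    return out


# Abridged from the chapter's Corporate office (hub), Westford and Sunnyvale steps.
HUB = """\
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.11 ipsec-vpn vpn-sunnyvale
set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.12 ipsec-vpn vpn-westford
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop 10.11.11.11
set routing-options static route 192.168.178.0/24 next-hop 10.11.11.12
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway gw-westford external-interface ge-0/0/3.0
set security ike gateway gw-westford address 3.3.3.2
set security ike gateway gw-sunnyvale external-interface ge-0/0/3.0
set security ike gateway gw-sunnyvale address 2.2.2.2
set security ipsec vpn vpn-westford ike gateway gw-westford
set security ipsec vpn vpn-westford bind-interface st0.0
set security ipsec vpn vpn-sunnyvale ike gateway gw-sunnyvale
set security ipsec vpn vpn-sunnyvale bind-interface st0.0
"""
WESTFORD = """\
set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.2/30
set interfaces st0 unit 0 family inet address 10.11.11.12/24
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway gw-corporate external-interface ge-0/0/0.0
set security ike gateway gw-corporate address 1.1.1.2
set security ipsec vpn vpn-corporate ike gateway gw-corporate
set security ipsec vpn vpn-corporate bind-interface st0.0
"""
SUNNYVALE = WESTFORD.replace("3.3.3.2/30", "2.2.2.2/30").replace("10.11.11.12", "10.11.11.11")
SPOKES = {"westford": WESTFORD, "sunnyvale": SUNNYVALE}
```

check_hub_and_spoke(HUB, SPOKES) returns an empty list for the chapter's three sites. Feeding it a copy of WESTFORD whose st0.0 address has been mistyped as 10.11.11.13, or a hub whose gw-sunnyvale address is off by one, produces a single finding naming the spoke and the field; removing the multipoint line from the hub is reported as well, since Junos will not accept two VPNs bound to a point-to-point st0 unit.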
Hub-and-Spoke VPN (Corporate office)
Configuration check
user@srx# show
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$xwZ-d4oaDqfFVbsgaJji.mfTn/Ap0IhSkPfFnCtu"; ## SECRET-DATA
        }
        gateway gw-westford {
            ike-policy ike-phase1-policy;
            address 3.3.3.2;
            external-interface ge-0/0/3.0;
        }
        gateway gw-sunnyvale {
            ike-policy ike-phase1-policy;
            address 2.2.2.2;
            external-interface ge-0/0/3.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn vpn-westford {
            bind-interface st0.0;
            ike {
                gateway gw-westford;
                ipsec-policy ipsec-phase2-policy;
            }
        }
        vpn vpn-sunnyvale {
            bind-interface st0.0;
            ike {
                gateway gw-sunnyvale;
                ipsec-policy ipsec-phase2-policy;
            }
        }
    }
    address-book {
        book1 {
            address local-net 10.10.10.0/24;
            attach {
                zone trust;
            }
        }
        book2 {
            address sunnyvale-net 192.168.168.0/24;
            address westford-net 192.168.178.0/24;
            attach {
                zone vpn;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 10.11.11.11 ipsec-vpn vpn-sunnyvale;
                next-hop-tunnel 10.11.11.12 ipsec-vpn vpn-westford;
                address 10.11.11.10/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
        route 192.168.168.0/24 next-hop 10.11.11.11;
        route 192.168.178.0/24 next-hop 10.11.11.12;
    }
}
(The security policies hierarchy entered in step ⑧ is not part of this capture.)
Hub-and-Spoke VPN (Westford)
Configuration check
user@srx# show
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$FWZa6/OB1ceW79Ct01ISyKvWL-Vs24ZDilMW7-wYg"; ## SECRET-DATA
        }
        gateway gw-corporate {
            ike-policy ike-phase1-policy;
            address 1.1.1.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn vpn-corporate {
            bind-interface st0.0;
            ike {
                gateway gw-corporate;
                ipsec-policy ipsec-phase2-policy;
            }
        }
    }
    address-book {
        book1 {
            address local-net 192.168.178.0/24;
            attach {
                zone trust;
            }
        }
        book2 {
            address corp-net 10.10.10.0/24;
            address sunnyvale-net 192.168.168.0/24;
            attach {
                zone vpn;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy to-corporate {
                match {
                    source-address local-net;
                    destination-address [ corp-net sunnyvale-net ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy from-corporate {
                match {
                    source-address [ corp-net sunnyvale-net ];
                    destination-address local-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 3.3.3.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.178.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.12/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 3.3.3.1;
        route 10.10.10.0/24 next-hop 10.11.11.10;
        route 192.168.168.0/24 next-hop 10.11.11.10;
    }
}
Hub-and-Spoke VPN (Sunnyvale)
Configuration check
user@srx# show
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$BjTREKvMxVYahcyeMW7NbwYgZUik.5z3dsYaZjHq"; ## SECRET-DATA
        }
        gateway gw-corporate {
            ike-policy ike-phase1-policy;
            address 1.1.1.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn vpn-corporate {
            bind-interface st0.0;
            ike {
                gateway gw-corporate;
                ipsec-policy ipsec-phase2-policy;
            }
        }
    }
    address-book {
        book1 {
            address local-net 192.168.168.0/24;
            attach {
                zone trust;
            }
        }
        book2 {
            address corp-net 10.10.10.0/24;
            address westford-net 192.168.178.0/24;
            attach {
                zone vpn;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy to-corporate {
                match {
                    source-address local-net;
                    destination-address [ corp-net westford-net ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy from-corporate {
                match {
                    source-address [ corp-net westford-net ];
                    destination-address local-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.168.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.11/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
        route 10.10.10.0/24 next-hop 10.11.11.10;
        route 192.168.178.0/24 next-hop 10.11.11.10;
    }
}
Hub-and-Spoke VPN
Checking VPN status (Corporate office): ① Phase 1, ② Phase 2
Both spokes must be listed with State UP in the IKE output, and each gateway must have an inbound (<) and an outbound (>) ESP SA in the IPsec output; a peer missing from the Phase 1 list or with only one SA direction is not usable.
user@srx> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6765495 UP e30463649227e8d7 6d67cd92ccca0c11 Main 2.2.2.2
6765496 UP 7f712a8eac2b687c a277448f022795f5 Main 3.3.3.2
user@srx> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha1 f09b5702 3102/ unlim - root 500 2.2.2.2
>131074 ESP:aes-cbc-128/sha1 ada7a01e 3102/ unlim - root 500 2.2.2.2
<131073 ESP:aes-cbc-128/sha1 268b49 3102/ unlim - root 500 3.3.3.2
>131073 ESP:aes-cbc-128/sha1 f9c640f8 3102/ unlim - root 500 3.3.3.2
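Reading the two outputs by eye is fine for two spokes; the following Python checker is an added example, not code from the manual. It parses the same two command outputs and reports, for every expected peer, a missing or non-UP IKE SA, a missing inbound (<) or outbound (>) ESP SA, an unexpected algorithm, an SA pair whose two directions carry different IDs, and any SA for a peer that is not on the expected list. The captured text is the hub output shown on this page; the degraded variant at the end is constructed to show what a half-established tunnel looks like.

```python
"""Verify a hub's VPN status from 'show security ike security-associations'
and 'show security ipsec security-associations'.  Added example, not code
from the manual; the captured output is the one shown on this page.
"""


def parse_ike(text):
    """Remote address -> {index, state, mode} for each IKE SA line."""
    sas = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) == 6 and t[0].isdigit():
            sas[t[5]] = {"index": int(t[0]), "state": t[1], "mode": t[4]}
    return sas


def parse_ipsec(text):
    """Gateway -> {'<': inbound SA, '>': outbound SA} for each IPsec SA line."""
    sas = {}
    for line in text.splitlines():
        t = line.split()
        if t and t[0][0] in "<>" and t[0][1:].isdigit():
            sas.setdefault(t[-1], {})[t[0][0]] = {
                "id": int(t[0][1:]), "algo": t[1], "spi": t[2], "life": " ".join(t[3:5])}
    return sas


def check_status(expected_peers, ike_text, ipsec_text, algo="ESP:aes-cbc-128/sha1"):
    """Return findings; empty means each expected peer has Phase 1 UP and both ESP SAs."""
    ike, ipsec, out = parse_ike(ike_text), parse_ipsec(ipsec_text), []
    for peer in expected_peers:
        sa = ike.get(peer)
        if sa is None:
            out.append(f"{peer}: no IKE SA (Phase 1 not established)")
        elif sa["state"] != "UP":
            out.append(f"{peer}: IKE SA state is {sa['state']}")
        pair = ipsec.get(peer, {})
        for d, label in (("<", "inbound"), (">", "outbound")):
            if d not in pair:
                out.append(f"{peer}: no {label} ({d}) IPsec SA")
            elif pair[d]["algo"] != algo:
                out.append(f"{peer}: {label} SA uses {pair[d]['algo']}, expected {algo}")
        if len(pair) == 2 and pair["<"]["id"] != pair[">"]["id"]:
            out.append(f"{peer}: inbound and outbound SAs have different IDs")
    for peer in sorted(set(ike) | set(ipsec)):        # SAs nobody asked for
        if peer not in expected_peers:
            out.append(f"{peer}: SA present for a peer that is not expected")
    return out


# Output captured on the hub (Corporate office) as shown on this page.
IKE_OUTPUT = """\
Index State Initiator cookie Responder cookie Mode Remote Address
6765495 UP e30463649227e8d7 6d67cd92ccca0c11 Main 2.2.2.2
6765496 UP 7f712a8eac2b687c a277448f022795f5 Main 3.3.3.2
"""
IPSEC_OUTPUT = """\
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha1 f09b5702 3102/ unlim - root 500 2.2.2.2
>131074 ESP:aes-cbc-128/sha1 ada7a01e 3102/ unlim - root 500 2.2.2.2
<131073 ESP:aes-cbc-128/sha1 268b49 3102/ unlim - root 500 3.3.3.2
>131073 ESP:aes-cbc-128/sha1 f9c640f8 3102/ unlim - root 500 3.3.3.2
"""
HUB_PEERS = ["2.2.2.2", "3.3.3.2"]          # Sunnyvale and Westford
# Constructed degraded capture: Westford's Phase 1 is gone and only its inbound SA remains.
DEGRADED_IKE = IKE_OUTPUT.replace("6765496 UP 7f712a8eac2b687c a277448f022795f5 Main 3.3.3.2\n", "")
DEGRADED_IPSEC = "\n".join(ln for ln in IPSEC_OUTPUT.splitlines() if not ln.startswith(">131073"))

if __name__ == "__main__":
    print(check_status(HUB_PEERS, IKE_OUTPUT, IPSEC_OUTPUT))      # healthy: []
    print(check_status(HUB_PEERS, DEGRADED_IKE, DEGRADED_IPSEC))  # two findings for 3.3.3.2
```

On the captured output the checker returns an empty list; on the degraded capture it reports that 3.3.3.2 has no IKE SA and no outbound ESP SA, which is exactly the state in which the Westford tunnel would still show one line in the IPsec table but carry no traffic.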