Juniper SRX and Cisco ASA: the next episode

I first built IPsec between a Juniper SRX and a Cisco ASA in 2014. Even then it was painful: there were many problems (usually the tunnel breaking during rekey), they were hard to diagnose (the ASA was at our customer's site, so debugging opportunities were limited), but somehow it worked.


Since then, the recommended JunOS for the SRX has moved to 15.1 (at least for the SRX300 series), and the ASA has learned route-based IPsec (software version 9.8), which simplifies the configuration somewhat. Not long ago, at my current job, there was a chance to build such a setup again. And again it ended badly: during rekey the tunnel collapsed (and did not always come back up without a manual restart). Again silence and confusion in the logs, but since the ASA was at our partner's site, there was no way to look at it properly.

Now the opportunity has come for a setup in which both sides (SRX and ASA) are under our control and can be played with for as long as we like.

Given


So we have:

  • Juniper SRX340 (JunOS 15.1X49D150.2)
  • Cisco ASA 5506 (software 9.8.4)
  • Route-based IPsec between them (routing is provided by BGP, about which I will also say a few words)

Scheme




Configuration


Juniper


Let's start with the SRX configuration. I have built many different tunnels on it, and in the end I arrived at this:

    set security ike policy IKE-ASA mode main
    set security ike policy IKE-ASA proposals SHA256-AES128-5-86400
    set security ike policy IKE-ASA pre-shared-key ascii-text ...
    set security ike gateway GW-ASA ike-policy IKE-ASA
    set security ike gateway GW-ASA address 192.0.2.2
    set security ike gateway GW-ASA dead-peer-detection interval 10
    set security ike gateway GW-ASA dead-peer-detection threshold 3
    set security ike gateway GW-ASA local-identity inet 198.51.100.2
    set security ike gateway GW-ASA external-interface ae0.4
    set security ike gateway GW-ASA version v2-only
    set security ipsec vpn VPN-ASA bind-interface st0.7
    set security ipsec vpn VPN-ASA df-bit clear
    set security ipsec vpn VPN-ASA vpn-monitor source-interface st0.7
    set security ipsec vpn VPN-ASA vpn-monitor destination-ip 169.254.100.2
    set security ipsec vpn VPN-ASA ike gateway GW-ASA
    set security ipsec vpn VPN-ASA ike ipsec-policy SHA256-AES128-3600-14-policy
    set security ipsec vpn VPN-ASA establish-tunnels immediately
    set interfaces st0 unit 7 description "ASA AnyConnect router"
    set interfaces st0 unit 7 family inet mtu 1436
    set interfaces st0 unit 7 family inet address 169.254.100.1/30
    set routing-options static route 192.0.2.2/32 next-hop 198.51.100.1
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic system-services ping
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic system-services ike
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic system-services traceroute
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic protocols bgp

As you can see, no traffic selectors are used with IKEv2 (we already have enough means to restrict traffic, from BGP prefix lists to security policies). On top of that, both DPD (dead peer detection) and vpn-monitor are used (they check in slightly different ways, and for reliability I use both).

Cisco


ASA configuration:

    crypto ipsec ikev2 ipsec-proposal SHA256-AES128
     protocol esp encryption aes-256 aes-192 aes
     protocol esp integrity sha-256
    crypto ipsec profile IPSEC-PROFILE-AMS1-VPN2
     set ikev2 ipsec-proposal SHA256-AES128
     set pfs group14
     set security-association lifetime kilobytes unlimited
     set security-association lifetime seconds 3600
    crypto ikev2 policy 1
     encryption aes-256 aes-192 aes
     integrity sha256
     group 5
     prf sha256
     lifetime seconds 86400
    tunnel-group 198.51.100.2 type ipsec-l2l
    tunnel-group 198.51.100.2 ipsec-attributes
     isakmp keepalive threshold 30 retry 10
     ikev2 remote-authentication pre-shared-key ...
     ikev2 local-authentication pre-shared-key ...
    crypto ikev2 enable outside
    interface Tunnel7
     nameif l2l-ams1-vpn2
     ip address 169.254.100.2 255.255.255.252
     tunnel source interface outside
     tunnel destination 198.51.100.2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-PROFILE-AMS1-VPN2

The configuration structure on the two devices is roughly the same, but, as usual, the names of the individual parts do not match at all.

Configuration comparison


IKE policy / proposal


    crypto ikev2 policy 1
     encryption aes-256 aes-192 aes
     integrity sha256
     group 5
     prf sha256
     lifetime seconds 86400

    set security ike proposal SHA256-AES128-5-86400 description ike-phase1-proposal1
    set security ike proposal SHA256-AES128-5-86400 authentication-method pre-shared-keys
    set security ike proposal SHA256-AES128-5-86400 dh-group group5
    set security ike proposal SHA256-AES128-5-86400 authentication-algorithm sha-256
    set security ike proposal SHA256-AES128-5-86400 encryption-algorithm aes-128-cbc
    set security ike proposal SHA256-AES128-5-86400 lifetime-seconds 86400
    set security ike policy IKE-ASA mode main
    set security ike policy IKE-ASA proposals SHA256-AES128-5-86400
    set security ike policy IKE-ASA pre-shared-key ascii-text ...

Here the terminology confusion begins. What Cisco calls an IKE policy, Juniper calls an IKE proposal. Juniper's IKE policy is closer to the ASA's tunnel-group... Personally I prefer Juniper's approach, but of course this is a matter of habit.

I must say that configuring IKEv2 (especially route-based) on the ASA is still far more logical than crypto maps and the other horrors of earlier times.
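The names differ, but the parameters on the two sides still have to intersect, otherwise IKE_SA_INIT finds no acceptable proposal. As an added example (my code, not from the post), here is a small Python check that normalises the SRX "ike proposal" and the ASA "crypto ikev2 policy" into the same shape and reports what the two peers can agree on. IKEv2 lifetimes are left out on purpose, since IKEv2 does not negotiate them; the sample inputs are constructed from the values shown above.

```python
import re

# Constructed sample: the IKE parameters the post shows for each side.
SRX_IKE = """
set security ike proposal SHA256-AES128-5-86400 dh-group group5
set security ike proposal SHA256-AES128-5-86400 authentication-algorithm sha-256
set security ike proposal SHA256-AES128-5-86400 encryption-algorithm aes-128-cbc
"""
ASA_IKE = """
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256
 group 5
"""

def norm_enc(alg):
    """Normalise an encryption name to (family, keybits); a bare 'aes' on the ASA is AES-128."""
    if alg.startswith("aes"):
        bits = re.search(r"\d+", alg)
        return ("aes", int(bits.group()) if bits else 128)
    return (alg.split("-")[0], 0)  # des / 3des have no key-size variants

def parse_srx_ike(text):
    """Collect the SRX 'ike proposal' parameters as {enc, integ, group} sets."""
    p = {"enc": set(), "integ": set(), "group": set()}
    for line in text.splitlines():
        m = re.match(r"set security ike proposal \S+ (\S+) (\S+)$", line.strip())
        key, val = m.groups() if m else (None, None)
        if key == "encryption-algorithm":
            p["enc"].add(norm_enc(val))
        elif key == "authentication-algorithm":  # sha-256 -> sha256, the ASA spelling
            p["integ"].add(val.replace("-", ""))
        elif key == "dh-group":                  # group5 -> 5
            p["group"].add(int(val.replace("group", "")))
    return p

def parse_asa_ikev2(text):
    """Same shape from an ASA 'crypto ikev2 policy' block, which may list several values per line."""
    p = {"enc": set(), "integ": set(), "group": set()}
    for line in text.splitlines():
        w = line.split()
        if w and w[0] == "encryption":
            p["enc"].update(norm_enc(a) for a in w[1:])
        elif w and w[0] == "integrity":
            p["integ"].update(w[1:])
        elif w and w[0] == "group":
            p["group"].update(int(g) for g in w[1:])
    return p

def common_ike(srx, asa):
    """Intersection per field; an empty set anywhere means no matching IKE proposal exists."""
    return {k: srx[k] & asa[k] for k in ("enc", "integ", "group")}
```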

IPsec policy / proposal


    crypto ipsec ikev2 ipsec-proposal SHA256-AES128
     protocol esp encryption aes-256 aes-192 aes
     protocol esp integrity sha-256
    crypto ipsec profile IPSEC-PROFILE-SHA256-AES128-3600-14
     set ikev2 ipsec-proposal SHA256-AES128
     set pfs group14
     set security-association lifetime kilobytes unlimited
     set security-association lifetime seconds 3600

    set security ipsec proposal SHA256-AES128-3600 description ipsec-phase2-proposal
    set security ipsec proposal SHA256-AES128-3600 protocol esp
    set security ipsec proposal SHA256-AES128-3600 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal SHA256-AES128-3600 encryption-algorithm aes-128-cbc
    set security ipsec proposal SHA256-AES128-3600 lifetime-seconds 3600
    set security ipsec policy SHA256-AES128-3600-14-policy description SHA256-AES128-3600-14-policy
    set security ipsec policy SHA256-AES128-3600-14-policy perfect-forward-secrecy keys group14
    set security ipsec policy SHA256-AES128-3600-14-policy proposals SHA256-AES128-3600

Here both vendors take the same approach: first we create a proposal with the encryption/authentication parameters, then we hang the lifetime and PFS on top of it.

Gateway


    tunnel-group 198.51.100.2 type ipsec-l2l
    tunnel-group 198.51.100.2 ipsec-attributes
     isakmp keepalive threshold 30 retry 10
     ikev2 remote-authentication pre-shared-key ...
     ikev2 local-authentication pre-shared-key ...

    set security ike gateway GW-ASA ike-policy IKE-ASA-LEGAL
    set security ike gateway GW-ASA address 192.0.2.2
    set security ike gateway GW-ASA dead-peer-detection interval 10
    set security ike gateway GW-ASA dead-peer-detection threshold 3
    set security ike gateway GW-ASA local-identity inet 198.51.100.2
    set security ike gateway GW-ASA external-interface ae0.4
    set security ike gateway GW-ASA version v2-only

Here the differences are more noticeable. On the ASA the PSK is specified directly in the peer settings. Juniper lets you specify the outgoing interface and other options (such as the local identity) in the same place, and in addition it refers to the IKE policy (where we specified the PSK).

By the way, if you want to switch from IKEv2 to IKEv1 (or vice versa) on the ASA, Cisco will make you re-create the entire tunnel-group. On the SRX you only need to change one option. (True, incompatible options may surface later at commit time, but those are details.)

VPN / VTI


    interface Tunnel7
     nameif l2l-ams1-vpn2
     ip address 169.254.100.2 255.255.255.252
     tunnel source interface outside
     tunnel destination 198.51.100.2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-PROFILE-SHA256-AES128-3600-14

    set security ipsec vpn VPN-ASA bind-interface st0.7
    set security ipsec vpn VPN-ASA df-bit clear
    set security ipsec vpn VPN-ASA vpn-monitor source-interface st0.7
    set security ipsec vpn VPN-ASA vpn-monitor destination-ip 169.254.100.2
    set security ipsec vpn VPN-ASA ike gateway GW-ASA
    set security ipsec vpn VPN-ASA ike ipsec-policy SHA256-AES128-3600-14-policy
    set security ipsec vpn VPN-ASA establish-tunnels immediately
    set interfaces st0 unit 7 description "AnyConnect router"
    set interfaces st0 unit 7 family inet mtu 1436
    set interfaces st0 unit 7 family inet address 169.254.100.1/30

Juniper's configuration seems more logical to me. The VPN is configured separately (it can also be policy-based), and the secure tunnel interface itself is configured separately. Special thanks for "establish-tunnels immediately", a very useful option ;) (Cisco people will understand what I mean). Another "nicety" of the SRX is that you can build multipoint IPsec, either with automatic peer discovery (which unfortunately only works between SRXs) or with manual routing. Of course it is not a full-fledged DMVPN, but it makes setups like "one hub, many branches" much easier.

Interfaces


I will describe separately the configuration of the interfaces on which IPsec is established. For Juniper it is ae0.4; for the ASA it is outside.

    crypto ikev2 enable outside

    set security zones security-zone ZONE-INTERNET interfaces ae0.4 host-inbound-traffic system-services ike
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic system-services ping
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic system-services traceroute
    set security zones security-zone ZONE-VPN interfaces st0.7 host-inbound-traffic protocols bgp

You need to enable IKE on the interface, otherwise nothing will work :) In addition, on the SRX you need to allow BGP / OSPF / whatever incoming connections on the st0.x interface.

BGP configuration


Everything here is trivial (on one side, at least):

    set protocols bgp group ASA type external
    set protocols bgp group ASA description "AnyConnect router"
    set protocols bgp group ASA hold-time 30
    set protocols bgp group ASA import IMPORT-EBGP-ASA
    set protocols bgp group ASA export EXPORT-EBGP-ASA
    set protocols bgp group ASA local-as 64666
    set protocols bgp group ASA neighbor 169.254.100.2 peer-as 65001
    set policy-options policy-statement EXPORT-EBGP-ASA term 0 from route-filter 10.0.0.0/8 exact
    set policy-options policy-statement EXPORT-EBGP-ASA term 0 then accept
    set policy-options policy-statement EXPORT-EBGP-ASA term 1 then reject
    set policy-options policy-statement IMPORT-EBGP-ASA term 1 then reject

We announce the aggregate prefix of the LAN to the ASA; I will use 10/8. We accept nothing from the ASA, because as of software version 9.8.4 you still cannot announce the addresses of the management interface (understandable) or of a BVI (very inconvenient) via BGP. But if you have other networks behind the ASA, you will of course need to add them to the policy.

    asa(config-router-af)# network 10.255.32.252 mask 255.255.255.254
    ERROR: BGP configuration not supported on management-only/BVI interface

To "see" the inside interface, you will need to add a static route on the SRX pointing into the IPsec tunnel:

    set routing-options static route 10.255.32.252/31 next-hop 169.254.100.2

Moreover, the ASA still does not know how to do loopback interfaces, so we will send all syslog / NetFlow and other logs from "inside".

The ASA 5506 has a built-in switch, so you can use a virtual BVI interface (especially useful in a single-cable setup where only one physical port is in use).

    interface BVI1
     nameif inside
     security-level 100
     ip address 10.255.32.253 255.255.255.254
    management-access inside

After that, in the right places (logging, SNMP, flow) you will need to specify "inside" as the source interface.

If something goes wrong, aka troubleshooting


IKE / IPsec


First of all, both phases of IPsec must be up (on Juniper these are literally IKE / IPsec).

Let's look:

    admin@srx> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
    2128190 UP     ae7d7d447326218a  2be3b3004ae0e36a  IKEv2  192.0.2.2

    admin@srx> show security ipsec security-associations
      Total active tunnels: 6
      ID       Algorithm               SPI       Life:sec/kb   Mon  lsys  Port  Gateway
      <131077  ESP:aes-cbc-128/sha256  fec3c7d1  2867/ unlim   U    root  500   192.0.2.2
      >131077  ESP:aes-cbc-128/sha256  74d792ca  2867/ unlim   U    root  500   192.0.2.2

On the ASA:

    asa# sho crypto ikev2 sa
    IKEv2 SAs:
    Session-id:5, Status:UP-ACTIVE, IKE count:1, CHILD count:1
    Tunnel-id  Local             Remote              Status  Role
    585564345  192.0.2.2/500     198.51.100.2/500    READY   RESPONDER
          Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/47018 sec
    Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
              remote selector 0.0.0.0/0 - 255.255.255.255/65535
              ESP spi in/out: 0xc989d9ea/0xcca8b6d5

On Juniper you can also look at the IPsec tunnel statistics, including the reasons it went down:

    admin@srx> show security ipsec security-associations index 131078 detail
      ID: 131078 Virtual-system: root, VPN Name: VPN-ASA-LEGAL-PL
      Local Gateway: 198.51.100.2, Remote Gateway: 192.0.2.2
      Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Version: IKEv2
      DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.7
      Port: 500, Nego#: 734, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
      Tunnel events:
        Mon Dec 09 2019 13:40:35: IPSec SA rekey successfully completed (48 times)
        Mon Dec 09 2019 00:30:47: IKE SA rekey successfully completed (10 times)
        Fri Nov 29 2019 02:13:55: IPSec SA negotiation successfully completed (1 times)
        Fri Nov 29 2019 02:13:55: IKE SA negotiation successfully completed (1 times)
        Fri Nov 29 2019 02:13:55: No response from peer. Negotiation failed (7 times)
        Fri Nov 29 2019 02:10:14: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
        Fri Nov 29 2019 01:39:15: IPSec SA rekey successfully completed (1 times)
        Fri Nov 29 2019 00:49:50: IPSec SA negotiation successfully completed (1 times)
        Fri Nov 29 2019 00:49:50: IKE SA negotiation successfully completed (1 times)
        Fri Nov 29 2019 00:49:30: No response from peer. Negotiation failed (23 times)
        Fri Nov 29 2019 00:37:24: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
        Fri Nov 29 2019 00:30:00: IPSec SA rekey successfully completed (77 times)
        Thu Nov 28 2019 20:11:31: IKE SA rekey successfully completed (7 times)
        Tue Nov 26 2019 08:51:44: IPSec SA negotiation successfully completed (1 times)
        Thu Nov 21 2019 21:24:32: IKE SA negotiation successfully completed (1 times)
        Thu Nov 21 2019 01:06:27: IKE SA rekey successfully completed (6 times)
      Direction: inbound, SPI: 4bd2e2bd, AUX-SPI: 0, VPN Monitoring: UP
        Hard lifetime: Expires in 3132 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2495 seconds
        Mode: Tunnel(10 10), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
      Direction: outbound, SPI: 504f306e, AUX-SPI: 0, VPN Monitoring: UP
        Hard lifetime: Expires in 3132 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2495 seconds
        Mode: Tunnel(10 10), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
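The "Tunnel events" list above is exactly where the rekey flaps from the earlier attempts would show up, so it is worth reading it mechanically rather than by eye. As an added example (my code, not from the post), here is a Python parser for those lines that totals the failure reasons and pairs each "DPD detected peer as down" with the next successful IPsec negotiation to give the outage length; the sample lines are constructed from the output shown.

```python
import re
from datetime import datetime

# Constructed sample: tunnel-event lines in the format printed by
# 'show security ipsec security-associations index <n> detail' (values taken from the post).
EVENTS = """
Mon Dec 09 2019 13:40:35: IPSec SA rekey successfully completed (48 times)
Fri Nov 29 2019 02:13:55: IPSec SA negotiation successfully completed (1 times)
Fri Nov 29 2019 02:13:55: No response from peer. Negotiation failed (7 times)
Fri Nov 29 2019 02:10:14: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
Fri Nov 29 2019 00:49:50: IPSec SA negotiation successfully completed (1 times)
Fri Nov 29 2019 00:49:30: No response from peer. Negotiation failed (23 times)
Fri Nov 29 2019 00:37:24: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
"""

EVENT_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): (.+?) \((\d+) times\)$")

def parse_events(text):
    """Return a list of (timestamp, message, count) for every tunnel-event line."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S")
            out.append((ts, m.group(2), int(m.group(3))))
    return out

def summarize(events):
    """Total counts per message, plus (down_at, up_at, seconds) for each DPD outage."""
    counts = {}
    for _, msg, n in events:
        counts[msg] = counts.get(msg, 0) + n
    outages, down_at = [], None
    # The SRX prints newest first; walk oldest first so each DPD-down meets the next success.
    for ts, msg, _ in sorted(events):
        if msg.startswith("DPD detected peer as down"):
            down_at = ts
        elif down_at is not None and msg == "IPSec SA negotiation successfully completed":
            outages.append((down_at, ts, int((ts - down_at).total_seconds())))
            down_at = None
    return counts, outages
```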

If everything is fine with IPsec, then you need to look at the ACLs (security policies, host-inbound rules and so on). As a last resort you can try a reboot (of the ASA); it has helped me before.
UPD: on debugging IPsec on Juniper, see my separate post on Habr.

BGP


Everything here is standard: if the session does not come up, use a capture to see whether the BGP hellos are flying in both directions.

Summary


That is all. I do not know whether to credit the new software or the stars aligning, but the ASA <> SRX tunnel is stable and does not drop every day as it used to.

I hope it works out for you too!

Source: https://habr.com/ru/post/zh-CN481620/

