본문 바로가기

업무이야기/Security

Configuration Example – Site-to-site VPN between SRX and Cisco ASA (Policy-based VPN)

by 쫑콩아빠 2021. 3. 16.
728x90

Configuration for SRX

root# show |no-more 
system {
     root-authentication {
        encrypted-password “$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
           family inet {
                address 192.168.2.1/24;
            }
        }
    }
    
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
}

security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text “$ABC123"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago {
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        
    }
    policies {
        from-zone trust to-zone untrust {
           policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
            
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
            
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
               
           }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }

}

VPN Configuration for Cisco ASA

(Only VPN related config included)
Interface Configuration: 
------------------------------------------------------------------------------------------------------------------

!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 

!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0 
!

Policy Configuration :   ------------------------------------------------------------------------------------------------------------------
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 

IPSEC/IKE Configuration :
-----------------------------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 100.1.1.2 
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****


Verification of VPN connection
SRX:

root> show security ike sa                        
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
778322  UP     8858011cc0881359  e5ecd6302f0306b0  Main           100.1.1.1       

root> show security ipsec sa  
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:des/ md5  fb0a0946 28765/unlim   -   root 500   100.1.1.1       
  >131073 ESP:des/ md5  11f6197b 28765/unlim   -   root 500   100.1.1.1       

root> show security ipsec sa detail                            
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn-chicago
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Policy Name:vpn-tr-untr

    Direction: inbound, SPI: 22abf60, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28571 seconds
    Lifesize Remaining:  4607999 kilobytes
    Soft lifetime: Expires in 27982 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: ccb96ffb, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28571 seconds
    Lifesize Remaining:  4607999 kilobytes
    Soft lifetime: Expires in 27982 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

root> show security ipsec statistics | no-more    
ESP Statistics:
  Encrypted bytes:          1842192
  Decrypted bytes:          1210704
  Encrypted packets:          12144
  Decrypted packets:          12144
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

 

728x90