Other posts in the 'Work Stories > Security' category:
- DeepFinder (web application firewall) (6) | 2024.10.23
- FortiGate SIP Debug (1) | 2023.05.02
- AhnLab Network Solutions (0) | 2022.11.21
- FortiGate FSSO configuration (0) | 2022.08.10
- Juniper SRX Cluster configuration (2) | 2021.08.26
Policy-based IPsec VPN (SRX set commands; the security policy itself selects the tunnel with "permit tunnel ipsec-vpn"):

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone untrust
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Host1
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Host1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2
Route-based IPsec VPN (SRX set commands; the VPN is bound to st0.0, which sits in its own VPN zone, and a static route steers traffic into the tunnel):

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone VPN
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set interfaces st0 unit 0 family inet address 10.100.200.2/24
set routing-options static route 10.100.11.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2
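A set-format configuration like the two above is easy to audit mechanically before it is committed. The following Python script is an added example, not part of the original post: it parses "set ..." lines, classifies each VPN as route-based (has a bind-interface) or policy-based (needs a "permit tunnel" policy), checks that the IKE gateway's external interface is in a zone that allows host-inbound ike (otherwise phase 1 never comes up), and flags any/any permit policies that carry no tunnel. The sample config is a constructed, abbreviated copy of the route-based configuration above with the pre-shared key omitted; the function names (audit, parse_set_config) are the example's own.

```python
from collections import defaultdict

# Constructed sample: an abbreviated copy of the route-based configuration
# above. The PSK is omitted; only statements the audit looks at are included.
SAMPLE_CONFIG = """
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.0
"""


def parse_set_config(text):
    """Split every 'set ...' line into its tokens (the leading 'set' dropped)."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _unit(ifname):
    """Zone membership is per logical unit: 'ge-0/0/1' means 'ge-0/0/1.0'."""
    return ifname if "." in ifname else ifname + ".0"


def audit(text):
    """Return {'modes': {vpn: 'route-based'|'policy-based'}, 'findings': [...]}."""
    gw_ext_if, vpn_bind, vpn_gw = {}, {}, {}
    zone_ifaces, zone_services = defaultdict(set), defaultdict(set)
    policies = defaultdict(dict)  # (from-zone, to-zone, name) -> attributes

    for t in parse_set_config(text):
        if t[:3] == ["security", "ike", "gateway"] and "external-interface" in t:
            gw_ext_if[t[3]] = t[t.index("external-interface") + 1]
        elif t[:3] == ["security", "ipsec", "vpn"] and len(t) > 4:
            vpn_gw.setdefault(t[3], None)
            if "bind-interface" in t:
                vpn_bind[t[3]] = t[t.index("bind-interface") + 1]
            if t[4:6] == ["ike", "gateway"] and len(t) > 6:
                vpn_gw[t[3]] = t[6]
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) > 5:
            if t[4] == "interfaces":
                zone_ifaces[t[3]].add(t[5])
            elif t[4:6] == ["host-inbound-traffic", "system-services"] and len(t) > 6:
                zone_services[t[3]].add(t[6])
        elif t[:2] == ["security", "policies"] and len(t) > 9 and t[6] == "policy":
            pol = policies[(t[3], t[5], t[7])]
            if t[8] == "match" and len(t) > 10:
                pol[t[9]] = t[10]
            elif t[8] == "then":
                pol["action"] = t[9]
                if "ipsec-vpn" in t:
                    pol["tunnel"] = t[t.index("ipsec-vpn") + 1]

    findings, modes = [], {}
    for vpn, gw in vpn_gw.items():
        modes[vpn] = "route-based" if vpn in vpn_bind else "policy-based"
        if vpn in vpn_bind:
            st = vpn_bind[vpn]
            if not any(st in ifs for ifs in zone_ifaces.values()):
                findings.append(f"TUNNEL-IF-NOT-IN-ZONE {vpn}: {st} is in no security zone")
        elif not any(p.get("tunnel") == vpn for p in policies.values()):
            findings.append(f"NO-TUNNEL-POLICY {vpn}: policy-based VPN has no 'permit tunnel' policy")
        # Phase 1 only works if the external interface's zone accepts IKE.
        ext = gw_ext_if.get(gw)
        if ext:
            zones = [z for z, ifs in zone_ifaces.items() if _unit(ext) in ifs]
            if not zones:
                findings.append(f"EXT-IF-NOT-IN-ZONE {gw}: {ext} is in no security zone")
            for z in zones:
                if not zone_services[z] & {"ike", "all"}:
                    findings.append(f"IKE-NOT-ALLOWED {gw}: zone {z} does not permit host-inbound ike")
                if "all" in zone_services[z]:
                    findings.append(f"ALL-SERVICES-ON-EXTERNAL-ZONE {z}: host-inbound system-services all")
    for (frm, to, name), p in policies.items():
        if (p.get("action") == "permit" and "tunnel" not in p
                and all(p.get(k) == "any" for k in ("source-address", "destination-address", "application"))):
            findings.append(f"ANY-ANY-PERMIT {frm}->{to} {name}: permits all traffic outside the tunnel")
    return {"modes": modes, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG)["findings"]:
        print(line)
```

Run against the sample, the only finding is the default-permit any/any policy from trust to untrust, which both configurations above carry; whether that is acceptable depends on whether untrust is really the Internet. Deleting the "system-services ike" line produces an IKE-NOT-ALLOWED finding, and deleting the bind-interface line turns the VPN into a policy-based one with no tunnel policy.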
Configuration for SRX (site-to-site VPN to a Cisco ASA; SRX side, policy-based)
root# show | no-more
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago {
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
VPN Configuration for Cisco ASA
(Only VPN related config included)

Interface Configuration:
------------------------------------------------------------------------------------------------------------------
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
!

Policy Configuration:
------------------------------------------------------------------------------------------------------------------
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

IPSEC/IKE Configuration:
------------------------------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 100.1.1.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
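Most failed SRX-to-ASA tunnels come down to a phase 1 or phase 2 proposal that does not match on both sides, and the example above also relies on algorithms (DES, 3DES, MD5, SHA-1, DH group 2) that are legacy choices kept here for interoperability. The following Python script is an added example, not part of the original post: it parses the SRX curly-brace proposals and the ASA crypto lines into one common vocabulary, reports every parameter that differs, and flags weak algorithms. The two config strings are constructed excerpts of the configurations above with the pre-shared keys omitted; the normalisation tables, the assumption that an ASA "set pfs" with no group keyword means group 2, and the function names are the example's own.

```python
# Constructed excerpts of the two configurations above (PSKs omitted).
SRX_CONFIG = """
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
    }
}
"""
ASA_CONFIG = """
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Vendor spellings -> one label per algorithm (example's own tables).
ENC = {"des-cbc": "des", "3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256",
       "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256",
       "des": "des", "3des": "3des", "aes": "aes128", "aes-256": "aes256"}
HASH = {"sha1": "sha1", "hmac-sha1-96": "sha1", "md5": "md5", "hmac-md5-96": "md5",
        "sha-256": "sha256", "hmac-sha-256-128": "sha256",
        "sha": "sha1", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5", "esp-sha256-hmac": "sha256"}
WEAK = {"des", "3des", "md5", "sha1", "dh1", "dh2"}   # conservative list


def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaves map to their value."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        else:  # drop '## SECRET-DATA' style annotations and the trailing ';'
            parts = line.split("##")[0].strip().rstrip(";").split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def srx_proposals(text):
    sec = parse_junos(text)["security"]
    p1 = next(v for k, v in sec["ike"].items() if k.startswith("proposal "))
    p2 = next(v for k, v in sec["ipsec"].items() if k.startswith("proposal "))
    pol = next(v for k, v in sec["ipsec"].items() if k.startswith("policy "))
    pfs = pol.get("perfect-forward-secrecy", {}).get("keys")
    return {"p1": {"enc": ENC[p1["encryption-algorithm"]], "hash": HASH[p1["authentication-algorithm"]],
                   "dh": p1["dh-group"].replace("group", "dh"), "life": int(p1["lifetime-seconds"])},
            "p2": {"enc": ENC[p2["encryption-algorithm"]], "hash": HASH[p2["authentication-algorithm"]],
                   "pfs": pfs.replace("group", "dh") if pfs else None, "life": int(p2["lifetime-seconds"])}}


def asa_proposals(text):
    p1, p2 = {}, {"pfs": None}
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p2["enc"], p2["hash"] = ENC[w[5]], HASH[w[6]]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "pfs"]:
            p2["pfs"] = "dh" + w[6].replace("group", "") if len(w) > 6 else "dh2"  # assumed default
        elif w[:2] == ["crypto", "map"] and "lifetime" in w:
            p2["life"] = int(w[-1])
        elif w[0] == "encryption":
            p1["enc"] = ENC[w[1]]
        elif w[0] == "hash":
            p1["hash"] = HASH[w[1]]
        elif w[0] == "group":
            p1["dh"] = "dh" + w[1]
        elif w[0] == "lifetime":
            p1["life"] = int(w[1])
    return {"p1": p1, "p2": p2}


def compare(srx, asa):
    """MISMATCH for every differing parameter, WEAK for every legacy algorithm."""
    issues = []
    for phase in ("p1", "p2"):
        for key, a in srx[phase].items():
            b = asa[phase].get(key)
            if a != b:
                issues.append(f"MISMATCH {phase}.{key}: SRX={a} ASA={b}")
            if key != "life" and a in WEAK:
                issues.append(f"WEAK {phase}.{key}: {a}")
    return issues


if __name__ == "__main__":
    for issue in compare(srx_proposals(SRX_CONFIG), asa_proposals(ASA_CONFIG)):
        print(issue)
```

For the two configurations above the script reports no mismatch (which is why the tunnel in the verification section comes up) and six WEAK findings, one per legacy algorithm choice. Changing one side, for example the ASA to "encryption aes", immediately shows up as a phase 1 mismatch, which is the first thing to look for when "show security ike sa" stays empty.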
Verification of VPN connection
SRX:
root> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
778322 UP 8858011cc0881359 e5ecd6302f0306b0 Main 100.1.1.1
root> show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:des/ md5 fb0a0946 28765/unlim - root 500 100.1.1.1
>131073 ESP:des/ md5 11f6197b 28765/unlim - root 500 100.1.1.1
root> show security ipsec sa detail
ID: 131073 Virtual-system: root, VPN Name: ike-vpn-chicago
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Version: IKEv1
DF-bit: clear
Policy Name:vpn-tr-untr
Direction: inbound, SPI: 22abf60, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 28571 seconds
Lifesize Remaining: 4607999 kilobytes
Soft lifetime: Expires in 27982 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: ccb96ffb, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 28571 seconds
Lifesize Remaining: 4607999 kilobytes
Soft lifetime: Expires in 27982 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
root> show security ipsec statistics | no-more
ESP Statistics:
Encrypted bytes: 1842192
Decrypted bytes: 1210704
Encrypted packets: 12144
Decrypted packets: 12144
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
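The verification output above is also what a monitoring job should read: a healthy policy-based tunnel shows one inbound ("<") and one outbound (">") SA per peer, lifetimes well above zero, and all error counters at zero. The following Python script is an added example, not part of the original post: it parses the "show security ipsec sa" and "show security ipsec statistics" output into dicts and raises alerts for a missing SA direction, an SA about to expire, a tunnel count that differs from the expected peer list, and any non-zero authentication, decryption or replay error counter. The sample text is a constructed copy of the output above; the regexes, thresholds and function names are the example's own.

```python
import re

# Constructed sample output, shaped like the 'show security ipsec sa' and
# 'show security ipsec statistics' output shown in the post.
SA_OUTPUT = """
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:des/ md5 fb0a0946 28765/unlim - root 500 100.1.1.1
>131073 ESP:des/ md5 11f6197b 28765/unlim - root 500 100.1.1.1
"""
STATS_OUTPUT = """
ESP Statistics:
Encrypted bytes: 1842192
Decrypted bytes: 1210704
Encrypted packets: 12144
Decrypted packets: 12144
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

# One SA line: direction, ID, 'ESP:<enc>/ <auth>', SPI, life sec/kb, Mon, vsys, port, gateway.
SA_LINE = re.compile(
    r"^([<>])(\d+)\s+ESP:([^/\s]+)/\s*(\S+)\s+([0-9a-f]+)\s+(\S+)/(\S+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
FIELDS = ("dir", "id", "enc", "auth", "spi", "life_sec", "life_kb", "mon", "vsys", "port", "gateway")
COUNTER = re.compile(r"([A-Za-z ]+?):\s*(\d+)")
ERROR_COUNTERS = ("AH authentication failures", "Replay errors", "ESP authentication failures",
                  "ESP decryption failures", "Bad headers", "Bad trailers")


def parse_sa(text):
    """One dict per SA line; '<' is the inbound SA, '>' the outbound SA."""
    sas = []
    for ln in text.splitlines():
        m = SA_LINE.match(ln.strip())
        if m:
            sas.append(dict(zip(FIELDS, m.groups())))
    return sas


def parse_stats(text):
    """Return {'Encrypted bytes': 1842192, ...}; 'Name: N, Name: N' lines yield two entries."""
    return {k.strip(): int(v) for k, v in COUNTER.findall(text)}


def check_health(sa_text, stats_text, expected_peers, min_life_sec=300):
    """Alerts for missing tunnels, SAs about to expire and non-zero error counters."""
    sas, stats, alerts = parse_sa(sa_text), parse_stats(stats_text), []
    m = re.search(r"Total active tunnels:\s*(\d+)", sa_text)
    if m and int(m.group(1)) != len(expected_peers):
        alerts.append(f"TUNNEL-COUNT expected {len(expected_peers)}, device reports {m.group(1)}")
    for peer in expected_peers:
        dirs = {s["dir"] for s in sas if s["gateway"] == peer}
        if dirs != {"<", ">"}:
            alerts.append(f"TUNNEL-DOWN {peer}: SA directions present {sorted(dirs)}")
    for s in sas:
        if s["life_sec"] != "unlim" and int(s["life_sec"]) < min_life_sec:
            alerts.append(f"SA-EXPIRING {s['gateway']} {s['dir']}{s['id']}: {s['life_sec']}s left")
    for key in ERROR_COUNTERS:  # any non-zero value here deserves a look at the peer and the path
        if stats.get(key, 0) > 0:
            alerts.append(f"ERROR-COUNTER {key}={stats[key]}")
    return alerts


if __name__ == "__main__":
    print(check_health(SA_OUTPUT, STATS_OUTPUT, ["100.1.1.1"]) or "tunnel healthy")
```

Replay errors or ESP authentication failures climbing while packet counters stay flat usually means a peer re-keyed and one side kept a stale SA, or that something on the path is replaying or altering ESP packets; a single missing direction means the SA pair is out of sync and the tunnel will drop traffic one way.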