Configuration for SRX
root# show | no-more
system {
root-authentication {
encrypted-password "$ABC123"; ## SECRET-DATA
}
services {
ssh;
telnet;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 100.1.1.2/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 100.1.1.1;
}
}
security {
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway gw-chicago {
ike-policy ike-phase1-policy;
address 100.1.1.1;
external-interface ge-0/0/0.0;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-chicago {
ike {
gateway gw-chicago;
ipsec-policy ipsec-phase2-policy;
}
establish-tunnels immediately;
}
}
policies {
from-zone trust to-zone untrust {
policy vpn-tr-untr {
match {
source-address sunnyvale;
destination-address chicago;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ike-vpn-chicago;
}
}
}
}
}
from-zone untrust to-zone trust {
policy vpn-untr-tr {
match {
source-address chicago;
destination-address sunnyvale;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ike-vpn-chicago;
}
}
}
}
}
zones {
security-zone trust {
address-book {
address sunnyvale 192.168.2.0/24;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone untrust {
address-book {
address chicago 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0;
}
}
}
}
VPN Configuration for Cisco ASA
(only the VPN-related configuration is shown)
Interface Configuration:
------------------------------------------------------------------------------------------------------------------
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
!
Policy Configuration :
------------------------------------------------------------------------------------------------------------------
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
IPSEC/IKE Configuration :
-----------------------------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 100.1.1.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
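The two configurations above interoperate, but the algorithms they agree on are the weakest the platforms offer: phase 2 uses single DES (56-bit key) with HMAC-MD5, phase 1 uses 3DES, SHA-1 and DH group 2 (1024-bit MODP), all of which are deprecated, and DES in particular is brute-forceable. The fragment below is an added example, not part of the original post, showing the same tunnel moved to AES-256 with DH group 14 on both sides; the proposal names ending in `-aes` are assumed, the gateway, vpn, policy and crypto-map statements not shown here stay exactly as on the page. SHA-1 is kept for IKE and ESP integrity so that the SRX proposals match the ASA's `hash sha` and `esp-sha-hmac`, which is what the page's ASA configuration uses. Separately, the SRX configuration enables `telnet` under `system services` and allows `all` host-inbound system services on the trust zone; neither is needed for the tunnel, and telnet sends the root credentials in clear text.

```text
## SRX side (Junos): replacement proposals; everything else is unchanged
security {
    ike {
        proposal ike-phase1-proposal-aes {
            authentication-method pre-shared-keys;
            dh-group group14;                       ## was group2
            authentication-algorithm sha1;          ## matches "hash sha" on the ASA
            encryption-algorithm aes-256-cbc;       ## was 3des-cbc
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal-aes;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal-aes {
            protocol esp;
            authentication-algorithm hmac-sha1-96;  ## was hmac-md5-96; matches esp-sha-hmac on the ASA
            encryption-algorithm aes-256-cbc;       ## was des-cbc
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group14;                       ## was group2; must equal the ASA "set pfs" group
            }
            proposals ipsec-phase2-proposal-aes;
        }
    }
}

! ASA side: transform set, PFS group and IKEv1 policy changed to match
crypto ipsec ikev1 transform-set CISCO esp-aes-256 esp-sha-hmac
crypto map outside_map 20 set pfs group14
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
```

The page's `crypto map outside_map 20 set pfs` names no group, so the ASA falls back to its default PFS group; stating `group14` explicitly removes that dependency on the default. After committing both sides, `show security ipsec sa` on the SRX should report `ESP:aes-256/sha1` instead of `ESP:des/md5`, and the `Encryption:` field in `show security ipsec sa detail` should read `aes-256-cbc`; if phase 2 fails to come up after the change, the usual cause is one side still carrying the old proposal or a mismatched PFS group.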
Verification of VPN connection
SRX:
root> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
778322 UP 8858011cc0881359 e5ecd6302f0306b0 Main 100.1.1.1
root> show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:des/md5 fb0a0946 28765/unlim - root 500 100.1.1.1
>131073 ESP:des/md5 11f6197b 28765/unlim - root 500 100.1.1.1
root> show security ipsec sa detail
ID: 131073 Virtual-system: root, VPN Name: ike-vpn-chicago
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Version: IKEv1
DF-bit: clear
Policy Name:vpn-tr-untr
Direction: inbound, SPI: 22abf60, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 28571 seconds
Lifesize Remaining: 4607999 kilobytes
Soft lifetime: Expires in 27982 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: ccb96ffb, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 28571 seconds
Lifesize Remaining: 4607999 kilobytes
Soft lifetime: Expires in 27982 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
root> show security ipsec statistics | no-more
ESP Statistics:
Encrypted bytes: 1842192
Decrypted bytes: 1210704
Encrypted packets: 12144
Decrypted packets: 12144
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0