The abstract task is to bring up a tunnel from a private network to the corporate network across the Internet. Possible solutions:
1. A PPTP tunnel from the workstation to the corporate router
2. An IPIP tunnel to the corporate router, carried inside IPsec to the Cisco ASA.
There is a corporate network with Cisco routers and a Cisco ASA firewall. Because of difficulties in obtaining an ASA-K9, we are trying a Juniper SRX 100B as an alternative. Notably, this alternative supports IPIP and GRE tunnels.
Schematic diagram of the setup:
Addressing plan:
10.0.0.0 - 10.0.0.255 Loopback /32
10.0.1.0 - 10.0.1.255 P2P /30
10.10.0.0 - 10.10.255.0 LAN /24
999.999.999.0/30 - P2P ASA-Internet
888.888.888.888 - public address of the DSL modem
Remote sites have arbitrary external addresses. On the ASA no ACL is configured for IPsec; a dynamic crypto map is created instead. When a tunnel-group is created with a name instead of an IP address, the ASA reports that the connection is possible only with a certificate or in aggressive mode.
R1 configuration:
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface Tunnel2
description *** TO SRX2 10.0.0.2***
bandwidth 10000
ip address 10.1.0.5 255.255.255.252
ip mtu 1480
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipip
tunnel path-mtu-discovery
!
interface Tunnel3
description *** TO SRX3 10.0.0.3***
bandwidth 10000
ip address 10.1.0.9 255.255.255.252
ip mtu 1480
tunnel source 10.0.0.1
tunnel destination 10.0.0.3
tunnel mode ipip
tunnel path-mtu-discovery
!
interface GigabitEthernet0/1
description *** TO ASA ***
ip address 10.1.0.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.0.2
ip route 10.0.0.2 255.255.255.255 10.1.0.2
ip route 10.0.0.3 255.255.255.255 10.1.0.2
ip route 10.10.1.0 255.255.255.0 10.1.0.6
ip route 10.10.2.0 255.255.255.0 10.1.0.10
ASA configuration:
interface GigabitEthernet0/0
description LAN
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.1.0.2 255.255.255.252
!
interface GigabitEthernet0/1
description Internet
speed 1000
duplex full
nameif outside
security-level 0
ip address 999.999.999.1 255.255.255.252
object-group network IPIPhost.local
network-object host 10.0.0.1
object-group network IPIPhost.remote
network-object host 10.0.0.2
network-object host 10.0.0.3
object-group network LAN
network-object 10.10.0.0 255.255.0.0
access-list ACL-IN extended permit ip object-group IPIPhost.local object-group IPIPhost.remote
access-list ACL-IN extended permit ip object-group LAN any
access-list InternetAccess extended permit ip object-group LAN any
access-list nonat extended permit ip object-group IPIPhost.local object-group IPIPhost.remote
nat-control
global (outside) 1 777.777.777.16 255.255.255.240
nat (inside) 0 access-list nonat
nat (inside) 1 access-list InternetAccess
access-group ACL-IN in interface inside
route outside 0.0.0.0 0.0.0.0 999.999.999.2 1
route inside 10.0.0.0 255.0.0.0 10.1.0.1 1
route outside 10.0.0.2 255.255.255.255 999.999.999.2
route outside 10.0.0.3 255.255.255.255 999.999.999.2
no crypto isakmp am-disable
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 1048576
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map espaessha 1 set transform-set ESP-AES-128-SHA
crypto map outside_map1 65000 ipsec-isakmp dynamic espaessha
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
tunnel-group SRX2 type ipsec-l2l
tunnel-group SRX2 ipsec-attributes
pre-shared-key SecreT2
tunnel-group SRX3 type ipsec-l2l
tunnel-group SRX3 ipsec-attributes
pre-shared-key SecreT3
The DSL modem works in router mode and hands out addresses via DHCP. Its LAN interface has the address 192.168.0.1, which will be the default gateway for the SRX. The SRX uplink is connected to port 0/7. All other interfaces are configured for connecting workstations.
SRX configuration:
set groups IPSEC_VALUE security ipsec proposal IPSEC_VALUE_GROUP protocol esp
set groups IPSEC_VALUE security ipsec proposal IPSEC_VALUE_GROUP lifetime-seconds 3600
set groups IPSEC_VALUE security ipsec proposal IPSEC_VALUE_GROUP lifetime-kilobytes 1048576
set system host-name router-in-somewhere
set system name-server 10.10.100.100
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/7.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp domain-name corporate.local
set system services dhcp domain-search corporate.local
set system services dhcp wins-server 10.10.100.100
set system services dhcp router 10.10.1.254
set system services dhcp pool 10.10.1.0/24 address-range low 10.10.1.10
set system services dhcp pool 10.10.1.0/24 address-range high 10.10.1.99
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 10.0.0.1
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/0
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ip-0/0/0 unit 0 tunnel source 10.0.0.2
set interfaces ip-0/0/0 unit 0 tunnel destination 10.0.0.1
set interfaces ip-0/0/0 unit 0 tunnel path-mtu-discovery
set interfaces ip-0/0/0 unit 0 family inet mtu 1480
set interfaces ip-0/0/0 unit 0 family inet address 10.1.0.6/30
set interfaces fe-0/0/7 unit 0 description Internet
set interfaces fe-0/0/7 unit 0 family inet dhcp
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 0 family inet
set interfaces vlan unit 0 family inet address 10.10.1.254/24
set routing-options static route 10.0.0.0/8 next-hop 10.1.0.5
set routing-options static route 10.0.0.1/32 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options router-id 10.0.0.2
set security ike proposal IKE_PROP_DEFAULT authentication-method pre-shared-keys
set security ike proposal IKE_PROP_DEFAULT dh-group group2
set security ike proposal IKE_PROP_DEFAULT authentication-algorithm sha1
set security ike proposal IKE_PROP_DEFAULT encryption-algorithm 3des-cbc
set security ike proposal IKE_PROP_DEFAULT lifetime-seconds 86400
set security ike policy IKE_POL_DEFAULT mode aggressive
set security ike policy IKE_POL_DEFAULT proposals IKE_PROP_DEFAULT
set security ike policy IKE_POL_DEFAULT pre-shared-key ascii-text SecreT2
set security ike gateway HUB ike-policy IKE_POL_DEFAULT
set security ike gateway HUB address 999.999.999.1
set security ike gateway HUB local-identity hostname SRX2
set security ike gateway HUB external-interface fe-0/0/7
set security ipsec proposal IPSEC_PROP_DEFAULT apply-groups IPSEC_VALUE
set security ipsec proposal IPSEC_PROP_DEFAULT authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP_DEFAULT encryption-algorithm 3des-cbc
set security ipsec proposal ESP-AES-128-SHA apply-groups IPSEC_VALUE
set security ipsec proposal ESP-AES-128-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-AES-128-SHA encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-AES-256-MD5 apply-groups IPSEC_VALUE
set security ipsec proposal ESP-AES-256-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-AES-256-MD5 encryption-algorithm aes-256-cbc
set security ipsec proposal ESP-DES-SHA apply-groups IPSEC_VALUE
set security ipsec proposal ESP-DES-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-DES-SHA encryption-algorithm des-cbc
set security ipsec proposal ESP-3DES-SHA apply-groups IPSEC_VALUE
set security ipsec proposal ESP-3DES-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-3DES-SHA encryption-algorithm 3des-cbc
set security ipsec proposal ESP-DES-MD5 apply-groups IPSEC_VALUE
set security ipsec proposal ESP-DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-DES-MD5 encryption-algorithm des-cbc
set security ipsec proposal ESP-AES-192-MD5 apply-groups IPSEC_VALUE
set security ipsec proposal ESP-AES-192-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-AES-192-MD5 encryption-algorithm aes-192-cbc
set security ipsec proposal ESP-3DES-MD5 apply-groups IPSEC_VALUE
set security ipsec proposal ESP-3DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-3DES-MD5 encryption-algorithm 3des-cbc
set security ipsec proposal ESP-AES-256-SHA apply-groups IPSEC_VALUE
set security ipsec proposal ESP-AES-256-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-AES-256-SHA encryption-algorithm aes-256-cbc
set security ipsec proposal ESP-AES-192-SHA apply-groups IPSEC_VALUE
set security ipsec proposal ESP-AES-192-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-AES-192-SHA encryption-algorithm aes-192-cbc
set security ipsec proposal ESP-AES-128-MD5 apply-groups IPSEC_VALUE
set security ipsec proposal ESP-AES-128-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-AES-128-MD5 encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-128-SHA
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-128-MD5
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-192-MD5
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-192-SHA
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-256-MD5
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-256-SHA
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-DES-MD5
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-DES-SHA
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-3DES-MD5
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-3DES-SHA
set security ipsec vpn TO_HUB bind-interface st0.0
set security ipsec vpn TO_HUB ike gateway HUB
set security ipsec vpn TO_HUB ike proxy-identity local 10.0.0.2/32
set security ipsec vpn TO_HUB ike proxy-identity remote 10.0.0.1/32
set security ipsec vpn TO_HUB ike proxy-identity service any
set security ipsec vpn TO_HUB ike ipsec-policy IPSEC_POL_DEFAULT
set security ipsec vpn TO_HUB establish-tunnels immediately
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 10.10.1.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 10.0.0.2/32
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces ip-0/0/0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services all
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
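The SRX policy above offers the hub every proposal the ASA lists, including DES and MD5 ones, negotiates IKE in aggressive mode with a pre-shared key, and opens `system-services all` on the untrust zone. The following audit script is an added example written for this page, not code from the post or from Juniper: it parses Junos `set`-style lines into a small model and reports those weak points. The sample configuration is a constructed subset of the lines shown above, and the sets of "weak" algorithms and DH groups are my own thresholds (64-bit block ciphers, MD5 HMACs, MODP groups of 1536 bits or less).

```python
import re

# Constructed sample: a subset of the SRX "set" configuration shown on the page.
SAMPLE_CONFIG = """\
set security ike proposal IKE_PROP_DEFAULT authentication-method pre-shared-keys
set security ike proposal IKE_PROP_DEFAULT dh-group group2
set security ike proposal IKE_PROP_DEFAULT authentication-algorithm sha1
set security ike proposal IKE_PROP_DEFAULT encryption-algorithm 3des-cbc
set security ike policy IKE_POL_DEFAULT mode aggressive
set security ike policy IKE_POL_DEFAULT proposals IKE_PROP_DEFAULT
set security ipsec proposal ESP-AES-128-SHA authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-AES-128-SHA encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-DES-MD5 encryption-algorithm des-cbc
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-AES-128-SHA
set security ipsec policy IPSEC_POL_DEFAULT proposals ESP-DES-MD5
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services all
"""

# Thresholds chosen for this example (assumption, not a Juniper recommendation).
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}        # 64-bit block ciphers
WEAK_INTEGRITY = {"md5", "hmac-md5-96"}          # MD5-based HMACs
WEAK_DH_GROUPS = {"group1", "group2", "group5"}  # MODP groups of 1536 bits or less

PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")
POLICY_PROPOSALS_RE = re.compile(r"^set security (ike|ipsec) policy (\S+) proposals (\S+)$")
IKE_MODE_RE = re.compile(r"^set security ike policy (\S+) mode (\S+)$")
ZONE_SERVICES_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")


def parse_config(text):
    """Build a small model from 'set' lines: proposals, policies, IKE mode, zone services."""
    model = {
        "proposals": {"ike": {}, "ipsec": {}},
        "policies": {"ike": {}, "ipsec": {}},
        "ike_mode": {},
        "zone_services": {},
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROPOSAL_RE.match(line):
            fam, name, attr, value = m.groups()
            model["proposals"][fam].setdefault(name, {})[attr] = value
        elif m := POLICY_PROPOSALS_RE.match(line):
            fam, name, prop = m.groups()
            model["policies"][fam].setdefault(name, []).append(prop)
        elif m := IKE_MODE_RE.match(line):
            model["ike_mode"][m.group(1)] = m.group(2)
        elif m := ZONE_SERVICES_RE.match(line):
            model["zone_services"].setdefault(m.group(1), set()).add(m.group(2))
    return model


def audit(text):
    """Return human-readable findings for weak crypto, aggressive mode and open zones."""
    model = parse_config(text)
    findings = []
    # A policy is only as strong as the weakest proposal it is willing to accept.
    for fam in ("ike", "ipsec"):
        for pol, props in model["policies"][fam].items():
            for prop in props:
                attrs = model["proposals"][fam].get(prop, {})
                enc = attrs.get("encryption-algorithm")
                auth = attrs.get("authentication-algorithm")
                dh = attrs.get("dh-group")
                if enc in WEAK_ENCRYPTION:
                    findings.append(f"{fam} policy {pol}: proposal {prop} uses weak encryption {enc}")
                if auth in WEAK_INTEGRITY:
                    findings.append(f"{fam} policy {pol}: proposal {prop} uses weak integrity {auth}")
                if dh in WEAK_DH_GROUPS:
                    findings.append(f"{fam} policy {pol}: proposal {prop} uses weak DH {dh}")
    for pol, mode in model["ike_mode"].items():
        if mode == "aggressive":
            findings.append(f"ike policy {pol}: aggressive mode sends identities in the clear "
                            "and exposes the PSK to offline guessing")
    for zone, services in model["zone_services"].items():
        if zone == "untrust" and "all" in services:
            findings.append("zone untrust: host-inbound-traffic system-services all accepts "
                            "every management service from the Internet-facing zone")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the script reports six findings: 3DES and group2 in the IKE proposal, DES and MD5 in the ESP-DES-MD5 proposal that IPSEC_POL_DEFAULT still accepts, aggressive mode, and the open untrust zone. The ESP-AES-128-SHA proposal, which is the one the ASA actually selected in the output below, is not flagged.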
The design with an additional IPIP tunnel was chosen to get more flexible routing and quality of service. The price is MTU: packets larger than 1480 bytes with the DF bit set will not be forwarded. Juniper can reassemble such packets only in GRE tunnels and only when an AS PIC card is installed in the router.
Let us see what we got:
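The MTU arithmetic behind the 1480-byte limit, and behind the pre-fragmentation counters in the ASA output that follows, as an added worked example (my own code, not from the post). It uses the RFC header sizes for IPv4 without options, ESP in tunnel mode with AES-CBC or DES/3DES-CBC and a 96-bit HMAC ICV, and NAT-T UDP encapsulation (the ASA output shows port 4500). `trace()` follows one LAN packet through the IPIP tunnel on R1/SRX and then through ESP on the ASA; the `clear_df` parameter models the ASA's `crypto ipsec df-bit clear-df outside` setting shown above.

```python
import math

# Header sizes per RFC 791 (IPv4), RFC 4303 (ESP) and RFC 3948 (NAT-T UDP encapsulation).
IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8                            # SPI + sequence number
ESP_TRAILER = 2                        # pad length + next header
IV_LEN = {"aes": 16, "3des": 8, "des": 8}
BLOCK_LEN = {"aes": 16, "3des": 8, "des": 8}
ICV_LEN = {"sha1": 12, "md5": 12}      # HMAC-SHA1-96 / HMAC-MD5-96 truncated ICVs


def ipip_inner_mtu(link_mtu=1500):
    """IPIP adds exactly one IPv4 header, hence the 'ip mtu 1480' both configs set."""
    return link_mtu - IPV4_HDR


def esp_packet_size(payload_len, cipher="aes", auth="sha1", nat_t=True):
    """Bytes on the wire for one tunnel-mode ESP packet carrying payload_len clear-text bytes."""
    block = BLOCK_LEN[cipher]
    padded = math.ceil((payload_len + ESP_TRAILER) / block) * block   # CBC padding
    size = IPV4_HDR + ESP_HDR + IV_LEN[cipher] + padded + ICV_LEN[auth]
    return size + UDP_HDR if nat_t else size


def max_unfragmented_payload(link_mtu=1500, cipher="aes", auth="sha1", nat_t=True):
    """Largest clear-text packet whose ESP encapsulation still fits into link_mtu."""
    size = link_mtu
    while esp_packet_size(size, cipher, auth, nat_t) > link_mtu:
        size -= 1
    return size


def _fragments(total_len, limit):
    """Number of IPv4 fragments for a total_len packet when each piece may be at most limit bytes."""
    per_frag_data = ((limit - IPV4_HDR) // 8) * 8      # RFC 791: offsets count in 8-byte units
    return math.ceil((total_len - IPV4_HDR) / per_frag_data)


def trace(inner_len, df, link_mtu=1500, cipher="aes", auth="sha1", clear_df=True):
    """Follow one LAN packet through the IPIP tunnel and then through ESP on the ASA/SRX."""
    report = {"inner_len": inner_len, "df": df}
    tunnel_mtu = ipip_inner_mtu(link_mtu)
    if inner_len > tunnel_mtu:
        if df:
            report.update(stage="ipip", dropped=True,
                          reason=f"{inner_len} > tunnel MTU {tunnel_mtu} with DF set; "
                                 "ICMP fragmentation-needed goes back to the sender")
            return report
        # Without DF the tunnel endpoint fragments the inner packet first.
        report["ipip_fragments"] = _fragments(inner_len, tunnel_mtu)
        outer_len = link_mtu                  # the largest resulting IPIP packet
    else:
        report["ipip_fragments"] = 1
        outer_len = inner_len + IPV4_HDR
    report["ipip_outer_len"] = outer_len
    esp_len = esp_packet_size(outer_len, cipher, auth)
    report["esp_len"] = esp_len
    if esp_len <= link_mtu:
        report.update(stage="esp", dropped=False, esp_fragments=1)
    elif df and not clear_df:
        report.update(stage="esp", dropped=True,
                      reason="ESP packet exceeds link MTU and DF was copied to the outer header")
    else:
        # With clear-df the ASA pre-fragments the clear text so every piece fits once encrypted;
        # this is what '#pre-frag successes' / '#fragments created' count in 'show crypto ipsec sa'.
        limit = max_unfragmented_payload(link_mtu, cipher, auth)
        report.update(stage="esp", dropped=False, esp_fragments=_fragments(outer_len, limit))
    return report


if __name__ == "__main__":
    for size, df in ((1402, True), (1480, True), (1481, True), (3000, False)):
        print(trace(size, df))
```

A full-size 1480-byte LAN packet becomes a 1500-byte IPIP packet, which ESP with AES/SHA1 and NAT-T grows to 1568 bytes, so the ASA has to pre-fragment it into two pieces; that is why the page's counters show roughly two fragments created per pre-fragmentation and about 1.9 encrypted packets per encapsulated one. Only LAN packets of 1402 bytes or less pass the ASA without fragmentation with these parameters.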
ASA# show crypto isakmp sa
[skip]
X IKE Peer: 888.888.888.888
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
ASA# show crypto ipsec sa peer 888.888.888.888
peer address: 888.888.888.888
Crypto map tag: espaessha, seq num: 1, local addr: 999.999.999.1
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
current_peer: 888.888.888.888
#pkts encaps: 7226497, #pkts encrypt: 13803665, #pkts digest: 13803665
#pkts decaps: 5169927, #pkts decrypt: 5169927, #pkts verify: 5169927
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7226497, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 6577168, #pre-frag failures: 0, #fragments created: 13154336
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 42
#send errors: 0, #recv errors: 0
local crypto endpt.: 999.999.999.1/4500, remote crypto endpt.: 888.888.888.888/28223
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: CBB3E465
inbound esp sas:
spi: 0xDF094148 (3741925704)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 149721088, crypto-map: espaessha
sa timing: remaining key lifetime (sec): 1019
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCBB3E465 (3417564261)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 149721088, crypto-map: espaessha
sa timing: remaining key lifetime (sec): 1018
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
On the remote side:
root@srx> show security ike sa
Index Remote Address State Initiator cookie Responder cookie Mode
3 999.999.999.1 UP f6b84688041e47b2 19b6337d92e86171 Aggressive
root@srx> show security ipsec sa
Total active tunnels: 1
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<131073 999.999.999.1 4500 ESP:aes-128/sha1 3765363f 3068/ unlim - 0
>131073 999.999.999.1 4500 ESP:aes-128/sha1 f1fb308a 3068/ unlim - 0
root@srx> show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 23:07:06
> to 192.168.0.1 via fe-0/0/7.0
10.0.0.0/8 *[Static/5] 23:17:58
> to 10.1.0.5 via ip-0/0/0.0
10.0.0.2/32 *[Direct/0] 23:21:30
> via lo0.0
10.1.0.4/30 *[Direct/0] 23:17:58
> via ip-0/0/0.0
10.1.0.6/32 *[Local/0] 23:20:51
Local via ip-0/0/0.0
10.10.1.0/24 *[Direct/0] 23:20:30
> via vlan.0
10.10.1.254/32 *[Local/0] 23:21:30
Local via vlan.0
10.0.0.1/32 *[Static/5] 23:17:59
> via st0.0
192.168.0.0/24 *[Direct/0] 23:17:59
> via fe-0/0/7.0
192.168.0.25/32 *[Local/0] 23:17:59
Local via fe-0/0/7.0
root@srx>
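The ASA counters above are what an operator would watch for this tunnel: pre-fragmentation, inbound fragments needing reassembly, send/receive errors, the negotiated transform and remaining SA lifetime. The following health check is an added example written for this page (not from the post or from Cisco): it parses the `show crypto ipsec sa` text shown above, reproduced here as a constructed sample with the page's placeholder addresses, and turns it into findings. The lifetime threshold (5% of the configured 3600-second SA lifetime) and the list of transforms treated as weak are my own choices.

```python
import re

# Constructed sample: the ASA "show crypto ipsec sa peer" output quoted on the page.
SAMPLE_ASA = """\
peer address: 888.888.888.888
Crypto map tag: espaessha, seq num: 1, local addr: 999.999.999.1
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
current_peer: 888.888.888.888
#pkts encaps: 7226497, #pkts encrypt: 13803665, #pkts digest: 13803665
#pkts decaps: 5169927, #pkts decrypt: 5169927, #pkts verify: 5169927
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7226497, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 6577168, #pre-frag failures: 0, #fragments created: 13154336
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 42
#send errors: 0, #recv errors: 0
local crypto endpt.: 999.999.999.1/4500, remote crypto endpt.: 888.888.888.888/28223
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: CBB3E465
inbound esp sas:
spi: 0xDF094148 (3741925704)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 149721088, crypto-map: espaessha
sa timing: remaining key lifetime (sec): 1019
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCBB3E465 (3417564261)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 149721088, crypto-map: espaessha
sa timing: remaining key lifetime (sec): 1018
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
"""

COUNTER_RE = re.compile(r"#([^:#]+?):\s*(\d+)")            # "#pkts encaps: 7226497"
SPI_RE = re.compile(r"^spi:\s*(0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(sec\):\s*(\d+)")
MTU_RE = re.compile(r"path mtu (\d+), ipsec overhead (\d+), media mtu (\d+)")
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}   # assumption for this example


def parse_counters(text):
    """All '#name: value' counters as a dict of ints."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def parse_sas(text):
    """One dict per ESP SA: direction, SPI, transform, NAT-T flag, remaining lifetime."""
    sas, current, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("esp sas:"):
            direction = line.split()[0]                 # "inbound" / "outbound"
        elif m := SPI_RE.match(line):
            current = {"direction": direction, "spi": m.group(1)}
            sas.append(current)
        elif current and line.startswith("transform:"):
            current["transform"] = line[len("transform:"):].strip()
        elif current and line.startswith("in use settings"):
            current["nat_t"] = "NAT-T-Encaps" in line
        elif current and (m := LIFE_RE.search(line)):
            current["remaining_sec"] = int(m.group(1))
    return sas


def parse_mtu(text):
    m = MTU_RE.search(text)
    if not m:
        return None
    return {"path_mtu": int(m.group(1)), "ipsec_overhead": int(m.group(2)), "media_mtu": int(m.group(3))}


def assess(text, configured_lifetime_sec=3600, min_remaining_ratio=0.05):
    """Findings an operator would want to see for this SA."""
    c = parse_counters(text)
    findings = []
    for key in ("pre-frag failures", "send errors", "recv errors"):
        if c.get(key, 0) > 0:
            findings.append(f"{key}: {c[key]}")
    if c.get("pkts encrypt", 0) > c.get("pkts encaps", 0):
        ratio = c["pkts encrypt"] / c["pkts encaps"]
        findings.append(f"pre-fragmentation active: {ratio:.2f} encrypted pieces per encapsulated packet")
    if c.get("decapsulated frgs needing reassembly", 0) > 0:
        findings.append(f"{c['decapsulated frgs needing reassembly']} inbound ESP packets arrived fragmented "
                        "(peer fragments after encryption; reassembly costs CPU on the ASA)")
    mtu = parse_mtu(text)
    if mtu and mtu["path_mtu"] + mtu["ipsec_overhead"] > mtu["media_mtu"]:
        findings.append(f"path mtu {mtu['path_mtu']} + ipsec overhead {mtu['ipsec_overhead']} exceeds "
                        f"media mtu {mtu['media_mtu']}: full-size packets are fragmented")
    for sa in parse_sas(text):
        tokens = set(sa.get("transform", "").split())
        if tokens & WEAK_TRANSFORMS:
            findings.append(f"{sa['direction']} SA {sa['spi']}: weak transform {sa['transform']}")
        remaining = sa.get("remaining_sec", configured_lifetime_sec)
        if remaining < configured_lifetime_sec * min_remaining_ratio:
            findings.append(f"{sa['direction']} SA {sa['spi']}: rekey imminent ({remaining} s left)")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_ASA):
        print(finding)
```

On the page's output the check reports three things: pre-fragmentation is active (about 1.91 encrypted pieces per packet), 42 inbound packets arrived already fragmented, and the 1500-byte path MTU plus 82 bytes of IPsec overhead does not fit the 1500-byte media MTU. Both SAs use AES/SHA1 with over 1000 seconds of lifetime left, so nothing is flagged on the crypto side.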
UPDATE: A bit more detail on IPsec tunnels in Junos