Setting up an AWS VPN with an SRX110

network-engineering vpn juniper ipsec juniper-junos juniper-srx
2022-02-18 05:44:11

I'm trying to set up an IPsec VPN from an SRX 110 to AWS, but I'm having some trouble getting it to work. I've downloaded the configuration file and my tunnels appear to be up, but I can't seem to ping anything in AWS.

show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 9e84c351 3427/ unlim - root 500 52.55.170.166
  >131073 ESP:aes-cbc-128/sha1 62e0325 3427/ unlim - root 500 52.55.170.166
  <131074 ESP:aes-cbc-128/sha1 2128ae3d 3431/ unlim - root 500 52.207.67.71
  >131074 ESP:aes-cbc-128/sha1 3d29fbfe 3431/ unlim - root 500 52.207.67.71

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6550418 UP     81a741b305932303  5cded1ed9120865f  Main           52.207.67.71
6550417 UP     028df2e8bf768421  0f0010a4a0fe461a  Main           52.55.170.166

On the AWS side I see this:

VPN Tunnel  IP Address     Status   Status Last Changed     Details
Tunnel 1    52.55.170.166   DOWN    2016-11-02 23:04 UTC-4  IPSEC IS UP
Tunnel 2    52.207.67.71    DOWN    2016-11-02 23:04 UTC-4  IPSEC IS UP

I think something isn't configured correctly in my zones, but I'm not sure. I have two zones:

Zone 1:

Name: Internal
Type: Security
Interface: vlan.1

Zone 2:

Name: Internet
Type: Security
Interfaces: fe-0/0/0.0

When I loaded the configuration it created two more zones, like this:

Name: trust
Type: Security
Protocols: bgp
interfaces: st0.1,st0.2

and this:

Name: untrust
Type: Security
Services: ike
Interfaces: blank

Why do the tunnels appear to be up, yet I can't seem to ping anything inside the VPC?

Also, I'm quite new to this...

- - - - - - - - - EDIT - - - - - - - -

On the AWS side it now shows:

VPN Tunnel  IP Address  Status  Status Last Changed     Details
Tunnel 1    52.55.170.166   UP  2016-11-02 23:04 UTC-4  1 
Tunnel 2    52.207.67.71    UP  2016-11-02 23:04 UTC-4  1 

This is what my current configuration looks like now:

system {
    host-name RonakLab;
    time-zone EST;
    root-authentication {
        encrypted-password "xxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.1;
            }
            https {
                system-generated-certificate;
                interface vlan.1;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 192.168.2.0/24 {
                address-range low 192.168.2.1 high 192.168.2.254;
                router {
                    192.168.2.1;
                }
            }
            propagate-settings fe-0/0/0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    st0 {
        unit 1 {
            family inet {
                mtu 1436;
                address 169.254.47.18/30;
            }
        }
        unit 2 {
            family inet {
                mtu 1436;
                address 169.254.45.38/30;
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    ike {
        proposal ike-prop-vpn-f7584996-1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        proposal ike-prop-vpn-f7584996-2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy ike-pol-vpn-f7584996-1 {
            mode main;
            proposals ike-prop-vpn-f7584996-1;
            pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
        }
        policy ike-pol-vpn-f7584996-2 {
            mode main;
            proposals ike-prop-vpn-f7584996-2;
            pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
        }
        gateway gw-vpn-f7584996-1 {
            ike-policy ike-pol-vpn-f7584996-1;
            address 52.45.108.91;
            dead-peer-detection;
            no-nat-traversal;
            external-interface fe-0/0/0.0;
        }
        gateway gw-vpn-f7584996-2 {
            ike-policy ike-pol-vpn-f7584996-2;
            address 52.54.120.173;
            dead-peer-detection;
            no-nat-traversal;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-prop-vpn-f7584996-1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        proposal ipsec-prop-vpn-f7584996-2 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol-vpn-f7584996-1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-vpn-f7584996-1;
        }
        policy ipsec-pol-vpn-f7584996-2 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-vpn-f7584996-2;
        }
        vpn vpn-f7584996-1 {
            bind-interface st0.1;
            df-bit clear;
            vpn-monitor {
                source-interface st0.1;
                destination-ip 169.254.47.17;
            }
            ike {
                gateway gw-vpn-f7584996-1;
                ipsec-policy ipsec-pol-vpn-f7584996-1;
            }
        }
        vpn vpn-f7584996-2 {
            bind-interface st0.2;
            df-bit clear;
            vpn-monitor {
                source-interface st0.2;
                destination-ip 169.254.45.37;
            }
            ike {
                gateway gw-vpn-f7584996-2;
                ipsec-policy ipsec-pol-vpn-f7584996-2;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1387;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone aws {
            policy TO-aws {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone aws to-zone Internal {
            policy FROM-aws {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone aws {
            host-inbound-traffic {
                protocols {
                    bgp;
                }
            }
            interfaces {
                st0.1;
                st0.2;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
        }
    }
}
vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
}
2 Answers

From your output, it looks like a few things are wrong:

  1. The st0.0 and st0.1 interfaces are the interfaces you connect to AWS with, but they are currently in the trust zone, which has no security policies bound to it.

To address this, I'd suggest the following changes (as a starting point):

rename security zones security-zone trust to AWS
set security policy from-zone Internal to-zone AWS policy TO-AWS match source-address any
set security policy from-zone Internal to-zone AWS policy TO-AWS match destination-address any
set security policy from-zone Internal to-zone AWS policy TO-AWS match application any
set security policy from-zone Internal to-zone AWS policy TO-AWS then permit
set security policy from-zone AWS to-zone Internal policy FROM-AWS match source-address any
set security policy from-zone AWS to-zone Internal policy FROM-AWS match destination-address any
set security policy from-zone AWS to-zone Internal policy FROM-AWS match application any
set security policy from-zone AWS to-zone Internal policy FROM-AWS then permit
  2. In the output you attached, BGP is up, but you don't seem to be receiving any routes from AWS. I'm also not sure you want to send a default route to AWS.

I'd start with something simpler, such as only advertising the attached vlan.1 prefix:

set policy-options policy-statement DIRECT term DIRECT-INTERFACES from protocol direct
set policy-options policy-statement DIRECT term DIRECT-INTERFACES from interface vlan.1
set policy-options policy-statement DIRECT term DIRECT-INTERFACES then accept
set policy-options policy-statement DIRECT term REJECT then reject
delete protocols bgp group ebgp neighbor 169.254.44.65 export EXPORT-DEFAULT
delete protocols bgp group ebgp neighbor 169.254.47.145 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.44.65 export DIRECT
set protocols bgp group ebgp neighbor 169.254.47.145 export DIRECT

After that, you need to make sure routes are propagated from your VPC in AWS (so that you receive them over BGP). The rough process is:

  1. In the navigation pane, choose Route Tables, then select the route table (usually the VPC's main route table).
  2. Click the Route Propagation tab in the Details pane, click Edit, select the gateway, then click Save.

Did you propagate the route table on AWS? If not, go to VPC, then Route Tables, go to your VPC's route table, then under Route Propagation hit Edit and mark it YES. The VPN is up because both peers established phase 1 and phase 2; I think your problem is that when you send traffic from the Juniper device to AWS, the AWS instance replies, but AWS doesn't know the IP needs to traverse the VPN tunnel. You can also do this test: create a Linux instance on AWS and run tcpdump. With tcpdump you should be able to see the traffic coming from your branch.
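The first answer's diagnosis (tunnel interfaces sitting in a zone that no security policy references) is easy to check mechanically before committing. The script below is an added example, not code from the question or either answer: it flattens a Junos curly-brace configuration into leaf paths and reports every st0 unit that is either unassigned to a zone or assigned to a zone no from-zone/to-zone policy mentions. The sample configuration is constructed to mirror the "trust" zone state described on the page.

```python
import re

def flatten(text):
    """Flatten Junos curly-brace config into leaf paths (tuples of tokens).
    Handles both one-statement-per-line and compact brace layouts."""
    text = re.sub(r"##.*", "", text)          # drop "## SECRET-DATA" style comments
    stack, paths, cur = [], [], []
    for tok in re.findall(r'[{};]|"[^"]*"|[^\s{};]+', text):
        if tok == "{":                         # open a block: current words become a level
            stack.append(tuple(cur)); cur = []
        elif tok == ";":                       # leaf statement: record full path
            paths.append(sum(stack, ()) + tuple(cur)); cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    return paths

# Constructed sample reproducing the situation on the page: st0.1/st0.2 sit in a
# "trust" zone that no security policy references (hypothetical values).
SAMPLE_CFG = """
interfaces { st0 { unit 1 { family inet { address 169.254.47.18/30; } }
                   unit 2 { family inet { address 169.254.45.38/30; } } } }
security {
    policies { from-zone Internal to-zone Internet {
        policy ALL { match { source-address any; } then { permit; } } } }
    zones { security-zone Internal { interfaces { vlan.1; } }
            security-zone trust { interfaces { st0.1; st0.2; } } }
}
"""

def audit_tunnel_zones(config_text):
    """Return {st0 interface: finding}. An empty dict means every tunnel
    interface is in a zone that at least one security policy references."""
    tunnels, iface_zone, policy_zones = set(), {}, set()
    for p in flatten(config_text):
        if p[:3] == ("interfaces", "st0", "unit"):
            tunnels.add(f"st0.{p[3]}")
        elif p[:3] == ("security", "zones", "security-zone") and len(p) > 5 and p[4] == "interfaces":
            iface_zone[p[5]] = p[3]            # interface -> zone it is bound to
        elif p[:3] == ("security", "policies", "from-zone") and len(p) > 5 and p[4] == "to-zone":
            policy_zones.update((p[3], p[5]))  # zones that appear in any policy
    findings = {}
    for ifc in sorted(tunnels):
        zone = iface_zone.get(ifc)
        if zone is None:
            findings[ifc] = "not assigned to any security zone"
        elif zone not in policy_zones:
            findings[ifc] = f"zone '{zone}' is referenced by no security policy"
    return findings

if __name__ == "__main__":
    for ifc, msg in audit_tunnel_zones(SAMPLE_CFG).items():
        print(f"{ifc}: {msg}")
```

Run against the page's final configuration (zone "aws" with TO-aws/FROM-aws policies) the audit returns nothing, which is the state the first answer's rename and policy commands produce.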