Juniper SSG5 NHTB (Next-Hop Tunnel Binding) VPN Configuration
NHTB lets one network device use a single VPN tunnel interface to establish VPN connections with several other network devices.
The difference between Multi-proxy and NHTB: with Multi-proxy, the two devices that establish a VPN connection each have several subnets behind them, and those subnets communicate with each other through one VPN tunnel.
Benefits of using NHTB:
It reduces system overhead and lowers configuration and maintenance cost. On a large network, combining NHTB with OSPF in the VPN design makes the effect even more pronounced.
Take the case introduced below: four firewalls must establish VPN connections with each other, each firewall has three subnets, and every subnet must be reachable from every other subnet. The topology is shown in the VPN topology diagram below. Without NHTB, every firewall would have to build 27 tunnels and 27 VPN configurations; with NHTB, every firewall needs only one tunnel interface and three VPN configurations. This removes a great deal of tedious, repetitive configuration work, and maintenance becomes noticeably simpler as well.
PS: the tunnel count above is computed as follows: one firewall contains 3 subnets, so two firewalls need 3*3 = 9 tunnels between them, and connecting to the other three firewalls needs 9*3 = 27 VPN tunnels in total.
You can also refer to the related links:
For configuration examples, refer to the following Juniper links:
Normally you must bind each VPN connection to its own tunnel interface; that is, with 5 VPN connections you would have to create 5 tunnel interfaces for them. You can, however, bind multiple IPsec VPN tunnels to a single tunnel interface. To do so, the security device uses two tables: the route table and the next-hop tunnel binding (NHTB) table. The purpose is to map the next-hop gateway IP address specified in a route table entry on the security device to a specific VPN tunnel specified in the NHTB table. With this technique a single tunnel interface can support many VPN tunnels.
For example, the route table entry for 192.168.2.0/24 might specify 1.1.100.2 as the next-hop gateway, where 1.1.100.2 is the IP address of the remote IKE peer's tunnel interface. The CLI commands are:
set vrouter trust-vr route 192.168.2.0/24 interface tunnel.1 gateway 1.1.100.2   ==> SSG5 command
set route 192.168.2.0/24 interface tunnel.1 gateway 1.1.100.2   ==> SSG5 command
set routing-options static route 192.168.2.0/24 next-hop st0.0   ==> SRX command
When the security device receives traffic for 192.168.2.0/24, the route table specifies tunnel interface tunnel.1, but by itself it does not say which VPN tunnel to use. If only one VPN tunnel is bound to tunnel.1, naming the tunnel interface is enough. If several VPN tunnels are bound to that interface, a link is needed between the route and a specific tunnel, and the NHTB table provides that link. The NHTB table CLI commands for this example are:
set interface tunnel.1 nhtb 1.1.100.2 vpn "Site4-Site2"   ==> SSG5 command
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2   ==> SRX command
Here "vpn1" (the tunnel named "Site4-Site2" in this example) is the name of the VPN tunnel to the remote IKE peer whose internal subnet is 192.168.2.0/24 and whose unique IP address is 1.1.100.2. The route table entry and the NHTB table entry share this address, so the security device can forward traffic destined for 192.168.2.0/24 to tunnel.1 and explicitly select VPN tunnel "Site4-Site2".
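As an added example (not from the original post or from Juniper), the following Python emulates that two-step lookup over ScreenOS-style commands and flags the two misconfigurations an auditor looks for: a tunnel route whose gateway has no NHTB entry, and a tunnel route for a subnet the device itself owns. The sample commands are constructed from this page's Site 2 configuration.

```python
import ipaddress
import shlex

# Constructed sample built from this page's Site 2 commands. Two defects are
# planted on purpose: a route whose gateway (1.1.100.4) has no NHTB entry,
# and a route for 192.168.4.0/24, a subnet Site 2 itself owns on ethernet0/5.
SITE2_CONFIG = """
set interface ethernet0/5 ip 192.168.4.1/24
set interface bgroup0 ip 192.168.2.1/24
set interface tunnel.1 ip 1.1.100.2/24
set interface tunnel.1 nhtb 1.1.100.1 vpn "Site2-Site1"
set interface tunnel.1 nhtb 1.1.100.3 vpn "Site2-Site3"
set route 192.168.1.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.4.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.7.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.10.0/24 interface tunnel.1 gateway 1.1.100.4
"""

def parse_screenos(text):
    """Split 'set ...' lines into the tables the lookup needs: nhtb
    {(tunnel_if, gateway): vpn}, routes [(prefix, tunnel_if, gateway)],
    connected [network] for every interface carrying an address."""
    nhtb, routes, connected = {}, [], []
    for line in text.splitlines():
        tok = shlex.split(line)           # drops the quotes around VPN names
        if tok[:2] == ["set", "interface"] and "nhtb" in tok:
            nhtb[(tok[2], tok[tok.index("nhtb") + 1])] = tok[tok.index("vpn") + 1]
        elif tok[:2] == ["set", "interface"] and tok[3:4] == ["ip"] and "/" in tok[4]:
            connected.append(ipaddress.ip_interface(tok[4]).network)
        elif tok[:2] == ["set", "route"] and "gateway" in tok:
            routes.append((ipaddress.ip_network(tok[2]),
                           tok[tok.index("interface") + 1],
                           tok[tok.index("gateway") + 1]))
    return nhtb, routes, connected

def resolve_routes(text):
    """Emulate the two-table lookup: prefix -> next-hop gateway -> NHTB -> VPN.
    A prefix maps to None when its gateway has no NHTB binding (the packet
    reaches tunnel.1 with no VPN selected) and to "LOCAL" when it overlaps a
    directly connected subnet and should never be routed into the tunnel."""
    nhtb, routes, connected = parse_screenos(text)
    result = {}
    for prefix, tunnel_if, gw in routes:
        if any(prefix.overlaps(net) for net in connected):
            result[str(prefix)] = "LOCAL"
        else:
            result[str(prefix)] = nhtb.get((tunnel_if, gw))
    return result
```

Running `resolve_routes(SITE2_CONFIG)` resolves 192.168.1.0/24 and 192.168.7.0/24 to their VPN names while reporting 192.168.4.0/24 as LOCAL and 192.168.10.0/24 as unbound.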
The VPN topology diagram is shown below:
-------- SSG5 NHTB configuration, Site 2 --------
## This SSG is Site 2, WAN IP 192.168.188.11, tunnel.1 IP 1.1.100.2/32
set interface tunnel.1 nhtb 1.1.100.1 vpn "Site2-Site1"   ## (Site 1 WAN IP 192.168.188.10) binds the next-hop IP toward Site 1 to the VPN name
set interface tunnel.1 nhtb 1.1.100.3 vpn "Site2-Site3"   ## (Site 3 WAN IP 192.168.188.12; this IP lives in the VPN gateway definition, so it does not appear here)
set interface tunnel.1 nhtb 1.1.100.4 vpn "Site2-Site4"   ## (Site 4 WAN IP 192.168.188.13)
set route 192.168.1.0/24 interface tunnel.1 gateway 1.1.100.1   ## remote subnets are routed out tunnel.1 toward Site 1's tunnel.1 IP
set route 192.168.3.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.5.0/24 interface tunnel.1 gateway 1.1.100.1   ## 192.168.5.0/24 is the third subnet behind Site 1; 192.168.4.0/24 is local to ethernet0/5 and must not be routed into the tunnel
set route 192.168.7.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.8.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.9.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.10.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.11.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.12.0/24 interface tunnel.1 gateway 1.1.100.4
The following command is not mandatory; it is here for explanation. The SRX st0.0 interface defaults to MTU 9192 while the SSG5 tunnel.1 interface defaults to MTU 1500, so once the two have built a VPN tunnel you will find that SRX-to-SSG5 traffic works but SSG5-to-SRX traffic does not. The reason is that a peer whose MTU is less than or equal to yours can be accepted, but a peer whose MTU is larger than yours cannot. So whenever an SRX builds a VPN tunnel to a non-Junos device, adding this command is recommended, and it is best if you know the peer device's exact MTU value.
set interface tunnel.1 mtu 1500
ssg5-serial-> set interface tunnel.1 mtu ?
<number> mtu size, <1280-1500>
ssg5-serial->
-------- SSG5 NHTB configuration, Site 2 END --------
The SRX NHTB configuration follows.
-------- SRX NHTB configuration, Site 4 ---------
## This SRX is Site 4, WAN IP 192.168.188.13, st0.0 IP 1.1.100.4/32
set interfaces st0 unit 0 multipoint   ## bind multiple IPsec VPN tunnels to a single tunnel interface
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.1 ipsec-vpn Site4-to-Site1   ## (Site 1 WAN IP 192.168.188.10) binds the next-hop IP to the VPN tunnel
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2   ## (Site 2 WAN IP 192.168.188.11; this IP lives in the VPN gateway definition, so it does not appear here)
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.3 ipsec-vpn Site4-to-Site3   ## (Site 3 WAN IP 192.168.188.12)
set routing-options static route 192.168.1.0/24 next-hop st0.0   ## remote subnets are sent out tunnel interface st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.5.0/24 next-hop st0.0
set routing-options static route 192.168.2.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set routing-options static route 192.168.6.0/24 next-hop st0.0
set routing-options static route 192.168.7.0/24 next-hop st0.0
set routing-options static route 192.168.8.0/24 next-hop st0.0
set routing-options static route 192.168.9.0/24 next-hop st0.0
The following command is not mandatory, but it is recommended. The SRX st0.0 interface defaults to MTU 9192 while the SSG5 tunnel.1 interface defaults to MTU 1500, so once the two have built a VPN tunnel you will find that SRX-to-SSG5 traffic works but SSG5-to-SRX traffic does not: a peer whose MTU is less than or equal to yours can be accepted, but a peer whose MTU is larger than yours cannot. So whenever an SRX builds a VPN tunnel to a non-Junos device, adding this command is recommended, and it is best if you know the peer device's exact MTU value.
set interfaces st0 unit 0 family inet mtu 1500
-------- SRX NHTB configuration, Site 4 END ---------
The following uses an existing configuration file for illustration:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Below is a VPN configuration example for four SSG5s.
The related file can be referenced here:
vpn-route_based-multi_lan_to_multi_lan - ospf - SSG - 4_router_of_router_d - ok - lan_10_11_12.txt (this file is the Site 2 configuration)
## Account: netscreen  Password: netscreen  IP: 192.168.2.1
## ethernet0/0 WAN, ethernet0/1 DMZ, ethernet0/2-ethernet0/4 LAN1, ethernet0/5 LAN2, ethernet0/6 LAN3
## Local networks: 192.168.2.0 192.168.4.0 192.168.6.0   Remote network 1: 192.168.1.0 192.168.3.0 192.168.5.0
## Remote network 2: 192.168.7.0 192.168.8.0 192.168.9.0   Remote network 3: 192.168.10.0 192.168.11.0 192.168.12.0
## The three local subnets and the three subnets of each of the three remote networks are all mutually reachable.
## This configuration allows ping and web management on the WAN side for easier testing; disable them for security.
## In a large network, using OSPF for the VPN design reduces maintenance cost, configuration difficulty and firewall resource usage.
## OSPF is used here so that the remote and local sides can communicate; the same approach works for VPNs to other vendors' routers. Default interface MTU differs between vendors and must be made consistent before the two sides can communicate.
## The SSG tunnel.1 interface defaults to MTU 1500 and the SRX st0.0 interface to MTU 9192, so in this example st0.0 is set to MTU 1500 to communicate with the SSG.
## In the OSPF 4-router series on this CD, routers a, b, c and d can be any mix of SRX and SSG.
## When applying this file, adjust the following IPs: WAN IP 192.168.188.11, remote VPN peer 1 IP 192.168.188.10, remote VPN peer 2 IP 192.168.188.12, remote VPN peer 3 IP 192.168.188.13, default gateway 192.168.188.178
## VPN phase 1 IKE proposal pre-g2-3des-md5, phase 2 IPsec proposal nopfs-esp-3des-md5
## Only basic encryption settings are used for testing; change them to stronger settings, for example:
## VPN phase 1 IKE proposal pre-g2-aes128-sha, phase 2 IPsec proposal pfs_g2-esp-aes128-sha
## or simply choose Standard or Compatible in the proposal.
## pre-shared-key "netscreen"
unset key protection enable
set clock dst-off
set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set protocol ospf
set enable
exit
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 60
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "VPN"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "VPN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/5" zone "Trust"
set interface "ethernet0/6" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "VPN"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.188.11/24
set interface ethernet0/0 route
set interface ethernet0/5 ip 192.168.4.1/24
set interface ethernet0/5 nat
set interface ethernet0/6 ip 192.168.6.1/24
set interface ethernet0/6 nat
set interface bgroup0 ip 192.168.2.1/24
set interface bgroup0 nat
set interface tunnel.1 ip 1.1.100.2/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/5 ip manageable
set interface ethernet0/6 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
unset interface ethernet0/6 manage ssh
unset interface ethernet0/6 manage snmp
unset interface ethernet0/6 manage ssl
set interface bgroup0 manage mtrace
set interface ethernet0/5 dhcp server service
set interface ethernet0/6 dhcp server service
set interface bgroup0 dhcp server service
set interface ethernet0/5 dhcp server enable
set interface ethernet0/6 dhcp server enable
set interface bgroup0 dhcp server auto
set interface ethernet0/5 dhcp server option lease 1440000
set interface ethernet0/5 dhcp server option gateway 192.168.4.1
set interface ethernet0/5 dhcp server option dns1 168.95.1.1
set interface ethernet0/5 dhcp server option dns2 168.95.192.1
set interface ethernet0/6 dhcp server option lease 1440000
set interface ethernet0/6 dhcp server option gateway 192.168.6.1
set interface ethernet0/6 dhcp server option dns1 168.95.1.1
set interface ethernet0/6 dhcp server option dns2 168.95.192.1
set interface bgroup0 dhcp server option gateway 192.168.2.1
set interface bgroup0 dhcp server option dns1 168.95.1.1
set interface bgroup0 dhcp server option dns2 168.95.192.1
set interface ethernet0/5 dhcp server ip 192.168.4.11 to 192.168.4.111
set interface ethernet0/6 dhcp server ip 192.168.6.11 to 192.168.6.111
set interface bgroup0 dhcp server ip 192.168.2.11 to 192.168.2.111
unset interface ethernet0/5 dhcp server config next-server-ip
unset interface ethernet0/6 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 168.95.1.1
set dns host dns2 168.95.192.1
set dns host dns3 0.0.0.0
set dns host schedule 06:28 interval 4
set address "Trust" "Local-192.168.2.1/24" 192.168.2.1 255.255.255.0
set address "Trust" "Local-192.168.4.1/24" 192.168.4.1 255.255.255.0
set address "Trust" "Local-192.168.6.1/24" 192.168.6.1 255.255.255.0
set address "VPN" "Remote-192.168.10.1/24" 192.168.10.1 255.255.255.0
set address "VPN" "Remote-192.168.11.1/24" 192.168.11.1 255.255.255.0
set address "VPN" "Remote-192.168.12.1/24" 192.168.12.1 255.255.255.0
set address "VPN" "Remote-192.168.1.1/24" 192.168.1.1 255.255.255.0
set address "VPN" "Remote-192.168.3.1/24" 192.168.3.1 255.255.255.0
set address "VPN" "Remote-192.168.5.1/24" 192.168.5.1 255.255.255.0
set address "VPN" "Remote-192.168.7.1/24" 192.168.7.1 255.255.255.0
set address "VPN" "Remote-192.168.8.1/24" 192.168.8.1 255.255.255.0
set address "VPN" "Remote-192.168.9.1/24" 192.168.9.1 255.255.255.0
set group address "Trust" "Local_Lans"
set group address "Trust" "Local_Lans" add "Local-192.168.2.1/24"
set group address "Trust" "Local_Lans" add "Local-192.168.4.1/24"
set group address "Trust" "Local_Lans" add "Local-192.168.6.1/24"
set group address "VPN" "Remote-Lans"
set group address "VPN" "Remote-Lans" add "Remote-192.168.10.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.11.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.12.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.1.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.3.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.5.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.7.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.8.1/24"
set group address "VPN" "Remote-Lans" add "Remote-192.168.9.1/24"
set crypto-policy
exit
set ike gateway "Site1-GW" address 192.168.188.10 Main local-id "192.168.188.11" outgoing-interface "ethernet0/0" preshare "I1uIdkFgN4eG9hs1uzC3BskwzRnVcksr7Q==" proposal "pre-g2-3des-md5"
set ike gateway "Site3-GW" address 192.168.188.12 Main local-id "192.168.188.11" outgoing-interface "ethernet0/0" preshare "I1uIdkFgN4eG9hs1uzC3BskwzRnVcksr7Q==" proposal "pre-g2-3des-md5"
set ike gateway "Site4-GW" address 192.168.188.13 Main local-id "192.168.188.11" outgoing-interface "ethernet0/0" preshare "I1uIdkFgN4eG9hs1uzC3BskwzRnVcksr7Q==" proposal "pre-g2-3des-md5"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Site2-Site1" gateway "Site1-GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Site2-Site1" monitor optimized rekey
set vpn "Site2-Site1" id 0x1 bind interface tunnel.1
set interface tunnel.1 nhtb 1.1.100.1 vpn "Site2-Site1"
set vpn "Site2-Site3" gateway "Site3-GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Site2-Site3" monitor optimized rekey
set vpn "Site2-Site3" id 0x2 bind interface tunnel.1
set interface tunnel.1 nhtb 1.1.100.3 vpn "Site2-Site3"
set vpn "Site2-Site4" gateway "Site4-GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Site2-Site4" monitor optimized rekey
set vpn "Site2-Site4" id 0x3 bind interface tunnel.1
set interface tunnel.1 nhtb 1.1.100.4 vpn "Site2-Site4"
set url protocol websense
exit
set policy id 5 from "VPN" to "VPN" "Remote-Lans" "Remote-Lans" "ANY" permit
set policy id 5
exit
set policy id 3 name "Remote_Sites-to-Local_Site" from "VPN" to "Trust" "Remote-Lans" "Local_Lans" "ANY" permit
set policy id 3
exit
set policy id 2 name "Local_Site-to-Remote_Sites" from "Trust" to "VPN" "Local_Lans" "Remote-Lans" "ANY" permit
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "118.163.81.61"
set ntp server backup1 "129.6.15.28"
set ntp server backup2 "120.119.31.1"
set ntp interval 100
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162112010001171"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.188.178
set route 192.168.1.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.3.0/24 interface tunnel.1 gateway 1.1.100.1
## 192.168.5.0/24 is the third subnet of remote network 1; 192.168.4.0/24 is local to ethernet0/5 and must not be routed into the tunnel
set route 192.168.5.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.7.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.8.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.9.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.10.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.11.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.12.0/24 interface tunnel.1 gateway 1.1.100.4
exit
set interface bgroup0 protocol ospf area 0.0.0.0
set interface bgroup0 protocol ospf passive
set interface bgroup0 protocol ospf enable
set interface bgroup0 protocol ospf priority 10
set interface bgroup0 protocol ospf cost 1
set interface ethernet0/5 protocol ospf area 0.0.0.0
set interface ethernet0/5 protocol ospf passive
set interface ethernet0/5 protocol ospf enable
set interface ethernet0/5 protocol ospf priority 10
set interface ethernet0/5 protocol ospf cost 1
set interface ethernet0/6 protocol ospf area 0.0.0.0
set interface ethernet0/6 protocol ospf passive
set interface ethernet0/6 protocol ospf enable
set interface ethernet0/6 protocol ospf priority 10
set interface ethernet0/6 protocol ospf cost 1
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf link-type p2mp
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf dead-interval 40
set interface tunnel.1 protocol ospf hello-interval 10
set interface tunnel.1 protocol ospf priority 10
set interface tunnel.1 protocol ospf cost 1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
+++++++++++++++++++++++++++++++++++++++++++++++++++++++