Setting up an IPsec VPN makes it possible to interconnect 2 remote sites within a single LAN.
We will detail how to configure this IPsec VPN.

Setup

Configuring an IPsec VPN is done in several steps:

  • Phase 1 configuration
  • Phase 2 configuration
  • Routing configuration
  • Firewall rule configuration

First, you must define certain parameters that have to be identical on both sites, namely the following basic parameters:

  • Authentication for phases 1 and 2
  • Encryption for phases 1 and 2
  • Pre-shared key
  • DH group for phase 1
  • PFS for phase 2

Phase 1 configuration

To configure phase 1, we will use the following template:

set security ike proposal IKE-PROPOSAL_VPN-NAME authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL_VPN-NAME dh-group valeur_dh-group
set security ike proposal IKE-PROPOSAL_VPN-NAME authentication-algorithm valeur_authentication
set security ike proposal IKE-PROPOSAL_VPN-NAME encryption-algorithm valeur_encryption
set security ike proposal IKE-PROPOSAL_VPN-NAME lifetime-seconds 28800

set security ike policy IKE-POLICY_VPN-NAME mode main
set security ike policy IKE-POLICY_VPN-NAME proposals IKE-PROPOSAL_VPN-NAME
set security ike policy IKE-POLICY_VPN-NAME pre-shared-key ascii-text valeur_alphanumérique

set security ike gateway IKE-GW_VPN-NAME ike-policy IKE-POLICY_VPN-NAME
set security ike gateway IKE-GW_VPN-NAME address adresse_ip_firewall_distant
set security ike gateway IKE-GW_VPN-NAME external-interface external_interface


Phase 2 configuration

To configure phase 2, we will use the following template:

set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME protocol esp
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME authentication-algorithm valeur_authentication
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME encryption-algorithm valeur_encryption
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME lifetime-seconds 3600

set security ipsec policy IPSEC-POLICY_VPN-NAME perfect-forward-secrecy keys valeur_pfs
set security ipsec policy IPSEC-POLICY_VPN-NAME proposals IPSEC-PROPOSAL_VPN-NAME

set security ipsec vpn IPSEC-VPN_VPN-NAME bind-interface st0.X
set security ipsec vpn IPSEC-VPN_VPN-NAME ike gateway IKE-GW_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME ike idle-time 180
set security ipsec vpn IPSEC-VPN_VPN-NAME ike ipsec-policy IPSEC-POLICY_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME establish-tunnels immediately


NB: X is the number of the IPsec VPN tunnel.
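As an added example (not part of the original page), here is a small Python check for the rule stated above that the phase 1 and phase 2 parameters must be identical on both firewalls: it parses those parameters out of each site's set commands (as printed by show configuration | display set) and reports any that differ. The two site configurations are constructed samples built from the templates above, with a deliberate phase 2 encryption mismatch on site B so the check has something to report.

```python
"""Compare the phase 1 / phase 2 parameters of two SRX sites' 'set' commands.
Added example, not from the original page; SITE_A and SITE_B below are
constructed samples in the page's template format."""
import re

# Parameters the page says must be identical on both firewalls (PSK included).
PATTERNS = {
    "ike-dh-group": r"set security ike proposal \S+ dh-group (\S+)",
    "ike-auth": r"set security ike proposal \S+ authentication-algorithm (\S+)",
    "ike-enc": r"set security ike proposal \S+ encryption-algorithm (\S+)",
    "psk": r"set security ike policy \S+ pre-shared-key ascii-text (\S+)",
    "ipsec-auth": r"set security ipsec proposal \S+ authentication-algorithm (\S+)",
    "ipsec-enc": r"set security ipsec proposal \S+ encryption-algorithm (\S+)",
    "pfs": r"set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)",
}

def extract(config: str) -> dict:
    """Pull the shared parameters out of a block of 'set' commands."""
    found = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, config)
        if m:
            found[key] = m.group(1)
    return found

def mismatches(site_a: str, site_b: str) -> dict:
    """Return {param: (a_value, b_value)} for each parameter that differs
    between the two sites or is missing on one side."""
    a, b = extract(site_a), extract(site_b)
    return {k: (a.get(k), b.get(k)) for k in PATTERNS if a.get(k) != b.get(k)}

# Constructed sample: VPN-NAME = HQ-BRANCH, placeholder PSK.
SITE_A = """
set security ike proposal IKE-PROPOSAL_HQ-BRANCH dh-group group14
set security ike proposal IKE-PROPOSAL_HQ-BRANCH authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL_HQ-BRANCH encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY_HQ-BRANCH pre-shared-key ascii-text EXAMPLE-PSK
set security ipsec proposal IPSEC-PROPOSAL_HQ-BRANCH authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL_HQ-BRANCH encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY_HQ-BRANCH perfect-forward-secrecy keys group14
"""
# Site B is identical except for a weaker phase 2 cipher: the tunnel would not come up.
SITE_B = SITE_A.replace("IPSEC-PROPOSAL_HQ-BRANCH encryption-algorithm aes-256-cbc",
                        "IPSEC-PROPOSAL_HQ-BRANCH encryption-algorithm aes-128-cbc")

if __name__ == "__main__":
    for k, (va, vb) in mismatches(SITE_A, SITE_B).items():
        print(f"{k}: site A = {va}, site B = {vb}")
```

Note that on a real box the PSK shown by show configuration is stored in encrypted form, so compare the value you actually typed on each side rather than the stored string.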

Routing

Routing is done by configuring a static route and then enabling the tunnel interface:

set routing-options static route subnet-remote next-hop st0.X

set interfaces st0 unit X family inet
set security zones security-zone ZONE_VPN_VPN-NAME interfaces st0.X
set security zones security-zone ZONE_VPN_VPN-NAME host-inbound-traffic system-services ike

Firewall rules

For your tunnel to work, we must allow its traffic on the firewall in both the inbound and outbound direction. The policies below also reference an address-book entry named subnet-local, which must be defined in the trust zone's address book in the same way that subnet-remote is defined here for the VPN zone:

set security zones security-zone ZONE_VPN_VPN-NAME address-book address subnet-remote subnet/24

set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match source-address subnet-remote
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match destination-address subnet-local
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match application any
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust then permit

set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match source-address subnet-local
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match destination-address subnet-remote
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match application any
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME then permit

