Setting up an IPsec VPN lets you interconnect two remote sites as if they were on the same LAN.
This article details how to configure such an IPsec VPN on a Juniper SRX firewall using Junos `set` commands.

Setup

Configuring an IPsec VPN is done in several steps:

  • Phase 1 configuration
  • Phase 2 configuration
  • Routing configuration
  • Firewall rule configuration

First, define the parameters that must be identical on both sites, namely the following basic parameters:

  • Authentication algorithm for phases 1 and 2
  • Encryption algorithm for phases 1 and 2
  • Pre-shared key
  • DH group for phase 1
  • PFS group for phase 2

Phase 1 configuration

To configure phase 1 (IKE), we use the following template, where VPN-NAME is the name of the tunnel and the valeur_* placeholders are the values agreed with the remote site:

set security ike proposal IKE-PROPOSAL_VPN-NAME authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL_VPN-NAME dh-group valeur_dh-group
set security ike proposal IKE-PROPOSAL_VPN-NAME authentication-algorithm valeur_authentication
set security ike proposal IKE-PROPOSAL_VPN-NAME encryption-algorithm valeur_encryption
set security ike proposal IKE-PROPOSAL_VPN-NAME lifetime-seconds 28800

set security ike policy IKE-POLICY_VPN-NAME mode main
set security ike policy IKE-POLICY_VPN-NAME proposals IKE-PROPOSAL_VPN-NAME
set security ike policy IKE-POLICY_VPN-NAME pre-shared-key ascii-text valeur_alphanumérique

set security ike gateway IKE-GW_VPN-NAME ike-policy IKE-POLICY_VPN-NAME
set security ike gateway IKE-GW_VPN-NAME address adresse_ip_firewall_distant
set security ike gateway IKE-GW_VPN-NAME external-interface external_interface

Phase 2 configuration

To configure phase 2 (IPsec), we use the following template:

set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME protocol esp
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME authentication-algorithm valeur_authentication
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME encryption-algorithm valeur_encryption
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME lifetime-seconds 3600

set security ipsec policy IPSEC-POLICY_VPN-NAME perfect-forward-secrecy keys valeur_pfs
set security ipsec policy IPSEC-POLICY_VPN-NAME proposals IPSEC-PROPOSAL_VPN-NAME

set security ipsec vpn IPSEC-VPN_VPN-NAME bind-interface st0.X
set security ipsec vpn IPSEC-VPN_VPN-NAME ike gateway IKE-GW_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME ike idle-time 180
set security ipsec vpn IPSEC-VPN_VPN-NAME ike ipsec-policy IPSEC-POLICY_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME establish-tunnels immediately

NB: X is the unit number of the st0 tunnel interface used for this IPsec VPN.

Routing

Routing is handled by configuring a static route towards the remote subnet, then enabling the tunnel interface and placing it in its own security zone:

set routing-options static route subnet-remote next-hop st0.X

set interfaces st0 unit X family inet
set security zones security-zone ZONE_VPN_VPN-NAME interfaces st0.X
set security zones security-zone ZONE_VPN_VPN-NAME host-inbound-traffic system-services ike
set security zones security-zone trust address-book address subnet-local subnet/ma

Firewall rules

For the tunnel to be usable, the firewall must permit its traffic in both directions: from the VPN zone to the trust zone and from the trust zone to the VPN zone.

set security zones security-zone ZONE_VPN_VPN-NAME address-book address subnet-remote subnet/24

set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match source-address subnet-remote
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match destination-address subnet-local
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match application any
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust then permit

set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match source-address subnet-local
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match destination-address subnet-remote
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match application any
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME then permit
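The most common reason a tunnel built from these templates never comes up is that one of the values listed at the start (DH group, algorithms, PFS, pre-shared key) was typed differently on the two firewalls. The following Python script is an added example, not part of the original article, that extracts those peer-sensitive values from each site's filled-in `set` commands and reports every difference; the function names and the two sample configurations are constructed for illustration.

```python
from __future__ import annotations
import re

# Lines of the phase 1 / phase 2 templates whose values must be identical on
# both peers. Each rule captures the parameter name and its value.
_RULES = [
    (re.compile(r"^set security ike proposal \S+ "
                r"(?P<key>dh-group|authentication-algorithm|encryption-algorithm) (?P<val>\S+)$"), "phase1"),
    (re.compile(r"^set security ike policy \S+ (?P<key>pre-shared-key) ascii-text (?P<val>\S+)$"), "phase1"),
    (re.compile(r"^set security ipsec proposal \S+ "
                r"(?P<key>protocol|authentication-algorithm|encryption-algorithm) (?P<val>\S+)$"), "phase2"),
    (re.compile(r"^set security ipsec policy \S+ (?P<key>perfect-forward-secrecy) keys (?P<val>\S+)$"), "phase2"),
]

def shared_params(config: str) -> dict[str, str]:
    """Map 'phaseN/parameter' -> value for every peer-sensitive line in a block of set commands."""
    found: dict[str, str] = {}
    for line in config.splitlines():
        line = line.strip()
        for rx, phase in _RULES:
            m = rx.match(line)
            if m:
                found[f"{phase}/{m['key']}"] = m["val"]
    return found

def mismatches(site_a: str, site_b: str) -> list[tuple[str, str | None, str | None]]:
    """Return (parameter, value on A, value on B) for each value that differs or is
    missing on one side; an empty list means phase 1 and phase 2 agree."""
    a, b = shared_params(site_a), shared_params(site_b)
    return [(k, a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]

# Constructed sample configurations (placeholder key, not a real secret).
# Site B was typed with a different DH group and PFS group than site A.
SITE_A = """
set security ike proposal IKE-PROPOSAL_SITEB dh-group group14
set security ike proposal IKE-PROPOSAL_SITEB authentication-algorithm sha-256
set security ike proposal IKE-PROPOSAL_SITEB encryption-algorithm aes-256-cbc
set security ike policy IKE-POLICY_SITEB pre-shared-key ascii-text ExamplePSK-not-real
set security ipsec proposal IPSEC-PROPOSAL_SITEB protocol esp
set security ipsec proposal IPSEC-PROPOSAL_SITEB authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROPOSAL_SITEB encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POLICY_SITEB perfect-forward-secrecy keys group14
"""
SITE_B = (SITE_A.replace("_SITEB", "_SITEA")
          .replace("dh-group group14", "dh-group group5")
          .replace("keys group14", "keys group2"))

if __name__ == "__main__":
    for key, va, vb in mismatches(SITE_A, SITE_B):
        print(f"{key}: site A={va!r} site B={vb!r}")
```

Compare the templates as typed before committing: once committed, `show configuration | display set` shows the pre-shared key in its obfuscated `$9$` form, which cannot be compared textually. Also make sure IKE is allowed as host-inbound traffic on the zone that holds the external-interface, since that is where the peer's IKE packets arrive.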