Setting up an IPsec VPN interconnects two remote sites so that hosts on each site reach the other site's subnet as if they were on the same network.
This article details how to configure such a site-to-site IPsec VPN. The commands are Junos set commands for a Juniper SRX firewall, and describe a route-based VPN (traffic is steered into the tunnel through a st0 interface rather than through a proxy-ID policy).
Setup
Configuring an IPsec VPN is done in several steps:
- Phase 1 configuration (IKE)
- Phase 2 configuration (IPsec)
- Routing configuration
- Firewall rule configuration
First, agree on the basic parameters, which must be identical on both sites:
- Authentication algorithm for phase 1 and phase 2
- Encryption algorithm for phase 1 and phase 2
- Pre-shared key
- DH group for phase 1
- PFS group for phase 2
A mismatch on any one of these is the most common reason a tunnel never comes up, so record the chosen values before touching either firewall. Pick strong values (AES-256, SHA-256, DH group 14 or higher, a long random pre-shared key): a weak DH group or a guessable key undermines everything that follows.
Phase 1 configuration
To configure phase 1, we use the following template (VPN-NAME is the name chosen for the tunnel and is reused in every object name):
set security ike proposal IKE-PROPOSAL_VPN-NAME authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL_VPN-NAME dh-group dh_group_value
set security ike proposal IKE-PROPOSAL_VPN-NAME authentication-algorithm authentication_value
set security ike proposal IKE-PROPOSAL_VPN-NAME encryption-algorithm encryption_value
set security ike proposal IKE-PROPOSAL_VPN-NAME lifetime-seconds 28800
set security ike policy IKE-POLICY_VPN-NAME mode main
set security ike policy IKE-POLICY_VPN-NAME proposals IKE-PROPOSAL_VPN-NAME
set security ike policy IKE-POLICY_VPN-NAME pre-shared-key ascii-text alphanumeric_value
set security ike gateway IKE-GW_VPN-NAME ike-policy IKE-POLICY_VPN-NAME
set security ike gateway IKE-GW_VPN-NAME address remote_firewall_ip_address
set security ike gateway IKE-GW_VPN-NAME external-interface external_interface
"mode main" selects IKEv1 main mode. Keep it that way: aggressive mode sends the identities in clear and lets a passive attacker capture material for an offline attack on the pre-shared key. external_interface is the interface that carries the public address the remote firewall will connect to.
Phase 2 configuration
To configure phase 2, we use the following template:
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME protocol esp
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME authentication-algorithm authentication_value
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME encryption-algorithm encryption_value
set security ipsec proposal IPSEC-PROPOSAL_VPN-NAME lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY_VPN-NAME perfect-forward-secrecy keys pfs_value
set security ipsec policy IPSEC-POLICY_VPN-NAME proposals IPSEC-PROPOSAL_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME bind-interface st0.X
set security ipsec vpn IPSEC-VPN_VPN-NAME ike gateway IKE-GW_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME ike idle-time 180
set security ipsec vpn IPSEC-VPN_VPN-NAME ike ipsec-policy IPSEC-POLICY_VPN-NAME
set security ipsec vpn IPSEC-VPN_VPN-NAME establish-tunnels immediately
NB: X is the number of the IPsec VPN tunnel, i.e. the st0 unit the tunnel is bound to. Each tunnel needs its own unit. "establish-tunnels immediately" brings the tunnel up as soon as the configuration is committed instead of waiting for interesting traffic, which makes the first test (and the first troubleshooting session) much simpler.
Routing
Routing is done with a static route pointing at the tunnel interface, the tunnel interface itself, and the security zone it belongs to. external_zone is the zone that contains external_interface (usually untrust):
set routing-options static route subnet-remote next-hop st0.X
set interfaces st0 unit X family inet
set security zones security-zone ZONE_VPN_VPN-NAME interfaces st0.X
set security zones security-zone external_zone host-inbound-traffic system-services ike
set security zones security-zone trust address-book address subnet-local subnet/mask
Note that IKE must be accepted as host-inbound traffic on the zone holding the external interface, not on the st0 zone: the IKE negotiation arrives on the external interface, and without this the tunnel never reaches phase 1 (the typical symptom is an empty "show security ike security-associations" on both sides).
Firewall rules
For the tunnel to be usable, the flows through it must be allowed on the firewall in both directions, inbound and outbound:
set security zones security-zone ZONE_VPN_VPN-NAME address-book address subnet-remote subnet/mask
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match source-address subnet-remote
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match destination-address subnet-local
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust match application any
set security policies from-zone ZONE_VPN_VPN-NAME to-zone trust policy ZONE_VPN_VPN-NAME-TO-trust then permit
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match source-address subnet-local
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match destination-address subnet-remote
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME match application any
set security policies from-zone trust to-zone ZONE_VPN_VPN-NAME policy trust-TO-ZONE_VPN_VPN-NAME then permit
"application any" opens every port between the two subnets, which is convenient for the first connectivity test but not what you want to leave in place: a compromised host on one site would have unrestricted reach into the other. Once the tunnel works, replace it with the applications that are actually needed. The same configuration, with local and remote values swapped, is applied on the second firewall.
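As an added example (not code from the original page), the following Python script generates the Junos set commands above for both ends of a tunnel from a single shared parameter set, so the values that must be identical on both sites cannot drift apart, and refuses weak algorithm choices before anything is committed to a firewall. The site names, public addresses, interface names, subnets and the pre-shared key are constructed for the example, and the list of algorithms considered strong enough is the example's own policy choice, not something the page prescribes.

```python
from __future__ import annotations
from dataclasses import dataclass

# Junos CLI values this example accepts (assumption: the example's own policy choice).
STRONG_DH = {"group14", "group19", "group20", "group24"}
STRONG_IKE_AUTH = {"sha-256", "sha-384"}
STRONG_IKE_ENC = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}
STRONG_IPSEC_AUTH = {"hmac-sha-256-128"}
STRONG_IPSEC_ENC = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}


@dataclass(frozen=True)
class Site:
    name: str                # used only for labelling output, e.g. "PARIS"
    public_ip: str           # address the peer's IKE gateway points at
    external_interface: str  # interface carrying public_ip
    external_zone: str       # zone of external_interface; IKE must be host-inbound there
    lan: str                 # local subnet in CIDR notation


@dataclass(frozen=True)
class Crypto:
    """Parameters that must be identical on both firewalls."""
    psk: str
    dh_group: str = "group14"
    ike_auth: str = "sha-256"
    ike_enc: str = "aes-256-cbc"
    ipsec_auth: str = "hmac-sha-256-128"
    ipsec_enc: str = "aes-256-cbc"
    pfs_group: str = "group14"


def validate(c: Crypto) -> None:
    """Reject weak or unknown parameters before they reach a firewall."""
    for value, allowed, what in (
        (c.dh_group, STRONG_DH, "dh-group"),
        (c.pfs_group, STRONG_DH, "perfect-forward-secrecy keys"),
        (c.ike_auth, STRONG_IKE_AUTH, "ike authentication-algorithm"),
        (c.ike_enc, STRONG_IKE_ENC, "ike encryption-algorithm"),
        (c.ipsec_auth, STRONG_IPSEC_AUTH, "ipsec authentication-algorithm"),
        (c.ipsec_enc, STRONG_IPSEC_ENC, "ipsec encryption-algorithm"),
    ):
        if value not in allowed:
            raise ValueError(f"{what} {value!r} is weak or unknown; use one of {sorted(allowed)}")
    if len(c.psk) < 20 or not c.psk.isalnum():
        raise ValueError("pre-shared key must be a long random alphanumeric string (>= 20 chars)")


def render(vpn: str, local: Site, remote: Site, c: Crypto, unit: int) -> list[str]:
    """Set commands for one firewall, following the page's template and naming scheme."""
    validate(c)
    ike_prop, ike_pol, ike_gw = f"IKE-PROPOSAL_{vpn}", f"IKE-POLICY_{vpn}", f"IKE-GW_{vpn}"
    ip_prop, ip_pol, ip_vpn = f"IPSEC-PROPOSAL_{vpn}", f"IPSEC-POLICY_{vpn}", f"IPSEC-VPN_{vpn}"
    zone, st0 = f"ZONE_VPN_{vpn}", f"st0.{unit}"
    lines = [
        # Phase 1: IKEv1 main mode with a pre-shared key
        f"set security ike proposal {ike_prop} authentication-method pre-shared-keys",
        f"set security ike proposal {ike_prop} dh-group {c.dh_group}",
        f"set security ike proposal {ike_prop} authentication-algorithm {c.ike_auth}",
        f"set security ike proposal {ike_prop} encryption-algorithm {c.ike_enc}",
        f"set security ike proposal {ike_prop} lifetime-seconds 28800",
        f"set security ike policy {ike_pol} mode main",
        f"set security ike policy {ike_pol} proposals {ike_prop}",
        f"set security ike policy {ike_pol} pre-shared-key ascii-text {c.psk}",
        f"set security ike gateway {ike_gw} ike-policy {ike_pol}",
        f"set security ike gateway {ike_gw} address {remote.public_ip}",
        f"set security ike gateway {ike_gw} external-interface {local.external_interface}",
        # Phase 2: ESP with PFS, bound to the st0 tunnel interface
        f"set security ipsec proposal {ip_prop} protocol esp",
        f"set security ipsec proposal {ip_prop} authentication-algorithm {c.ipsec_auth}",
        f"set security ipsec proposal {ip_prop} encryption-algorithm {c.ipsec_enc}",
        f"set security ipsec proposal {ip_prop} lifetime-seconds 3600",
        f"set security ipsec policy {ip_pol} perfect-forward-secrecy keys {c.pfs_group}",
        f"set security ipsec policy {ip_pol} proposals {ip_prop}",
        f"set security ipsec vpn {ip_vpn} bind-interface {st0}",
        f"set security ipsec vpn {ip_vpn} ike gateway {ike_gw}",
        f"set security ipsec vpn {ip_vpn} ike idle-time 180",
        f"set security ipsec vpn {ip_vpn} ike ipsec-policy {ip_pol}",
        f"set security ipsec vpn {ip_vpn} establish-tunnels immediately",
        # Routing and zones; IKE is host-inbound on the external zone, not on the st0 zone
        f"set interfaces st0 unit {unit} family inet",
        f"set routing-options static route {remote.lan} next-hop {st0}",
        f"set security zones security-zone {zone} interfaces {st0}",
        f"set security zones security-zone {local.external_zone} host-inbound-traffic system-services ike",
        f"set security zones security-zone trust address-book address subnet-local {local.lan}",
        f"set security zones security-zone {zone} address-book address subnet-remote {remote.lan}",
    ]
    # Security policies in both directions ("application any" as on the page; narrow it in production)
    for fz, tz, src, dst in ((zone, "trust", "subnet-remote", "subnet-local"),
                             ("trust", zone, "subnet-local", "subnet-remote")):
        base = f"set security policies from-zone {fz} to-zone {tz} policy {fz}-TO-{tz}"
        lines += [f"{base} match source-address {src}", f"{base} match destination-address {dst}",
                  f"{base} match application any", f"{base} then permit"]
    return lines


def shared_parameters(lines: list[str]) -> set[str]:
    """The lines that must be byte-identical on both firewalls (proposals, PFS, key)."""
    return {l for l in lines if " proposal " in l or "perfect-forward-secrecy" in l or "pre-shared-key" in l}


# Constructed example sites (documentation address ranges) and a constructed key: generate your own.
SITE_A = Site("PARIS", "203.0.113.10", "ge-0/0/0.0", "untrust", "10.1.0.0/24")
SITE_B = Site("LYON", "198.51.100.20", "ge-0/0/0.0", "untrust", "10.2.0.0/24")
CRYPTO = Crypto(psk="x7Kq9LmP2vT4wZ8nB3cR6yH1")
CONFIG = {SITE_A.name: render("PARIS-LYON", SITE_A, SITE_B, CRYPTO, 0),
          SITE_B.name: render("PARIS-LYON", SITE_B, SITE_A, CRYPTO, 0)}

if __name__ == "__main__":
    for site, cmds in CONFIG.items():
        print(f"# {site}")
        print("\n".join(cmds))
```

Paste each site's block into "configure" on the matching firewall and commit; the only differences between the two outputs are the peer address, the external interface and zone, and which subnet is local versus remote, which is exactly what a site-to-site tunnel should look like.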