Example: Configure an IPsec VPN Between a vSRX Virtual Firewall and a Microsoft Azure Virtual Network Gateway
This example shows how to configure an IPsec VPN between a vSRX virtual firewall instance and a virtual network gateway in Microsoft Azure.
Before You Begin
Ensure that you have deployed and launched a vSRX virtual firewall instance in a Microsoft Azure virtual network (VNet).
See the SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.
Overview
You can use an IPsec VPN to protect traffic between two VNets in Microsoft Azure, with a vSRX virtual firewall protecting one VNet and an Azure virtual network gateway protecting the other. The vSRX side is a route-based VPN: the tunnel is bound to the st0.1 interface, and a static route for the remote VNet prefix steers traffic into it.
vSRX Virtual Firewall IPsec VPN Configuration
Procedure
Step-by-Step Procedure
To configure the IPsec VPN on the vSRX virtual firewall:
Log in to the vSRX virtual firewall in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses for the vSRX virtual firewall interfaces. ge-0/0/0 faces the Azure gateway (untrust), ge-0/0/1 faces the local VNet subnet (trust), and st0.1 is the tunnel interface the VPN is bound to.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24
Configure the untrust security zone. The ike system service must be allowed inbound on this zone; otherwise the Azure gateway's IKE packets (UDP 500/4500) are dropped before negotiation starts.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1
Configure the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA mode main
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 52.175.210.65
set security ike gateway gw-siteB version v2-only
set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note: Be sure to replace 52.175.210.65 in this example with the public IP address of your Azure virtual network gateway. The mode main statement applies to IKEv1 only; because the gateway is set to version v2-only (the Azure route-based gateway negotiates IKEv2), it has no effect here. dh-group group2 is 1024-bit MODP, which is below current recommendations; if your Azure IPsec/IKE policy allows it, use group14 or an ECP group on both sides instead.
Configure IPsec.
The following example shows a vSRX virtual firewall IPsec configuration using the AES-CBC encryption algorithm with a separate HMAC-SHA1 integrity algorithm:
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ike-phase1-policyA proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
If desired, you can use AES-GCM as the encryption algorithm in the vSRX virtual firewall IPsec configuration instead of CBC. AES-GCM is an AEAD cipher that provides integrity protection itself, so no authentication-algorithm statement is configured:
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ike-phase1-policyA proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure routing. The default route points at 10.0.0.1, the first address of the ge-0/0/0 subnet, which Azure uses as the subnet's default gateway; the remote VNet prefix 10.20.20.0/24 is routed into the tunnel through st0.1. Then commit the configuration.
set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1
commit
Microsoft Azure Virtual Network Gateway Configuration
Procedure
Step-by-Step Procedure
To configure the Microsoft Azure virtual network gateway, see the following Microsoft Azure procedure:
Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections
Ensure that the IPsec/IKE parameters on the Microsoft Azure virtual network gateway (DH group, IKE encryption and integrity, IPsec encryption and integrity, PFS group, and SA lifetimes) match the vSRX virtual firewall's parameters; if any of them differ, the site-to-site VPN connection will not form.
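A check for the requirement above, added here as an example and not code from Juniper or Microsoft: it parses the vSRX set security ike/ipsec lines from the procedure, translates them into the field names and algorithm identifiers of an Azure IpsecPolicy (assumed to be the JSON shape printed by az network vpn-connection ipsec-policy list), reports every field on which the two sides disagree, and flags primitives such as DHGroup2 or SHA-1 that a reviewer would replace. The Junos-to-Azure mapping tables and both sample inputs are assumptions constructed for this example.

```python
"""Check that a vSRX IKE/IPsec configuration agrees with an Azure IPsec/IKE policy.

Added example (not Juniper or Microsoft code). The Azure policy is assumed to use
the field names returned by `az network vpn-connection ipsec-policy list`.
"""
import re

# Junos algorithm names -> Azure IpsecPolicy values (assumed mapping).
IKE_ENC = {"aes-256-cbc": "AES256", "aes-192-cbc": "AES192",
           "aes-128-cbc": "AES128", "3des-cbc": "DES3"}
IKE_AUTH = {"sha-256": "SHA256", "sha-384": "SHA384", "sha1": "SHA1", "md5": "MD5"}
DH = {"group2": "DHGroup2", "group14": "DHGroup14", "group24": "DHGroup24",
      "group19": "ECP256", "group20": "ECP384"}
IPSEC_ENC = dict(IKE_ENC, **{"aes-256-gcm": "GCMAES256", "aes-192-gcm": "GCMAES192",
                             "aes-128-gcm": "GCMAES128"})
IPSEC_AUTH = {"hmac-sha1-96": "SHA1", "hmac-sha-256-128": "SHA256", "hmac-md5-96": "MD5"}
PFS = {"group2": "PFS2", "group14": "PFS2048", "group24": "PFS24",
       "group19": "ECP256", "group20": "ECP384"}
# Primitives a reviewer would push back on, with the reason.
WEAK = {"DHGroup2": "1024-bit MODP", "PFS2": "1024-bit MODP", "SHA1": "SHA-1",
        "MD5": "MD5", "DES3": "3DES"}

SET_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (.+)$")


def parse_vsrx(config_text):
    """Collect 'set security ike|ipsec proposal|policy <name> <leaf> <value>' lines."""
    tree = {"ike": {"proposal": {}, "policy": {}}, "ipsec": {"proposal": {}, "policy": {}}}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        proto, kind, name, rest = m.groups()
        tokens = rest.split()
        node = tree[proto][kind].setdefault(name, {})
        if tokens[0] == "perfect-forward-secrecy":   # 'perfect-forward-secrecy keys groupN'
            node["pfs"] = tokens[-1]
        else:                                        # e.g. 'dh-group group2'
            node[tokens[0]] = " ".join(tokens[1:])
    return tree


def vsrx_to_azure(tree, ike_proposal, ipsec_policy):
    """Express the vSRX proposals referenced by the given names as an Azure IpsecPolicy."""
    ike = tree["ike"]["proposal"][ike_proposal]
    pol = tree["ipsec"]["policy"][ipsec_policy]
    ipsec = tree["ipsec"]["proposal"][pol["proposals"]]
    enc = IPSEC_ENC[ipsec["encryption-algorithm"]]
    # AES-GCM is AEAD: Junos sets no authentication-algorithm, Azure wants integrity == encryption.
    integ = enc if enc.startswith("GCMAES") else IPSEC_AUTH[ipsec["authentication-algorithm"]]
    return {
        "dhGroup": DH[ike["dh-group"]],
        "ikeEncryption": IKE_ENC[ike["encryption-algorithm"]],
        "ikeIntegrity": IKE_AUTH[ike["authentication-algorithm"]],
        "ipsecEncryption": enc,
        "ipsecIntegrity": integ,
        "pfsGroup": PFS[pol["pfs"]] if "pfs" in pol else "None",
        "saLifeTimeSeconds": int(ipsec.get("lifetime-seconds", 3600)),  # Junos default 3600
        "saDataSizeKilobytes": int(ipsec["lifetime-kilobytes"]) if "lifetime-kilobytes" in ipsec else None,
    }


def mismatches(expected, azure_policy):
    """Return {field: (vsrx_value, azure_value)} for each field the two sides disagree on."""
    return {k: (v, azure_policy.get(k)) for k, v in expected.items()
            if v is not None and azure_policy.get(k) != v}


def weak_settings(policy):
    """Name the negotiated primitives that are below current recommendations."""
    return sorted({f"{k}={v} ({WEAK[v]})" for k, v in policy.items() if v in WEAK})


# Constructed sample: the page's IKE proposal plus the AES-GCM IPsec variant.
VSRX_CONFIG = """
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ike-phase1-policyA proposals ipsec-proposalA
"""

# Constructed sample: what the Azure side reports for the matching custom policy.
AZURE_POLICY = {"dhGroup": "DHGroup2", "ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
                "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "None",
                "saLifeTimeSeconds": 7200, "saDataSizeKilobytes": 102400000}


def check(config_text=VSRX_CONFIG, azure_policy=AZURE_POLICY):
    """Return (mismatched fields, weak primitives) for the vSRX config against the Azure policy."""
    expected = vsrx_to_azure(parse_vsrx(config_text), "ike-phase1-proposalA", "ike-phase1-policyA")
    return mismatches(expected, azure_policy), weak_settings(expected)


if __name__ == "__main__":
    diff, weak = check()
    print("mismatches:", diff or "none")
    print("weak primitives:", weak or "none")
```

Run it after pasting the real output of az network vpn-connection ipsec-policy list into AZURE_POLICY: an empty mismatch dict means the two sides will agree on a proposal, while the weak list tells you what to tighten on both ends (for the page's configuration it reports only dhGroup=DHGroup2).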
Verify active VPN tunnels.
Verify that the tunnel is up between the vSRX virtual firewall instance and the Azure virtual network gateway.
root@> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
8290401  UP     b1adf15fc3dfe0b0  89cc2a12cb7e3cd7  IKEv2  52.175.210.65
root@> show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm             SPI       Life:sec/kb      Mon lsys  Port  Gateway
  <131073  ESP:aes-gcm-256/None  c0e154e2  5567/ 102399997  -   root  4500  52.175.210.65
  >131073  ESP:aes-gcm-256/None  383bd606  5567/ 102399997  -   root  4500  52.175.210.65
The IKE SA shows State UP and Mode IKEv2, and the IPsec output shows one inbound (<) and one outbound (>) SA with the negotiated algorithm (here aes-gcm-256, from the AES-GCM variant). Port 4500 indicates that ESP is running in UDP encapsulation (NAT-T), which is expected because the vSRX's public address in Azure is NATed to its private interface address 10.0.0.10.