Juniper SRX и Libreswan (и ещё StrongSwan)

Тема ipsec в этом блоге поднимается часто, особенно в последнее время. Это и неудивительно – мне по работе частенько приходится объединять разные роутеры и виртуалки через IPSec (например, Mikrotik и libreswan, Mikrotik и Juniper, или Juniper и Cisco).

А теперь мы попробуем ещё одну связку – Juniper SRX и linux-виртуалку. В качестве ipsec-демона будем использовать Libreswan и Strongswan (кому что больше нравится).

Итак, поехали!

Для начала сконфигурирем наш SRX. Я использую последний доступный софт из ветки 15.1X49: JUNOS 15.1X49-D120.3. Связано это с тем, что связка IKEv2+Traffic selectors не работает на более младшем софте, а без IKEv2 у меня не получилось запустить туннель из-за NAT. Предполагаается, что у SRX есть белый статический адрес.
[cc]
set security ike policy IKE-NIXMAN mode main
set security ike policy IKE-NIXMAN proposals MD5-AES128-2-86400
set security ike policy IKE-NIXMAN pre-shared-key ascii-text “$9$vW38-wgoZk.569RclKx7.Pf5Q369tuBR/CX-b2JZfTzF9pEcyKWXRE87”
set security ike gateway GW-NIXMAN ike-policy IKE-NIXMAN
set security ike gateway GW-NIXMAN address 1.2.3.4
set security ike gateway GW-NIXMAN external-interface ge-0/0/0.0
set security ike gateway GW-NIXMAN version v2-only
set security ipsec vpn VPN-NIXMAN bind-interface st0.1
set security ipsec vpn VPN-NIXMAN ike gateway GW-NIXMAN
set security ipsec vpn VPN-NIXMAN ike ipsec-policy MD5-AES128-3600-2-policy
set security ipsec vpn VPN-NIXMAN traffic-selector TS-01 local-ip 10.0.0.0/8
set security ipsec vpn VPN-NIXMAN traffic-selector TS-01 remote-ip 172.16.43.254/32
set security ipsec vpn VPN-NIXMAN establish-tunnels immediately

set security ike proposal MD5-AES128-2-86400 description ike-phase1-proposal1
set security ike proposal MD5-AES128-2-86400 authentication-method pre-shared-keys
set security ike proposal MD5-AES128-2-86400 dh-group group2
set security ike proposal MD5-AES128-2-86400 authentication-algorithm md5
set security ike proposal MD5-AES128-2-86400 encryption-algorithm aes-128-cbc
set security ike proposal MD5-AES128-2-86400 lifetime-seconds 86400
set security ike policy IKE-NIXMAN proposals MD5-AES128-2-86400

set security ipsec proposal MD5-AES128-3600 description ipsec-phase2-proposal
set security ipsec proposal MD5-AES128-3600 protocol esp
set security ipsec proposal MD5-AES128-3600 authentication-algorithm hmac-md5-96
set security ipsec proposal MD5-AES128-3600 encryption-algorithm aes-128-cbc
set security ipsec proposal MD5-AES128-3600 lifetime-seconds 3600
set security ipsec policy MD5-AES128-3600-2-policy description ipsec-phase2-policy
set security ipsec policy MD5-AES128-3600-2-policy perfect-forward-secrecy keys group2
set security ipsec policy MD5-AES128-3600-2-policy proposals MD5-AES128-3600
[/cc]

Здесь 1.2.3.4 – адрес удалённого пира
10.0.0.0/8 – сеть на нашей стороне
172.16.43.254/32 – сеть на удалённой стороне
Шифрование можно выбрать и посильнее, но тут надо учитывать

Конфигурация удалённого пира (в случае libreswan) будет следующая (/etc/ipsec.d/nixman.conf):
[cc]
conn srx
authby=secret
auto=start
type=tunnel
esp=aes128-md5;modp1024
ike=aes128-md5;modp1024
ikelifetime=86400s
keylife=3600s
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
fragmentation=yes
ikev2=insist
narrowing=yes
leftid=1.2.3.4
left=172.16.43.254
leftsourceip=172.16.43.254
right=4.3.2.1
leftsubnet=172.16.43.254/32
rightsubnet=10.0.0.0/8
[/cc]

Наша виртуалка располагается за NAT, и имеет адрес 172.16.43.254 (что мы и указываем).
Если бы у нас была виртуалка с честным белым адресом, конфиг выглядел бы чуть-чуть иначе :
[cc]
conn srx
authby=secret
auto=start
type=tunnel
esp=aes128-md5;modp1024
ike=aes128-md5;modp1024
ikelifetime=86400s
keylife=3600s
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
fragmentation=yes
ikev2=insist
narrowing=yes
left=1.2.3.4
right=4.3.2.1
leftsubnet=172.16.43.254/32
rightsubnet=10.0.0.0/8
[/cc]
В принципе, при этом даже не обязательно использовать ikev2 (я его включил просто по той причине, что с v1 не работал NAT-T).

Файл /etc/ipsec.secrets:
[cc]1.2.3.4 4.3.2.1 : PSK “VeRy$tR0nGp@s$w0rD”[/cc]

А вот так будет выглядеть конфиг для StrongSwan (/etc/ipsec.d/nixman.conf):
[cc]config setup

conn %default
keyexchange = ikev2
authby = psk
keyingtries = %forever
ike = aes128-md5-modp1024!
ikelifetime = 24h
esp = aes128-md5-modp1024!
keylife = 1h
right = 4.3.2.1
dpdaction = restart
closeaction = restart
rightsubnet = 10.0.0.0/8
auto = start

conn ts-01
leftsubnet = 172.16.43.254/32
[/cc]

/etc/ipsec.d/nixman.secret:
[cc]1.2.3.4 : PSK “VeRy$tR0nGp@s$w0rD”
4.3.2.1 : PSK “VeRy$tR0nGp@s$w0rD”[/cc]

При успешном подключении должно быть так:
[cc]
admin@srx340-02> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7937209 UP 8fb291a33b5bcbb4 742ad541fcbb8f2c IKEv2 1.2.3.4

admin@srx340-02> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<67108867 ESP:aes-cbc-128/md5 cd9e67ad 3169/ unlim - root 4500 1.2.3.4 >67108867 ESP:aes-cbc-128/md5 e57ed5c1 3169/ unlim – root 4500 1.2.3.4
[/cc]

и вот так (пример для libreswan):
[cc]

root@server:~# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.43.254@4500
000 interface eth0/eth0 172.16.43.254@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.16, pluto_vendorid=OE-Libreswan-3.16
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0
000 secctx-attr-type=
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 – allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,201,64} trans={0,201,6144} attrs={0,201,4096}
000
000 Connection list:
000
000 “srx”: 172.16.43.254/32===172.16.43.254<172.16.43.254>[1.2.3.4]…4.3.2.1<4.3.2.1>===10.0.0.0/8; prospective erouted; eroute owner: #0
000 “srx”: oriented; my_ip=unset; their_ip=unset
000 “srx”: xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 “srx”: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 “srx”: labeled_ipsec:no;
000 “srx”: policy_label:unset;
000 “srx”: ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 “srx”: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 “srx”: sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 “srx”: policy: PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW;
000 “srx”: conn_prio: 32,8; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 “srx”: dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 “srx”: newest ISAKMP SA: #0; newest IPsec SA: #0;
000 “srx”: IKE algorithms wanted: AES_CBC(7)_128-MD5(1)_000-MODP1024(2)
000 “srx”: IKE algorithms found: AES_CBC(7)_128-MD5(1)_128-MODP1024(2)
000 “srx”: ESP algorithms wanted: AES(12)_128-MD5(1)_000; pfsgroup=MODP1024(2)
000 “srx”: ESP algorithms loaded: AES(12)_128-MD5(1)_000
000 “srx”[1]: 172.16.43.254<172.16.43.254>[1.2.3.4]…4.3.2.1<4.3.2.1>===10.0.0.0/8; erouted; eroute owner: #398
000 “srx”[1]: oriented; my_ip=unset; their_ip=unset
000 “srx”[1]: xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 “srx”[1]: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 “srx”[1]: labeled_ipsec:no;
000 “srx”[1]: policy_label:unset;
000 “srx”[1]: ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 “srx”[1]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 “srx”[1]: sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 “srx”[1]: policy: PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW;
000 “srx”[1]: conn_prio: 32,8; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 “srx”[1]: dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 “srx”[1]: newest ISAKMP SA: #397; newest IPsec SA: #398;
000 “srx”[1]: IKE algorithms wanted: AES_CBC(7)_128-MD5(1)_000-MODP1024(2)
000 “srx”[1]: IKE algorithms found: AES_CBC(7)_128-MD5(1)_128-MODP1024(2)
000 “srx”[1]: IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_MD5_96-PRF_HMAC_MD5-MODP1024
000 “srx”[1]: ESP algorithms wanted: AES(12)_128-MD5(1)_000; pfsgroup=MODP1024(2)
000 “srx”[1]: ESP algorithms loaded: AES(12)_128-MD5(1)_000
000 “srx”[1]: ESP algorithm newest: AES_128-HMAC_MD5; pfsgroup=MODP1024
000 “v6neighbor-hole-in”: ::/0===::1<::1>:58/34560…%any:58/34816===::/0; prospective erouted; eroute owner: #0
000 “v6neighbor-hole-in”: oriented; my_ip=unset; their_ip=unset
000 “v6neighbor-hole-in”: xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 “v6neighbor-hole-in”: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 “v6neighbor-hole-in”: labeled_ipsec:no;
000 “v6neighbor-hole-in”: policy_label:unset;
000 “v6neighbor-hole-in”: ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 “v6neighbor-hole-in”: retransmit-interval: 0ms; retransmit-timeout: 0s;
000 “v6neighbor-hole-in”: sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 “v6neighbor-hole-in”: policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;
000 “v6neighbor-hole-in”: conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset; mark: unset;
000 “v6neighbor-hole-in”: newest ISAKMP SA: #0; newest IPsec SA: #0;
000 “v6neighbor-hole-out”: ::/0===::1<::1>:58/34816…%any:58/34560===::/0; prospective erouted; eroute owner: #0
000 “v6neighbor-hole-out”: oriented; my_ip=unset; their_ip=unset
000 “v6neighbor-hole-out”: xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 “v6neighbor-hole-out”: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 “v6neighbor-hole-out”: labeled_ipsec:no;
000 “v6neighbor-hole-out”: policy_label:unset;
000 “v6neighbor-hole-out”: ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 “v6neighbor-hole-out”: retransmit-interval: 0ms; retransmit-timeout: 0s;
000 “v6neighbor-hole-out”: sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 “v6neighbor-hole-out”: policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;
000 “v6neighbor-hole-out”: conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset; mark: unset;
000 “v6neighbor-hole-out”: newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 4, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #398: “srx”[1] 4.3.2.1:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_EXPIRE in 2818s; newest IPSEC; eroute owner; isakmp#397; idle; import:respond to stranger
000 #398: “srx”[1] 4.3.2.1 esp.cd9e67ad@4.3.2.1 esp.e57ed5c1@172.16.43.254 tun.0@4.3.2.1 tun.0@172.16.43.254 ref=0 refhim=4294901761 Traffic: ESPin=33KB ESPout=304KB! ESPmax=0B
000 #397: “srx”[1] 4.3.2.1:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_EXPIRE in 85618s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #397: “srx”[1] 4.3.2.1 ref=0 refhim=0 Traffic:
000
000 Bare Shunt list:
000
[/cc]

наконец, проверяем, что пинги ходят в обе стороны (не забудьте про маршруты) и защищённые сети доступны с обеих сторон.

Вот, собственно, всё =)

3 Comments

  1. А если наоборот, у SRX серый адрес, а на linux ПК белый? Не получится туннель построить?

    1. Главное, чтобы трафик на udp500/udp4500 прокидывался на srx.
      В этом случае нужно будет включить опцию nat-t на коробке и проблем быть не должно

Leave a Reply