[Juniper SRX] Implementasi Site-to-Site VPN

Post Views: 4,409

Bagian ini perlu saya tulis, karena ini adalah salah part yang cukup penting dan banyak kebutuhan yang membutuhkan koneksi vpn. Perlu diketahui di juniper ada ada dua macam site-to-site (s2s), yaitu route based vpn dan policy based vpn. Beda nya apa? jadi klo policy based vpn itu untuk kebutuhan jika site remote adalah platform yang berbeda, sama yang kedua adalah jika ada hanya satu client atau satu subnet yang terkoneksi. Nah jadi jika ada design yang complex kira2, misalanya vpn hub-and-spoko, or site remote nya banyak, maka itu membutuhkan route based vpn, jiak nanti membutuhkan implementas nat, menghindari overlapping address, terus menggunakan dynamic routing procotol, ini juga harus menggunakan route based vpn. Jadi pada kesempatan ini kita akan coba setup route-based s2s vpn dengan konfigurasi dan design standar.

Ini adalah contoh design yang nanti akan kita konfigurasi, RouteCloud-HQ dan Branch1, keduanya menggunakan platform juniper SRX. Mari kita lihat tabel konfigurasi SRX untuk masing-masing site nya.

Kemudian yang kedua adalah konfigurasi untuk SRX Branch1

Jika anda perhatikan table di atas, maka anda seharusnya sudah tau parameter apa saja yang perlu di configure.

#RouteCloud-HQ

Interface Configuration, Zone, Routing Static, Rule-policy

set interfaces ge-0/0/0 unit 0 family inet address 172.172.16.1/29
set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.1/24
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.100.100.1/24

set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ping

set routing-options static route 10.30.30.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 172.172.16.6

set security policies from-zone Private to-zone VPN policy permit-private-vpn match source-address any
set security policies from-zone Private to-zone VPN policy permit-private-vpn match destination-address any
set security policies from-zone Private to-zone VPN policy permit-private-vpn match application any
set security policies from-zone Private to-zone VPN policy permit-private-vpn then permit
set security policies from-zone VPN to-zone Private policy permit-private-vpn match source-address any
set security policies from-zone VPN to-zone Private policy permit-private-vpn match destination-address any
set security policies from-zone VPN to-zone Private policy permit-private-vpn match application any
set security policies from-zone VPN to-zone Private policy permit-private-vpn then permit

set interfaces ge-0/0/0 unit 0 family inet address 172.172.16.1/29

set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.1/24

set interfaces st0 unit 0 point-to-point

set interfaces st0 unit 0 family inet address 10.100.100.1/24

set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic protocols all

set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ping

set routing-options static route 10.30.30.0/24 next-hop st0.0

set routing-options static route 0.0.0.0/0 next-hop 172.172.16.6

set security policies from-zone Private to-zone VPN policy permit-private-vpn match source-address any

set security policies from-zone Private to-zone VPN policy permit-private-vpn match destination-address any

set security policies from-zone Private to-zone VPN policy permit-private-vpn match application any

set security policies from-zone Private to-zone VPN policy permit-private-vpn then permit

set security policies from-zone VPN to-zone Private policy permit-private-vpn match source-address any

set security policies from-zone VPN to-zone Private policy permit-private-vpn match destination-address any

set security policies from-zone VPN to-zone Private policy permit-private-vpn match application any

set security policies from-zone VPN to-zone Private policy permit-private-vpn then permit

IKE Phase 1 Configuration:

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-phase1-proposal lifetime-seconds 28000

set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "bunyamin123"

set security ike gateway gw-branch1 ike-policy ike-phase1-policy
set security ike gateway gw-branch1 address 172.173.17.1
set security ike gateway gw-branch1 external-interface ge-0/0/0

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys

set security ike proposal ike-phase1-proposal dh-group group2

set security ike proposal ike-phase1-proposal authentication-algorithm sha1

set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc

set security ike proposal ike-phase1-proposal lifetime-seconds 28000

set security ike policy ike-phase1-policy mode main

set security ike policy ike-phase1-policy proposals ike-phase1-proposal

set security ike policy ike-phase1-policy pre-shared-key ascii-text "bunyamin123"

set security ike gateway gw-branch1 ike-policy ike-phase1-policy

set security ike gateway gw-branch1 address 172.173.17.1

set security ike gateway gw-branch1 external-interface ge-0/0/0

IPSec Phase 2 Configuration:

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn ike-vpn-branch1 bind-interface st0.0
set security ipsec vpn ike-vpn-branch1 ike gateway gw-branch1
set security ipsec vpn ike-vpn-branch1 ike ipsec-policy ipsec-phase2-policy

set security ipsec proposal ipsec-phase2-proposal protocol esp

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96

set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc

set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2

set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn ike-vpn-branch1 bind-interface st0.0

set security ipsec vpn ike-vpn-branch1 ike gateway gw-branch1

set security ipsec vpn ike-vpn-branch1 ike ipsec-policy ipsec-phase2-policy

#Branch Configuration

Interface Configuration, Zone, Routing Static, Rule-policy

set interfaces ge-0/0/0 unit 0 family inet address 172.173.17.1/29
set interfaces ge-0/0/1 unit 0 family inet address 10.30.30.1/24
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.100.100.2/24

set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ping


set routing-options static route 0.0.0.0/0 next-hop 172.173.17.6
set routing-options static route 10.20.20.0/24 next-hop st0.0

set security policies from-zone Private to-zone VPN policy permit-private-vpn match source-address any
set security policies from-zone Private to-zone VPN policy permit-private-vpn match destination-address any
set security policies from-zone Private to-zone VPN policy permit-private-vpn match application any
set security policies from-zone Private to-zone VPN policy permit-private-vpn then permit
set security policies from-zone VPN to-zone Private policy permit-private-vpn match source-address any
set security policies from-zone VPN to-zone Private policy permit-private-vpn match destination-address any
set security policies from-zone VPN to-zone Private policy permit-private-vpn match application any
set security policies from-zone VPN to-zone Private policy permit-private-vpn then permit

set interfaces ge-0/0/0 unit 0 family inet address 172.173.17.1/29

set interfaces ge-0/0/1 unit 0 family inet address 10.30.30.1/24

set interfaces st0 unit 0 point-to-point

set interfaces st0 unit 0 family inet address 10.100.100.2/24

set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

set security zones security-zone Public interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone Private interfaces ge-0/0/1.0 host-inbound-traffic protocols all

set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ping

set routing-options static route 0.0.0.0/0 next-hop 172.173.17.6

set routing-options static route 10.20.20.0/24 next-hop st0.0