
Configuring SRX Dynamic VPN, version 2

Juniper SRX240 Dynamic VPN Configuration Guide

Revision history

Date        Revision   Description     Author
2010-3-16   1.0        Initial draft   卢泓
2010-4-12   2.0        Revision        卢泓

Digital China (Shenzhen) Co., Ltd. (神州数码(深圳)有限公司)

1 Juniper SRX240 Dynamic VPN configuration topology

2 Overview

Dynamic VPN on the Juniper SRX series firewalls is a clientless IPsec VPN: the client PC does not need a pre-installed dial-up client to build a VPN tunnel to the VPN gateway.

In practice, once the client passes web authentication, the SRX pushes a client software package down to the client PC, much as a Juniper SA pushes the NC (Network Connect) client to the user.

Dynamic VPN is currently supported only on certain SRX platforms, and the feature must be activated with a feature license.

Platform support

Feature license support

The SRX needs a license to activate Dynamic VPN; confirm that the corresponding license key is installed on the SRX:

root# run show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0           50           0    permanent

Licenses installed:
  License identifier: JUNOS247349
  License version: 2
  Valid for device: AG3209AA0265
  Features:
    dynamic-vpn-50-clients - Dynamic VPN
      permanent

 

3 Configuration steps

3.1 Access configuration

Define the access profile; authentication can use the local database or an external RADIUS server.

3.2 HTTPS configuration

Enables the HTTPS service on the SRX.

3.3 IKE/IPsec configuration

Configures the parameters for IPsec VPN Phase I and Phase II.

3.4 Dynamic VPN configuration

Defines the protected resources, i.e. the networks that can be reached through the IPsec VPN tunnel.

3.5 Policy configuration

Defines the firewall policies that control the traffic allowed through the IPsec VPN.

The detailed configuration procedure is as follows:

Step 1: Access configuration

Define the web-login user names and passwords, and define the RADIUS server.

Here web-authentication is performed against the RADIUS server.

root# show access
profile ACS_Radius {                   // RADIUS authentication server, used to verify user names and passwords
    authentication-order radius;
    radius-server {
        60.60.60.1 secret "$9$jgkmT69pRhrz3hrev7Nik.Pz3/CtOIE"; ## SECRET-DATA
    }
}
profile dynamic_vpn {                  // local authentication database holding user names and passwords
    client luhongc {
        firewall-user {
            password "$9$Q3dQ3/t1RSM87uO87-V4oz369uOIEclvW"; ## SECRET-DATA
        }
    }
    client vpntest1 {
        firewall-user {
            password "$9$m5nCApBSrv1RrvLXws5QFnAp"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile ACS_Radius;    // web login authenticates via RADIUS here; the local profile dynamic_vpn could be used instead
        banner {
            success "welcome to login VPN";
        }
    }
}

Note:

If web authentication fails, enable debugging to troubleshoot:

set system processes general-authentication-service traceoptions flag all

View the log output:

root# run show log authd

Step 2: HTTPS configuration

root# show system services web-management https
system-generated-certificate;
interface [ ge-0/0/15.0 ge-0/0/0.0 ];

Step 3: IKE/IPsec configuration

Note:

Each Remote Access VPN dial-up user needs its own IKE gateway (Phase I) and VPN (Phase II).

The customer has prepared five test users: vpntest1, vpntest2, vpntest3, vpntest4 and vpntest5.

IKE Phase I configuration:

root# show security ike
traceoptions {
    file IKE size 4m;
    flag all;
}
proposal phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm des-cbc;
    lifetime-seconds 86400;
}
policy ike-policy {
    mode aggressive;
    proposals phase1-proposal;
    pre-shared-key ascii-text "$9$PTF/uORlK8CtK8X7sYfTz3Ct0BIcre"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy;
    dynamic hostname luhongc;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest5 {
    ike-policy ike-policy;
    dynamic hostname vpntest5;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest4 {
    ike-policy ike-policy;
    dynamic hostname vpntest4;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest3 {
    ike-policy ike-policy;
    dynamic hostname vpntest3;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest2 {
    ike-policy ike-policy;
    dynamic hostname vpntest2;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest1 {
    ike-policy ike-policy;
    dynamic hostname vpntest1;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}

IPsec (Phase 2) configuration:

Define the IPsec VPN Phase 2 parameters.

root# show security ipsec
traceoptions {
    flag all;
}
proposal phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals phase2-proposal;
}
vpn dynamic-vpn-test {
    ike {
        gateway ike-gateway1;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest1 {
    ike {
        gateway vpn-test1-gw;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest2 {
    ike {
        gateway ike-vpntest2;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest3 {
    ike {
        gateway ike-vpntest3;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest4 {
    ike {
        gateway ike-vpntest4;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest5 {
    ike {
        gateway ike-vpntest5;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}

 

Note:

To debug the IPsec Phase I and Phase II negotiations:

set security ike traceoptions file IKE
set security ike traceoptions file size 4m
set security ike traceoptions flag all
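The proposals above use single DES, MD5 and DH group 2 for Phase I and 3DES with HMAC-SHA-1 for Phase II, so a reviewer of such a configuration wants an automated way to spot legacy algorithm choices before the device goes into service. The Python script below is an added example, not part of the guide or of Junos: it parses the curly-brace form of the IKE and IPsec stanzas (a constructed copy of the ones above, with the pre-shared key replaced by a placeholder) into nested dictionaries and reports the values worth replacing. The table of flagged values and the wording of each finding are this example's own assumptions. Aggressive mode is reported for awareness only: a hostname-identified dynamic peer using pre-shared keys needs IKEv1 aggressive mode, so the practical mitigation is a long random PSK together with the XAuth user authentication the guide already configures.

```python
"""Audit the IKE/IPsec proposal stanzas of a Junos configuration for
legacy algorithms. Added example; not part of the guide or of Junos."""

# Constructed sample: the Phase I / Phase II stanzas from the guide, with
# the secret replaced by a placeholder.
SAMPLE_CONFIG = """
security {
    ike {
        proposal phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy {
            mode aggressive;
            proposals phase1-proposal;
            pre-shared-key ascii-text "PLACEHOLDER-PSK"; ## SECRET-DATA
        }
    }
    ipsec {
        proposal phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase2-proposal;
        }
    }
}
"""

# Assumed table of values to flag (keyword -> value -> reason); not from the guide.
WEAK = {
    "encryption-algorithm": {
        "des-cbc": "single DES (56-bit key)",
        "3des-cbc": "3DES (64-bit block, deprecated)",
    },
    "authentication-algorithm": {
        "md5": "MD5",
        "hmac-md5-96": "HMAC-MD5",
        "sha1": "SHA-1 (legacy)",
        "hmac-sha1-96": "HMAC-SHA-1 (legacy)",
    },
    "dh-group": {"group1": "768-bit MODP", "group2": "1024-bit MODP"},
    "keys": {"group1": "768-bit MODP for PFS", "group2": "1024-bit MODP for PFS"},
}


def parse_junos(text):
    """Parse curly-brace Junos configuration text into nested dicts.

    A line ending in '{' opens a container keyed by its name; '}' closes it;
    a line ending in ';' is a leaf stored under its full statement text.
    Trailing '## ...' annotations (e.g. SECRET-DATA) are dropped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
    return root


def audit(config):
    """Walk the parsed tree and return a list of findings (path, statement, reason)."""
    findings = []

    def walk(node, path):
        where = " > ".join(path)
        for stmt, child in node.items():
            if child is not None:
                walk(child, path + [stmt])
                continue
            parts = stmt.split()
            if len(parts) == 2 and parts[1] in WEAK.get(parts[0], {}):
                findings.append({"path": where, "statement": stmt,
                                 "reason": WEAK[parts[0]][parts[1]]})
            elif stmt == "mode aggressive" and any(s.startswith("pre-shared-key") for s in node):
                findings.append({"path": where, "statement": stmt,
                                 "reason": "aggressive mode with a pre-shared key: required for "
                                           "dynamic PSK peers, so the PSK must be long and random"})

    walk(config, [])
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit configuration text in one call."""
    return audit(parse_junos(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG):
        print(f"{f['path']}: {f['statement']} -> {f['reason']}")
```

Run against the sample it prints seven findings, one per legacy value in the two proposals and the PFS group, each prefixed with the stanza path so the line can be located in `show configuration` output. The parser only understands the brace form, so feed it `show configuration` output rather than `show configuration | display set`.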

Step 4: Dynamic VPN configuration example

root# show security dynamic-vpn
access-profile ACS_Radius;
clients {
    client1 {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dynamic-vpn-test;
        user {
            luhongc;
        }
    }
    client2 {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dynamic-vpntest1;
        user {
            vpntest1;
            vpntest2;
            vpntest3;
            vpntest4;
            vpntest5;
        }
    }
}

 

Step 5: Policy configuration

Policy from the untrust zone to the trust zone:

root# show security policies from-zone untrust to-zone trust
policy vpn-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dynamic-vpn-test;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
policy vpn-test1-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dynamic-vpntest1;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
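Steps 3 to 5 repeat the same gateway, VPN, client and policy stanzas for every user, and the license shown earlier allows 50 clients, so the per-user fan-out is worth scripting. The Python function below is an added example, not from the guide: it emits the equivalent `set` commands for a list of users, following the note in step 3 that each remote-access user gets its own IKE gateway (Phase I) and VPN (Phase II), and giving each user its own dynamic-vpn client and tunnel policy. The naming scheme (`ike-<user>`, `dynamic-<user>`, `client-<user>`, `<user>-policy`) is an assumption; the shared objects default to the guide's values (`ike-policy`, `ipsec-policy`, `ACS_Radius`, `ge-0/0/0.0`, `192.168.3.0/24`), and the match conditions stay at `any`, as in the guide's policies.

```python
"""Generate Junos 'set' commands for a per-user SRX Dynamic VPN.

Added example; not from the guide. The object names ike-<user>,
dynamic-<user>, client-<user> and <user>-policy are an assumed naming
scheme. Defaults for the shared objects mirror the guide's configuration.
"""


def dynamic_vpn_set_commands(users, ike_policy="ike-policy",
                             ipsec_policy="ipsec-policy",
                             access_profile="ACS_Radius",
                             external_interface="ge-0/0/0.0",
                             protected_resource="192.168.3.0/24",
                             from_zone="untrust", to_zone="trust"):
    """Return the 'set' commands that build one IKE gateway, one IPsec VPN,
    one dynamic-vpn client and one tunnel policy for every name in `users`."""
    if len(set(users)) != len(users):
        raise ValueError("duplicate user names would produce conflicting gateways")
    # The dynamic-vpn access profile is global, so it is set once.
    cmds = [f"set security dynamic-vpn access-profile {access_profile}"]
    for user in users:
        gw, vpn, client, pol = (f"ike-{user}", f"dynamic-{user}",
                                f"client-{user}", f"{user}-policy")
        policy = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {pol}"
        cmds += [
            # Phase I: one gateway per dynamic peer, identified by its IKE hostname
            f"set security ike gateway {gw} ike-policy {ike_policy}",
            f"set security ike gateway {gw} dynamic hostname {user}",
            f"set security ike gateway {gw} external-interface {external_interface}",
            f"set security ike gateway {gw} xauth access-profile {access_profile}",
            # Phase II: one VPN bound to that gateway, brought up on traffic
            f"set security ipsec vpn {vpn} ike gateway {gw}",
            f"set security ipsec vpn {vpn} ike ipsec-policy {ipsec_policy}",
            f"set security ipsec vpn {vpn} establish-tunnels on-traffic",
            # Dynamic VPN client: which user gets which tunnel and what it may reach
            f"set security dynamic-vpn clients {client} remote-protected-resources {protected_resource}",
            f"set security dynamic-vpn clients {client} remote-exceptions 0.0.0.0/0",
            f"set security dynamic-vpn clients {client} ipsec-vpn {vpn}",
            f"set security dynamic-vpn clients {client} user {user}",
            # Tunnel policy with session logging, as in the guide
            f"{policy} match source-address any",
            f"{policy} match destination-address any",
            f"{policy} match application any",
            f"{policy} then permit tunnel ipsec-vpn {vpn}",
            f"{policy} then log session-init",
            f"{policy} then log session-close",
        ]
    return cmds


if __name__ == "__main__":
    # Constructed user list: the five test users from the guide.
    for cmd in dynamic_vpn_set_commands([f"vpntest{i}" for i in range(1, 6)]):
        print(cmd)
```

The output is meant to be pasted into configuration mode with `load set terminal` or applied with `load set <file>`; the per-user stanzas remain visible as separate objects afterwards, which is what makes revoking a single user (deleting that user's gateway, VPN, client and policy) straightforward.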

 

The complete Dynamic VPN configuration on the Juniper SRX240 is as follows:

[edit]
root# show
## Last changed: 2010-04-12 10:45:23 UTC
version 9.6R2.11;
system {
    root-authentication {
        encrypted-password "$1$6xBteVVE$DKKL.F2lE6jQu3Vv8MzfV1"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface [ ge-0/0/0.0 ge-0/0/15.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/15.0 ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                flag all;
            }
        }
    }
}
interfaces {
    traceoptions {
        file TEST size 4m;
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 218.17.165.49/26;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 220.249.253.134/27;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 60.60.60.2/24;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 192.168.3.252/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 218.17.165.62;
        route 220.249.253.0/24 next-hop 220.249.253.129;
        route 211.139.188.0/24 next-hop 220.249.253.129;
        route 124.160.0.0/24 next-hop 220.249.253.129;
        route 222.248.234.0/24 next-hop 220.249.253.129;
    }
}
security {
    ike {
        traceoptions {
            file IKE size 4m;
            flag all;
            flag ike;
        }
        proposal phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        proposal cnc-ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy {
            mode aggressive;
            proposals phase1-proposal;
            pre-shared-key ascii-text "$9$Fdgm6CuRhr8X-O1X-VwaJ369AO1EcyKWL"; ## SECRET-DATA
        }
        policy cnc-ike-policy {
            mode aggressive;
            proposals cnc-ike-proposal;
            pre-shared-key ascii-text "$9$wj2oGk.569pDi9p0BSys24aDiqmfzn/"; ## SECRET-DATA
        }
        gateway ike-gateway1 {
            ike-policy ike-policy;
            dynamic hostname vpntest12;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway vpn-test1-gw {
            ike-policy cnc-ike-policy;
            dynamic hostname vpntest11;
            external-interface ge-0/0/1.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest5 {
            ike-policy ike-policy;
            dynamic hostname vpntest5;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest4 {
            ike-policy ike-policy;
            dynamic hostname vpntest4;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest3 {
            ike-policy ike-policy;
            dynamic hostname vpntest3;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest2 {
            ike-policy ike-policy;
            dynamic hostname vpntest2;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest1 {
            ike-policy ike-policy;
            dynamic hostname vpntest1;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_huatai01 {
            ike-policy ike-policy;
            dynamic hostname s_huatai01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_dongfang01 {
            ike-policy ike-policy;
            dynamic hostname s_dongfang01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_xiangcai01 {
            ike-policy ike-policy;
            dynamic hostname s_xiangcai01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_shenywg01 {
            ike-policy ike-po
