配置SRXDyamicVPNversion2.docx (Configuring SRX Dynamic VPN, version 2)
Source: a 38-page DOCX (271.71 KB) hosted at https://www.bdocx.com/down/11169226.html; only the preview excerpt below is reproduced, and it ends mid-configuration.
Juniper SRX240 Dynamic VPN Configuration Guide

Revision history
Date        Version   Description     Author
2010-3-16   1.0       Initial draft   卢泓
2010-4-12   2.0       Revision        卢泓

神州数码(深圳)有限公司 (Digital China (Shenzhen) Co., Ltd.)

1 Juniper SRX240 Dynamic VPN topology
(The topology diagram is not reproduced in this excerpt.)

2 Overview

Dynamic VPN on the Juniper SRX series firewalls is a clientless IPsec VPN: the client PC needs no VPN dial-up software installed in advance to build a tunnel to the VPN gateway. In practice, once the client passes web authentication, the SRX automatically pushes a client program down to the PC, much as a Juniper SA pushes its NC (Network Connect) client. Dynamic VPN is currently supported on only some SRX platforms, and it must be activated with a feature license.

Platform and feature-license support

The SRX needs a license to activate Dynamic VPN; confirm that the corresponding license key is installed:

root# run show system license
License usage:
                                 Licenses   Licenses   Licenses   Expiry
  Feature name                       used  installed     needed
  dynamic-vpn                           0         50          0  permanent

Licenses installed:
  License identifier: JUNOS247349
  License version: 2
  Valid for device: AG3209AA0265
  Features:
    dynamic-vpn-50-clients - Dynamic VPN
      permanent

3 Configuration steps

3.1 Access configuration: define the access profile, which can authenticate against a local user database or an external RADIUS server.
3.2 HTTPS configuration: enable the HTTPS service on the SRX.
3.3 IKE/IPsec configuration: set the Phase 1 and Phase 2 parameters of the IPsec VPN.
3.4 Dynamic VPN configuration: define the protected resources, i.e. the subnets reachable through the IPsec tunnel.
3.5 Policy configuration: define the firewall policies that control which traffic may pass through the IPsec VPN.

The detailed configuration follows.

Step 1: Access configuration

Define the web-login usernames and passwords and the RADIUS server. In this deployment web-authentication is done against the RADIUS server.

root# show access
profile ACS_Radius {                 /* RADIUS server used to authenticate usernames and passwords */
    authentication-order radius;
    radius-server {
        60.60.60.1 secret "$9$jgkmT69pRhrz3hrev7Nik.Pz3/CtOIE"; ## SECRET-DATA
    }
}
profile dynamic_vpn {                /* local authentication database: usernames and passwords */
    client luhongc {
        firewall-user {
            password "$9$Q3dQ3/t1RSM87uO87-V4oz369uOIEclvW"; ## SECRET-DATA
        }
    }
    client vpntest1 {
        firewall-user {
            password "$9$m5nCApBSrv1RrvLXws5QFnAp"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile ACS_Radius;  /* RADIUS is used for the web login here; the local profile dynamic_vpn could be used instead */
        banner {
            success "welcome to login VPN";
        }
    }
}

Note: if web authentication misbehaves, enable debugging:

set system processes general-authentication-service traceoptions flag all

and read the log with:

root# run show log authd

Step 2: HTTPS configuration

root# show system services web-management
https {
    system-generated-certificate;
    interface [ ge-0/0/15.0 ge-0/0/0.0 ];
}

Note: system-generated-certificate is a self-signed certificate, so a client browser cannot verify that the login page belongs to this gateway; for production use, install a certificate issued by a CA the clients trust.

Step 3: IKE/IPsec configuration

Note: each remote-access VPN user needs its own IKE gateway (Phase 1) and VPN (Phase 2). The customer currently has five test users: vpntest1, vpntest2, vpntest3, vpntest4 and vpntest5.

IKE Phase 1 configuration:

root# show security ike
traceoptions {
    file IKE size 4m;
    flag all;
}
proposal phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm des-cbc;
    lifetime-seconds 86400;
}
policy ike-policy {
    mode aggressive;
    proposals phase1-proposal;
    pre-shared-key ascii-text "$9$PTF/uORlK8CtK8X7sYfTz3Ct0BIcre"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy;
    dynamic hostname luhongc;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest5 {
    ike-policy ike-policy;
    dynamic hostname vpntest5;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest4 {
    ike-policy ike-policy;
    dynamic hostname vpntest4;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest3 {
    ike-policy ike-policy;
    dynamic hostname vpntest3;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest2 {
    ike-policy ike-policy;
    dynamic hostname vpntest2;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest1 {
    ike-policy ike-policy;
    dynamic hostname vpntest1;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}

Note: des-cbc, md5 and dh-group group2 are weak by current standards (this guide dates from 2010 and Junos 9.6); on releases that support them, prefer AES, SHA-2 and DH group 14 or higher. IKEv1 aggressive mode is required here because the peers have dynamic addresses and authenticate with a pre-shared key, and in aggressive mode the identity and the PSK-derived hash are exchanged before encryption starts, so a captured exchange can be attacked offline. The pre-shared key therefore has to be long and random.

IPsec (Phase 2) configuration, defining the Phase 2 parameters:

root# show security ipsec
traceoptions {
    flag all;
}
proposal phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals phase2-proposal;
}
vpn dynamic-vpn-test {
    ike {
        gateway ike-gateway1;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest1 {
    ike {
        gateway vpn-test1-gw;        /* not among the gateways listed above; it is defined only in the full configuration at the end of this guide */
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest2 {
    ike {
        gateway ike-vpntest2;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest3 {
    ike {
        gateway ike-vpntest3;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest4 {
    ike {
        gateway ike-vpntest4;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest5 {
    ike {
        gateway ike-vpntest5;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}

Note: to debug the Phase 1 and Phase 2 negotiation:

set security ike traceoptions file IKE
set security ike traceoptions file size 4m
set security ike traceoptions flag all

Step 4: Dynamic VPN configuration

An example of the dynamic VPN configuration:

root# show security dynamic-vpn
access-profile ACS_Radius;
clients {
    client1 {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dynamic-vpn-test;
        user {
            luhongc;
        }
    }
    client2 {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dynamic-vpntest1;
        user {
            vpntest1;
            vpntest2;
            vpntest3;
            vpntest4;
            vpntest5;
        }
    }
}

Note: remote-protected-resources is the traffic the client sends through the tunnel and remote-exceptions is the traffic it sends directly. With 192.168.3.0/24 protected and 0.0.0.0/0 excepted, only traffic to 192.168.3.0/24 is tunnelled and the client keeps its own Internet path (split tunnelling); decide deliberately whether that is wanted.

Step 5: Policy configuration

Policy from the untrust zone to the trust zone:

root# show security policies from-zone untrust to-zone trust
policy vpn-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dynamic-vpn-test;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
policy vpn-test1-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dynamic-vpntest1;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}

Note: the tunnel binding restricts these policies to traffic arriving through the named VPN, but with source-address, destination-address and application all set to any, everything that comes out of the tunnel is permitted. Narrow destination-address to the protected resources and application to what the users actually need.

The complete Dynamic VPN configuration on the Juniper SRX240 is as follows:

[edit]
root# show
## Last changed: 2010-04-12 10:45:23 UTC
version 9.6R2.11;
system {
    root-authentication {
        encrypted-password "$1$6xBteVVE$DKKL.F2lE6jQu3Vv8MzfV1"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface [ ge-0/0/0.0 ge-0/0/15.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/15.0 ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url;                         /* the URL argument is not preserved in the source excerpt */
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                flag all;
            }
        }
    }
}
interfaces {
    traceoptions {
        file TEST size 4m;
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 218.17.165.49/26;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 220.249.253.134/27;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 60.60.60.2/24;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 192.168.3.252/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 218.17.165.62;
        route 220.249.253.0/24 next-hop 220.249.253.129;
        route 211.139.188.0/24 next-hop 220.249.253.129;
        route 124.160.0.0/24 next-hop 220.249.253.129;
        route 222.248.234.0/24 next-hop 220.249.253.129;
    }
}
security {
    ike {
        traceoptions {
            file IKE size 4m;
            flag all;
            flag ike;
        }
        proposal phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        proposal cnc-ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy {
            mode aggressive;
            proposals phase1-proposal;
            pre-shared-key ascii-text "$9$Fdgm6CuRhr8X-O1X-VwaJ369AO1EcyKWL"; ## SECRET-DATA
        }
        policy cnc-ike-policy {
            mode aggressive;
            proposals cnc-ike-proposal;
            pre-shared-key ascii-text "$9$wj2oGk.569pDi9p0BSys24aDiqmfzn/"; ## SECRET-DATA
        }
        gateway ike-gateway1 {
            ike-policy ike-policy;
            dynamic hostname vpntest12;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway vpn-test1-gw {
            ike-policy cnc-ike-policy;
            dynamic hostname vpntest11;
            external-interface ge-0/0/1.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest5 {
            ike-policy ike-policy;
            dynamic hostname vpntest5;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest4 {
            ike-policy ike-policy;
            dynamic hostname vpntest4;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest3 {
            ike-policy ike-policy;
            dynamic hostname vpntest3;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest2 {
            ike-policy ike-policy;
            dynamic hostname vpntest2;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest1 {
            ike-policy ike-policy;
            dynamic hostname vpntest1;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_huatai01 {
            ike-policy ike-policy;
            dynamic hostname s_huatai01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_dongfang01 {
            ike-policy ike-policy;
            dynamic hostname s_dongfang01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_xiangcai01 {
            ike-policy ike-policy;
            dynamic hostname s_xiangcai01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_shenywg01 {
            ike-policy ike-po
(The preview excerpt ends here.)

Note: in this full configuration, http web-management is enabled on ge-0/0/0.0, which carries the public address 218.17.165.49/26 and the default route, so both the management UI and the web-authentication login page are reachable over clear-text HTTP from the Internet. Limit web-management to https and to the interfaces that need it, and do not leave the ike and authd traceoptions (flag all) enabled outside a troubleshooting window, since they write every negotiation to disk.
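The following Python script is an added example, not part of the original guide and not a Juniper tool. It reads an SRX configuration in the form produced by `show configuration | display set` and performs the review a practitioner would run over Steps 3 to 5 above: it flags Phase 1 and Phase 2 settings that are weak by today's standards (DES, 3DES, MD5, SHA-1 and DH group 2, all of which this guide uses), flags aggressive mode combined with pre-shared keys, checks that every `ipsec vpn`, `dynamic-vpn` client and `tunnel ipsec-vpn` policy points at an object that is actually defined, and reports where `remote-exceptions 0.0.0.0/0` turns the tunnel into a split tunnel. The sample configuration embedded in it is constructed from the values on this page with the secrets removed, and the weak-algorithm list is an assumed site policy rather than a Juniper default.

```python
"""Audit an SRX IKE/IPsec/dynamic-VPN configuration given in 'display set' form.
Added example; the sample config is constructed from this page's values, secrets omitted."""
from collections import defaultdict

# Settings treated as weak: an assumed site policy, not a Juniper default.
WEAK = {
    ("ike", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ike", "authentication-algorithm"): {"md5", "sha1"},
    ("ike", "dh-group"): {"group1", "group2", "group5"},
    ("ipsec", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ipsec", "authentication-algorithm"): {"hmac-md5-96", "hmac-sha1-96"},
    ("ipsec", "pfs-group"): {"group1", "group2", "group5"},
}

SAMPLE_CONFIG = """\
set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group2
set security ike proposal phase1-proposal authentication-algorithm md5
set security ike proposal phase1-proposal encryption-algorithm des-cbc
set security ike policy ike-policy mode aggressive
set security ike policy ike-policy proposals phase1-proposal
set security ike gateway ike-gateway1 ike-policy ike-policy
set security ike gateway ike-gateway1 dynamic hostname luhongc
set security ike gateway ike-gateway1 xauth access-profile ACS_Radius
set security ipsec proposal phase2-proposal protocol esp
set security ipsec proposal phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy proposals phase2-proposal
set security ipsec vpn dynamic-vpn-test ike gateway ike-gateway1
set security ipsec vpn dynamic-vpn-test ike ipsec-policy ipsec-policy
set security ipsec vpn dynamic-vpntest1 ike gateway vpn-test1-gw
set security ipsec vpn dynamic-vpntest1 ike ipsec-policy ipsec-policy
set security dynamic-vpn clients client1 remote-protected-resources 192.168.3.0/24
set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client1 ipsec-vpn dynamic-vpn-test
set security dynamic-vpn clients client2 ipsec-vpn dynamic-vpntest1
set security policies from-zone untrust to-zone trust policy vpn-policy then permit tunnel ipsec-vpn dynamic-vpn-test
set security policies from-zone untrust to-zone trust policy vpn-test1-policy then permit tunnel ipsec-vpn dynamic-vpntest1
"""


def put(d, key, value):
    """Store one attribute; 'proposals' repeats in display-set output, so keep it as a list."""
    if key == "proposals":
        d.setdefault(key, []).append(value)
    else:
        d[key] = value


def collect(text):
    """Index IKE, IPsec, dynamic-vpn and policy statements: cfg[section][name] -> {key: value}."""
    cfg = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "set":
            continue
        t = t[1:]
        if t[0] == "security" and t[1] in ("ike", "ipsec") and t[2] in ("proposal", "policy", "gateway", "vpn"):
            sect, kind, name, rest = t[1], t[2], t[3], t[4:]
            if rest[:2] == ["perfect-forward-secrecy", "keys"]:
                rest = ["pfs-group", rest[2]]
            elif kind == "vpn" and rest[0] == "ike":
                rest = rest[1:]  # "vpn X ike gateway G" / "vpn X ike ipsec-policy P"
            put(cfg[f"{sect}_{kind}"][name], rest[0], " ".join(rest[1:]))
        elif t[:3] == ["security", "dynamic-vpn", "clients"]:
            cfg["dvpn_client"][t[3]].setdefault(t[4], []).append(" ".join(t[5:]))
        elif t[:2] == ["security", "policies"] and "ipsec-vpn" in t:
            cfg["policy_vpn"][t[t.index("policy") + 1]] = t[t.index("ipsec-vpn") + 1]
    return cfg


def audit(text):
    """Return findings: WEAK crypto, DANGLING references and INFO on split tunnelling."""
    cfg, out = collect(text), []
    for sect in ("ike_proposal", "ipsec_proposal", "ipsec_policy"):
        for name, attrs in cfg[sect].items():
            for key, val in attrs.items():
                if isinstance(val, str) and val in WEAK.get((sect.split("_")[0], key), ()):
                    out.append(f"WEAK {sect.replace('_', ' ')} {name}: {key} {val}")
    # Aggressive mode with a PSK: identity and PSK-derived hash cross the wire before
    # encryption starts, so a captured exchange can be dictionary-attacked offline.
    for name, attrs in cfg["ike_policy"].items():
        if attrs.get("mode") == "aggressive":
            for p in attrs.get("proposals", []):
                if cfg["ike_proposal"].get(p, {}).get("authentication-method") == "pre-shared-keys":
                    out.append(f"WEAK ike policy {name}: aggressive mode with pre-shared-keys ({p})")
    # Reference integrity: every object a VPN, client or policy points at must exist.
    for name, attrs in cfg["ipsec_vpn"].items():
        if attrs.get("gateway") not in cfg["ike_gateway"]:
            out.append(f"DANGLING ipsec vpn {name}: ike gateway {attrs.get('gateway')} not defined")
    for client, attrs in cfg["dvpn_client"].items():
        for v in attrs.get("ipsec-vpn", []):
            if v not in cfg["ipsec_vpn"]:
                out.append(f"DANGLING dynamic-vpn client {client}: ipsec-vpn {v} not defined")
        if "0.0.0.0/0" in attrs.get("remote-exceptions", []):
            out.append(f"INFO dynamic-vpn client {client}: remote-exceptions 0.0.0.0/0, "
                       "only remote-protected-resources are tunnelled (split tunnel)")
    for pol, v in cfg["policy_vpn"].items():
        if v not in cfg["ipsec_vpn"]:
            out.append(f"DANGLING policy {pol}: ipsec-vpn {v} not defined")
    return out


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Against a live device, save the output of `show configuration | display set` to a file and pass its contents to `audit()`. On the Step 3 listing it reports the `vpn dynamic-vpntest1` reference to `vpn-test1-gw`, which is satisfied only by the gateway of that name in the full configuration at the end of the guide, along with seven weak-crypto findings. Because an IKEv1 peer with a dynamic address and a pre-shared key must use aggressive mode, the aggressive-mode finding cannot be cleared by switching to main mode in this design; it is a reminder that the PSK must be long and random, or that certificate authentication should replace it.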
