Configuring SRX Dynamic VPN version 2.docx
- Document number: 11169226
- Upload date: 2023-02-25
- Format: DOCX
- Pages: 38
- Size: 271.71KB
Configuring SRX Dynamic VPN version 2
Juniper SRX240 Dynamic VPN Configuration Guide
Revision history
Date         Revision   Description   Author
2010-3-16    1.0        First draft   Lu Hong
2010-4-12    2.0        Revised       Lu Hong
Digital China (Shenzhen) Co., Ltd.
1 Juniper SRX240 Dynamic VPN configuration topology diagram
2 Overview
Dynamic VPN on the Juniper SRX series firewall is a clientless IPsec VPN.
The client PC does not need a pre-installed dial-up client to establish a VPN tunnel with the VPN gateway.
In practice, once the client passes web authentication, the SRX automatically pushes a client software package down to the client PC.
This is similar to the way a Juniper SA appliance pushes the Network Connect (NC) client to the user.
However, the Dynamic VPN feature is currently supported only on a few SRX platforms, and it requires a feature license before it can be activated.
Platform support
Feature License support
The Juniper SRX needs a license to activate Dynamic VPN; confirm that the corresponding license key is installed on the SRX:
root# run show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0           50           0    permanent

Licenses installed:
  License identifier: JUNOS247349
  License version: 2
  Valid for device: AG3209AA0265
  Features:
    dynamic-vpn-50-clients - Dynamic VPN
      permanent
3 Configuration steps
3.1 Access configuration
Define the access profile; it can specify local-database authentication or external RADIUS server authentication.
3.2 HTTPS configuration
Enables the HTTPS service on the SRX.
3.3 IKE/IPsec configuration
Configures the specific parameters for IPsec VPN Phase I and Phase II.
3.4 Dynamic VPN configuration
Defines the protected resources; Protected Resources are the subnets that can be reached through the IPsec VPN tunnel.
3.5 Policy configuration
Defines the firewall policies that control the traffic allowed through the IPsec VPN.
The detailed configuration procedure is as follows:
Step 1:
Access configuration
Define the username and password for web login and define the RADIUS server.
The web-authentication here uses the RADIUS server for authentication.
root# show access
profile ACS_Radius {           // defines the RADIUS authentication server used to verify usernames and passwords
    authentication-order radius;
    radius-server {
        60.60.60.1 secret "$9$jgkmT69pRhrz3hrev7Nik.Pz3/CtOIE"; ## SECRET-DATA
    }
}
profile dynamic_vpn {          // defines the local authentication database, including usernames and passwords
    client luhongc {
        firewall-user {
            password "$9$Q3dQ3/t1RSM87uO87-V4oz369uOIEclvW"; ## SECRET-DATA
        }
    }
    client vpntest1 {
        firewall-user {
            password "$9$m5nCApBSrv1RrvLXws5QFnAp"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile ACS_Radius;   // web login authenticates via RADIUS here; the local profile dynamic_vpn can be used instead
        banner {
            success "welcome to login VPN";
        }
    }
}
Note:
If web authentication fails, enable debug tracing to troubleshoot:
set system processes general-authentication-service traceoptions flag all
View the log:
root# run show log authd
Step 2 HTTPS configuration
root# show system services web-management https
system-generated-certificate;
interface [ ge-0/0/15.0 ge-0/0/0.0 ];
Step 3 IKE/IPsec configuration
Note:
An IKE gateway (Phase I) and a VPN (Phase II) must be configured for each remote-access VPN dial-up user.
The customer has prepared five test users for this deployment:
vpntest1, vpntest2, vpntest3, vpntest4, vpntest5
IKE Phase I configuration:
root# show security ike
traceoptions {
    file IKE size 4m;
    flag all;
}
proposal phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm des-cbc;
    lifetime-seconds 86400;
}
policy ike-policy {
    mode aggressive;
    proposals phase1-proposal;
    pre-shared-key ascii-text "$9$PTF/uORlK8CtK8X7sYfTz3Ct0BIcre"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy;
    dynamic hostname luhongc;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest5 {
    ike-policy ike-policy;
    dynamic hostname vpntest5;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest4 {
    ike-policy ike-policy;
    dynamic hostname vpntest4;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest3 {
    ike-policy ike-policy;
    dynamic hostname vpntest3;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest2 {
    ike-policy ike-policy;
    dynamic hostname vpntest2;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest1 {
    ike-policy ike-policy;
    dynamic hostname vpntest1;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
IPsec (Phase 2) configuration:
Define the IPsec VPN Phase 2 parameters.
root# show security ipsec
traceoptions {
    flag all;
}
proposal phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals phase2-proposal;
}
vpn dynamic-vpn-test {
    ike {
        gateway ike-gateway1;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest1 {
    ike {
        gateway vpn-test1-gw;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest2 {
    ike {
        gateway ike-vpntest2;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest3 {
    ike {
        gateway ike-vpntest3;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest4 {
    ike {
        gateway ike-vpntest4;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest5 {
    ike {
        gateway ike-vpntest5;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
Note:
To debug the IPsec Phase I and Phase II negotiation:
set security ike traceoptions file IKE
set security ike traceoptions file size 4m
set security ike traceoptions flag all
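Added example, not part of the guide: a small Python audit that parses `show security ike` / `show security ipsec` text in the format shown above, reports vpn blocks whose IKE gateway is not defined (as with vpn-test1-gw in the Step 3 IPsec output), and flags the Phase I values the guide uses (des-cbc, md5, DH group 2, aggressive mode) that a current deployment should replace with AES, SHA-2 and a larger DH group. The parser, the audit function and the sample configuration are constructed here, and the pre-shared key is a placeholder.

```python
"""Constructed example: audit Junos IKE/IPsec text for dangling gateways and weak Phase 1 values."""
import re

# Flagged Phase 1 values: DES, MD5 and 1024-bit DH are obsolete; aggressive mode leaks the identity hash.
WEAK = {"des-cbc", "md5", "group1", "group2", "aggressive"}

def parse_junos(text):
    """Junos braces -> nested dicts; a leaf maps its first word to the rest of the statement."""
    text = re.sub(r"##.*", "", text)          # drop "## SECRET-DATA" markers
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    root, stack, words = {}, [], []
    node = root
    for tok in tokens:
        if tok == "{":                        # open block: header is the words seen so far
            node[" ".join(words)] = child = {}
            stack.append(node)
            node, words = child, []
        elif tok == ";":                      # leaf statement
            node[words[0]] = " ".join(words[1:])
            words = []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return root

def audit(ike_text, ipsec_text):
    """Return findings: vpn blocks whose IKE gateway is undefined, then weak proposal/policy values."""
    ike, ipsec = parse_junos(ike_text), parse_junos(ipsec_text)
    findings = []
    gateways = {k.split(" ", 1)[1] for k in ike if k.startswith("gateway ")}
    for name, vpn in ipsec.items():
        gw = vpn.get("ike", {}).get("gateway") if name.startswith("vpn ") else None
        if gw and gw not in gateways:
            findings.append(f"{name} references undefined gateway {gw}")
    for name, block in ike.items():
        if name.startswith(("proposal ", "policy ")):
            findings += [f"{name}: {k} {v}" for k, v in block.items() if v in WEAK]
    return findings

# Constructed sample mirroring the guide's Step 3 settings (pre-shared key redacted).
SAMPLE_IKE = """
proposal phase1-proposal { dh-group group2; authentication-algorithm md5; encryption-algorithm des-cbc; }
policy ike-policy { mode aggressive; proposals phase1-proposal; pre-shared-key ascii-text "$9$REDACTED"; }
gateway ike-gateway1 { ike-policy ike-policy; dynamic hostname luhongc; external-interface ge-0/0/0.0; }
"""
SAMPLE_IPSEC = """
vpn dynamic-vpn-test { ike { gateway ike-gateway1; ipsec-policy ipsec-policy; } establish-tunnels on-traffic; }
vpn dynamic-vpntest1 { ike { gateway vpn-test1-gw; ipsec-policy ipsec-policy; } establish-tunnels on-traffic; }
"""
```

Run `audit(SAMPLE_IKE, SAMPLE_IPSEC)` to list the findings; the same functions accept the full `show security ike` and `show security ipsec` output from a device.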
Step 4 Dynamic VPN configuration - Dynamic VPN configuration example
root# show security dynamic-vpn
access-profile ACS_Radius;
clients {
    client1 {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dynamic-vpn-test;
        user {
            luhongc;
        }
    }
    client2 {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dynamic-vpntest1;
        user {
            vpntest1;
            vpntest2;
            vpntest3;
            vpntest4;
            vpntest5;
        }
    }
}
Step 5 Policy configuration - policy configuration
Policy configuration:
Policy from the untrust zone to the trust zone
root# show security policies from-zone untrust to-zone trust
policy vpn-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dynamic-vpn-test;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
policy vpn-test1-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dynamic-vpntest1;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
[edit]
The complete Dynamic VPN configuration on the Juniper SRX240 is as follows:
[edit]
root# show
## Last changed: 2010-04-12 10:45:23 UTC
version 9.6R2.11;
system {
    root-authentication {
        encrypted-password "$1$6xBteVVE$DKKL.F2lE6jQu3Vv8MzfV1"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface [ ge-0/0/0.0 ge-0/0/15.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/15.0 ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                flag all;
            }
        }
    }
}
interfaces {
    traceoptions {
        file TEST size 4m;
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 218.17.165.49/26;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 220.249.253.134/27;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 60.60.60.2/24;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 192.168.3.252/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 218.17.165.62;
        route 220.249.253.0/24 next-hop 220.249.253.129;
        route 211.139.188.0/24 next-hop 220.249.253.129;
        route 124.160.0.0/24 next-hop 220.249.253.129;
        route 222.248.234.0/24 next-hop 220.249.253.129;
    }
}
security {
    ike {
        traceoptions {
            file IKE size 4m;
            flag all;
            flag ike;
        }
        proposal phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        proposal cnc-ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy {
            mode aggressive;
            proposals phase1-proposal;
            pre-shared-key ascii-text "$9$Fdgm6CuRhr8X-O1X-VwaJ369AO1EcyKWL"; ## SECRET-DATA
        }
        policy cnc-ike-policy {
            mode aggressive;
            proposals cnc-ike-proposal;
            pre-shared-key ascii-text "$9$wj2oGk.569pDi9p0BSys24aDiqmfzn/"; ## SECRET-DATA
        }
        gateway ike-gateway1 {
            ike-policy ike-policy;
            dynamic hostname vpntest12;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway vpn-test1-gw {
            ike-policy cnc-ike-policy;
            dynamic hostname vpntest11;
            external-interface ge-0/0/1.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest5 {
            ike-policy ike-policy;
            dynamic hostname vpntest5;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest4 {
            ike-policy ike-policy;
            dynamic hostname vpntest4;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest3 {
            ike-policy ike-policy;
            dynamic hostname vpntest3;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest2 {
            ike-policy ike-policy;
            dynamic hostname vpntest2;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-vpntest1 {
            ike-policy ike-policy;
            dynamic hostname vpntest1;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_huatai01 {
            ike-policy ike-policy;
            dynamic hostname s_huatai01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_dongfang01 {
            ike-policy ike-policy;
            dynamic hostname s_dongfang01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_xiangcai01 {
            ike-policy ike-policy;
            dynamic hostname s_xiangcai01;
            external-interface ge-0/0/0.0;
            xauth access-profile ACS_Radius;
        }
        gateway ike-s_shenywg01 {
            ike-policy ike-po