SSG Firewall: Third-Party Remote Dial-Up VPN Configuration (SSG防火墙第三方远程拨号VPN配置.docx)
- Document number: 6166963
- Upload date: 2023-01-04
- Format: DOCX
- Pages: 16
- Size: 383.98KB
SSG Firewall: Third-Party Remote Dial-Up VPN Configuration
Network environment:
Equipment used: SSG-350M-SH, ScreenOS 6.3.0r13.0
Internal interface address: 192.168.1.224/24
External interface address: 10.10.10.1/24
Internal test host address: 192.168.1.10/24
Third-party client address: 10.10.10.254/24
Third-party dial-up VPN client used: Shrew Soft VPN version 2.1.5
Firewall route:
set route 0.0.0.0/0 interface ethernet0/2 gateway 10.10.10.254
1. Define the client address pool:
2. Create the IKE authentication user
3. Create the IKE authentication group and add the IKE user just created to it
4. Create the dial-up users, then put them in the dial-up user group (I named it bohao to make it easy to remember)
5. The figure below shows the phase 1 VPN settings
6. The figure below shows the phase 2 VPN settings
7. Finally, add the VPN policy
That completes the firewall side of the configuration; next we configure the third-party client.
Here we use Shrew Soft VPN 2.1.5, which supports Windows 7; Windows 8 was not tested because it was not installed.
This is the configuration I have already completed; the detailed parameter settings are shown below:
After the settings are in place, we test the dial-up connection:
Once the VPN dial-up has logged in successfully, test whether the internal test host and the firewall's internal interface can be reached.
Success!
Appendix: the firewall configuration:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 192.168.1.224/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip 10.10.10.1/24
set interface ethernet0/2 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/1 manage web
set interface ethernet0/2 manage web
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "tuset-add" 192.168.1.0 255.255.255.0
set ippool "ip-vpn-pool" 192.168.2.10 192.168.2.100
set user "user1" uid 4
set user "user1" ike-id fqdn "" share-limit 100
set user "user1" type ike
set user "user1" "enable"
set user "user2" uid 2
set user "user2" type xauth
set user "user2" remote ippool "ip-vpn-pool"
set user "user2" password "tz2QPkWlNzJRStsegaCi4UnuCTn7LJIhHw=="
unset user "user2" type auth
set user "user2" "enable"
set user "user3" uid 3
set user "user3" type xauth
set user "user3" remote ippool "ip-vpn-pool"
set user "user3" password "8hsT0oiTNlgvuBsAfoCXv0mcOMnofML6lQ=="
unset user "user3" type auth
set user "user3" "enable"
set user-group "bohao" id 2
set user-group "bohao" user "user2"
set user-group "bohao" user "user3"
set user-group "dialup" id 3
set user-group "dialup" user "user1"
set crypto-policy
exit
set ike gateway "vpn1" dialup "dialup" Aggr outgoing-interface "ethernet0/2" preshare "7ZyJuhs/NjP4FusrrJCiaenlLBnDTGMi1w==" proposal "pre-g2-3des-sha"
unset ike gateway "vpn1" nat-traversal udp-checksum
set ike gateway "vpn1" nat-traversal keepalive-frequency 5
set ike gateway "vpn1" xauth server "Local" user-group "bohao"
unset ike gateway "vpn1" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "ip-vpn-pool"
set vpn "vpn2" gateway "vpn1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set url protocol websense
exit
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "tuset-add" "ANY" tunnel vpn "vpn2" id 0x6 log
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set snmp v3 local-engine id "JN1195F51ADE"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 10.10.10.254
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
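As an added example (not part of the original document and not Juniper's own tooling), the following Python script reads ScreenOS configuration lines like the ones above and flags the settings a reviewer would want to look at before putting this dial-up VPN into service: aggressive-mode IKE with a pre-shared key, 3DES in the phase 1 and phase 2 proposals, IKE DoS protection turned off, `no-replay` on the tunnel, and web management enabled on an interface in the Untrust zone. The embedded excerpt is constructed from the configuration above with the pre-shared key replaced by a placeholder; the tokenizer, the check list and the severity labels are assumptions of this example, not ScreenOS output.

```python
import re

# Constructed excerpt of the ScreenOS configuration shown above, with the spaces
# restored and the pre-shared key replaced by a placeholder (not the document's value).
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 manage web
set ike gateway "vpn1" dialup "dialup" Aggr outgoing-interface "ethernet0/2" preshare "<psk-placeholder>" proposal "pre-g2-3des-sha"
unset ike dos-protection
set vpn "vpn2" gateway "vpn1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "tuset-add" "ANY" tunnel vpn "vpn2" id 0x6 log
"""


def parse_config(text):
    """Split a ScreenOS config into (verb, tokens) pairs.

    Quoted names such as "Dial-Up VPN" stay one token; blank and bare "exit" lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        entries.append((tokens[0], tokens[1:]))
    return entries


def _value_after(tokens, key):
    """Return the token following `key`, or "" if `key` is absent or is the last token."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return ""


def audit_dialup_vpn(text):
    """Return a list of (severity, message) findings for the dial-up VPN settings in `text`."""
    entries = parse_config(text)
    findings = []

    # Pass 1: map interface -> zone, so later checks know which interfaces sit in Untrust.
    zone_of = {}
    for verb, toks in entries:
        if verb == "set" and toks[:1] == ["interface"] and "zone" in toks:
            zone_of[toks[1]] = _value_after(toks, "zone")
    untrust_ifaces = {ifc for ifc, zone in zone_of.items() if zone == "Untrust"}

    # Pass 2: the checks themselves (severity labels are this example's own convention).
    for verb, toks in entries:
        if verb == "set" and toks[:2] == ["ike", "gateway"]:
            name = toks[2]
            if "Aggr" in toks and "preshare" in toks:
                findings.append(("high", f"IKE gateway {name}: aggressive mode with a pre-shared key"))
            if "3des" in _value_after(toks, "proposal"):
                findings.append(("medium", f"IKE gateway {name}: phase 1 proposal uses 3DES"))
        elif verb == "unset" and toks == ["ike", "dos-protection"]:
            findings.append(("medium", "IKE DoS protection is disabled"))
        elif verb == "set" and toks[:1] == ["vpn"]:
            name = toks[1]
            if "no-replay" in toks:
                findings.append(("medium", f"VPN {name}: IPsec anti-replay checking is disabled (no-replay)"))
            if "3des" in _value_after(toks, "proposal"):
                findings.append(("medium", f"VPN {name}: phase 2 proposal uses 3DES"))
        elif verb == "set" and toks[:1] == ["interface"] and toks[2:4] == ["manage", "web"]:
            if toks[1] in untrust_ifaces:
                findings.append(("high", f"interface {toks[1]}: web management enabled on an Untrust-zone interface"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dialup_vpn(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Two of the findings deserve context. Aggressive mode is what ScreenOS uses for a dial-up peer whose address is not known in advance when the authentication method is a pre-shared key, so the finding is a prompt to use a long random key (or certificates, which is what main mode needs in that situation) rather than a defect in the document's procedure. The 3DES proposals are the ones Shrew Soft was matched against here; if both ends are changed to an AES proposal, the client's phase 1 and phase 2 settings must be changed to match, otherwise the dial-up will fail at negotiation.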