Juniper SRX Remote Access VPN

Compared with an SSL VPN, a remote access VPN on the SRX is somewhat more complex to configure; on MAG or SA devices it is configured through the web interface, and you need to be familiar with and refer to the official documentation when configuring it.

The network topology is shown in the diagram below:

Configure the access user names and the authentication method

1. root@junos# show access | display set

set access profile vpn client lab firewall-user password "$9$vj1MX-Vb2oaU"

set access profile vpn client vpn firewall-user password "$9$QV5T3A0O1hKMX"

set access profile vpn address-assignment pool pool

set access address-assignment pool pool family inet network 10.10.10.0/24

set access address-assignment pool pool family inet xauth-attributes primary-dns 10.10.10.100/32

set access firewall-authentication web-authentication default-profile vpn

set access firewall-authentication web-authentication banner success haha

[edit]

【Create two user names that authenticate through web authentication, plus the IP address pool and primary DNS server that clients obtain】

Create IKE and IPsec

2. root@junos# show security ike | display set

set security ike policy dyvpn mode aggressive

set security ike policy dyvpn proposal-set standard

set security ike policy dyvpn pre-shared-key ascii-text "$9$r.IKX-db2GDk"

set security ike gateway ike2 ike-policy dyvpn

set security ike gateway ike2 dynamic hostname lab

set security ike gateway ike2 dynamic connections-limit 20

set security ike gateway ike2 dynamic ike-user-type group-ike-id

set security ike gateway ike2 external-interface ge-0/0/0.0

set security ike gateway ike2 xauth access-profile vpn

[edit]

root@junos# show security ipsec | display set

set security ipsec policy dyvpn proposal-set standard

set security ipsec vpn ipsec ike gateway ike2

set security ipsec vpn ipsec ike ipsec-policy dyvpn

【The difference from a policy-based VPN is that a dynamic gateway with authenticated access (XAuth) and a hostname must be configured】

Configuration steps:

(Remote Access VPN, April 23, 2015, 16:23)

3. Dynamic VPN configuration

[edit]

root@junos# show security dynamic-vpn | display set

set security dynamic-vpn access-profile vpn

set security dynamic-vpn clients all remote-protected-resources 10.10.10.0/24

set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0

set security dynamic-vpn clients all ipsec-vpn ipsec

set security dynamic-vpn clients all user lab

set security dynamic-vpn clients all user vpn

【Bind the users created above; the access profile here could be configured separately, but the same profile as above is used here】

4. Configure the security policies

[edit]

root@junos# show security policies | display set

set security policies from-zone untrust to-zone trust policy vpn match source-address any

set security policies from-zone untrust to-zone trust policy vpn match destination-address any

set security policies from-zone untrust to-zone trust policy vpn match application any

set security policies from-zone untrust to-zone trust policy vpn then permit tunnel ipsec-vpn ipsec

set security policies from-zone trust to-zone untrust policy permit match source-address any

set security policies from-zone trust to-zone untrust policy permit match destination-address any

set security policies from-zone trust to-zone untrust policy permit match application any

set security policies from-zone trust to-zone untrust policy permit then permit

【The security policy from Untrust to Trust must reference the corresponding IPsec VPN instance, while the policy from Trust to Untrust does not】

5. Test

Open the web page: http://192.168.200.1

Check on the SRX device:

[edit]

root@junos# run show security ike security-associations

Index State Initiator cookie Responder cookie Mode Remote Address

6788604 UP 5a4b2c65b1e591b9 2887208747a41aa4 Aggressive 192.168.200.10

[edit]

root@junos# run show security ike active-peer

Remote Address Port Peer IKE-ID XAUTH username Assigned IP

192.168.200.10 58505 lablab lab 10.10.10.3

192.168.200.10 51918 vpnlab vpn 10.10.10.4

[edit]

root@junos# run show security ike pre-shared-key master-key junos

Pre-shared key: 67f0cb9274360752bd82a91e3b7e850d4437bbe9

root@junos# run show security ipsec security-associations

Total active tunnels: 1

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<268173316 ESP:aes-128/sha1 453bfb6a 3462/ 500000 -root 51918 192.168.200.10

>268173316 ESP:aes-128/sha1 cf4a66bd 3462/ 500000 -root 51918 192.168.200.10

[edit]

root@junos# run show security ipsec statistics

ESP Statistics:

Encrypted bytes: 784

Decrypted bytes: 420

Encrypted packets: 7

Decrypted packets: 7

AH Statistics:

Input bytes: 0

Output bytes: 0

Input packets: 0

Output packets: 0

Errors:

AH authentication failures: 0, Replay errors: 0

ESP authentication failures: 0, ESP decryption failures: 0

Bad headers: 0, Bad trailers: 0

[edit]

root@junos# run show security dynamic-vpn client version

Junos Pulse 2.0.3.11013

[edit]

root@junos# run show security dynamic-vpn users detail

User: vpn , Number of connections: 1

Remote IP: 10.200.168.192

IPSEC VPN: ipsec

IKE gateway: ike2

IKE ID : vpnlab

IKE Lifetime: 28800

IPSEC Lifetime: 3600

Status: CONNECTED

[edit]

root@junos# run show security dynamic-vpn users terse

User User Groups Remote IP IKE ID Status IKE Lifetime IPSEC Lifetime Client Config Name Time Established

vpn 10.200.168.192 vpnlab CONNECTED 28800 3600 all Thu Apr 23 17:10:16 2015
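The following script is an added example, not part of the original page: it parses the `show security ike active-peer` and `show security ipsec statistics` output shown above (copied here as constructed samples) and cross-checks it against the configuration from steps 1 to 3, flagging XAUTH users that are not bound under `dynamic-vpn clients all`, IKE IDs that do not match the expected username plus gateway hostname, assigned addresses outside the configured pool, and any non-zero IPsec error counter.

```python
import ipaddress
import re
# Values taken from the configuration shown on this page.
POOL = ipaddress.ip_network("10.10.10.0/24")   # access address-assignment pool
DYNAMIC_VPN_USERS = {"lab", "vpn"}            # dynamic-vpn clients all user ...
HOSTNAME = "lab"                               # ike gateway ike2 dynamic hostname
# Constructed samples, copied from the operational output shown above.
ACTIVE_PEER_OUTPUT = """\
Remote Address  Port   Peer IKE-ID  XAUTH username  Assigned IP
192.168.200.10  58505  lablab       lab             10.10.10.3
192.168.200.10  51918  vpnlab       vpn             10.10.10.4
"""
STATISTICS_OUTPUT = """\
ESP Statistics:
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

def parse_active_peers(text):
    """Rows of 'show security ike active-peer' as dicts; the header line is skipped."""
    peers = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 5:
            continue
        addr, port, ike_id, user, assigned = fields
        peers.append({"remote": addr, "port": int(port), "ike_id": ike_id,
                      "user": user, "assigned": ipaddress.ip_address(assigned)})
    return peers

def check_peers(peers):
    """Findings for peers that do not match the configuration; an empty list is clean."""
    findings = []
    for p in peers:
        if p["user"] not in DYNAMIC_VPN_USERS:
            findings.append(f"{p['user']}: not a dynamic-vpn user")
        # Dynamic VPN clients present IKE-ID = <XAUTH username><gateway hostname> (lab+lab -> lablab above)
        if p["ike_id"] != p["user"] + HOSTNAME:
            findings.append(f"{p['user']}: unexpected IKE-ID {p['ike_id']}")
        if p["assigned"] not in POOL:
            findings.append(f"{p['user']}: {p['assigned']} outside pool {POOL}")
    return findings

def nonzero_errors(text):
    """Counters under 'Errors:' of 'show security ipsec statistics' that are not zero."""
    section = text.split("Errors:", 1)[1]
    pairs = re.findall(r"([A-Za-z ]+?):\s*(\d+)", section)
    return {name.strip(): int(n) for name, n in pairs if int(n)}
```

For the output captured on this page both checks come back empty, which is the expected state after step 5.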