The company asked for a VPN, and the only existing device that can support it is a Juniper SRX240.

I searched online for a long time; in the end only Bing turned it up (Baidu is useless for English-language material). Tested and working, so I am sharing it for anyone who needs it.

Commands combined with screenshots; configure with commands wherever possible.

TOP (topology) as follows:


Configuring Juniper Dynamic VPN takes three main steps:
1. Configure the VPN tunnel
2. Configure authentication and IP address assignment
3. Associate the VPN users with the dynamic-vpn configuration


1. Configure the VPN tunnel
# Define the IKE gateway
# Use aggressive mode
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard

# Use pre-shared keys
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text juniper123
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy

# Use group IKE IDs
# Each client will have its own IKE ID, derived from the username and the group ID (dynvpn)
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id

# The connection limit should not be larger than the number of installed licenses
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10

# Specify the interface to listen on for connections
# This matters both for IKE and for the authentication portal (the Internet-facing interface)
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0

# The XAuth access profile determines how users are authenticated and how addresses and access parameters are assigned
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

# Define the IPsec VPN
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

# Allow the required host-inbound traffic on the external interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

# Define the VPN security policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any

# Note how the policy permits only traffic arriving through the dyn-vpn IPsec VPN
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn



2. Configure authentication and IP address assignment

# Configure the users in the access profile (these are the Dynamic VPN users)
# This access profile has the following clients
set access profile dyn-vpn-access-profile client test firewall-user password test
set access profile dyn-vpn-access-profile client user1 firewall-user password user1
set access profile dyn-vpn-access-profile client user2 firewall-user password user2

# Define address assignment
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 10.10.10.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 10.10.10.20
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 114.114.114.114/32

# Use the access profile just configured for web authentication
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

3. Associate the VPN users with the dynamic-vpn configuration
set security dynamic-vpn access-profile dyn-vpn-access-profile

# Select the users that the IPsec VPN will serve
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user test
set security dynamic-vpn clients all user user1
set security dynamic-vpn clients all user user2

# Configure split tunnelling
# remote-protected-resources is the internal subnet that should be reached through the tunnel
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8

# Destinations matching the exceptions will not be tunneled and will be sent out in clear text
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
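
As an added example (not from the original post), here is a small Python lint over the set commands above that catches three things a practitioner checks before committing: an address-assignment range that falls outside its pool network, a connections-limit larger than the pool can serve, and an external interface that does not accept IKE and HTTPS host-inbound traffic (needed for the tunnel and the client portal respectively). The sample config is reconstructed from this thread.

```python
import ipaddress
import re
# Constructed sample input: the Dynamic VPN "set" commands from this thread,
# reduced to the ones the checks below look at.
CONFIG = """
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 10.10.10.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 10.10.10.20
"""
def _first(lines, pattern):
    """Return the first regex capture found in any config line, or None."""
    for line in lines:
        m = re.search(pattern, line)
        if m:
            return m.group(1)
    return None

def check_dynamic_vpn(config):
    """Lint a set-style Dynamic VPN config; return a list of findings (empty = clean)."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    findings = []

    # 1. The address-assignment range must lie inside the pool's network.
    network = ipaddress.ip_network(_first(lines, r"family inet network (\S+)"))
    low = ipaddress.ip_address(_first(lines, r"range \S+ low (\S+)"))
    high = ipaddress.ip_address(_first(lines, r"range \S+ high (\S+)"))
    if low not in network or high not in network or low > high:
        findings.append(f"range {low}-{high} is not inside pool network {network}")

    # 2. The pool must hold at least as many addresses as connections-limit allows.
    limit = int(_first(lines, r"dynamic connections-limit (\d+)") or 0)
    capacity = int(high) - int(low) + 1
    if capacity < limit:
        findings.append(f"pool holds {capacity} addresses but connections-limit is {limit}")

    # 3. The external interface must accept IKE (tunnel) and HTTPS (client portal) inbound.
    ext_if = _first(lines, r"external-interface (\S+)")
    for svc in ("ike", "https"):
        needle = f"interfaces {ext_if} host-inbound-traffic system-services {svc}"
        if not any(needle in l for l in lines):
            findings.append(f"{ext_if} does not accept host-inbound {svc}")
    return findings

if __name__ == "__main__":
    print(check_dynamic_vpn(CONFIG) or "no findings")
```

Paste your own `show configuration | display set` output into CONFIG; an empty result means the three checks passed.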


4. Verification
# run show security ike security-associations
Index  Remote Address  State  Initiator cookie  Responder cookie  Mode
18     172.19.100.99   UP     37b45aa1469e488b  7d4454404002e2e6  Aggressive

# run show security ike active-peer
Remote Address  Port  Peer IKE-ID  XAUTH username  Assigned IP
172.19.100.99   500   testdynvpn   test            10.10.10.2

# run show security ipsec security-associations
Total active tunnels: 1
ID          Gateway        Port  Algorithm         SPI       Life:sec/kb   Mon  vsys
<133955586  172.19.100.99  500   ESP:aes-128/sha1  9c23b7a9  2862/ 449996  -    root
>133955586  172.19.100.99  500   ESP:aes-128/sha1  c72c8f88  2862/ 449996  -    root

# run show security dynamic-vpn users
User: test , Number of connections: 1
  Remote IP: 172.19.100.99
  IPSEC VPN: dyn-vpn
  IKE gateway: dyn-vpn-local-gw
  IKE ID : testdynvpn
  IKE Lifetime: 28800
  IPSEC Lifetime: 3600
  Status: CONNECTED

show system license

Last edited by liuzhanxian on 2015-8-25 14:27
Adding users via the web UI






Last edited by liuzhanxian on 2015-8-19 17:36
There are plenty of devices that support VPN.



Chinese-language material with both text and screenshots like the OP's is far too rare.



OP, do you know how to configure a pre-shared-key L2TP VPN on Juniper? Could you help me take a look at how to configure this one? Thanks! http://bbs.51cto.com/thread-1375600-1.html



Why can't I enter "edit security dymaic-vpn" on the JUNOS version I downloaded?? Has the version changed?



What software did the OP use to connect?



Quote:
Originally posted by 地狱家 on 2017-3-29 21:13
What software did the OP use to connect?
SecureCRT for the command line, and Google Chrome for the web configuration.



Quote:
Originally posted by zhoutaimin on 2016-7-18 19:46
Why can't I enter "edit security dymaic-vpn" on the JUNOS version I downloaded?? Has the version changed?
Same here, did you solve it?



The OP is truly a wizard.



Quote:
Originally posted by cxfs on 2017-8-31 14:52

Same here, did you solve it?
If you can't enter it, check your version. Some versions don't support it. I suggest checking the supported features for your version on the official site.



Quote:
Originally posted by cxfs on 2017-8-31 14:52

Same here, did you solve it?
show sys license
Check whether there is a dyn vpn license; two clients are included by default. If there is none, it isn't supported.



Thanks for sharing!!!


