Published 2024-06-13
Remote Access VPN
2015-04-23 16:23
Compared with SSL VPN, remote-access VPN on an SRX is somewhat more involved to configure (on MAG or SA appliances the SSL VPN is set up entirely through the web UI), so you need to be familiar with the official documentation and follow it.
Network topology diagram (not reproduced here).
Configuration steps:
1. Configure the access users and the authentication method
root@junos# show access | display set
set access profile vpn client lab firewall-user password "$9$vj1MX-Vb2oaU"
set access profile vpn client vpn firewall-user password "$9$QV5T3A0O1hKMX"
set access profile vpn address-assignment pool pool
set access address-assignment pool pool family inet network 10.10.10.0/24
set access address-assignment pool pool family inet xauth-attributes primary-dns 10.10.10.100/32
set access firewall-authentication web-authentication default-profile vpn
set access firewall-authentication web-authentication banner success haha
[edit]
【Creates two users that authenticate through the web, the IP address pool handed out to clients, and the primary DNS server they receive】
2. Create the IKE and IPsec configuration
root@junos# show security ike | display set
set security ike policy dyvpn mode aggressive
set security ike policy dyvpn proposal-set standard
set security ike policy dyvpn pre-shared-key ascii-text "$9$-db2GDk"
set security ike gateway ike2 ike-policy dyvpn
set security ike gateway ike2 dynamic hostname lab
set security ike gateway ike2 dynamic connections-limit 20
set security ike gateway ike2 dynamic ike-user-type group-ike-id
set security ike gateway ike2 external-interface ge-0/0/0.0
set security ike gateway ike2 xauth access-profile vpn
[edit]
root@junos# show security ipsec | display set
set security ipsec policy dyvpn proposal-set standard
set security ipsec vpn ipsec ike gateway ike2
set security ipsec vpn ipsec ike ipsec-policy dyvpn
【Unlike a policy-based site-to-site VPN, the gateway is configured for dynamic peers, identified by the hostname (group IKE ID), with XAuth against the access profile. Aggressive mode with a pre-shared key sends the PSK-derived identity hash before the exchange is protected, so it can be captured for an offline dictionary attack; use a long random pre-shared key】
SRX section, page 1
3. Dynamic VPN configuration
[edit]
root@junos# show security dynamic-vpn | display set
set security dynamic-vpn access-profile vpn
set security dynamic-vpn clients all remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn ipsec
set security dynamic-vpn clients all user lab
set security dynamic-vpn clients all user vpn
【Associate the users created earlier. The access profile used here could be a separate one; this example reuses the same profile as above】
4. Configure the security policies
[edit]
root@junos# show security policies | display set
set security policies from-zone untrust to-zone trust policy vpn match source-address any
set security policies from-zone untrust to-zone trust policy vpn match destination-address any
set security policies from-zone untrust to-zone trust policy vpn match application any
set security policies from-zone untrust to-zone trust policy vpn then permit tunnel ipsec-vpn ipsec
set security policies from-zone trust to-zone untrust policy permit match source-address any
set security policies from-zone trust to-zone untrust policy permit match destination-address any
set security policies from-zone trust to-zone untrust policy permit match application any
set security policies from-zone trust to-zone untrust policy permit then permit
【The untrust-to-trust security policy must reference the corresponding IPsec VPN instance (then permit tunnel ipsec-vpn ipsec); the trust-to-untrust policy does not. Both policies match any/any/any here, which is acceptable for a lab; in production restrict the VPN policy to the client address pool as source and the protected resources as destination】
5. Test
Open 192.168.200.1 in a browser, log in with one of the users created in step 1, and let the dynamic VPN client establish the tunnel. On the SRX, verify the result with show security ike security-associations, show security ipsec security-associations and show security dynamic-vpn users.
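As an added example (not code from the original page or from Juniper), the following Python script reads `display set` output like the blocks above and flags the settings a reviewer would raise: aggressive-mode IKE with a pre-shared key, the `standard` proposal sets, reversibly obfuscated `$9$` secrets, any/any/any policies, and an address pool that overlaps the protected network. The embedded sample is the page's own set commands with the secrets replaced by placeholders; the severity labels and wording of the findings are my own.

```python
"""Audit Junos `display set` output for weak remote-access (dynamic) VPN settings.
Added example, not code from the original page. Run: python3 srx_vpn_audit.py
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: the page's set commands with the $9$ secrets replaced by placeholders.
SAMPLE_CONFIG = """
set access profile vpn client lab firewall-user password "$9$PLACEHOLDER1"
set access profile vpn client vpn firewall-user password "$9$PLACEHOLDER2"
set access profile vpn address-assignment pool pool
set access address-assignment pool pool family inet network 10.10.10.0/24
set security ike policy dyvpn mode aggressive
set security ike policy dyvpn proposal-set standard
set security ike policy dyvpn pre-shared-key ascii-text "$9$PLACEHOLDER3"
set security ike gateway ike2 ike-policy dyvpn
set security ike gateway ike2 dynamic ike-user-type group-ike-id
set security ipsec policy dyvpn proposal-set standard
set security dynamic-vpn clients all remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn ipsec
set security policies from-zone untrust to-zone trust policy vpn match source-address any
set security policies from-zone untrust to-zone trust policy vpn match destination-address any
set security policies from-zone untrust to-zone trust policy vpn match application any
set security policies from-zone untrust to-zone trust policy vpn then permit tunnel ipsec-vpn ipsec
set security policies from-zone trust to-zone untrust policy permit match source-address any
set security policies from-zone trust to-zone untrust policy permit match destination-address any
set security policies from-zone trust to-zone untrust policy permit match application any
set security policies from-zone trust to-zone untrust policy permit then permit
"""


def parse_set_lines(text):
    """Tokenise every `set ...` line (quotes stripped, leading `set` dropped)."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def audit(text):
    """Return (severity, message) findings for one `display set` dump."""
    findings, aggressive, with_psk, secrets = [], set(), set(), 0
    pools, protected = [], []
    policies = defaultdict(lambda: {"match": {}, "then": []})

    for t in parse_set_lines(text):
        # $9$ values are reversibly obfuscated, not hashed, so the dump itself is a secret.
        secrets += sum(tok.startswith("$9$") for tok in t)
        if t[:3] == ["security", "ike", "policy"] and len(t) > 5:
            if t[4:6] == ["mode", "aggressive"]:
                aggressive.add(t[3])
            elif t[4] == "pre-shared-key":
                with_psk.add(t[3])
            elif t[4:6] == ["proposal-set", "standard"]:
                findings.append(("medium", f"ike policy {t[3]}: proposal-set standard "
                                 "(3DES/AES-128, SHA-1, DH group 2); define explicit proposals"))
        elif t[:3] == ["security", "ipsec", "policy"] and t[4:6] == ["proposal-set", "standard"]:
            findings.append(("medium", f"ipsec policy {t[3]}: proposal-set standard "
                             "(3DES/AES-128 with SHA-1); define explicit proposals"))
        elif t[:3] == ["access", "address-assignment", "pool"] and t[4:7] == ["family", "inet", "network"]:
            pools.append(ipaddress.ip_network(t[7]))
        elif t[:3] == ["security", "dynamic-vpn", "clients"] and len(t) > 5:
            if t[4] == "remote-protected-resources":
                protected.append(ipaddress.ip_network(t[5]))
            elif t[4:6] == ["remote-exceptions", "0.0.0.0/0"]:
                findings.append(("info", "dynamic-vpn: split tunnelling, only traffic to "
                                 "remote-protected-resources enters the tunnel"))
        elif t[:2] == ["security", "policies"] and len(t) > 9 and t[6] == "policy":
            key = (t[3], t[5], t[7])  # (from-zone, to-zone, policy name)
            if t[8] == "match" and len(t) > 10:
                policies[key]["match"][t[9]] = t[10]
            elif t[8] == "then":
                policies[key]["then"] = t[9:]

    for name in sorted(aggressive & with_psk):
        findings.append(("high", f"ike policy {name}: aggressive mode with a pre-shared key exposes "
                         "the PSK-derived hash to offline dictionary attack; use a long random "
                         "PSK or certificate authentication"))
    if secrets:
        findings.append(("medium", f"{secrets} secrets stored in $9$ form, which is reversible; "
                         "treat this dump as confidential"))
    for pool in pools:
        for net in protected:
            if pool.overlaps(net):
                findings.append(("low", f"address pool {pool} overlaps remote-protected-resources "
                                 f"{net}; use a dedicated tunnel range so policies can tell "
                                 "clients from the LAN"))
    for (src, dst, name), body in sorted(policies.items()):
        wide = all(body["match"].get(k) == "any"
                   for k in ("source-address", "destination-address", "application"))
        if wide and body["then"][:1] == ["permit"]:
            hint = ("; restrict source to the VPN pool and destination to the protected resources"
                    if "tunnel" in body["then"] else "")
            findings.append(("medium", f"policy {src}->{dst} {name}: any/any/any permit{hint}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}")
```

Feed it a real dump with `python3 srx_vpn_audit.py < config.set` style redirection after swapping `SAMPLE_CONFIG` for `sys.stdin.read()`; the checks are keyed on the literal set-command structure, so unrelated lines are ignored and a config that uses main mode, explicit proposals and scoped policies produces no findings.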