1. Configure IKE Phase 1
set security ike policy IKE-POLICY mode aggressive // the mode required for Remote Access
set security ike policy IKE-POLICY proposal-set standard // use the default proposal set
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz"
set security ike gateway GW ike-policy IKE-POLICY
set security ike gateway GW dynamic hostname SRX-1
set security ike gateway GW dynamic ike-user-type shared-ike-id
set security ike gateway GW external-interface ge-0/0/1
set security ike gateway GW xauth access-profile DYNAMIC-VPN
2. Configure IPsec Phase 2
set security ipsec policy IPSEC-POLICY proposal-set standard
set security ipsec vpn DYNAMIC-VPN ike gateway GW
set security ipsec vpn DYNAMIC-VPN ike ipsec-policy IPSEC-POLICY
3. Permit traffic on the external interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
4. Configure the security policy
set security policies from-zone untrust to-zone trust policy DYNAMIC match source-address any
set security policies from-zone untrust to-zone trust policy DYNAMIC match destination-address any
set security policies from-zone untrust to-zone trust policy DYNAMIC match application any
set security policies from-zone untrust to-zone trust policy DYNAMIC then permit tunnel ipsec-vpn DYNAMIC-VPN
5. Configure the dynamic VPN
set security dynamic-vpn access-profile DYNAMIC-VPN
set security dynamic-vpn clients all remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn DYNAMIC-VPN
set security dynamic-vpn clients all user my
6. Configure the access profile, address pool and authentication method
set access profile DYNAMIC-VPN client my firewall-user password "$9$0-D4BEyX7Vbw2MWHq.fzFreKMxNVwYgaZN-"
set access profile DYNAMIC-VPN address-assignment pool DYNAMIC-VPN-POOL
set access address-assignment pool DYNAMIC-VPN-POOL family inet network 192.168.1.0/24
set access address-assignment pool DYNAMIC-VPN-POOL family inet range POOL-RANGE low 192.168.1.10
set access address-assignment pool DYNAMIC-VPN-POOL family inet range POOL-RANGE high 192.168.1.20
set access address-assignment pool DYNAMIC-VPN-POOL family inet xauth-attributes primary-dns 202.100.3.10/32
set access firewall-authentication web-authentication default-profile DYNAMIC-VPN
7. Verify
root@SRX-1> show security ipsec sa detail
root@SRX-1> show security ike sa detail
root@SRX-1> show security dynamic-vpn users
root@SRX-1> show security ike active-peer
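The set-commands above form a chain of references (IKE policy, gateway, IPsec VPN, security policy, dynamic-vpn, access profile, address pool), and a misspelled name or a forgotten host-inbound-traffic statement breaks the tunnel without any commit error. As an added example that is not part of the original page, this Python script checks that every referenced name is defined and that IKE is permitted inbound on each gateway's external interface, run on a constructed copy of this page's configuration with the secrets and a few lines left out:

```python
import re
# Constructed sample: this page's set-commands with the secrets and a few lines left out.
CONFIG = """
set security ike policy IKE-POLICY mode aggressive
set security ike gateway GW ike-policy IKE-POLICY
set security ike gateway GW external-interface ge-0/0/1
set security ipsec policy IPSEC-POLICY proposal-set standard
set security ipsec vpn DYNAMIC-VPN ike gateway GW
set security ipsec vpn DYNAMIC-VPN ike ipsec-policy IPSEC-POLICY
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security policies from-zone untrust to-zone trust policy DYNAMIC then permit tunnel ipsec-vpn DYNAMIC-VPN
set security dynamic-vpn access-profile DYNAMIC-VPN
set security dynamic-vpn clients all ipsec-vpn DYNAMIC-VPN
set access profile DYNAMIC-VPN address-assignment pool DYNAMIC-VPN-POOL
set access address-assignment pool DYNAMIC-VPN-POOL family inet network 192.168.1.0/24
"""
# (keyword that introduces a reference, prefix of the line that defines the referenced name)
LINKS = [
    ("ike-policy", "set security ike policy"),
    ("ike gateway", "set security ike gateway"),
    ("ipsec-policy", "set security ipsec policy"),
    ("ipsec-vpn", "set security ipsec vpn"),
    ("access-profile", "set access profile"),
    ("address-assignment pool", "set access address-assignment pool"),
]

def defined(lines, prefix):
    """Names that have at least one '<prefix> <NAME> ...' line."""
    return {l[len(prefix) + 1:].split()[0] for l in lines if l.startswith(prefix + " ")}

def referenced(lines, keyword):
    """Names that follow '<keyword> ' in any line (defining lines match too, harmlessly)."""
    return {m.group(1) for l in lines for m in [re.search(rf"\b{re.escape(keyword)} (\S+)", l)] if m}

def check(config):
    """Return a list of findings; an empty list means the dynamic VPN is fully wired up."""
    lines = [l.strip() for l in config.strip().splitlines() if l.strip()]
    findings = []
    for ref_kw, def_prefix in LINKS:
        for name in sorted(referenced(lines, ref_kw) - defined(lines, def_prefix)):
            findings.append(f"{ref_kw} {name} is referenced but never defined")
    # IKE must be allowed as host-inbound traffic on each gateway's external interface
    # (a zone-wide host-inbound-traffic statement is not considered here: simplification).
    for l in lines:
        m = re.search(r"set security ike gateway (\S+) external-interface (\S+)", l)
        if m:
            base = re.escape(m.group(2).split(".")[0])
            if not any(re.search(rf"interfaces {base}(\.\d+)? host-inbound-traffic system-services ike\b", x) for x in lines):
                findings.append(f"gateway {m.group(1)}: IKE is not allowed inbound on {m.group(2)}")
    return findings
```

Run check() on the output of `show configuration | display set` before committing a change; a non-empty list points at the exact name or interface to fix.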