Juniper SRX 構建 Remote Access ×××

1. 配置IKE Phase 1 web

set security ike policy IKE-POLICY mode aggressive //Remote Access必須的類型安全

set security ike policy IKE-POLICY proposal-set standard //實用默認proposal集app

set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz" ide

set security ike gateway GW ike-policy IKE-POLICYspa

set security ike gateway GW dynamic hostname SRX-1blog

set security ike gateway GW dynamic ike-user-type shared-ike-iddns

set security ike gateway GW external-interface ge-0/0/1接口

set security ike gateway GW xauth access-profile DYNAMIC-×××ip

2. 配置IPSec Phase 2ci

set security ipsec policy IPSEC-POLICY proposal-set standard

set security ipsec *** DYNAMIC-××× ike gateway GW

set security ipsec *** DYNAMIC-××× ike ipsec-policy IPSEC-POLICY

3. 外部接口放行流量

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

4. 配置安全策略

set security policies from-zone untrust to-zone trust policy DYNAMIC match source-address any

set security policies from-zone untrust to-zone trust policy DYNAMIC match destination-address any

set security policies from-zone untrust to-zone trust policy DYNAMIC match application any

set security policies from-zone untrust to-zone trust policy DYNAMIC then permit tunnel ipsec-*** DYNAMIC-×××

5. 配置安全動態×××

set security dynamic-*** access-profile DYNAMIC-×××

set security dynamic-*** clients all remote-protected-resources 10.1.1.0/24

set security dynamic-*** clients all remote-exceptions 0.0.0.0/0

set security dynamic-*** clients all ipsec-*** DYNAMIC-×××

set security dynamic-*** clients all user my

6.配置access profile,地址池以及認證方式

set access profile DYNAMIC-××× client my firewall-user password "$9$0-D4BEyX7Vbw2MWHq.fzFreKMxNVwYgaZN-"

set access profile DYNAMIC-××× address-assignment pool DYNAMIC-×××-POOL

set access address-assignment pool DYNAMIC-×××-POOL family inet network 192.168.1.0/24

set access address-assignment pool DYNAMIC-×××-POOL family inet range POOL-RANGE low 192.168.1.10

set access address-assignment pool DYNAMIC-×××-POOL family inet range POOL-RANGE high 192.168.1.20

set access address-assignment pool DYNAMIC-×××-POOL family inet xauth-attributes primary-dns 202.100.3.10/32

set access firewall-authentication web-authentication default-profile DYNAMIC-×××

7.驗證

root@SRX-1> show security ipsec sa detail

root@SRX-1> show security ike sa detail

root@SRX-1> show security dynamic-*** users

root@SRX-1> show security ike active-peer

220344579.jpg

220452831.jpg

220515210.jpg

220534539.jpg

220553998.jpg

相關文章
相關標籤/搜索