Juniper SRX 構建 Remote Access ×××
1. 配置IKE Phase 1 web
set security ike policy IKE-POLICY mode aggressive //Remote Access必須的類型安全
set security ike policy IKE-POLICY proposal-set standard //實用默認proposal集app
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz" ide
set security ike gateway GW ike-policy IKE-POLICYspa
set security ike gateway GW dynamic hostname SRX-1blog
set security ike gateway GW dynamic ike-user-type shared-ike-iddns
set security ike gateway GW external-interface ge-0/0/1接口
set security ike gateway GW xauth access-profile DYNAMIC-×××ip
2. 配置IPSec Phase 2ci
set security ipsec policy IPSEC-POLICY proposal-set standard
set security ipsec *** DYNAMIC-××× ike gateway GW
set security ipsec *** DYNAMIC-××× ike ipsec-policy IPSEC-POLICY
3. 外部接口放行流量
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
4. 配置安全策略
set security policies from-zone untrust to-zone trust policy DYNAMIC match source-address any
set security policies from-zone untrust to-zone trust policy DYNAMIC match destination-address any
set security policies from-zone untrust to-zone trust policy DYNAMIC match application any
set security policies from-zone untrust to-zone trust policy DYNAMIC then permit tunnel ipsec-*** DYNAMIC-×××
5. 配置安全動態×××
set security dynamic-*** access-profile DYNAMIC-×××
set security dynamic-*** clients all remote-protected-resources 10.1.1.0/24
set security dynamic-*** clients all remote-exceptions 0.0.0.0/0
set security dynamic-*** clients all ipsec-*** DYNAMIC-×××
set security dynamic-*** clients all user my
6.配置access profile,地址池以及認證方式
set access profile DYNAMIC-××× client my firewall-user password "$9$0-D4BEyX7Vbw2MWHq.fzFreKMxNVwYgaZN-"
set access profile DYNAMIC-××× address-assignment pool DYNAMIC-×××-POOL
set access address-assignment pool DYNAMIC-×××-POOL family inet network 192.168.1.0/24
set access address-assignment pool DYNAMIC-×××-POOL family inet range POOL-RANGE low 192.168.1.10
set access address-assignment pool DYNAMIC-×××-POOL family inet range POOL-RANGE high 192.168.1.20
set access address-assignment pool DYNAMIC-×××-POOL family inet xauth-attributes primary-dns 202.100.3.10/32
set access firewall-authentication web-authentication default-profile DYNAMIC-×××
7.驗證
root@SRX-1> show security ipsec sa detail
root@SRX-1> show security ike sa detail
root@SRX-1> show security dynamic-*** users
root@SRX-1> show security ike active-peer
- 1. Juniper SRX 構建 Remote Access ×××
- 2. juniper SRX Remoat ***配置
- 3. juniper SRX NTP
- 4. Juniper SRX動態×××配置
- 5. JUNIPER SRX dynamic ***配置實驗
- 6. juniper srx 650配置
- 7. juniper SRX DDNS
- 8. JUNIPER SRX ***排錯實驗1.0
- 9. Juniper SRX NAT詳解
- 10. Juniper SRX Junos升級
- 更多相關文章...
- • Maven 構建生命週期 - Maven教程
- • Maven 構建配置文件 - Maven教程
- • 適用於PHP初學者的學習線路和建議
- • Github 簡明教程
-
每一个你不满意的现在,都有一个你没有努力的曾经。