November 3, 2014
 

Juniper SRX240H2 JunOS 11.4R7.5

Configuring the Remote User Authentication and Address Assignment

1. Create the address assignment pool.

[edit access address-assignment]
user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32

2. Configure the XAuth profile.

[edit access]
user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$9$uY4o0EyMWxdwgX7"
user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$9$neNM9CuB1hyrv5Q39"
user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

3. Configure Web authentication using the XAuth profile.

[edit access firewall-authentication]
user@host# set web-authentication default-profile dyn-vpn-access-profile

Configuring the VPN Tunnel

1. Configure the IKE policy. The dynamic VPN client authenticates with a group IKE ID and a pre-shared key, which requires aggressive mode; since IKEv1 aggressive mode sends the authentication hash unencrypted, an eavesdropper can attack the pre-shared key offline, so use a long random key here rather than a memorable passphrase.

[edit security ike]
user@host# set policy ike-dyn-vpn-policy mode aggressive
user@host# set policy ike-dyn-vpn-policy proposal-set standard
user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"

2. Configure the IKE gateway.

[edit security ike]
user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

3. Configure IPsec.

[edit security ipsec]
user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

4. Configure the security policy.

[edit security policies from-zone untrust to-zone trust]
user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

5. Configure host-inbound traffic on the external interface. The dynamic VPN itself needs ike (the tunnel) and https (the client portal); ping and ssh are convenience services that expose management of the SRX to the untrust zone, so leave them out or restrict them unless they are actually needed.

[edit security zones security-zone untrust interfaces ge-0/0/15.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh

Associate the Dynamic VPN with Remote Clients

1. Specify the access profile to use with dynamic VPN.

[edit security dynamic-vpn]
user@host# set access-profile dyn-vpn-access-profile

2. Configure the clients who can use the dynamic VPN.

[edit security dynamic-vpn]
user@host# set clients all ipsec-vpn dyn-vpn
user@host# set clients all user client1
user@host# set clients all user client2
user@host# set clients all remote-protected-resources 10.0.0.0/8
user@host# set clients all remote-exceptions 0.0.0.0/0

[Screenshot: juniper-srx240h2-dynamic-vpn-01]

Verification:

[Screenshots: juniper-srx240h2-dynamic-vpn-02, -03, -04, -05]

Client configuration:

[Screenshots: juniper-srx240h2-dynamic-vpn-06, -07, -08]

Reference:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/example/vpn-security-dynamic-example-configuring.html
