(^o^)/~完美 posted on 2018-7-27 13:25:59

Building a Remote Access *** on Juniper SRX

  1. Configure IKE Phase 1
  set security ike policy IKE-POLICY mode aggressive       // mode required for Remote Access
  set security ike policy IKE-POLICY proposal-set standard // use the default proposal set
  set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz"
  set security ike gateway GW ike-policy IKE-POLICY
  set security ike gateway GW dynamic hostname SRX-1
  set security ike gateway GW dynamic ike-user-type shared-ike-id
  set security ike gateway GW external-interface ge-0/0/1
  set security ike gateway GW xauth access-profile DYNAMIC-***
  
  2. Configure IPsec Phase 2
  set security ipsec policy IPSEC-POLICY proposal-set standard
  set security ipsec *** DYNAMIC-*** ike gateway GW
  set security ipsec *** DYNAMIC-*** ike ipsec-policy IPSEC-POLICY
  
  3. Allow inbound traffic on the external interface
  set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
  set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

  4. Configure the security policy
  set security policies from-zone untrust to-zone trust policy DYNAMIC match source-address any
  set security policies from-zone untrust to-zone trust policy DYNAMIC match destination-address any
  set security policies from-zone untrust to-zone trust policy DYNAMIC match application any
  set security policies from-zone untrust to-zone trust policy DYNAMIC then permit tunnel ipsec-*** DYNAMIC-***

  5. Configure the dynamic ***
  set security dynamic-*** access-profile DYNAMIC-***
  set security dynamic-*** clients all remote-protected-resources 10.1.1.0/24
  set security dynamic-*** clients all remote-exceptions 0.0.0.0/0
  set security dynamic-*** clients all ipsec-*** DYNAMIC-***
  set security dynamic-*** clients all user my

  6. Configure the access profile, address pool and authentication method
  set access profile DYNAMIC-*** client my firewall-user password "$9$0-D4BEyX7Vbw2MWHq.fzFreKMxNVwYgaZN-"
  set access profile DYNAMIC-*** address-assignment pool DYNAMIC-***-POOL
  set access address-assignment pool DYNAMIC-***-POOL family inet network 192.168.1.0/24
  set access address-assignment pool DYNAMIC-***-POOL family inet range POOL-RANGE low 192.168.1.10
  set access address-assignment pool DYNAMIC-***-POOL family inet range POOL-RANGE high 192.168.1.20
  set access address-assignment pool DYNAMIC-***-POOL family inet xauth-attributes primary-dns 202.100.3.10/32
  set access firewall-authentication web-authentication default-profile DYNAMIC-***

  7. Verify
  root@SRX-1> show security ipsec sa detail
  root@SRX-1> show security ike sa detail
  root@SRX-1> show security dynamic-*** users
  root@SRX-1> show security ike active-peer
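As an added example that is not part of the original post: a small Python review script that tokenises the Junos set commands above (with the forum's *** masking kept as literal tokens) and flags the points a reviewer would raise about this remote-access setup before committing it: aggressive mode combined with a pre-shared key, predefined proposal sets, the split-tunnel effect of remote-exceptions 0.0.0.0/0, and $9$ secrets in the configuration. The severity labels and the reading of remote-exceptions as traffic that bypasses the tunnel are my assumptions, not something the post states.

```python
"""Review helper for Junos 'set' configuration lines (added example, not from the post).

Parses 'set ...' lines into token lists and reports remote-access IPsec hygiene
findings. Sample input is the post's own configuration; '***' is the forum's
masking of a word and is treated as an ordinary token.
"""
import shlex
from typing import List, Tuple

Statement = List[str]
Finding = Tuple[str, str]
ANY = "?"  # wildcard token for pattern matching (never appears in Junos config)

# Constructed input: the post's configuration lines with inline comments removed.
SAMPLE_CONFIG = """
set security ike policy IKE-POLICY mode aggressive
set security ike policy IKE-POLICY proposal-set standard
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz"
set security ike gateway GW ike-policy IKE-POLICY
set security ike gateway GW dynamic hostname SRX-1
set security ike gateway GW dynamic ike-user-type shared-ike-id
set security ike gateway GW external-interface ge-0/0/1
set security ike gateway GW xauth access-profile DYNAMIC-***
set security ipsec policy IPSEC-POLICY proposal-set standard
set security dynamic-*** clients all remote-protected-resources 10.1.1.0/24
set security dynamic-*** clients all remote-exceptions 0.0.0.0/0
set access profile DYNAMIC-*** client my firewall-user password "$9$0-D4BEyX7Vbw2MWHq.fzFreKMxNVwYgaZN-"
"""


def parse_set_lines(text: str) -> List[Statement]:
    """Tokenise every 'set ...' line; '//' comments, blanks and other lines are skipped."""
    stmts: List[Statement] = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing '// ...' comments as used in the post
        if not line.startswith("set "):
            continue
        stmts.append(shlex.split(line)[1:])  # shlex keeps quoted secrets as one token
    return stmts


def matches(stmt: Statement, pattern: Tuple[str, ...]) -> bool:
    """Prefix match of a statement against a pattern; ANY matches exactly one token."""
    if len(pattern) > len(stmt):
        return False
    return all(p == ANY or p == t for p, t in zip(pattern, stmt))


def find(stmts: List[Statement], *pattern: str) -> List[Statement]:
    return [s for s in stmts if matches(s, pattern)]


def audit(stmts: List[Statement]) -> List[Finding]:
    """Return (severity, message) findings for a remote-access IKE/IPsec configuration."""
    findings: List[Finding] = []

    # 1. Aggressive mode with a pre-shared key: the peer identity and the PSK-derived
    #    hash are exchanged before the channel is encrypted, so PSK strength matters.
    #    XAuth on the gateway (as in the post) adds a second factor, so severity is lower.
    for s in find(stmts, "security", "ike", "policy", ANY, "mode", "aggressive"):
        policy = s[3]
        has_psk = bool(find(stmts, "security", "ike", "policy", policy, "pre-shared-key"))
        gateways = [g[3] for g in find(stmts, "security", "ike", "gateway", ANY, "ike-policy", policy)]
        xauth = any(find(stmts, "security", "ike", "gateway", gw, "xauth") for gw in gateways)
        if has_psk:
            tail = " (XAuth is configured on the gateway)" if xauth else " and add XAuth"
            findings.append(("MEDIUM" if xauth else "HIGH",
                             f"IKE policy {policy}: aggressive mode with a pre-shared key; "
                             f"use a long random PSK{tail}"))

    # 2. Predefined proposal sets hide the negotiated algorithms from the reviewer.
    for s in find(stmts, "security", ANY, "policy", ANY, "proposal-set", ANY):
        findings.append(("LOW", f"{s[1].upper()} policy {s[3]}: predefined proposal-set '{s[5]}'; "
                         "define explicit proposals so the algorithms are visible in the config"))

    # 3. remote-exceptions 0.0.0.0/0 (assumption: exceptions bypass the tunnel) means only
    #    remote-protected-resources are tunnelled, i.e. split tunneling is in effect.
    for s in stmts:
        if "remote-exceptions" in s:
            i = s.index("remote-exceptions")
            if i + 1 < len(s) and s[i + 1] == "0.0.0.0/0":
                findings.append(("INFO", "remote-exceptions 0.0.0.0/0: split tunneling, only "
                                 "remote-protected-resources traverse the tunnel"))

    # 4. Junos '$9$' values are reversible obfuscation, not hashes: anyone holding the
    #    configuration file can recover the PSK and the firewall-user password.
    for s in stmts:
        if any(tok.startswith("$9$") for tok in s):
            findings.append(("INFO", f"'{' '.join(s[:4])} ...': $9$ secret is reversible obfuscation, "
                             "not a hash; protect configuration backups accordingly"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_set_lines(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it against a `show configuration | display set` export to review an SRX before commit; the post's own configuration yields one MEDIUM finding (aggressive mode plus PSK, softened by XAuth), two LOW findings for the proposal sets, and INFO notes for split tunneling and the two $9$ secrets.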