luobo2ni posted on 2018-7-28 06:34:50

Juniper SRX remote-access VPN (dynamic-vpn)

  Dynamic VPN based on IPsec
  Users on the outside (untrust zone) dial in to the SRX firewall, giving secure remote access from Untrust into the 192.168.2.0/24 subnet of the trust zone; the DMZ is not involved in this case.
http://bbs.freeit.com.cn/data/attachment/forum/201407/23/115631k5ibq5hzgw5qcgcf.png
  Step 1: configure the user authentication profile
  set access profile ra-users authentication-order password
  set access profile ra-users client user1 firewall-user password user1
  set access profile ra-users client user2 firewall-user password user2
  set access firewall-authentication web-authentication default-profile ra-users
  Step 2: configure the IKE proposal
  set security ike proposal ra-pro authentication-method pre-shared-keys
  set security ike proposal ra-pro dh-group group2
  set security ike proposal ra-pro authentication-algorithm md5
  set security ike proposal ra-pro encryption-algorithm 3des-cbc
  Step 3: configure the IKE policy
  set security ike policy ra-policy mode aggressive
  set security ike policy ra-policy proposals ra-pro
  set security ike policy ra-policy pre-shared-key ascii-text freeit123
  Step 4: configure the IKE gateway
  set security ike gateway ra-gw ike-policy ra-policy
  set security ike gateway ra-gw dynamic hostname freeit.com.cn
  set security ike gateway ra-gw dynamic connections-limit 40
  set security ike gateway ra-gw external-interface ge-0/0/1.0
  set security ike gateway ra-gw xauth access-profile ra-users
  Step 5: configure the IPsec proposal
  set security ipsec proposal ra-ipsec-pro protocol esp
  set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
  set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc
  Step 6: configure the IPsec policy
  set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
  set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro
  Step 7: configure the IPsec VPN
  set security ipsec vpn ra-vpn ike gateway ra-gw
  set security ipsec vpn ra-vpn ike ipsec-policy ra-ipsec-policy
  Step 8: configure the dynamic VPN
  set security dynamic-vpn access-profile ra-users
  set security dynamic-vpn clients client1 remote-protected-resources 172.16.1.0/24
  set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
  set security dynamic-vpn clients client1 ipsec-vpn ra-vpn
  set security dynamic-vpn clients client1 user user1
  set security dynamic-vpn clients client2 remote-protected-resources 172.16.1.0/24
  set security dynamic-vpn clients client2 remote-exceptions 0.0.0.0/0
  set security dynamic-vpn clients client2 ipsec-vpn ra-vpn
  set security dynamic-vpn clients client2 user user2
  Step 9: configure the security policy that applies to the dynamic-VPN users
  set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match source-address any
  set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match destination-address trust_172.16.1.0
  set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
  set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn ra-vpn
  set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-init
  set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-close
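  The proposals in Steps 2 to 6 use DH group2, MD5, 3DES, aggressive mode and a short pre-shared key, all of which are legacy choices. As an added example (it is not part of the original post and not Juniper code), the Python script below audits Junos "set" lines for exactly these settings. The sample configuration inside it is a constructed copy of the post's IKE/IPsec lines with the spacing normalised; the stronger keywords it recommends (group14, sha-256, hmac-sha-256-128, aes-256-cbc) and the 20-character minimum for the pre-shared key are this example's own choices, not values from the post.

```python
"""Audit Junos SRX IKE/IPsec 'set' commands for legacy cryptographic settings.

Added example for the dynamic-VPN post above; not Juniper code and not part of
the original post. Proposal/policy names (ra-pro, ra-policy, ra-ipsec-pro,
ra-ipsec-policy) are the post's own; the recommendations are this example's.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the post's IKE/IPsec lines with spacing normalised.
SAMPLE_CONFIG = """
set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc
set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123
set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
"""

# Constructed hardened variant (assumption: these stronger Junos keywords are
# this example's recommendation, not settings taken from the post).
HARDENED_CONFIG = """
set security ike proposal ra-pro dh-group group14
set security ike proposal ra-pro authentication-algorithm sha-256
set security ike proposal ra-pro encryption-algorithm aes-256-cbc
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-sha-256-128
set security ipsec proposal ra-ipsec-pro encryption-algorithm aes-256-cbc
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group14
"""

# Junos keyword -> weak value -> stronger value recommended by this example.
WEAK_VALUES = {
    "dh-group": {"group1": "group14", "group2": "group14", "group5": "group14"},
    "keys": {"group1": "group14", "group2": "group14", "group5": "group14"},  # PFS group
    "authentication-algorithm": {
        "md5": "sha-256", "sha1": "sha-256",
        "hmac-md5-96": "hmac-sha-256-128", "hmac-sha1-96": "hmac-sha-256-128",
    },
    "encryption-algorithm": {"des-cbc": "aes-256-cbc", "3des-cbc": "aes-256-cbc"},
}
MIN_PSK_LEN = 20  # assumption: minimum length accepted for a pre-shared key

SET_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy|gateway) \S+ (.+)$")


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "info"
    message: str


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per weak setting found among the 'set' commands in text."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the spacing that forum pastes mangle
        m = SET_RE.match(line)
        if not m:
            continue
        tokens = m.group(3).split()
        if len(tokens) < 2:
            continue
        key, value = tokens[-2], tokens[-1]  # Junos leaf statements end "key value"
        if value in WEAK_VALUES.get(key, {}):
            findings.append(Finding(line, "high",
                f"{key} {value} is a legacy setting; use {WEAK_VALUES[key][value]}"))
        elif key == "mode" and value == "aggressive":
            findings.append(Finding(line, "info",
                "aggressive mode sends the peer identity before encryption is in place; "
                "with dynamic peers main mode needs certificate authentication, so "
                "prefer certificates or at least a long random pre-shared key"))
        elif key == "ascii-text" and len(tokens) >= 3 and tokens[-3] == "pre-shared-key":
            if len(value) < MIN_PSK_LEN:
                findings.append(Finding(line, "medium",
                    f"pre-shared key is {len(value)} characters; use a random "
                    f"secret of at least {MIN_PSK_LEN}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n        {f.message}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

  Run against the post's lines the audit reports six high findings (both proposals plus the PFS group), one medium finding for the nine-character key, and one informational finding for aggressive mode; the hardened variant produces none. Feeding it the output of "show configuration | display set" on a live SRX gives the same check for an existing box.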
  Step 10: the client connects through a web browser (IE) at:
  https://192.168.114.190/dynamic-vpn (the web access is only needed the first time; afterwards the VPN is connected through the downloaded client)
http://bbs.freeit.com.cn/data/attachment/forum/201407/23/115549pioio5167z171jdo.png
  After entering a valid user account you are prompted to download and install the client
http://bbs.freeit.com.cn/data/attachment/forum/201407/23/115709yg1g0h6aguhhaggr.png
  Once installation finishes you can dial in to the VPN; later connections are made directly through the downloaded plugin
http://bbs.freeit.com.cn/data/attachment/forum/201407/23/115721yrsddr3ndkzvd5hp.png
  Check the result of the lab:
  root@freeit_SRX# run show security dynamic-vpn users detail
  User: NULL , Usergroup: NULL , Number of connections: 0
  Remote IP: 20.114.168.192

  IKE>  IKE Lifetime: 0
  IPSEC Lifetime: 0
  Status: CONNECTED
  root@freeit_SRX# run show security dynamic-vpn client version
  Junos Pulse 2.0.3.11013
  root@freeit_SRX# run show security ike active-peer
  Remote Address    Port    Peer IKE-ID      XAUTH username    Assigned IP
  192.168.114.20    54820   freeit.com.cn    user1
  root@freeit_SRX# run show security ike security-associations
  Index     State  Initiator cookie  Responder cookie  Mode        Remote Address
  5293799   UP     bff633e93801d22a  6821a6391ef46a44  Aggressive  192.168.114.20
  root@freeit_SRX# run show security ipsec security-associations
  Total active tunnels: 1
  ID           Algorithm      SPI       Life:sec/kb    Mon  lsys  Port  Gateway
  <268173315   ESP:3des/md5   39226897  3150/ 500000   -    root  500   192.168.114.20
  >268173315   ESP:3des/md5   9a7ad7bb  3150/ 500000   -    root  500   192.168.114.20
  root@freeit_SRX# run show security ipsec statistics
  ESP Statistics:
  Encrypted bytes:             1792
  Decrypted bytes:            960
  Encrypted packets:             16
  Decrypted packets:             16
  AH Statistics:
  Input bytes:                  0
  Output bytes:                   0
  Input packets:                  0
  Output packets:               0
  Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
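  The SA table and the statistics above are what you would re-check after every change: the SA rows show which algorithms were actually negotiated (here ESP with 3des/md5, matching the proposals), and the Errors block is where authentication, decryption and replay failures accumulate. As an added example (not from the original post and not Juniper code), the script below parses constructed copies of the "show security ipsec security-associations" and "show security ipsec statistics" output into structured data, flags SAs negotiated with legacy algorithms, and reports any non-zero error counter; the replay-error value of 3 in the sample is constructed so the check has something to find.

```python
"""Parse Junos SRX 'show security ipsec ...' output for tunnel-health checks.

Added example for the verification section of the dynamic-VPN post above;
not Juniper code and not part of the original post. Both samples are
constructed copies of the post's output (one replay error added).
"""
import re

# Constructed sample: the post's SA table, columns separated by single spaces.
SAMPLE_SAS = """\
Total active tunnels: 1
ID           Algorithm      SPI       Life:sec/kb    Mon  lsys  Port  Gateway
<268173315 ESP:3des/md5 39226897 3150/ 500000 - root 500 192.168.114.20
>268173315 ESP:3des/md5 9a7ad7bb 3150/ 500000 - root 500 192.168.114.20
"""

# Constructed sample: the post's statistics with 'Replay errors' set to 3.
SAMPLE_STATS = """\
ESP Statistics:
  Encrypted bytes:             1792
  Decrypted bytes:            960
  Encrypted packets:             16
  Decrypted packets:             16
AH Statistics:
  Input bytes:                  0
  Output bytes:                   0
  Input packets:                  0
  Output packets:               0
Errors:
  AH authentication failures: 0, Replay errors: 3
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# One SA row: direction+ID, ESP:enc/auth, SPI, life sec/kb, Mon, lsys, port, gateway.
SA_RE = re.compile(
    r"^\s*([<>])(\d+)\s+ESP:([^/\s]+)/(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\d+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)
# "Name: 123" pairs, possibly several per line separated by commas.
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")
LEGACY_ALGS = {"des", "3des", "md5", "sha1"}  # algorithm names as Junos prints them


def parse_ipsec_sas(text):
    """Return one dict per SA row ('<' is the inbound SA, '>' the outbound one)."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas.append({
                "direction": m.group(1), "id": int(m.group(2)),
                "enc": m.group(3), "auth": m.group(4), "spi": m.group(5),
                "life_sec": int(m.group(6)), "life_kb": int(m.group(7)),
                "gateway": m.group(11),
            })
    return sas


def legacy_sa_alerts(sas):
    """Flag SAs whose negotiated (not merely configured) algorithms are legacy."""
    return [f"SA {sa['id']} {sa['direction']} uses {sa['enc']}/{sa['auth']}"
            for sa in sas if sa["enc"] in LEGACY_ALGS or sa["auth"] in LEGACY_ALGS]


def parse_ipsec_statistics(text):
    """Return {section: {counter: value}} from the statistics output."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and ":" not in stripped[:-1]:
            current = stripped[:-1]          # section header such as "Errors:"
            sections[current] = {}
        elif current is not None:
            for name, value in COUNTER_RE.findall(stripped):
                sections[current][name.strip()] = int(value)
    return sections


def error_alerts(stats):
    """Return the non-zero error counters; an empty list means a clean tunnel."""
    return [f"{name}={value}" for name, value in stats.get("Errors", {}).items() if value]


if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE_SAS)
    print("legacy SAs:", legacy_sa_alerts(sas))
    print("errors:", error_alerts(parse_ipsec_statistics(SAMPLE_STATS)))
```

  Polling these two commands and alerting on a growing error counter, or on an SA that came up with algorithms other than the ones you intended, is a cheap way to catch misconfiguration or interference with the tunnel between scheduled reviews.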