Published 5 January 2024 (author: shell scripting conventions and variables)
Juniper SRX Standard Configuration
Section 1 System Configuration
1.1 Device Initialization
1.1.1 Login
1.1.2 Set the root User Password
1.1.3 Set Up a Remote Management User
1.2 System Management
1.2.1 Select Time Zone
1.2.2 System Time
1.2.3 DNS Server
1.2.4 System Reboot
1.2.5 Alarm Handling
1.2.6 Root Password Reset
Section 2 Network Settings
2.1 Interface
2.1.1 PPPoE
2.1.2 Manual
2.1.3 DHCP
2.2 Routing
Static Route
2.3 SNMP
Section 3 Advanced Settings
3.1.1 Change Service Ports
3.1.2 Check Hardware Serial Number
3.1.3 Enable Services on the Internal and External Interfaces
3.1.4 Create Port Services
3.1.5 VIP Port Mapping
3.1.6 MIP Mapping
3.1.7 Disable the Console Port
3.1.8 Pings Sourced from the SRX Itself to the Internet Fail by Default; Source NAT Is Required
3.1.9 Set the SRX Management IP
3.2.0 Configuration Rollback
3.2.1 Applying UTM
3.2.2 Resolving Slow Network Access
Section 4 VPN Settings
4.1 Site-to-Site IPsec VPN
4.1.1 Route-Based
4.1.2 Policy-Based
4.2 Remote VPN
4.2.1 SRX-Side Configuration
4.2.2 Client Configuration
Section 1 System Configuration
1.1 Device Initialization
1.1.1 Login
For the first login, connect to the SRX through the console port and log in as root; the password is empty.
login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli /*** enter operational mode ***/
root>
root> configure
Entering configuration mode
/*** enter configuration mode ***/
[edit]
root#
1.1.2 Set the root User Password
(The root account password must be set; otherwise none of the subsequent configuration or changes can be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA
Note: it is strongly recommended not to use the other encryption options (such as encrypted-password) for the root or other user passwords. That statement expects a string that has already been hashed by the encryption algorithm, so entering it by hand risks a password that cannot pass verification.
Note: the root user is only for local management of the SRX over the console connection and cannot log in remotely. The root password must be set successfully before any subsequent configuration can be committed.
1.1.3 Set Up a Remote Management User
root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: srx123
Note: this user has super-user privileges and can be used for both console and remote management access; other users with different management rights can also be defined as needed.
1.2 System Management
1.2.1 Select Time Zone
srx_admin# set system time-zone Asia/Shanghai /*** Asia/Shanghai ***/
1.2.2 System Time
1.2.2.1 Set Manually
srx_admin> set date 2.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-Time NTP Synchronization
srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec
1.2.2.3 NTP Server
srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server
/*** NTP server for the SRX itself; to give a hostname the device must be online and able to resolve it, otherwise the command cannot be entered ***/
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin@holy-shit> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
15.179.156.248 3 - 16 64 1 5.473 -0.953 0.008
202.100.102.1 .INIT. 16 - - 64 0 0.000 0.000 4000.00
1.2.3 DNS Server
srx_admin# set system name-server 202.96.209.5 /*** DNS server for the SRX itself ***/
1.2.4 System Reboot
1.2.4.1 Reboot the System
srx_admin> request system reboot
1.2.4.2 Shut Down the System
srx_admin> request system power-off
1.2.5 Alarm Handling
1.2.5.1 View Alarms
root# run show system alarms
2 alarms currently active
Alarm time Class Description
2015-11-20 14:21:49 UTC Minor Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC Minor Rescue configuration is not set
1.2.5.2 Handle Alarms
Handling the first alarm:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Handling the second alarm:
root> request system configuration rescue save
1.2.6 Root Password Reset
If the SRX root password is lost and no other account with super-user rights exists, password recovery must be performed. This interrupts normal operation of the device but does not lose the configuration. The steps are as follows:
1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Perform the password recovery: type recovery at the prompt below; the device then reboots automatically.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
3. Enter configuration mode, delete the root password, set a new root password, commit, and reboot.
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Section 2 Network Settings
2.1 Interface
2.1.1 PPPoE
※ Configure PPPoE encapsulation on the external interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163
/*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive
/*** passive mode ***/
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163
/*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890
/*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive
/*** passive mode ***/
※ Bind the PPP interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
/*** run the PPPoE dial-up over the external interface (fe-0/0/0) ***/
※ PPPoE dial-up attributes
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
/*** idle timeout ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
/*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client
/*** act as the PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492
/*** set the MTU of this interface to 1492, because the PPPoE header adds a little overhead ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address
/*** negotiate the address automatically, i.e. the server assigns a dynamic address ***/
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that PPPoE has dialled up and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0 up up
pp0.0 up up inet 192.168.163.1 --> 1.1.1.1
ppd0 up up
ppe0 up up
Note:
After PPPoE dial-up succeeds, the MTU needs tuning so that Internet access performs best (with an unsuitable MTU, browsing stalls).
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304 /*** adjust the TCP MSS ***/
2.1.2 Manual
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable the DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
/*** DHCP gateway ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
/*** first address of the DHCP pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
/*** last address of the DHCP pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000
/*** DHCP lease time ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name
/*** DHCP domain name ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133
/*** DNS servers handed out by DHCP ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0
/*** interface whose DHCP settings are propagated ***/
※ Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Let the internal interface serve the DHCP pool
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static Route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153
/*** default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0
/*** route for the route-based VPN ***/
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only
/*** SNMP access level: read-only or read-write ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32
/*** SNMP monitoring host ***/
Section 3 Advanced Settings
3.1.1 Change Service Ports
srx_admin# set system services web-management http port 8000
/*** change the HTTP port of web management ***/
srx_admin# set system services web-management https port 1443
/*** change the HTTPS port of web management ***/
3.1.2 Check Hardware Serial Number
srx# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis BZ2615AF0491 SRX100H2
Routing Engine REV 05 650-048781 BZ2615AF0491 RE-SRX100H2
FPC 0 FPC
PIC 0 8x FE Base PIC
Power Supply 0
3.1.3 Enable Services on the Internal and External Interfaces
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
/*** afterwards the management page is opened at ip/admin; without this it opens directly ***/
※ Enable services on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
/*** enable ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
/*** enable http ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
/*** enable telnet ***/
※ Enable services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
/*** enable ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
/*** enable telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
/*** enable http ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
/*** enable all services ***/
3.1.4 Create System Services
srx_admin# set applications application RDP term rdp-tcp protocol tcp
/*** protocol tcp; one term per protocol, so the tcp and udp definitions do not overwrite each other ***/
srx_admin# set applications application RDP term rdp-tcp source-port 0-65535
/*** source ports ***/
srx_admin# set applications application RDP term rdp-tcp destination-port 3389
/*** destination port ***/
srx_admin# set applications application RDP term rdp-udp protocol udp
/*** protocol udp ***/
srx_admin# set applications application RDP term rdp-udp source-port 0-65535
/*** source ports ***/
srx_admin# set applications application RDP term rdp-udp destination-port 3389
/*** destination port ***/
3.1.5 VIP Port Mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 22 address 192.168.1.20/32
/*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination pool 22 address 192.168.1.20/32 port 3389
/*** destination NAT pool: the port on the internal host ***/
srx_admin# set security nat destination rule-set 2 from zone untrust
/*** destination NAT rule: the traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
/*** destination NAT rule: any source address may connect ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
/*** destination NAT rule: the public destination address being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389
/*** destination NAT rule: the destination port being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22
/*** destination NAT rule: translate to the pool address ***/
※ Policy configuration
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
3.1.6 MIP Mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 111 address 192.168.1.3/32
/*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination rule-set 1 from zone untrust
/*** destination NAT rule: the traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
/*** destination NAT rule: any source address may connect ***/
srx_admin# set security nat destination rule-set 1 rule 111 match destination-address 116.228.60.157/32
/*** destination NAT rule: the destination address being accessed is 116.228.60.157 ***/
srx_admin# set security nat destination rule-set 1 rule 111 then destination-nat pool 111
/*** destination NAT rule: translate to the pool address ***/
※ Configure proxy ARP
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32
※ Policy configuration
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32
/*** address-book entry for the MIP host; the policy matches the translated internal address, so it must name the pool address 192.168.1.3 ***/
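The VIP and MIP mappings above translate the destination before the security policy is consulted, which is why both policies match the internal address-book entry rather than the public address. The following Python is an added example, not code from the page or from Juniper; it re-implements that lookup over the manual's own NAT lines (a constructed sample with the page's addresses) and lints a dangling pool reference and a missing proxy-arp entry.

```python
"""Destination NAT walk-through for the VIP and MIP sections of this manual. Added
example, not code from the page or from Juniper: it parses the 'set security nat
destination ...' lines, translates a sample packet the way the SRX does before the
security policy is consulted (so the policy must match the internal address, not
the public one), and lints two mistakes that leave a mapping dead: a rule whose
pool is undefined and a public address that has no proxy-arp entry.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample: the VIP (port 3389) and MIP mappings from the manual.
NAT_LINES = [
    "set security nat destination pool 22 address 192.168.1.20/32",
    "set security nat destination pool 22 address 192.168.1.20/32 port 3389",
    "set security nat destination rule-set 2 from zone untrust",
    "set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0",
    "set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32",
    "set security nat destination rule-set 2 rule 111 match destination-port 3389",
    "set security nat destination rule-set 2 rule 111 then destination-nat pool 22",
    "set security nat destination pool 111 address 192.168.1.3/32",
    "set security nat destination rule-set 1 from zone untrust",
    "set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0",
    "set security nat destination rule-set 1 rule 111 match destination-address 116.228.60.157/32",
    "set security nat destination rule-set 1 rule 111 then destination-nat pool 111",
    "set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32",
]


def parse_nat(lines: List[str]) -> dict:
    """Pools, rule-sets (rules kept in configuration order) and proxy-arp addresses."""
    cfg = {"pools": {}, "rule_sets": {}, "proxy_arp": set()}
    for line in lines:
        t = line.split()
        if t[:4] == ["set", "security", "nat", "proxy-arp"]:
            cfg["proxy_arp"].add(t[7])
        elif t[:5] == ["set", "security", "nat", "destination", "pool"]:
            pool = cfg["pools"].setdefault(t[5], {"address": None, "port": None})
            pool["address"] = t[7].split("/")[0]
            if len(t) > 9 and t[8] == "port":
                pool["port"] = int(t[9])
        elif t[:5] == ["set", "security", "nat", "destination", "rule-set"]:
            rs = cfg["rule_sets"].setdefault(t[5], {"from": None, "rules": {}})
            if t[6] == "from":
                rs["from"] = t[8]                       # 'from zone <zone>'
            else:                                       # 'rule <name> ...'
                rule = rs["rules"].setdefault(t[7], {"match": {}, "pool": None})
                if t[8] == "match":
                    rule["match"][t[9]] = t[10]
                elif t[8:11] == ["then", "destination-nat", "pool"]:
                    rule["pool"] = t[11]
    return cfg


def rule_matches(match: dict, pkt: dict) -> bool:
    """Every configured match condition must hold; absent conditions match anything."""
    if "source-address" in match and ip_address(pkt["src"]) not in ip_network(match["source-address"]):
        return False
    if "destination-address" in match and ip_address(pkt["dst"]) not in ip_network(match["destination-address"]):
        return False
    if "destination-port" in match and pkt["dport"] != int(match["destination-port"]):
        return False
    return True


def translate(cfg: dict, zone: str, pkt: dict) -> Optional[Tuple[str, int]]:
    """Post-NAT (address, port) for a packet entering from 'zone', evaluated before
    policy lookup; None when no rule applies or the matching rule's pool is missing."""
    for rs in cfg["rule_sets"].values():
        if rs["from"] != zone:
            continue
        for rule in rs["rules"].values():
            if rule_matches(rule["match"], pkt):
                pool = cfg["pools"].get(rule["pool"])
                if pool is None:
                    return None
                return pool["address"], pool["port"] or pkt["dport"]
    return None


def lint(cfg: dict) -> List[str]:
    """Report the two mistakes that leave a mapping dead even though every line is valid syntax."""
    problems = []
    for rs_name, rs in cfg["rule_sets"].items():
        for rule_name, rule in rs["rules"].items():
            if rule["pool"] not in cfg["pools"]:
                problems.append(f"rule-set {rs_name} rule {rule_name}: pool {rule['pool']} is not defined")
            public = rule["match"].get("destination-address")
            if public and public not in cfg["proxy_arp"]:
                problems.append(f"rule-set {rs_name} rule {rule_name}: no proxy-arp for {public} "
                                "(needed unless it is the interface's own address)")
    return problems


if __name__ == "__main__":
    cfg = parse_nat(NAT_LINES)
    rdp = {"src": "203.0.113.9", "dst": "116.228.60.154", "dport": 3389}
    print(translate(cfg, "untrust", rdp))   # ('192.168.1.20', 3389): the policy must match this address
    print(lint(cfg))
```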
3.1.7 Disable the Console Port
juniper-srx@SRX100H2# edit system ports console /*** enter the console port stanza ***/
juniper-srx@SRX100H2# set disable /*** disable the port ***/
juniper-srx@SRX100H2# commit confirmed 3 /*** commit with a 3-minute confirmation window; the change is rolled back after 3 minutes unless confirmed ***/
3.1.8 Pings Sourced from the SRX Itself to the Internet Fail by Default; Source NAT Is Required
set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
3.1.9 Set the SRX Management IP
※ Refer to the services enabled on the firewall's external interface
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
※ Define a firewall filter specifying the permitted addresses and ports
set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
/*** the permitted source address and the management address ***/
set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
/*** discard SSH to the management address from every other source ***/
set firewall filter Outside_access_in term Permit_ANY then accept
/*** permit all remaining traffic ***/
※ Apply the filter on the firewall's external interface to enforce the restriction
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in
Note: ① When configuring a deny term, add a term after it that permits the other traffic; otherwise the filter's implicit deny rejects all traffic.
② Do not use "all" in the deny term, or all traffic will be rejected.
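As an added example (not code from the manual or from Juniper), the following Python evaluates the Outside_access_in filter the way Junos does, term by term with the implicit discard at the end, and shows what note ① warns about: without the Permit_ANY term, everything that is not administrative SSH is discarded. The filter lines and addresses are the page's; the test packets are constructed.

```python
"""Junos stateless firewall filter evaluation, added as an example for the management
filter in this manual (not code from the page or from Juniper). Terms are tried top to
bottom; the first term whose 'from' conditions all match decides the action, a term
without a 'then' accepts, and a packet matching no term hits the implicit discard.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Service names Junos accepts in destination-port, mapped to port numbers.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}

# Constructed sample: the Outside_access_in filter from the manual, with its addresses
# (116.228.60.158 is the admin host, 59.46.184.114 the SRX management address).
FILTER_LINES = [
    "set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32",
    "set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32",
    "set firewall filter Outside_access_in term Permit_IP from protocol tcp",
    "set firewall filter Outside_access_in term Permit_IP from destination-port ssh",
    "set firewall filter Outside_access_in term Permit_IP then accept",
    "set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32",
    "set firewall filter Outside_access_in term Deny_ANY from protocol tcp",
    "set firewall filter Outside_access_in term Deny_ANY from destination-port ssh",
    "set firewall filter Outside_access_in term Deny_ANY then discard",
    "set firewall filter Outside_access_in term Permit_ANY then accept",
]


@dataclass
class Term:
    name: str
    action: str = "accept"                  # Junos default when a term has no 'then'
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    protocol: Optional[str] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """All configured 'from' conditions must hold; a missing condition matches anything."""
        if self.source_address and ip_address(pkt["src"]) not in ip_network(self.source_address):
            return False
        if self.destination_address and ip_address(pkt["dst"]) not in ip_network(self.destination_address):
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.destination_port is not None and pkt["dport"] != self.destination_port:
            return False
        return True


def parse_filter(set_lines: List[str], filter_name: str) -> List[Term]:
    """Build the ordered term list of one filter from Junos 'set' lines."""
    prefix = f"set firewall filter {filter_name} term "
    terms: Dict[str, Term] = {}
    order: List[str] = []
    for line in set_lines:
        if not line.startswith(prefix):
            continue
        tokens = line[len(prefix):].split()
        term_name, clause = tokens[0], tokens[1]
        if term_name not in terms:
            terms[term_name] = Term(term_name)
            order.append(term_name)          # first mention fixes the term's position
        term = terms[term_name]
        if clause == "from":
            key, value = tokens[2], tokens[3]
            if key == "destination-port":
                term.destination_port = int(SERVICE_PORTS.get(value, value))
            else:
                setattr(term, key.replace("-", "_"), value)
        elif clause == "then":
            term.action = tokens[2]
    return [terms[name] for name in order]


def evaluate(terms: List[Term], pkt: dict) -> Tuple[str, str]:
    """Return (deciding term, action); no match means the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit", "discard"


def decide(set_lines: List[str], pkt: dict) -> Tuple[str, str]:
    return evaluate(parse_filter(set_lines, "Outside_access_in"), pkt)


if __name__ == "__main__":
    admin_ssh = {"src": "116.228.60.158", "dst": "59.46.184.114", "proto": "tcp", "dport": 22}
    other_ssh = {"src": "203.0.113.9", "dst": "59.46.184.114", "proto": "tcp", "dport": 22}
    web = {"src": "203.0.113.9", "dst": "59.46.184.114", "proto": "tcp", "dport": 8000}
    print(decide(FILTER_LINES, admin_ssh))   # ('Permit_IP', 'accept')
    print(decide(FILTER_LINES, other_ssh))   # ('Deny_ANY', 'discard')
    print(decide(FILTER_LINES, web))         # ('Permit_ANY', 'accept')
    # Note (1) from the manual: without the trailing Permit_ANY term everything that
    # is not admin SSH falls through to the implicit discard.
    print(decide(FILTER_LINES[:-1], web))    # ('implicit', 'discard')
```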
3.2.0 Configuration Rollback
※ View the committed configurations
srx_admin# run show system commit
0 2016-05-04 11:47:46 UTC by root via junoscript
1 2016-05-04 11:40:11 UTC by root via cli
2 2016-05-04 11:38:36 UTC by root via cli
3 2016-04-27 11:41:07 UTC by root via cli
4 2016-04-01 17:37:22 UTC by root via button
※ Roll back the configuration ("rollback 0")
srx_admin# rollback ?
Possible completions:
<[Enter]> Execute this command
0 2016-05-04 11:47:46 UTC by root via junoscript
1 2016-05-04 11:40:11 UTC by root via cli
2 2016-05-04 11:38:36 UTC by root via cli
3 2016-04-27 11:41:07 UTC by root via cli
4 2016-04-01 17:37:22 UTC by root via button
| Pipe through a command
3.2.1 Applying UTM
※ Apply UTM in a policy
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy
3.2.2 Resolving Slow Network Access
srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check
Section 4 VPN Settings
4.1 Site-to-Site IPsec VPN
4.1.1 Route-Based
/*** standard or compatible mode ***/
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
/*** create the st0.0 interface ***/
srx_admin# set security zones security-zone untrust interfaces st0.0
/*** place the tunnel interface st0.0 in the untrust zone ***/
※ Create the route to the peer's internal network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ Phase 1 IKE policy
srx_admin# set security ike policy lead mode main
/*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy lead proposal-set standard
/*** negotiated algorithm set: standard or compatible ***/
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123
/*** pre-shared key ***/
※ Phase 1 IKE gateway
srx_admin# set security ike gateway gw1 ike-policy lead
/*** apply the phase 1 IKE policy ***/
srx_admin# set security ike gateway gw1 address 116.228.60.158
/*** peer gateway address ***/
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0
/*** outgoing interface for the VPN ***/
Note: if PPPoE dial-up is used for Internet access, the outgoing interface must be the PPP interface
srx_admin# set security ike gateway gw1 external-interface pp0.0
※ Phase 2 IPsec configuration
srx_admin# set security ipsec policy abc proposal-set standard
/*** negotiated algorithm set: standard or compatible ***/
srx_admin# set security ipsec vpn test bind-interface st0.0
/*** bind the VPN interface ***/
srx_admin# set security ipsec vpn test ike gateway gw1
/*** apply the gateway ***/
srx_admin# set security ipsec vpn test ike ipsec-policy abc
/*** apply the policy that selects the algorithms ***/
srx_admin# set security ipsec vpn test establish-tunnels immediately
/*** start negotiating immediately ***/
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policies for traffic in both directions
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
/*** custom mode ***/
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
/*** create the st0.0 interface ***/
srx_admin# set security zones security-zone untrust interfaces st0.0
/*** place the tunnel interface st0.0 in the untrust zone ***/
※ Create the route to the peer's internal network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ Phase 1 IKE configuration
※※ Proposal
srx_admin# set security ike proposal vpn1-proposal authentication-method pre-shared-keys
/*** authenticate with pre-shared keys ***/
srx_admin# set security ike proposal vpn1-proposal dh-group group2
/*** DH group 2 ***/
srx_admin# set security ike proposal vpn1-proposal authentication-algorithm md5
/*** MD5 authentication ***/
srx_admin# set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc
/*** 3DES encryption ***/
※※ Policy
srx_admin# set security ike policy vpn1-ike-policy mode main
/*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy vpn1-ike-policy proposals vpn1-proposal
/*** apply the IKE proposal ***/
srx_admin# set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123
/*** pre-shared key ***/
※※ Gateway
srx_admin# set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy
/*** apply the IKE policy ***/
srx_admin# set security ike gateway vpn1-gateway address 116.228.60.158
/*** peer gateway address ***/
srx_admin# set security ike gateway vpn1-gateway external-interface fe-0/0/0.0
/*** local outgoing interface ***/
※ Phase 2 IPsec configuration
※※ Proposal
srx_admin# set security ipsec proposal vpn2-ipsec-proposal protocol esp
/*** IPsec proposal protocol: ESP ***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96
/*** MD5 authentication ***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc
/*** 3DES encryption ***/
※※ Policy
srx_admin# set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2
/*** enable PFS with group 2 ***/
srx_admin# set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal
/*** IPsec policy: apply the IPsec proposal ***/
※※ VPN
srx_admin# set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0
/*** IPsec VPN: bind the tunnel interface ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway
/*** IPsec VPN: apply the phase 1 gateway ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy
/*** IPsec VPN: apply the phase 2 IPsec policy ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn establish-tunnels immediately
/*** establish the tunnel immediately ***/
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policies for traffic in both directions
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
4.1.2 Policy-Based
※ Create the local and remote internal subnets and place them in their zones
srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24
/*** local internal subnet ***/
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24
/*** remote internal subnet ***/
※ Phase 1 IKE configuration
※※ Proposal
srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
/*** use pre-shared keys ***/
srx_admin# set security ike proposal ike-phase1-proposal dh-group group2
/*** DH group 2 ***/
srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5
/*** MD5 authentication ***/
srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
/*** 3DES encryption ***/
※※ Policy
srx_admin# set security ike policy ike-phase1-policy mode main
/*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal
/*** apply the IKE proposal ***/
srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123
/*** pre-shared key ***/
※※ Gateway
srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy
/*** apply the IKE policy ***/
srx_admin# set security ike gateway gw-chica address 116.228.60.157
/*** peer gateway address ***/
srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0
/*** local outgoing interface ***/
※ Phase 2 IPsec configuration
※※ Proposal
srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp
/*** IPsec proposal protocol: ESP ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
/*** MD5 authentication ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
/*** 3DES encryption ***/
※※ Policy
srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
/*** IPsec policy: apply the IPsec proposal ***/
※※ VPN
srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica
/*** IPsec VPN: apply the phase 1 gateway ***/
srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy
/*** IPsec VPN: apply the IPsec policy ***/
srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic
/*** the VPN is established once traffic appears ***/
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ VPN traffic policy
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close
※ Internet access policy
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica
Note: enable session logging in the policy
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close
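Both VPN variants above chain ipsec vpn -> ike gateway -> ike policy -> proposals, and one broken link, or an external interface whose zone does not admit IKE, leaves the tunnel down. The following Python is an added example (not code from the page or from Juniper) that audits such a chain over the custom-mode lines of 4.1.1, covers the policy-based form of 4.1.2 by looking for a policy that tunnels through the vpn, and flags the MD5, 3DES, DH group 2 and aggressive-mode settings used in this chapter (and in 4.2) as weak; the weak list and the 20-character pre-shared-key threshold are the example's own choices.

```python
"""IPsec VPN cross-reference and cipher audit for the SRX 'set' lines in this manual.
Added example, not code from the page or from Juniper: it checks that every ipsec vpn
-> ike gateway -> ike policy -> proposal link resolves, that the gateway's external
interface admits IKE, that a route-based vpn's bind-interface exists (or that a policy
tunnels through a policy-based vpn), and flags MD5, 3DES and DH group 2 as weak.
"""
from collections import defaultdict
from typing import List

# Constructed sample: the custom-mode route-based VPN from the manual.
VPN_LINES = [
    "set interfaces st0 unit 0 family inet",
    "set security ike proposal vpn1-proposal authentication-method pre-shared-keys",
    "set security ike proposal vpn1-proposal dh-group group2",
    "set security ike proposal vpn1-proposal authentication-algorithm md5",
    "set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc",
    "set security ike policy vpn1-ike-policy mode main",
    "set security ike policy vpn1-ike-policy proposals vpn1-proposal",
    "set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123",
    "set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy",
    "set security ike gateway vpn1-gateway external-interface fe-0/0/0.0",
    "set security ipsec proposal vpn2-ipsec-proposal protocol esp",
    "set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96",
    "set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc",
    "set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2",
    "set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal",
    "set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0",
    "set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway",
    "set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy",
    "set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike",
]
# Values this example treats as weak (the reasons are the example's own wording).
WEAK = {"md5": "MD5", "hmac-md5-96": "HMAC-MD5-96", "3des-cbc": "3DES", "group1": "768-bit DH",
        "group2": "1024-bit DH", "aggressive": "aggressive mode exposes the hashed identity"}
MIN_PSK_LEN = 20  # the example's own threshold for an acceptable pre-shared key


def parse_vpn(lines: List[str]) -> dict:
    """objects[kind][name] -> {attribute: value}, plus the sets the checks need."""
    objects = defaultdict(lambda: defaultdict(dict))
    interfaces, ike_ifaces, tunnel_vpns = set(), set(), set()
    for line in lines:
        t = line.split()
        if t[:2] == ["set", "security"] and t[2] in ("ike", "ipsec"):
            kind, name, attrs = f"{t[2]} {t[3]}", t[4], t[5:]
            if kind == "ipsec vpn" and attrs[0] == "ike":
                objects[kind][name][f"ike {attrs[1]}"] = attrs[2]   # 'ike gateway' / 'ike ipsec-policy'
            elif attrs[0] in ("pre-shared-key", "perfect-forward-secrecy"):
                objects[kind][name][attrs[0]] = attrs[2]            # skip 'ascii-text' / 'keys'
            else:
                objects[kind][name][attrs[0]] = attrs[1]
        elif t[:2] == ["set", "interfaces"] and t[3] == "unit":
            interfaces.add(f"{t[2]}.{t[4]}")                        # logical interface exists
        elif t[:3] == ["set", "security", "zones"] and t[-2:] == ["system-services", "ike"]:
            ike_ifaces.add(t[6])                                    # zone admits inbound IKE here
        elif t[:3] == ["set", "security", "policies"] and "ipsec-vpn" in t:
            tunnel_vpns.add(t[t.index("ipsec-vpn") + 1])            # policy-based vpn in use
    return {"objects": objects, "interfaces": interfaces, "ike_ifaces": ike_ifaces, "tunnel_vpns": tunnel_vpns}


def audit(cfg: dict) -> List[str]:
    """One finding per dangling reference, missing IKE admission, weak algorithm or short PSK."""
    obj, findings = cfg["objects"], []

    def ref(kind, name, attr, target_kind):
        target = obj[kind][name].get(attr)
        if target is None:
            findings.append(f"{kind} {name}: no {attr} configured")
        elif target not in obj[target_kind]:
            findings.append(f"{kind} {name}: {attr} {target} is not defined")
        return target

    for vpn, attrs in list(obj["ipsec vpn"].items()):
        gw = ref("ipsec vpn", vpn, "ike gateway", "ike gateway")
        ref("ipsec vpn", vpn, "ike ipsec-policy", "ipsec policy")
        bind = attrs.get("bind-interface")
        if bind is None and vpn not in cfg["tunnel_vpns"]:
            findings.append(f"ipsec vpn {vpn}: no bind-interface and no policy tunnels through it")
        elif bind is not None and bind not in cfg["interfaces"]:
            findings.append(f"ipsec vpn {vpn}: bind-interface {bind} is not configured")
        if gw in obj["ike gateway"]:
            ext = obj["ike gateway"][gw].get("external-interface")
            if ext not in cfg["ike_ifaces"]:
                findings.append(f"ike gateway {gw}: external-interface {ext} does not admit IKE")
            pol = ref("ike gateway", gw, "ike-policy", "ike policy")
            if pol in obj["ike policy"] and "proposal-set" not in obj["ike policy"][pol]:
                ref("ike policy", pol, "proposals", "ike proposal")
    for pol in list(obj["ipsec policy"]):
        if "proposal-set" not in obj["ipsec policy"][pol]:
            ref("ipsec policy", pol, "proposals", "ipsec proposal")
    for kind in ("ike proposal", "ike policy", "ipsec proposal", "ipsec policy"):
        for name, attrs in list(obj[kind].items()):
            for attr, value in attrs.items():
                if value in WEAK:
                    findings.append(f"{kind} {name}: {attr} {value} is weak ({WEAK[value]})")
                if attr == "pre-shared-key" and len(value) < MIN_PSK_LEN:
                    findings.append(f"{kind} {name}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return findings
```

Run `audit(parse_vpn(VPN_LINES))` to list the findings; on the manual's lines every reference resolves and only the weak-algorithm and short-key findings remain.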
4.2 Remote VPN
4.2.1 SRX-Side Configuration
※ Phase 1 IKE policy
srx_admin# set security ike policy remote-vpn-policy mode aggressive
srx_admin# set security ike policy remote-vpn-policy proposal-set compatible
srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123
※ Phase 1 IKE gateway
srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy
srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper
srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10
srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauthsrx
※ Phase 2 IPsec policy
srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible
※ Phase 2 IPsec VPN
srx_admin# set security ipsec vpn remotevpn ike gateway remote-vpn-gateway
srx_admin# set security ipsec vpn remotevpn ike ipsec-policy remote-vpn-ipsec-policy
srx_admin# set security ipsec vpn remotevpn establish-tunnels immediately
※ Address pool (DHCP) for remote users
srx_admin# set access address-pool DHCP-POOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCP-POOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCP-POOL primary-dns 8.8.8.8
Note: the address pool should be kept distinct from the internal subnet; otherwise many problems arise.
※ Create the remote authentication user
srx_admin# set access profile xauthsrx authentication-order password
srx_admin# set access profile xauthsrx client L2TP_USER_MA firewall-user password 123456
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policy: untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match destination-address network
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match application any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then permit tunnel ipsec-vpn remotevpn
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-init
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-close
4.2.2 Client Configuration