

Published 2024-01-05 (author: shell scripting conventions and variables)

Juniper SRX Standard Configuration

Section 1  System configuration
  1.1  Device initialization
    1.1.1  Login
    1.1.2  Set the root password
    1.1.3  Create a remote management user
  1.2  System management
    1.2.1  Time zone
    1.2.2  System time
    1.2.3  DNS servers
    1.2.4  System reboot
    1.2.5  Alarm handling
    1.2.6  Root password reset
Section 2  Network settings
  2.1  Interfaces
    2.1.1  PPPoE
    2.1.2  Manual
    2.1.3  DHCP
  2.2  Routing
    Static route
  2.3  SNMP
Section 3  Advanced settings
  3.1.1  Change management service ports
  3.1.2  Check the hardware serial number
  3.1.3  Enable host-inbound services on the inside and outside interfaces
  3.1.4  Create custom applications
  3.1.5  VIP port mapping
  3.1.6  MIP mapping
  3.1.7  Disable the console port
  3.1.8  Pinging the Internet from the SRX with a source address fails by default; source NAT is required
  3.1.9  Set the SRX management IP (restrict management access)
  3.2.0  Configuration rollback
  3.2.1  Applying UTM
  3.2.2  Fixing slow network access
Section 4  VPN settings
  4.1  Site-to-site IPsec VPN
    4.1.1  Route-based
    4.1.2  Policy-based
  4.2  Remote VPN
    4.2.1  SRX-side configuration
    4.2.2  Client configuration

Section 1  System configuration

1.1  Device initialization

1.1.1  Login

For the first login, connect to the SRX through the console port and log in as root; the password is empty.

login: root

Password:

--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC

root% cli  /*** enter operational mode ***/

root>

root> configure  /*** enter configuration mode ***/

Entering configuration mode

[edit]

root#

1.1.2  Set the root password

(The root account password must be configured; otherwise none of the subsequent configuration changes can be committed.)

root# set system root-authentication plain-text-password

New password: root123

Retype new password: root123

The password is stored and displayed in hashed form:

root# show system root-authentication

encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA

Note: it is strongly recommended not to set the root or other user passwords with the other encryption options (such as encrypted-password). That statement expects a string that has already been hashed with the corresponding algorithm, so a hash typed in by hand carries the risk of a password that can never pass authentication.

Note: the root user is intended only for local management of the SRX over the console; it cannot log in remotely. The root password must be set successfully before any subsequent configuration command can be committed.

1.1.3  Create a remote management user

root# set system login user lab class super-user authentication plain-text-password

New password: juniper

Retype new password: juniper

Note: this user has super-user privileges and can be used for both console and remote management access; other users with different privilege classes can be defined as required.

1.2  System management

1.2.1  Time zone

srx_admin# set system time-zone Asia/Shanghai  /*** Asia/Shanghai ***/

1.2.2  System time

1.2.2.1  Set manually

srx_admin> set date 2.00  /*** the argument format is YYYYMMDDhhmm.ss ***/

srx_admin> show system uptime

Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14

1.2.2.2  One-off NTP synchronization

srx_admin> set date ntp 202.120.2.101

8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec

1.2.2.3  NTP server

srx_admin# set system ntp server 202.100.102.1

srx_admin# set system ntp server

/*** NTP server for the SRX itself; the device must have network connectivity and be able to resolve the NTP server name, otherwise the command cannot be entered ***/

srx_admin> show ntp status

status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000

srx_admin@holy-shit> show ntp associations

     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
 15.179.156.248                   3 -     16   64     1    5.473   -0.953   0.008
 202.100.102.1    .INIT.         16 -      -   64     0    0.000    0.000 4000.00

1.2.3  DNS servers

srx_admin# set system name-server 202.96.209.5  /*** DNS server used by the SRX itself ***/

1.2.4  System reboot

1.2.4.1  Reboot

srx_admin> request system reboot

1.2.4.2  Power off

srx_admin> request system power-off

1.2.5  Alarm handling

1.2.5.1  Viewing alarms

root# run show system alarms

2 alarms currently active

Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set

1.2.5.2  Clearing the alarms

Alarm 1:

root> request system autorecovery state save

Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

Alarm 2:

root> request system configuration rescue save

1.2.6  Root password reset

If the SRX root password is lost and no other account with super-user privileges exists, the password recovery procedure must be performed. It interrupts normal operation of the device but does not lose the configuration. The steps are as follows:

1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s

Loading /boot/defaults/
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>

loader> boot -s

2. Run the password recovery: type recovery at the prompt below; the device then restarts automatically.

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery

***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery

3. Enter configuration mode, delete the root password, set a new root password, then commit and reboot.

root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes

Section 2  Network settings

2.1  Interfaces

2.1.1  PPPoE

※ Enable PPPoE encapsulation on the outside interface (fe-0/0/0)

srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

※ CHAP authentication

srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890  /*** PPPoE password ***/

srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163  /*** PPPoE account name ***/

srx_admin# set interfaces pp0 unit 0 ppp-options chap passive  /*** passive mode ***/

※ PAP authentication

srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890  /*** PPPoE password ***/

srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163  /*** PPPoE account name ***/

srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890  /*** PPPoE password ***/

srx_admin# set interfaces pp0 unit 0 ppp-options pap passive  /*** passive mode ***/

※ Bind the PPP interface to the physical interface

srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0  /*** run the PPPoE session over the outside interface (fe-0/0/0) ***/

※ PPPoE dial-up options

srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0  /*** idle timeout ***/

srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3  /*** redial automatically after 3 seconds ***/

srx_admin# set interfaces pp0 unit 0 pppoe-options client  /*** act as a PPPoE client ***/

srx_admin# set interfaces pp0 unit 0 family inet mtu 1492  /*** set the interface MTU to 1492, because the PPPoE header adds a small overhead ***/

srx_admin# set interfaces pp0 unit 0 family inet negotiate-address  /*** negotiate the address, i.e. accept a dynamic address assigned by the server ***/

※ Default route

srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0

※ Place the PPPoE interface in the untrust zone

srx_admin# set security zones security-zone untrust interfaces pp0.0

※ Verify that the PPPoE session is up and has obtained an IP address

srx_admin# run show interfaces terse | match pp

pp0      up  up
pp0.0    up  up  inet  192.168.163.1 --> 1.1.1.1
ppd0     up  up
ppe0     up  up

Note:

After the PPPoE session is up, tune the MTU so that Internet access performs well (an unsuitable MTU makes browsing sluggish):

srx_admin# set interfaces pp0 unit 0 family inet mtu 1304  /*** adjust the MTU ***/

srx_admin# set security flow tcp-mss all-tcp mss 1304  /*** adjust the TCP maximum segment size ***/

2.1.2  Manual

srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29

2.1.3  DHCP

※ Enable a DHCP address pool

srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1  /*** DHCP gateway ***/

srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2  /*** first address in the pool ***/

srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254  /*** last address in the pool ***/

srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000  /*** lease time ***/

srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name  /*** domain name handed out by DHCP ***/

srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133  /*** DNS servers handed out by DHCP ***/

srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5

srx_admin# set system services dhcp propagate-settings vlan.0  /*** interface whose settings are propagated to the DHCP service ***/

※ Configure the inside interface address

srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24

※ Allow DHCP on the inside interface

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

2.2  Routing

Static route

srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153  /*** default route ***/

srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0  /*** route for the route-based VPN ***/

2.3  SNMP

srx_admin# set snmp community Ajitec authorization read-only  /*** SNMP access level: read-only or read-write ***/

srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32  /*** SNMP management host ***/

srx_admin# set snmp community Ajitec client-list-name snmp_srx240  /*** bind the client list to the community; without this the list does not restrict anything ***/

Section 3  Advanced settings

3.1.1  Change management service ports

srx_admin# set system services web-management http port 8000  /*** change the HTTP port of the web management interface ***/

srx_admin# set system services web-management https port 1443  /*** change the HTTPS port of the web management interface ***/

3.1.2  Check the hardware serial number

srx# run show chassis hardware

Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
PIC 0                                                 8x FE Base PIC
Power Supply 0

3.1.3  Enable host-inbound services on the inside and outside interfaces

※ Define the system services

srx_admin# set system services ssh

srx_admin# set system services telnet

srx_admin# set system services web-management http interface vlan.0

srx_admin# set system services web-management http interface fe-0/0/0.0

srx_admin# set system services web-management https interface vlan.0

srx_admin# set system services web-management management-url admin  /*** the management page is then reached at ip/admin; without this statement the root URL redirects to it directly ***/

※ Enable services on the inside interface

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping  /*** allow ping ***/

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http  /*** allow HTTP ***/

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet  /*** allow telnet ***/

※ Enable services on the outside interface

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping  /*** allow ping ***/

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet  /*** allow telnet ***/

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http  /*** allow HTTP ***/

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all  /*** allow all services (section 3.1.9 shows how to restrict who may reach them with a firewall filter) ***/

3.1.4  Create custom applications

A Junos application carries a single protocol, so setting protocol udp on RDP after protocol tcp would simply overwrite the TCP definition. To match both protocols under one application name, give the application one term per protocol (the term names tcp and udp below are chosen here):

srx_admin# set applications application RDP term tcp protocol tcp  /*** protocol tcp ***/

srx_admin# set applications application RDP term tcp source-port 0-65535  /*** source port ***/

srx_admin# set applications application RDP term tcp destination-port 3389  /*** destination port ***/

srx_admin# set applications application RDP term udp protocol udp  /*** protocol udp ***/

srx_admin# set applications application RDP term udp source-port 0-65535  /*** source port ***/

srx_admin# set applications application RDP term udp destination-port 3389  /*** destination port ***/

3.1.5  VIP port mapping

※ Destination NAT

srx_admin# set security nat destination pool 22 address 192.168.1.20/32 port 3389  /*** destination NAT pool: the real inside address and the port on that host ***/

srx_admin# set security nat destination rule-set 2 from zone untrust  /*** destination NAT rule-set: the traffic arrives from the untrust zone ***/

srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0  /*** any source address ***/

srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32  /*** the public destination address being accessed ***/

srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389  /*** the destination port being accessed ***/

srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22  /*** translate to the pool address ***/

※ Security policy

The policy matches the translated inside address (through an address-book entry), not the public address, because destination NAT is applied before the policy lookup.

srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32

srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any

srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32

srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any

srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit

3.1.6  MIP mapping

※ Destination NAT

srx_admin# set security nat destination pool 111 address 192.168.1.3/32  /*** destination NAT pool: the real inside address; with no port, all ports are mapped ***/

srx_admin# set security nat destination rule-set 1 from zone untrust  /*** destination NAT rule-set: the traffic arrives from the untrust zone ***/

srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0  /*** any source address ***/

srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32  /*** the public address being accessed, 116.228.60.157 ***/

srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 111  /*** translate to the pool address; the rule and pool names must match the ones defined above ***/

※ Proxy ARP

srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32

※ Security policy

srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32  /*** address-book entry for the MIP host, named after the convention used in 3.1.5 ***/

srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any

srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32

srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any

srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
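The ordering that both 3.1.5 and 3.1.6 rely on (destination NAT first, then a security policy matched on the translated address) is easy to get wrong when writing the policy. The following Python model is an added illustration written for this page, not Juniper code: it replays the VIP and MIP rules above against constructed packets and shows that a policy written against the public address never matches. It assumes the post-NAT packet is routed to the trust zone, resolves the address-book objects to their prefixes, and uses 203.0.113.9 as a constructed client address.

```python
"""Model of the forwarding order behind the VIP (3.1.5) and MIP (3.1.6)
configurations: destination NAT is applied first, then the security policy
is matched on the translated destination.  Added illustration for this
page, not Juniper code; rules and packets are constructed from the text."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    from_zone: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    from_zone: str              # rule-set "from zone"
    match_dst: str              # match destination-address (prefix)
    match_dport: Optional[int]  # match destination-port; None = any port (MIP)
    pool_addr: str              # destination pool address
    pool_port: Optional[int]    # destination pool port; None = keep the original port


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_prefix: str   # the address-book object, resolved to its prefix
    action: str       # "permit" or "deny"


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """The first matching destination NAT rule rewrites dst (and the port if the pool has one)."""
    for r in rules:
        if r.from_zone != pkt.from_zone:
            continue
        if ip_address(pkt.dst) not in ip_network(r.match_dst):
            continue
        if r.match_dport is not None and r.match_dport != pkt.dport:
            continue
        new_port = r.pool_port if r.pool_port is not None else pkt.dport
        return replace(pkt, dst=r.pool_addr, dport=new_port)
    return pkt


def policy_lookup(pkt: Packet, to_zone: str, policies: List[Policy]) -> str:
    """Policies are evaluated in order on the post-NAT packet; no match means deny."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (pkt.from_zone, to_zone):
            continue
        if ip_address(pkt.dst) in ip_network(p.dst_prefix):
            return p.action
    return "deny"


# constructed from 3.1.5 (VIP: one port) and 3.1.6 (MIP: all ports)
DNAT_RULES = [
    DnatRule("untrust", "116.228.60.154/32", 3389, "192.168.1.20", 3389),  # pool 22
    DnatRule("untrust", "116.228.60.157/32", None, "192.168.1.3", None),   # pool 111
]
POLICIES = [
    Policy("untrust", "trust", "192.168.1.20/32", "permit"),  # policy vip
    Policy("untrust", "trust", "192.168.1.3/32", "permit"),   # policy mip
]
# a policy mistakenly written against the public address instead of the real host
WRONG_POLICIES = [Policy("untrust", "trust", "116.228.60.154/32", "permit")]


def forward(pkt: Packet, policies: List[Policy] = POLICIES) -> Tuple[str, int, str]:
    """Return (translated dst, translated port, policy verdict) for an inbound packet.
    The destination zone is assumed to be trust (a route lookup decides it on a real SRX)."""
    translated = apply_dnat(pkt, DNAT_RULES)
    return translated.dst, translated.dport, policy_lookup(translated, "trust", policies)


if __name__ == "__main__":
    for pkt in (Packet("untrust", "203.0.113.9", "116.228.60.154", 3389),
                Packet("untrust", "203.0.113.9", "116.228.60.154", 22),
                Packet("untrust", "203.0.113.9", "116.228.60.157", 80)):
        print(pkt.dst, pkt.dport, "->", forward(pkt))
```

RDP to the VIP is translated to 192.168.1.20:3389 and permitted; port 22 to the same public address is not translated and therefore never reaches the inside host; any port to the MIP address is translated with its port preserved. With WRONG_POLICIES the translated packet is denied, which is the symptom seen when a VIP "does not work" although the NAT rule is correct.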

3.1.7  Disable the console port

juniper-srx@SRX100H2# edit system ports console  /*** enter the console port hierarchy ***/

juniper-srx@SRX100H2# set disable  /*** disable the port ***/

juniper-srx@SRX100H2# commit confirmed 3  /*** commit for 3 minutes; the change is rolled back automatically unless it is confirmed with another commit within 3 minutes ***/

3.1.8  Pinging the Internet from the SRX with a source address fails by default; source NAT is required

※ Source NAT for traffic originated by the SRX itself (zone junos-host)

set security nat source rule-set LOCAL from zone junos-host

set security nat source rule-set LOCAL to zone untrust

set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32

set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0

set security nat source rule-set LOCAL rule LOCAL then source-nat interface

※ Source NAT for the inside network

set security nat source rule-set trust-to-untrust from zone trust

set security nat source rule-set trust-to-untrust to zone untrust

set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0

set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

3.1.9  Set the SRX management IP (restrict management access)

※ Host-inbound services on the firewall's outside interface (compare 3.1.3)

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

※ Define a firewall filter that specifies the permitted source addresses and ports

set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32

set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32

set firewall filter Outside_access_in term Permit_IP from protocol tcp

set firewall filter Outside_access_in term Permit_IP from destination-port ssh

set firewall filter Outside_access_in term Permit_IP then accept

/*** the permitted management source address and port ***/

set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32

set firewall filter Outside_access_in term Deny_ANY from protocol tcp

set firewall filter Outside_access_in term Deny_ANY from destination-port ssh

set firewall filter Outside_access_in term Deny_ANY then discard

/*** SSH to the management address from any other source is discarded ***/

set firewall filter Outside_access_in term Permit_ANY then accept

/*** all remaining traffic is accepted ***/

※ Apply the filter to the firewall's outside interface as an input filter

set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in

Notes: ① When configuring the deny term, permit the remaining traffic after it; a filter ends with an implicit discard, so without that final accept term everything the earlier terms did not accept is dropped.

② Do not write the deny term so that it matches everything ("all"); otherwise all traffic is dropped.
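The two notes above describe first-match evaluation with an implicit discard at the end of the filter. The following Python model is an added example written for this page, not Juniper code: it encodes the Outside_access_in terms as data, evaluates constructed packets in order, and reproduces both failure modes (the filter without its final Permit_ANY term, and a deny term with no match conditions). The client address 203.0.113.7 is constructed; the management and administrator addresses are the ones in the text.

```python
"""First-match model of the Junos firewall filter in 3.1.9 (added example,
not Juniper code).  A term matches only when all of its conditions hold; the
first matching term decides; a packet no term matches hits the implicit
discard at the end of the filter.  Terms and packets are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SSH = 22


@dataclass(frozen=True)
class Term:
    name: str
    action: str                    # "accept" or "discard"
    src: Optional[str] = None      # from source-address
    dst: Optional[str] = None      # from destination-address
    protocol: Optional[str] = None # from protocol
    dport: Optional[int] = None    # from destination-port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def term_matches(term: Term, pkt: Packet) -> bool:
    """Every stated condition must hold; a term with no conditions matches everything."""
    if term.src is not None and ip_address(pkt.src) not in ip_network(term.src):
        return False
    if term.dst is not None and ip_address(pkt.dst) not in ip_network(term.dst):
        return False
    if term.protocol is not None and term.protocol != pkt.protocol:
        return False
    if term.dport is not None and term.dport != pkt.dport:
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return "<implicit>", "discard"


MGMT = "59.46.184.114/32"
# the filter exactly as written in 3.1.9
OUTSIDE_ACCESS_IN = [
    Term("Permit_IP", "accept", src="116.228.60.158/32", dst=MGMT, protocol="tcp", dport=SSH),
    Term("Deny_ANY", "discard", dst=MGMT, protocol="tcp", dport=SSH),
    Term("Permit_ANY", "accept"),
]
# note 1: the same filter without the final accept term
WITHOUT_PERMIT_ANY = OUTSIDE_ACCESS_IN[:2]
# note 2: the deny term written with no match conditions ("all")
DENY_ALL = [OUTSIDE_ACCESS_IN[0], Term("Deny_ANY", "discard"), OUTSIDE_ACCESS_IN[2]]

# constructed packets: administrator SSH, someone else's SSH, unrelated HTTPS
ADMIN_SSH = Packet("116.228.60.158", "59.46.184.114", "tcp", SSH)
OTHER_SSH = Packet("203.0.113.7", "59.46.184.114", "tcp", SSH)
OTHER_HTTPS = Packet("203.0.113.7", "59.46.184.114", "tcp", 443)

if __name__ == "__main__":
    for label, terms in (("as written", OUTSIDE_ACCESS_IN),
                         ("without Permit_ANY", WITHOUT_PERMIT_ANY),
                         ("deny matches all", DENY_ALL)):
        for pkt in (ADMIN_SSH, OTHER_SSH, OTHER_HTTPS):
            print(label, pkt.src, pkt.dport, "->", evaluate(terms, pkt))
```

As written, only the administrator's SSH is accepted by Permit_IP, other SSH is discarded by Deny_ANY, and everything else (including the IKE and VPN traffic that the same interface must carry) falls through to Permit_ANY. Removing Permit_ANY sends that traffic to the implicit discard, and a condition-less deny term drops it explicitly; in both cases the administrator's SSH still works, which is why the mistake is easy to miss from the management host.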

3.2.0  Configuration rollback

※ View the committed configurations

srx_admin# run show system commit

0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button

※ Roll back the configuration ("rollback 0")

srx_admin# rollback ?

Possible completions:
  <[Enter]>   Execute this command
  0           2016-05-04 11:47:46 UTC by root via junoscript
  1           2016-05-04 11:40:11 UTC by root via cli
  2           2016-05-04 11:38:36 UTC by root via cli
  3           2016-04-27 11:41:07 UTC by root via cli
  4           2016-04-01 17:37:22 UTC by root via button
  |           Pipe through a command

rollback N only loads the selected configuration into the candidate; it takes effect after a commit.

3.2.1  Applying UTM

※ Apply a UTM policy in a security policy

srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any

srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any

srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy

3.2.2  Fixing slow network access

srx_admin# set security flow syn-flood-protection-mode syn-cookie

srx_admin# set security flow tcp-mss all-tcp mss 1300

srx_admin# set security flow tcp-session rst-sequence-check

srx_admin# set security flow tcp-session strict-syn-check

srx_admin# set security flow tcp-session no-sequence-check

Section 4  VPN settings

4.1  Site-to-site IPsec VPN

4.1.1  Route-based

/*** standard or compatible proposal-set mode ***/

※ Create the tunnel interface

srx_admin# set interfaces st0 unit 0 family inet  /*** create interface st0.0 ***/

srx_admin# set security zones security-zone untrust interfaces st0.0  /*** place tunnel interface st0.0 in the untrust zone ***/

※ Create the route to the remote inside network

srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0

※ VPN phase 1: IKE policy

srx_admin# set security ike policy lead mode main  /*** negotiation mode: main or aggressive ***/

srx_admin# set security ike policy lead proposal-set standard  /*** negotiated algorithms: proposal-set standard or compatible ***/

srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123  /*** pre-shared key ***/

※ VPN phase 1: IKE gateway

srx_admin# set security ike gateway gw1 ike-policy lead  /*** reference the phase 1 IKE policy ***/

srx_admin# set security ike gateway gw1 address 116.228.60.158  /*** remote gateway address ***/

srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0  /*** VPN egress interface ***/

Note: if the device reaches the Internet over PPPoE, the egress interface must be the PPP interface:

srx_admin# set security ike gateway gw1 external-interface pp0.0

※ VPN phase 2: IPsec

srx_admin# set security ipsec policy abc proposal-set standard  /*** negotiated algorithms: proposal-set standard or compatible ***/

srx_admin# set security ipsec vpn test bind-interface st0.0  /*** bind the VPN to the tunnel interface ***/

srx_admin# set security ipsec vpn test ike gateway gw1  /*** reference the gateway ***/

srx_admin# set security ipsec vpn test ike ipsec-policy abc  /*** reference the IPsec policy with the negotiated algorithms ***/

srx_admin# set security ipsec vpn test establish-tunnels immediately  /*** start negotiating immediately ***/

※ Enable the IKE service on the outside interface

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

※ Policies for traffic in both directions

trust -> untrust

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit

untrust -> trust

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit

/*** custom mode ***/

※ Create the tunnel interface

srx_admin# set interfaces st0 unit 0 family inet  /*** create interface st0.0 ***/

srx_admin# set security zones security-zone untrust interfaces st0.0  /*** place tunnel interface st0.0 in the untrust zone ***/

※ Create the route to the remote inside network

srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0

※ VPN phase 1: IKE

※※ Proposal

srx_admin# set security ike proposal vpn1-proposal authentication-method pre-shared-keys  /*** authenticate with pre-shared keys ***/

srx_admin# set security ike proposal vpn1-proposal dh-group group2  /*** DH group 2 ***/

srx_admin# set security ike proposal vpn1-proposal authentication-algorithm md5  /*** MD5 authentication ***/

srx_admin# set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc  /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ike policy vpn1-ike-policy mode main  /*** negotiation mode: main or aggressive ***/

srx_admin# set security ike policy vpn1-ike-policy proposals vpn1-proposal  /*** reference the IKE proposal ***/

srx_admin# set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123  /*** pre-shared key ***/

※※ Gateway

srx_admin# set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy  /*** reference the IKE policy ***/

srx_admin# set security ike gateway vpn1-gateway address 116.228.60.158  /*** remote gateway address ***/

srx_admin# set security ike gateway vpn1-gateway external-interface fe-0/0/0.0  /*** local egress interface ***/

※ VPN phase 2: IPsec

※※ Proposal

srx_admin# set security ipsec proposal vpn2-ipsec-proposal protocol esp  /*** IPsec proposal protocol: ESP ***/

srx_admin# set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96  /*** MD5 authentication ***/

srx_admin# set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc  /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2  /*** enable PFS with group 2 ***/

srx_admin# set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal  /*** IPsec policy: reference the IPsec proposal ***/

※※ VPN

srx_admin# set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0  /*** IPsec VPN: bind to the tunnel interface ***/

srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway  /*** IPsec VPN: reference the phase 1 gateway ***/

srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy  /*** IPsec VPN: reference the phase 2 IPsec policy ***/

srx_admin# set security ipsec vpn vpn2-ipsec-vpn establish-tunnels immediately  /*** establish the tunnel immediately ***/

※ Enable the IKE service on the outside interface

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

※ Policies for traffic in both directions

trust -> untrust

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit

untrust -> trust

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit

4.1.2  Policy-based

※ Define the local and remote inside subnets and place them in the appropriate zones

srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24  /*** local inside subnet ***/

srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24  /*** remote inside subnet ***/

※ VPN phase 1: IKE

※※ Proposal

srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys  /*** pre-shared key authentication ***/

srx_admin# set security ike proposal ike-phase1-proposal dh-group group2  /*** DH group 2 ***/

srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5  /*** MD5 authentication ***/

srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc  /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ike policy ike-phase1-policy mode main  /*** negotiation mode: main or aggressive ***/

srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal  /*** reference the IKE proposal ***/

srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123  /*** pre-shared key ***/

※※ Gateway

srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy  /*** reference the IKE policy ***/

srx_admin# set security ike gateway gw-chica address 116.228.60.157  /*** remote gateway address ***/

srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0  /*** local egress interface ***/

※ VPN phase 2: IPsec

※※ Proposal

srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp  /*** IPsec proposal protocol: ESP ***/

srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96  /*** MD5 authentication ***/

srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc  /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal  /*** IPsec policy: reference the IPsec proposal ***/

※※ VPN

srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica  /*** IPsec VPN: reference the phase 1 gateway ***/

srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy  /*** IPsec VPN: reference the phase 2 IPsec policy ***/

srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic  /*** the VPN is established when traffic appears ***/

※ Enable the IKE service on the outside interface

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

※ VPN traffic policy

trust -> untrust

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close

※ Internet access policy

trust -> untrust

srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any

srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any

srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any

srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit

untrust -> trust

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica

Note: enable session logging on the policy

set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init

set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close
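Both the route-based (4.1.1) and policy-based (4.1.2) configurations are chains of references: an IKE policy names a proposal, a gateway names the policy, the IPsec VPN names the gateway and an IPsec policy, and a security policy names the VPN. A name typed differently in two places breaks the chain, and the same applies to the destination NAT pools in 3.1.5 and 3.1.6. The following Python checker is an added example written for this page, not Juniper or the page's own tooling: it parses set-style lines (with or without a CLI prompt), collects the objects each line defines, and reports every reference that resolves to nothing. The reference table covers only the hierarchies used in this document, and the sample configuration is constructed with three deliberate mismatches.

```python
"""Dangling-reference checker for Junos set-style configuration (added
example, not Juniper code).  It knows only the object kinds used in this
document; extend KINDS and REFS for other hierarchies."""
from typing import List, Set, Tuple

Kind = Tuple[str, ...]

# object kinds: the tokens that precede the object's name in a set line
KINDS: List[Kind] = [
    ("security", "ike", "proposal"),
    ("security", "ike", "policy"),
    ("security", "ike", "gateway"),
    ("security", "ipsec", "proposal"),
    ("security", "ipsec", "policy"),
    ("security", "ipsec", "vpn"),
    ("security", "nat", "destination", "pool"),
]

# (context prefix of the line, keyword whose next token is a name, kind the name must resolve to)
REFS: List[Tuple[Kind, str, Kind]] = [
    (("security", "ike", "policy"), "proposals", ("security", "ike", "proposal")),
    (("security", "ike", "gateway"), "ike-policy", ("security", "ike", "policy")),
    (("security", "ipsec", "policy"), "proposals", ("security", "ipsec", "proposal")),
    (("security", "ipsec", "vpn"), "gateway", ("security", "ike", "gateway")),
    (("security", "ipsec", "vpn"), "ipsec-policy", ("security", "ipsec", "policy")),
    (("security", "policies"), "ipsec-vpn", ("security", "ipsec", "vpn")),
    (("security", "nat", "destination", "rule-set"), "pool", ("security", "nat", "destination", "pool")),
]


def tokenize(line: str) -> List[str]:
    """Drop an optional prompt such as 'srx_admin# ' or 'srx_admin#set' and the leading 'set'."""
    line = line.strip()
    if "#" in line.split(" ", 1)[0]:
        line = line.split("#", 1)[1].strip()
    toks = line.split()
    return toks[1:] if toks and toks[0] == "set" else toks


def definitions(lines: List[str]) -> Set[Tuple[Kind, str]]:
    defined = set()
    for line in lines:
        toks = tokenize(line)
        for kind in KINDS:
            n = len(kind)
            if tuple(toks[:n]) == kind and len(toks) > n:
                defined.add((kind, toks[n]))
    return defined


def references(lines: List[str]) -> List[Tuple[Kind, str]]:
    refs = []
    for line in lines:
        toks = tokenize(line)
        for ctx, keyword, kind in REFS:
            if tuple(toks[:len(ctx)]) != ctx:
                continue
            for i, tok in enumerate(toks[:-1]):
                if tok == keyword:
                    refs.append((kind, toks[i + 1]))
    return refs


def dangling(lines: List[str]) -> List[Tuple[str, str]]:
    """Sorted (kind, name) pairs that are referenced but never defined."""
    defined = definitions(lines)
    missing = {(" ".join(kind), name) for kind, name in references(lines) if (kind, name) not in defined}
    return sorted(missing)


# constructed sample: the 4.1.1 custom-mode chain plus three deliberate mistakes
SAMPLE = """
set security ike proposal vpn1-proposal authentication-method pre-shared-keys
set security ike policy vpn1-ike-policy mode main
set security ike policy vpn1-ike-policy proposals vpn1-proposal
set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy
set security ike gateway vpn1-gateway address 116.228.60.158
set security ipsec proposal vpn2-ipsec-proposal protocol esp
set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gatway
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
set security nat destination pool 111 address 192.168.1.3/32
set security nat destination rule-set 1 rule 11 then destination-nat pool 11
""".strip().splitlines()

if __name__ == "__main__":
    for kind, name in dangling(SAMPLE):
        print(f"undefined {kind}: {name}")
```

On the sample it reports the misspelled gateway vpn1-gatway, the VPN ike-vpn-chica referenced by a policy but defined nowhere, and NAT pool 11 referenced where pool 111 was defined; the first seven lines alone, which form a complete chain, produce no findings. Run it over `show configuration | display set` output before committing a VPN to catch the mismatch that would otherwise leave the tunnel down.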

4.2  Remote VPN

4.2.1  SRX-side configuration

※ VPN phase 1: IKE policy

srx_admin# set security ike policy remote-vpn-policy mode aggressive

srx_admin# set security ike policy remote-vpn-policy proposal-set compatible

srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123

※ VPN phase 1: IKE gateway

srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy

srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper

srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10

srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id

srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0

srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauthsrx

※ VPN phase 2: IPsec policy

srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible

※ VPN phase 2: IPsec VPN

srx_admin# set security ipsec vpn remotevpn ike gateway remote-vpn-gateway

srx_admin# set security ipsec vpn remotevpn ike ipsec-policy remote-vpn-ipsec-policy

srx_admin# set security ipsec vpn remotevpn establish-tunnels immediately

※ Address pool for remote users

srx_admin# set access address-pool DHCP-POOL address-range low 172.16.1.1

srx_admin# set access address-pool DHCP-POOL address-range high 172.16.1.10

srx_admin# set access address-pool DHCP-POOL primary-dns 8.8.8.8

Note: the address pool should be kept distinct from the inside network range; otherwise many problems arise.

※ Create the remote authentication user

srx_admin# set access profile xauthsrx authentication-order password

srx_admin# set access profile xauthsrx client L2TP_USER_MA firewall-user password 123456

※ Enable the IKE service on the outside interface

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

※ Policy, untrust -> trust

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match source-address any

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match destination-address network

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match application any

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then permit tunnel ipsec-vpn remotevpn

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-init

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-close

4.2.2  Client configuration

