srx dynamic vpn 配置docWord下载.docx
《srx dynamic vpn 配置docWord下载.docx》由会员分享,可在线阅读,更多相关《srx dynamic vpn 配置docWord下载.docx(17页珍藏版)》请在冰点文库上搜索。
三配置web认证用xauthprofile
setaccessfirewall-authenticationweb-authenticationdefault-profiledyn-vpn-access-profile
然后是配置vpntunnel
四配置IKEpolicy
setsecurityikepolicyike-dyn-vpn-policymodeaggressive
setsecurityikepolicyike-dyn-vpn-policyproposal-setstandard(standard就可以,不用自定义)
setsecurityikepolicyike-dyn-vpn-policypre-shared-keyascii-text"
$9$1oJREyeK87NblegoGUHk"
(与共享密钥abc123)
五配置IKEgateway
setsecurityikegatewaydyn-vpn-local-gwike-policyike-dyn-vpn-policy
setsecurityikegatewaydyn-vpn-local-gwdynamichostnamedynvpn
setsecurityikegatewaydyn-vpn-local-gwdynamicconnections-limit10
setsecurityikegatewaydyn-vpn-local-gwdynamicike-user-typeshared-ike-id
setsecurityikegatewaydyn-vpn-local-gwexternal-interfacege-0/0/0.0(对外接口)
setsecurityikegatewaydyn-vpn-local-gwxauthaccess-profiledyn-vpn-access-profile(也调用xauthprofile)
六配置ipsec(第二阶段转换集)
setsecurityipsecpolicyipsec-dyn-vpn-policyproposal-setstandard(采用系统standard)
setsecurityipsecvpndyn-vpnikegatewaydyn-vpn-local-gw
setsecurityipsecvpndyn-vpnikeipsec-policyipsec-dyn-vpn-policy(引用ipsecpolicy)
七配置securitypolicy
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicydyn-vpn-policymatchsource-addressany
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicydyn-vpn-policymatchdestination-addressany
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicydyn-vpn-policymatchapplicationany
setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicydyn-vpn-policythenpermittunnelipsec-vpndyn-vpn(引用六中的dyn-vpn)
用远程客户端关联dynamicvpn
八用远程用户去关联dynamicvpn和配置客户端来决定谁能用dynamicvpn
setsecuritydynamic-vpnaccess-profiledyn-vpn-access-profile
setsecuritydynamic-vpnclientsallremote-protected-resources10.0.0.0/8
setsecuritydynamic-vpnclientsallremote-exceptions0.0.0.0/0
setsecuritydynamic-vpnclientsallipsec-vpndyn-vpn
setsecuritydynamic-vpnclientsalluserclient1
setsecuritydynamic-vpnclientsalluserclient2
(all是clients的名字)
lab#show|no-more
##Lastchanged:
2011-03-2910:
54:
01UTC
version10.4R3.4;
system{
root-authentication{
encrypted-password"
$1$mdFhlLtS$gllI3Szu6M9wH3UcEu2Dl/"
;
##SECRET-DATA
}
name-server{
208.67.222.222;
208.67.220.220;
login{
userlab{
uid2001;
classsuper-user;
authentication{
$1$j5Obg2WE$jCYCVKcjICFSRU3e.gJp51"
services{
ssh;
telnet;
xnm-clear-text;
web-management{
http{
interface[vlan.0ge-0/0/0.0];
https{
system-generated-certificate;
interface[vlan.0ge-0/0/0.0];
------------------------必须把接口给删除,j-web的管理不在https里。
syslog{
archivesize100kfiles3;
user*{
anyemergency;
filemessages{
anycritical;
authorizationinfo;
fileinteractive-commands{
interactive-commandserror;
max-configurations-on-flash5;
max-configuration-rollbacks5;
license{
autoupdate{
url
}
interfaces{
ge-0/0/0{
unit0{
familyinet{
address192.168.0.199/24;
ge-0/0/1{
address10.10.10.1/24;
ge-0/0/2{
unit0;
ge-0/0/3{
ge-0/0/4{
ge-0/0/5{
ge-0/0/6{
ge-0/0/7{
ge-0/0/8{
ge-0/0/9{
ge-0/0/10{
ge-0/0/11{
ge-0/0/12{
ge-0/0/13{
ge-0/0/14{
ge-0/0/15{
protocols{
stp;
security{
ike{
policyike-dyn-vpn-policy{
modeaggressive;
proposal-setstandard;
pre-shared-keyascii-text"
gatewaydyn-vpn-local-gw{
ike-policyike-dyn-vpn-policy;
dynamic{
hostnamedynvpn;
connections-limit10;
ike-user-typeshared-ike-id;
external-interfacege-0/0/0.0;
xauthaccess-profiledyn-vpn-access-profile;
ipsec{
policyipsec-dyn-vpn-policy{
vpndyn-vpn{
gatewaydyn-vpn-local-gw;
ipsec-policyipsec-dyn-vpn-policy;
nat{
source{
rule-settrust-to-untrust{
fromzonetrust;
tozoneuntrust;
rulesource-nat-rule{
match{
source-address0.0.0.0/0;
then{
source-nat{
interface;
screen{
ids-optionuntrust-screen{
icmp{
ping-death;
ip{
source-route-option;
tear-drop;
tcp{
syn-flood{
alarm-threshold1024;
attack-threshold200;
source-threshold1024;
destination-threshold2048;
timeout20;
land;
zones{
security-zonetrust{
host-inbound-traffic{
system-services{
all;
protocols{
interfaces{
ge-0/0/1.0;
security-zoneuntrust{
screenuntrust-screen;
ge-0/0/0.0{
dhcp;
tftp;
policies{
from-zonetrustto-zoneuntrust{
policytrust-to-untrust{
source-addressany;
destination-addressany;
applicationany;
permit;
from-zoneuntrustto-zonetrust{
policydyn-vpn-policy{
permit{
tunnel{
ipsec-vpndyn-vpn;
dynamic-vpn{
access-profiledyn-vpn-access-profile;
clients{
all{
remote-protected-resources{
10.0.0.0/8;
remote-exceptions{
0.0.0.0/0;
user{
client1;
client2;
access{
profiledyn-vpn-access-profile{
clientclient1{
firewall-user{
password"
clientclient2{
address-assignment{
pooldyn-vpn-address-pool;
pooldyn-vpn-address-pool{
network10.10.10.0/24;
xauth-attributes{
primary-dns202.96.64.68/32;
firewall-authentication{
web-authentication{
default-profiledyn-vpn-access-profile;
测试开始
会再弹出对话框进行用户名和密码的认证
由于内部接口没启动所以分配了一个10.10.10.1
升级会员 