Juniper SRX Dynamic VPN

JuniperµÄDyanmic VPNÊÇÒ»ÖÖºÍCisco Remote vpn²î²»¶àµÄIPsec VPN¡£Juniper SRXĬÈÏÖ§³ÖÁ½¸öÓû§Í¬Ê±²¦È룬Èç¹ûÐèÒª¸ü¶à£¬¾ÍÐèÒªÂòÏà¹Ølicense¡£

ºÍCisco remote vpnÒ»ÑùÐèÒª°²×°Ò»¸ö¿Í»§¶Ë£¬È»ºó¿ÉÒÔͨ¹ý±¾µØºÍAAA µÄÓû§À´ÑéÖ¤¡£µ«ÊÇ»¹ÊÇÓÐЩµØ·½ºÍCisco²»Ì«Ò»Ñù£¬ÔÚʵÑéµÄ¹ý³ÌÖУ¬½«²ûÃ÷Çå³þ¡£ ÍØÆËͼºÜ¼òµ¥£º

Trust PC------------------------------SRX-------------------------Untrust VPN Client

192.168.80.0/24 172.32.1.0/24 ÅäÖò½Ö裺

1¡¢»ù±¾ interface and zone ÐÅÏ¢ÅäÖÃÊ¡ÂÔ 2¡¢ÅäÖÃaccess µÄÓû§ÑéÖ¤ºÍµØÖ·³Ø srx@srx100h# show access profile dy-vpn-pf { client srx { firewall-user {

password \## SECRET-DATA £¨ÕâÀï²ÉÓñ¾µØÑéÖ¤£¬Óû§Ãûsrx£©

address-assignment { pool dy-vpn-pool; } }

address-assignment {

pool dy-vpn-pool { family inet {

network 192.168.80.0/24; range dy-vpn-rang {

low 192.168.80.230; £¨ÕâÀï´ÓtrustµÄ192.168.80.0/24½ØÈ¡Ò»¶Î£©

high 192.168.80.235; }

xauth-attributes {

primary-dns 8.8.8.8/32; } } } }

firewall-authentication { £¨µ½Ê±ºòÐèÒªÏÈͨ¹ýwebÑéÖ¤£¬È»ºóÔÙÏÂÔØJUNOS PULSE£¬ËùÒÔwebÑéÖ¤ÕâÀïÐèÒªµ÷ÓÃprofile£©

web-authentication { default-profile dy-vpn-pf; } }

3¡¢¿ªÆôweb ¹ÜÀí£¬Í¬ÑùÕâÀïÊÇÒòΪÏÈҪͨ¹ýwebÑéÖ¤£¬À´ÏÂÔØPUlSE

srx@srx100h# show system services web-management {

https {

system-generated-certificate;

interface [ vlan.0 fe-0/0/0.0 ]; £¨ÔÚuntrust½Ó¿ÚÉÏ¿ªÆôhttps£© } }

4¡¢ÅäÖà IKE µÚÒ»½×¶Î

srx@srx100h# show security ike traceoptions { file ike-debug; flag all; }

proposal dy-ike-pp {

authentication-method pre-shared-keys; dh-group group2;

authentication-algorithm md5; encryption-algorithm 3des-cbc; }

policy dy-ike-pl {

mode aggressive; £¨×¢Ò⣬ÕâÀïÒªÓÃÒ°Âùģʽ£© proposals dy-ike-pp;

pre-shared-key ascii-text \Àï²ÉÓÃpre-share-key£¬µ«Êµ¼ÊÔÚ²¦ÈëµÄʱºò²»ÐèÒªÊäÈëÕâ¸ökey£© }

gateway dy-ike-gw {

£¨ËäÈ»Õâ ike-policy dy-ike-pl; dynamic {

hostname dynvpn;

connections-limit 10; £¨×î´óÔÊÐí10¸öͬÊÂÁ¬½Ó£© ike-user-type group-ike-id; }

external-interface fe-0/0/0; xauth access-profile dy-vpn-pf; }

5¡¢ÅäÖÃIPSEC ÐÅÏ¢

srx@srx100h# show security ipsec traceoptions { flag all; }

proposal dy-ipsec-pp { protocol esp;

authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; }

policy dy-ipsec-pl {

proposals dy-ipsec-pp; }

vpn dy-ipse-vpn { ike {

gateway dy-ike-gw;

ipsec-policy dy-ipsec-pl; } }

6¡¢ÅäÖÃDynamic-VPN access-rpofile ÐÅÏ¢£¨°üÀ¨µ÷ÓÃVPN ²¦ÈëµÄÕ˺ţ¬Êܱ£»¤µÄ×ÊÔ´£© srx@srx100h# show security dynamic-vpn access-profile dy-vpn-pf; clients { all {

remote-protected-resources { 192.168.80.0/24;