Configuring SRX Dynamic VPN (version 2)

Juniper SRX240 Dynamic VPN Configuration Guide

Revision history

Date        Revision   Description     Author
2010-3-16   1.0        Initial draft   卢泓
2010-4-12   2.0        Revised         卢泓

Digital China (Shenzhen) Co., Ltd.

Contents

1 Juniper SRX240 Dynamic VPN configuration topology
2 Overview
3 Configuration steps
  3.1 Access configuration
  3.2 HTTPS configuration
  3.3 IKE/IPsec configuration
  3.4 Dynamic VPN configuration
  3.5 Policy configuration
  Step 1: Access configuration
  Step 2: HTTPS configuration
  Step 3: IKE/IPsec configuration
  Step 4: Dynamic VPN configuration example
  Step 5: Policy configuration
4 Testing
5 SRX Dynamic VPN troubleshooting
6 Conclusion

1 Juniper SRX240 Dynamic VPN configuration topology

[Topology diagram] Protected resources: 192.168.3.0/24. Cisco ACS RADIUS server: 60.60.60.1. Address pool delivered to dynamic VPN users: 192.168.5.0/24. SRX240 interfaces: ge-0/0/15.0 192.168.3.252/24 (inside, towards the protected resources); ge-0/0/1.0 220.249.253.134/27 and ge-0/0/0.0 218.17.165.49/26 (outside, reached by remote dial-up VPN users on China Telecom and China Netcom respectively).

2 Overview

Dynamic VPN on Juniper SRX series firewalls is a clientless IPsec VPN: the client PC does not need any pre-installed dial-up software to establish a VPN tunnel with the VPN gateway. In practice, once the client passes web authentication, the SRX automatically pushes a client software package to the client PC, much as a Juniper SA pushes the NC (Network Connect) client to the client. However, the Dynamic VPN feature is currently supported on only a few SRX platforms, and it must be activated with a feature license.

Platform support

Feature license support

The Juniper SRX needs a license to activate the Dynamic VPN feature; confirm that the corresponding license key is installed on the SRX:

root# run show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0           50           0    permanent

Licenses installed:
  License identifier: JUNOS247349
  License version: 2
  Valid for device: AG3209AA0265
  Features:
    dynamic-vpn-50-clients - Dynamic VPN permanent

3 Configuration steps

3.1 Access configuration

Define an access profile; it can authenticate users against the local database or against an external RADIUS server.

3.2 HTTPS configuration

Enables the HTTPS service on the SRX.

3.3 IKE/IPsec configuration

Configures the specific parameters of IPsec VPN Phase 1 and Phase 2.

3.4 Dynamic VPN configuration

Defines the protected resources: Protected Resources are the subnets that can be reached through the IPsec VPN tunnel.

3.5 Policy configuration

Defines the firewall policies that control which traffic is allowed through the IPsec VPN.