The specific configuration procedure is as follows:

Step 1: Access configuration

Define the username and password used for web login, and define the RADIUS server. The web-authentication here authenticates against the RADIUS server.

root# show access
profile ACS_Radius {            // define the RADIUS authentication server used to verify usernames and passwords
    authentication-order radius;
    radius-server {
        60.60.60.1 secret \/CtOIE\
    }
}
profile dynamic_vpn {           // define the local authentication database, including usernames and passwords
    client luhongc {
        firewall-user {
            password \/t1RSM87uO87-V4oz369uOIEclvW\ ## SECRET-DATA
        }
    }
    client vpntest1 {
        firewall-user {
            password \ ## SECRET-DATA
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile ACS_Radius;     // RADIUS is used here for web login authentication; the local profile dynamic_vpn could be used instead
        banner {
            success \
        }
    }
}

Note: if web authentication fails, enable debug tracing to troubleshoot:

set system processes general-authentication-service traceoptions flag all

View the log output:

root# run show log authd
Step 2: HTTPS configuration

root# show system services web-management
https {
    system-generated-certificate;
    interface [ ge-0/0/15.0 ge-0/0/0.0 ];
}
Step 3: IKE/IPsec configuration

Note: one IKE gateway (Phase I) and one VPN (Phase II) must be configured for each remote access VPN dial-in user. The customer currently has five test users: vpntest1, vpntest2, vpntest3, vpntest4 and vpntest5.

IKE Phase I configuration:

root# show security ike
traceoptions {
    file IKE size 4m;
    flag all;
}
proposal phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;       // md5 and des-cbc are legacy algorithms
    encryption-algorithm des-cbc;
    lifetime-seconds 86400;
}
policy ike-policy {
    mode aggressive;                    // aggressive mode sends the IKE identity unencrypted
    proposals phase1-proposal;
    pre-shared-key ascii-text \
}
gateway ike-gateway1 {
    ike-policy ike-policy;
    dynamic hostname luhongc;           // IKE identity the dial-in user must present
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;    // XAuth user credentials are checked against RADIUS
}
gateway ike-vpntest5 {
    ike-policy ike-policy;
    dynamic hostname vpntest5;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest4 {
    ike-policy ike-policy;
    dynamic hostname vpntest4;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest3 {
    ike-policy ike-policy;
    dynamic hostname vpntest3;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest2 {
    ike-policy ike-policy;
    dynamic hostname vpntest2;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest1 {
    ike-policy ike-policy;
    dynamic hostname vpntest1;
    external-interface ge-0/0/0.0;
    xauth access-profile ACS_Radius;
}
IPsec (Phase 2) configuration: define the IPsec VPN Phase 2 parameters

root# show security ipsec
traceoptions {
    flag all;
}
proposal phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals phase2-proposal;
}
vpn dynamic-vpn-test {
    ike {
        gateway ike-gateway1;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest1 {
    ike {
        gateway ike-vpntest1;           // the original output read "vpn-test1-gw", which is not one of the gateways defined above
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest2 {
    ike {
        gateway ike-vpntest2;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest3 {
    ike {
        gateway ike-vpntest3;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest4 {
    ike {
        gateway ike-vpntest4;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest5 {
    ike {
        gateway ike-vpntest5;
        ipsec-policy ipsec-policy;
    }
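Because every dial-in user gets its own IKE gateway and vpn stanza, the per-user pairs are easy to get out of sync (the vpn stanza for vpntest1 originally pointed at a gateway name that was never defined). The following Python script is an added example, not code from the page or from Juniper: it parses constructed sample text written in the style of the show output above and reports vpns that reference undefined gateways, as well as dynamic hostnames shared by more than one gateway.

```python
import re

# Constructed sample in the style of the "show security ike / ipsec" output above
# (not the page's own text): two gateways and two vpns, one of which references
# a gateway that is never defined.
SAMPLE_CONFIG = """
gateway ike-gateway1 { ike-policy ike-policy; dynamic hostname luhongc;
    external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }
gateway ike-vpntest1 { ike-policy ike-policy; dynamic hostname vpntest1;
    external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }
vpn dynamic-vpn-test { ike { gateway ike-gateway1; ipsec-policy ipsec-policy; }
    establish-tunnels on-traffic; }
vpn dynamic-vpntest1 { ike { gateway vpn-test1-gw; ipsec-policy ipsec-policy; }
    establish-tunnels on-traffic; }
"""

# A gateway definition opens a brace block, while a reference inside "vpn ... ike {"
# ends with a semicolon, so the two patterns cannot match each other's text.
GATEWAY_DEF = re.compile(r"(?<![-\w])gateway\s+(\S+)\s*\{([^{}]*)\}", re.S)
VPN_REF = re.compile(r"(?<![-\w])vpn\s+(\S+)\s*\{\s*ike\s*\{[^}]*?(?<![-\w])gateway\s+([^;\s]+);", re.S)
HOSTNAME = re.compile(r"(?<![-\w])dynamic\s+hostname\s+([^;\s]+);")


def gateway_hostnames(config):
    """Map each defined IKE gateway to its 'dynamic hostname', i.e. the IKE
    identity the dial-in user must present (None if the gateway has none)."""
    result = {}
    for name, body in GATEWAY_DEF.findall(config):
        m = HOSTNAME.search(body)
        result[name] = m.group(1) if m else None
    return result


def vpn_gateway_refs(config):
    """Map each vpn to the gateway name referenced in its ike block."""
    return dict(VPN_REF.findall(config))


def dangling_gateway_refs(config):
    """vpns whose referenced gateway has no definition; commit would reject these."""
    defined = gateway_hostnames(config)
    return {vpn: gw for vpn, gw in vpn_gateway_refs(config).items() if gw not in defined}


def duplicate_hostnames(config):
    """Hostnames claimed by more than one gateway, so a peer's identity is ambiguous."""
    by_host = {}
    for gw, host in gateway_hostnames(config).items():
        by_host.setdefault(host, []).append(gw)
    return {h: gws for h, gws in by_host.items() if h and len(gws) > 1}


if __name__ == "__main__":
    print("dangling gateway references:", dangling_gateway_refs(SAMPLE_CONFIG))
    print("duplicate dynamic hostnames:", duplicate_hostnames(SAMPLE_CONFIG))
```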