配置SRX Dynamic VPN(version 2)

establish-tunnels on-traffic; } }

注意:如需调试 IPsec Phase 1 和 Phase 2 阶段的协商,可启用 IKE traceoptions:
set security ike traceoptions file IKE
set security ike traceoptions file size 4m
set security ike traceoptions flag all
(flag all 会产生大量日志并消耗存储空间,排错完成后应删除该 traceoptions 配置。)

Step4 Dynamic VPN configuration –动态VPN的配置实例

root# show security dynamic-vpn access-profile ACS_Radius; clients {

client1 {

remote-protected-resources { 192.168.3.0/24; }

remote-exceptions { 0.0.0.0/0; }

ipsec-vpn dynamic-vpn-test; user {

luhongc; } }

client2 {

remote-protected-resources { 192.168.3.0/24; }

remote-exceptions { 0.0.0.0/0; }

ipsec-vpn dynamic-vpntest1; user {

vpntest1; vpntest2; vpntest3; vpntest4; vpntest5; } }

}

Step5 policy configuration-策略配置

策略配置:从untrust区域到trust区域的策略。下面示例策略的 source-address、destination-address 和 application 均为 any,仅用于演示;生产环境中应将 destination-address 收窄到 remote-protected-resources 中定义的受保护网段(本例为 192.168.3.0/24),并保留 session-init/session-close 日志以便审计。

root# show security policies from-zone untrust to-zone trust policy vpn-policy { match {

source-address any; destination-address any; application any; }

then {

permit { tunnel {

ipsec-vpn dynamic-vpn-test; } } log {

session-init; session-close; } } }

policy vpn-test1-policy { match {

source-address any; destination-address any; application any; }

then {

permit { tunnel {

ipsec-vpn dynamic-vpntest1; } } log {

session-init; session-close; } } }

[edit]

Juniper SRX240上面Dynamic VPN的完整配置如下所示(注意:示例在配置公网地址并作为默认路由出口的接口 ge-0/0/0.0 上同时启用了 web-management 的 http 和 https,生产环境中外网接口应只保留 https,以免管理流量明文暴露): [edit]

root# show

## Last changed: 2010-04-12 10:45:23 UTC version 9.6R2.11; system {

root-authentication {

encrypted-password \ }

services { ssh;

web-management { http {

interface [ ge-0/0/0.0 ge-0/0/15.0 ]; }

https {

system-generated-certificate;

interface [ ge-0/0/15.0 ge-0/0/0.0 ge-0/0/1.0 ]; } } }

syslog {

user * {

any emergency; }

file messages { any critical;

authorization info; }

file interactive-commands {

interactive-commands error; } }

max-configurations-on-flash 5; max-configuration-rollbacks 5; license {

autoupdate {

url https://ae1.juniper.net/junos/key_retrieval; } }

processes {

general-authentication-service { traceoptions { flag all; } } } }

interfaces {

traceoptions {

file TEST size 4m; }

ge-0/0/0 {

unit 0 { family inet {

address 218.17.165.49/26; } } }

ge-0/0/1 { unit 0 {

family inet {

address 220.249.253.134/27; } } }

ge-0/0/8 { unit 0 {

family inet {

address 60.60.60.2/24; } } }

ge-0/0/15 { unit 0 {

family inet {

address 192.168.3.252/24; }

} } }

routing-options { static {

route 0.0.0.0/0 next-hop 218.17.165.62;