具体配置过程如下所示:
Step 1: Access configuration
定义Web登录的用户名和密码以及定义RADIUS服务器。此处的web-authentication是采用RADIUS服务器进行认证的。
root# show access
profile ACS_Radius {
    // RADIUS authentication profile: user name and password are verified by the RADIUS server.
    authentication-order radius;
    radius-server {
        // The shared secret as printed here is garbled by extraction. A secret
        // reproduced in a shared document should be treated as exposed and rotated.
        60.60.60.1 secret \/CtOIE\
    }
}
profile dynamic_vpn {
    // Local authentication database: user names and passwords kept on the device.
    // The web-authentication stanza selects ACS_Radius as its default-profile,
    // so this profile is the local alternative rather than the one in use.
    client luhongc {
        firewall-user {
            // Password value as printed is garbled by extraction; Junos marks it ## SECRET-DATA.
            password \/t1RSM87uO87-V4oz369uOIEclvW\ ## SECRET-DATA
        }
    }
    client vpntest1 {
        firewall-user {
            password \ ## SECRET-DATA
        }
    }
}
firewall-authentication {
    web-authentication {
        // Web login is authenticated against RADIUS through ACS_Radius;
        // the local profile dynamic_vpn could be used here instead.
        default-profile ACS_Radius;
        banner {
            // Success banner text is garbled by extraction.
            success \
        }
    }
}
注意:如果WEB认证出现问题,需要设置DEBUG来排错。
set system processes general-authentication-service traceoptions flag all
查看LOG信息:
root# run show log authd
Step 2: HTTPS configuration - HTTPS配置
root# show system services web-management
https system-generated-certificate;
interface [ ge-0/0/15.0 ge-0/0/0.0 ];
Step 3: IKE/IPsec configuration
注意:需要为每一个Remote Access VPN拨号用户设置一个IKE GATEWAY(Phase I)和VPN(Phase II)。现在客户这边准备5个测试用户:分别为vpntest1, vpntest2, vpntest3, vpntest4, vpntest5
IKE Phase I configuration: IKE Phase I配置
root# show security ike
traceoptions {
    file IKE size 4m;
    flag all;
}
proposal phase1-proposal {
    // IKE Phase 1 parameters; referenced by ike-policy, which every gateway below uses.
    authentication-method pre-shared-keys;
    dh-group group2;
    // NOTE(review): MD5, single DES and DH group 2 are deprecated algorithms.
    // Unless the remote client cannot negotiate anything stronger, prefer
    // sha-256, aes-256-cbc and group14.
    authentication-algorithm md5;
    encryption-algorithm des-cbc;
    lifetime-seconds 86400;
}
policy ike-policy {
    // Aggressive mode is presumably chosen because the peers have dynamic
    // addresses and are matched by the IKE ID they present (see the gateway
    // stanzas). NOTE(review): with pre-shared keys, aggressive mode sends the
    // peer ID and the PSK-derived hash unencrypted, which exposes the PSK to
    // offline guessing; a long random key limits that exposure.
    mode aggressive;
    proposals phase1-proposal;
    // Key value as printed is garbled by extraction. Every gateway below
    // references this one policy, so all remote users share the same PSK and
    // per-user authentication rests on XAuth.
    pre-shared-key ascii-text \
}
gateway ike-gateway1 {
    ike-policy ike-policy;
    // Peer has no fixed address; it is selected by the IKE ID hostname it presents.
    dynamic hostname luhongc;
    external-interface ge-0/0/0.0;
    // XAuth: the remote user's name and password are checked against RADIUS (ACS_Radius).
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest5 {
    ike-policy ike-policy;
    // Same shape as ike-gateway1; only the expected IKE ID differs.
    dynamic hostname vpntest5;
    external-interface ge-0/0/0.0;
    // XAuth user credentials are verified against RADIUS (ACS_Radius).
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest4 {
    ike-policy ike-policy;
    // Same shape as ike-gateway1; only the expected IKE ID differs.
    dynamic hostname vpntest4;
    external-interface ge-0/0/0.0;
    // XAuth user credentials are verified against RADIUS (ACS_Radius).
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest3 {
    ike-policy ike-policy;
    // Same shape as ike-gateway1; only the expected IKE ID differs.
    dynamic hostname vpntest3;
    external-interface ge-0/0/0.0;
    // XAuth user credentials are verified against RADIUS (ACS_Radius).
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest2 {
    ike-policy ike-policy;
    // Same shape as ike-gateway1; only the expected IKE ID differs.
    dynamic hostname vpntest2;
    external-interface ge-0/0/0.0;
    // XAuth user credentials are verified against RADIUS (ACS_Radius).
    xauth access-profile ACS_Radius;
}
gateway ike-vpntest1 {
    ike-policy ike-policy;
    // Same shape as ike-gateway1; only the expected IKE ID differs.
    dynamic hostname vpntest1;
    external-interface ge-0/0/0.0;
    // XAuth user credentials are verified against RADIUS (ACS_Radius).
    xauth access-profile ACS_Radius;
}
IPsec (Phase 2) configuration: 定义IPsec VPN Phase 2的参数
root# show security ipsec
traceoptions { flag all; }
proposal phase2-proposal {
    // IPsec SA (Phase 2) transform used by ipsec-policy.
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    // NOTE(review): 3DES is a legacy cipher; prefer aes-256-cbc where the client supports it.
    encryption-algorithm 3des-cbc;
}
policy ipsec-policy {
    // PFS: a fresh DH exchange on each Phase 2 negotiation, so IPsec keys are not
    // derived from the Phase 1 secret alone.
    perfect-forward-secrecy {
        // NOTE(review): group2 (1024-bit MODP) is considered weak; group14 is the usual minimum.
        keys group2;
    }
    proposals phase2-proposal;
}
vpn dynamic-vpn-test {
    ike {
        gateway ike-gateway1;
        ipsec-policy ipsec-policy;
    }
    // Tunnel is negotiated when matching traffic arrives rather than kept up permanently.
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest1 {
    ike {
        // NOTE(review): no gateway named vpn-test1-gw appears in the IKE output
        // above; the gateway defined for this user is ike-vpntest1, and every
        // other vpn here references ike-vpntestN. Confirm which name is intended.
        gateway vpn-test1-gw;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest2 {
    ike {
        // Bound to the gateway that matches IKE ID vpntest2.
        gateway ike-vpntest2;
        ipsec-policy ipsec-policy;
    }
    // Tunnel is negotiated when matching traffic arrives rather than kept up permanently.
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest3 {
    ike {
        // Bound to the gateway that matches IKE ID vpntest3.
        gateway ike-vpntest3;
        ipsec-policy ipsec-policy;
    }
    // Tunnel is negotiated when matching traffic arrives rather than kept up permanently.
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest4 {
    ike {
        // Bound to the gateway that matches IKE ID vpntest4.
        gateway ike-vpntest4;
        ipsec-policy ipsec-policy;
    }
    // Tunnel is negotiated when matching traffic arrives rather than kept up permanently.
    establish-tunnels on-traffic;
}
vpn dynamic-vpntest5 { ike {
gateway ike-vpntest5; ipsec-policy ipsec-policy; }