November 3, 2014
Juniper SRX240H2 JunOS 11.4R7.5
Configuring the Remote User Authentication and Address Assignment
1. Create the address assignment pool (the addresses handed to clients via XAuth, plus the DNS server pushed to them).
[edit access address-assignment]
user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
2. Configure the XAuth profile. Note that the "$9$..." strings are Junos obfuscated secrets, not hashes: anyone who can read the configuration can recover the cleartext passwords, so protect access to the configuration accordingly.
[edit access]
user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$9$uY4o0EyMWxdwgX7"
user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$9$neNM9CuB1hyrv5Q39"
user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
3. Configure Web authentication using the XAuth profile (the dynamic VPN client logs in to the HTTPS portal with these same credentials).
[edit access firewall-authentication]
user@host# set web-authentication default-profile dyn-vpn-access-profile
Configuring the VPN Tunnel
1. Configure the IKE policy. Aggressive mode is required here because the peers have dynamic addresses and are identified by a group IKE ID with a pre-shared key. Keep in mind that the PSK is shared by every client and that aggressive mode exposes the PSK-based hash to an offline dictionary attack, so choose a long random PSK; the per-user XAuth password is the only per-user secret.
[edit security ike]
user@host# set policy ike-dyn-vpn-policy mode aggressive
user@host# set policy ike-dyn-vpn-policy proposal-set standard
user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"
2. Configure the IKE gateway. The hostname "dynvpn" is the group IKE ID that every client presents; connections-limit caps the number of concurrent clients, and the XAuth access profile adds per-user authentication on top of the shared key.
[edit security ike]
user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
3. Configure IPsec.
[edit security ipsec]
user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
4. Configure the security policy. Because the action is "permit tunnel ipsec-vpn dyn-vpn", this policy only applies to traffic that arrives through the dyn-vpn tunnel, not to arbitrary untrust traffic; even so, consider narrowing destination-address and application to what remote users actually need.
[edit security policies from-zone untrust to-zone trust]
user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
5. Configure host-inbound traffic on the external interface. ike (IKE negotiation) and https (the portal from which the dynamic VPN client is downloaded and logs in) are required; ping and ssh are not needed for the VPN and expose management services to the untrust side, so only keep them if you need them there.
[edit security zones security-zone untrust interfaces ge-0/0/15.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh
Associate the Dynamic VPN with Remote Clients
1. Specify the access profile to use with dynamic VPN.
[edit security dynamic-vpn]
user@host# set access-profile dyn-vpn-access-profile
2. Configure the clients who can use the dynamic VPN. This is a split-tunnel setup: only traffic to 10.0.0.0/8 (remote-protected-resources) is sent through the tunnel, while everything else (remote-exceptions 0.0.0.0/0) leaves the client directly.
[edit security dynamic-vpn]
user@host# set clients all ipsec-vpn dyn-vpn
user@host# set clients all user client1
user@host# set clients all user client2
user@host# set clients all remote-protected-resources 10.0.0.0/8
user@host# set clients all remote-exceptions 0.0.0.0/0
Verification:
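The following operational-mode commands are an added example, not part of the original post or of Juniper's documentation page; they assume the object names used in the configuration above (dyn-vpn, dyn-vpn-policy, dyn-vpn-access-profile) and a client that has already logged in through the HTTPS portal and connected. Lines starting with "#" are annotations, not commands.

```junos
# 1. Confirm the configuration committed as intended.
user@host> show configuration security dynamic-vpn
user@host> show configuration security ike gateway dyn-vpn-local-gw

# 2. Phase 1: expect one entry per connected client, state UP, mode Aggressive,
#    remote address = the client's public IP.
user@host> show security ike security-associations
user@host> show security ike security-associations detail

# 3. Phase 2: expect an inbound and an outbound SA for vpn dyn-vpn per client.
user@host> show security ipsec security-associations
user@host> show security ipsec security-associations detail

# 4. Dynamic VPN users: shows the XAuth user (client1/client2) and the address
#    assigned from dyn-vpn-address-pool (10.10.10.0/24).
user@host> show security dynamic-vpn users

# 5. Firewall (web) authentication state for the portal login.
user@host> show security firewall-authentication users

# 6. Confirm traffic from the client actually hits the tunnel policy
#    (session and byte counters increase while the client sends traffic to 10.0.0.0/8).
user@host> show security policies policy-name dyn-vpn-policy detail
user@host> show security flow session source-prefix 10.10.10.0/24

# 7. If a client cannot connect, the IKE daemon logs are the first place to look.
user@host> show log messages | match kmd
```

If step 2 shows no SA at all, check host-inbound-traffic for ike on ge-0/0/15.0 and that the client presents the group IKE ID "dynvpn"; if phase 1 is UP but step 4 shows no user, the XAuth credentials or the access profile binding are the likely cause.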
Client configuration:
References:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/example/vpn-security-dynamic-example-configuring.html