Juniper SRX Standard Configuration
Contents
Section 1  System configuration
  1.1 Device initialization
    1.1.1 Login
    1.1.2 Set the root password
    1.1.3 Set a remote-login management user
  1.2 System management
    1.2.1 Select the time zone
    1.2.2 System time
    1.2.3 DNS server
    1.2.4 System reboot
    1.2.5 Alarm handling
    1.2.6 Root password reset
Section 2  Network settings
  2.1 Interface
    2.1.1 PPPoE
    2.1.2 Manual
    2.1.3 DHCP
  2.2 Routing
    Static route
  2.3 SNMP
Section 3  Advanced settings
  3.1.1 Change the management service ports
  3.1.2 Check the hardware serial number
  3.1.3 Enable host-inbound services on the internal interface
  3.1.4 Create a custom application (port service)
  3.1.5 VIP port mapping
  3.1.6 MIP mapping
  3.1.7 Disable the console port
  3.1.8 Sourced ping fails by default on Juniper SRX; source NAT is required
  3.1.9 Set the SRX management IP
  3.2.0 Configuration rollback
  3.2.1 Applying UTM
  3.2.2 Fixing slow network access
Section 4  VPN settings
  4.1 Site-to-site IPsec VPN
    4.1.1 Route based
    4.1.2 Policy based
  4.2 Remote VPN
    4.2.1 SRX-side configuration
    4.2.2 Client configuration
Section 1  System configuration
1.1 Device initialization
1.1.1 Login
For the first login, connect to the SRX through the console port and log in as root; the password is empty.
login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli
root>                                   /*** operational mode ***/
root> configure
Entering configuration mode             /*** configuration mode ***/
[edit]
root#
1.1.2 Set the root password
(The root password must be configured; otherwise none of the subsequent configuration or changes can be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is stored and displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; ## SECRET-DATA
Note: it is strongly recommended not to use the other encryption options (such as encrypted-password) to set the root or other user passwords. That parameter expects a string that has already been hashed by the encryption algorithm, so typing it by hand carries the risk that the password will never pass verification.
Note: the root user is only for local management of the SRX over the console connection; it cannot manage the SRX through a remote login. The root password must be set successfully before commit can be executed for any later configuration commands.
1.1.3 Set a remote-login management user
root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: juniper
Note: this user has super-user privileges and can be used for both console and remote management access; other users with different management privileges can be defined as needed.
1.2 System management
1.2.1 Select the time zone
srx_admin# set system time-zone Asia/Shanghai          /*** Asia/Shanghai ***/
1.2.2 System time
1.2.2.1 Set manually
srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-off NTP synchronization
srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec
1.2.2.3 NTP server
srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz
/*** NTP servers for the SRX itself. To use a hostname the device must be connected and able to resolve the NTP address; otherwise the command cannot be entered. ***/
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)", processor="octeon",
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0, refid=INIT,
reftime=00000000.00000000  Thu, Feb  7 2036 14:28:16.000, poll=4,
clock=d88195bc.562dc2db  Sun, Feb  8 2015  7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dns.sjtu.edu.cn 15.179.156.248   3 -   16   16    1    5.473   -0.953   0.008
 202.100.102.1   .INIT.          16 -    -   16    0    0.000    0.000 4000.00
1.2.3 DNS server
srx_admin# set system name-server 202.96.209.5          /*** DNS server for the SRX itself ***/
1.2.4 System reboot
1.2.4.1 Reboot the system
srx_admin> request system reboot
1.2.4.2 Power off the system
srx_admin> request system power-off
1.2.5 Alarm handling
1.2.5.1 View alarms
root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set
1.2.5.2 Clear the alarms
Alarm 1:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Alarm 2:
root> request system configuration rescue save
1.2.6 Root password reset
If the SRX root password is lost and no other account with super-user privileges exists, password recovery must be performed. The procedure interrupts normal operation of the device, but the configuration is not lost. Steps:
1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x134c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader> boot -s
2. Run password recovery: at the prompt below, type recovery. The device then continues and restarts automatically.
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
3. Enter configuration mode, delete the old root password, set a new root password, then save and reboot.
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Section 2  Network settings
2.1 Interface
2.1.1 PPPoE
※ Set PPPoE encapsulation on the physical interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 12345670    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163        /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive                        /*** passive mode ***/
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 12345670        /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163         /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 12345670         /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive                         /*** passive mode ***/
※ Bind the PPP interface to the physical interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0   /*** dial PPPoE over interface fe-0/0/0 ***/
※ PPPoE dial-up properties
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0                    /*** idle timeout ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3                  /*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client                            /*** act as the PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492                            /*** set this interface's MTU to 1492, since the PPPoE header adds some overhead ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address                   /*** negotiate the address, i.e. the server assigns a dynamic address ***/
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that PPPoE has connected and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0                     up    up
pp0.0                   up    up   inet     192.168.163.1       --> 1.1.1.1
ppd0                    up    up
ppe0                    up    up
Note: after the PPPoE session is up, adjust the MTU so that browsing performs best (an unsuitable MTU makes Internet access sluggish):
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304                            /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304                                /*** adjust the TCP segment size (MSS) ***/
2.1.2 Manual
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable a DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1                  /*** DHCP gateway ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2       /*** first address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254    /*** last address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000            /*** lease time ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name leadsystems.com.cn      /*** domain name handed out ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133          /*** DNS servers handed out ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0                               /*** DHCP distribution interface ***/
※ Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Allow the DHCP service on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153    /*** default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0          /*** route for the route-based VPN ***/
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only/read-write           /*** SNMP monitoring permission (choose one) ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32                         /*** SNMP monitoring host ***/
srx_admin# set snmp community Ajitec client-list-name snmp_srx240                  /*** attach the client list to the community; without this the list restricts nothing ***/
Section 3  Advanced settings
3.1.1 Change the management service ports
srx_admin# set system services web-management http port 8000      /*** change the HTTP management port ***/
srx_admin# set system services web-management https port 1443     /*** change the HTTPS management port ***/
3.1.2 Check the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                BZ2615AF0491      SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491      RE-SRX100H2
FPC 0                                                    FPC
  PIC 0                                                  8x FE Base PIC
Power Supply 0
3.1.3 Enable host-inbound services on the internal interface
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin      /*** afterwards the management page is opened at https://ip/admin; without this option the URL redirects directly ***/
※ Enable the services on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping        /*** enable ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http        /*** enable http ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet      /*** enable telnet ***/
※ Enable the services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping    /*** enable ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet  /*** enable telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http    /*** enable http ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all     /*** enable all services ***/
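As an added example (not part of this guide and not a Juniper tool), the following Python script audits set-style statements like the ones above for host-inbound exposure. It parses the host-inbound-traffic lines, records which system services each zone interface accepts, and reports the services an operator should question on an Internet-facing zone: system-services all, which opens every management service, and telnet/http, which carry credentials in cleartext. Which services count as risky, and that untrust is the external zone, are this example's own assumptions; the sample statements are constructed to mirror this section.

```python
"""Audit host-inbound-traffic exposure in Junos set-style configuration.

Added example for this guide, not Juniper code. Which services count as
risky is this example's own policy (an assumption): 'all' opens every
management service, telnet and http carry credentials in cleartext.
"""
from collections import defaultdict

WIDE_OPEN = {"all"}
CLEARTEXT = {"telnet", "http"}


def parse_host_inbound(config_text):
    """Return {(zone, interface): set_of_services} from host-inbound-traffic statements.

    Handles the per-interface form used in the guide and the zone-wide form
    ('... security-zone Z host-inbound-traffic system-services S').
    """
    services = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.split("/***", 1)[0]           # drop /*** ... ***/ comments
        line = line.split("#", 1)[-1].strip()     # drop the 'srx_admin#' prompt, if any
        tok = line.split()
        if tok[:4] != ["set", "security", "zones", "security-zone"] or len(tok) < 5:
            continue
        zone, rest = tok[4], tok[5:]
        iface = "(zone-wide)"
        if rest[:1] == ["interfaces"] and len(rest) > 1:
            iface, rest = rest[1], rest[2:]
        if rest[:2] != ["host-inbound-traffic", "system-services"] or len(rest) < 3:
            continue
        services[(zone, iface)].add(rest[2])
    return services


def audit(config_text, external_zones=("untrust",)):
    """Return sorted (zone, interface, service, reason) findings."""
    findings = []
    for (zone, iface), svcs in sorted(parse_host_inbound(config_text).items()):
        for svc in sorted(svcs):
            if svc in WIDE_OPEN:
                findings.append((zone, iface, svc, "every management service reachable"))
            elif zone in external_zones and svc in CLEARTEXT:
                findings.append((zone, iface, svc, "cleartext management service on external zone"))
    return findings


# Constructed sample mirroring section 3.1.3 (prompts and comments included on purpose).
SAMPLE_CONFIG = """
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping  /*** enable ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all  /*** enable all services ***/
"""

if __name__ == "__main__":
    for zone, iface, svc, reason in audit(SAMPLE_CONFIG):
        print(f"{zone}/{iface}: system-services {svc} -> {reason}")
```

Run against a real device, feed it the output of `show configuration | display set`; the trust-zone services in the sample produce no findings because only the external zone is in scope, while the untrust interface yields three.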
3.1.4 Create a custom application (port service)
srx_admin# set applications application RDP term tcp protocol tcp              /*** protocol tcp ***/
srx_admin# set applications application RDP term tcp source-port 0-65535       /*** source port ***/
srx_admin# set applications application RDP term tcp destination-port 33       /*** destination port ***/
srx_admin# set applications application RDP term udp protocol udp              /*** protocol udp ***/
srx_admin# set applications application RDP term udp source-port 0-65535       /*** source port ***/
srx_admin# set applications application RDP term udp destination-port 33       /*** destination port ***/
Note: a single application can carry both a TCP and a UDP definition only when each is placed in its own term; setting protocol twice at the top level of the application simply overwrites the first value.
3.1.5 VIP port mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 22 address 192.168.1.20/32                                 /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination pool 22 address port 33                                         /*** destination NAT pool: the port on the internal host ***/
srx_admin# set security nat destination rule-set 2 from zone untrust                                    /*** destination NAT rule: the traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0              /*** destination NAT rule: any source address ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32 /*** destination NAT rule: the public destination address being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 33                   /*** destination NAT rule: the destination port being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22                /*** destination NAT rule: translate to the pool address ***/
※ Policy configuration
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
3.1.6 MIP mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 111 address 192.168.1.3/32                                 /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination rule-set 1 from zone untrust                                    /*** destination NAT rule: the traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0               /*** destination NAT rule: any source address ***/
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32  /*** destination NAT rule: the public destination address being accessed is 116.228.60.157 ***/
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 111                /*** destination NAT rule: translate to the pool address ***/
※ Proxy ARP
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32
※ Policy configuration (the policy matches the post-NAT internal address)
srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
3.1.7 Disable the console port
juniper-srx@SRX100H2# edit system ports console     /*** enter the console port hierarchy ***/
juniper-srx@SRX100H2# set disable                    /*** disable the port ***/
juniper-srx@SRX100H2# commit confirmed 3             /*** commit for 3 minutes; the change rolls back automatically after 3 minutes unless confirmed with a second commit ***/
3.1.8 Sourced ping fails by default on Juniper SRX; source NAT is required
set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
3.1.9 Set the SRX management IP
※ Enable the host-inbound services on the firewall interface (see section 3.1.3)
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
※ Define a firewall filter that specifies the permitted source address and port
set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
/*** the permitted source address, destination address and port ***/
set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
/*** all other SSH traffic to the management address is rejected ***/
set firewall filter Outside_access_in term Permit_ANY then accept
/*** everything else is let through ***/
※ Apply the filter on the firewall interface
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in
Note: ① When configuring the deny term, remember to permit the remaining traffic after the denied port; otherwise the filter rejects all traffic. ② Do not configure all in the deny term, or all traffic will be rejected.
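The ordering rule in the note can be checked offline. The following Python model, added here and not taken from the guide or from Junos, walks the Outside_access_in filter term by term the way the SRX does: the first term whose from conditions all match decides the packet, and a packet that matches no term hits the implicit discard at the end of every Junos filter. The addresses are the ones used in this section; the packets are constructed. It evaluates the filter in the guide's order, the same terms with Deny_ANY moved ahead of Permit_IP (which locks out the management host), and the filter without Permit_ANY (which drops all non-SSH traffic).

```python
"""First-match walk of a Junos stateless firewall filter.

Added example for this guide, not Juniper code. Models the Outside_access_in
filter of section 3.1.9 as an ordered list of terms; the packets are
constructed test inputs.
"""
import ipaddress

PORT_NAMES = {"ssh": 22}  # Junos accepts service names such as 'ssh' for destination-port


def term(name, action, **conditions):
    """One filter term; a condition left out of 'from' matches anything."""
    return {"name": name, "action": action, "from": conditions}


def packet(src, dst, protocol="tcp", dport=22):
    """Constructed packet header with just the fields the filter inspects."""
    return {"source_address": src, "destination_address": dst,
            "protocol": protocol, "destination_port": dport}


def _matches(conditions, pkt):
    for key, want in conditions.items():
        if key.endswith("_address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key == "destination_port":
            if pkt[key] != PORT_NAMES.get(want, want):
                return False
        elif pkt[key] != want:
            return False
    return True


def evaluate(terms, pkt):
    """Return (term_name, action) of the first matching term.

    A packet matching no term falls off the end of the filter, where Junos
    applies an implicit discard.
    """
    for t in terms:
        if _matches(t["from"], pkt):
            return t["name"], t["action"]
    return None, "discard"


# The filter exactly as the guide builds it: management host first, all other
# SSH to the management address discarded, everything else accepted.
OUTSIDE_ACCESS_IN = [
    term("Permit_IP", "accept", source_address="116.228.60.158/32",
         destination_address="59.46.184.114/32", protocol="tcp", destination_port="ssh"),
    term("Deny_ANY", "discard", destination_address="59.46.184.114/32",
         protocol="tcp", destination_port="ssh"),
    term("Permit_ANY", "accept"),
]

# The same terms with the deny placed before the permit: the mistake note (1) warns about.
MISORDERED = [OUTSIDE_ACCESS_IN[1], OUTSIDE_ACCESS_IN[0], OUTSIDE_ACCESS_IN[2]]

ADMIN_SSH = packet("116.228.60.158", "59.46.184.114")         # the permitted management host
OTHER_SSH = packet("203.0.113.9", "59.46.184.114")            # any other host trying SSH
IKE_UDP = packet("203.0.113.9", "59.46.184.114", "udp", 500)  # non-SSH traffic, e.g. IKE

if __name__ == "__main__":
    for label, pkt in [("admin ssh", ADMIN_SSH), ("other ssh", OTHER_SSH), ("ike udp", IKE_UDP)]:
        print(f"{label:10s} guide order -> {evaluate(OUTSIDE_ACCESS_IN, pkt)}"
              f"   deny first -> {evaluate(MISORDERED, pkt)}")
    # Without the final Permit_ANY term, non-SSH traffic hits the implicit discard.
    print("ike udp without Permit_ANY ->", evaluate(OUTSIDE_ACCESS_IN[:2], IKE_UDP))
```

The two failure modes the note describes show up directly: with Deny_ANY first, the management host itself is discarded before Permit_IP is consulted, and with Permit_ANY missing, the IKE packet (and every other non-SSH packet) is dropped by the implicit discard even though no term names it.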
3.2.0 Configuration rollback
※ View the committed configurations
srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button
※ Roll back the configuration ("rollback 0")
srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command
Note: rollback N only loads the selected configuration into the candidate; it takes effect after commit.
3.2.1 Applying UTM
※ Reference the UTM policy in a security policy
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy
3.2.2 Fixing slow network access
srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check
Section 4  VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route based
/*** standard or compatible proposal-set mode ***/
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet                                 /*** create interface st0.0 ***/
srx_admin# set security zones security-zone untrust interfaces st0.0             /*** place tunnel interface st0.0 in the untrust zone ***/
※ Create the route to the remote peer's internal network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ VPN phase 1: IKE policy
srx_admin# set security ike policy lead mode main                                /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy lead proposal-set standard/compatible         /*** negotiated algorithm set (choose one) ***/
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123     /*** pre-shared key ***/
※ VPN phase 1: IKE gateway
srx_admin# set security ike gateway gw1 ike-policy lead                          /*** reference the phase 1 IKE policy ***/
srx_admin# set security ike gateway gw1 address 116.228.60.158                  /*** remote gateway address ***/
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0           /*** VPN egress interface ***/
Note: if the Internet connection is PPPoE dial-up, the egress interface must be the PPP interface:
srx_admin# set security ike gateway gw1 external-interface pp0.0
※ VPN phase 2: IPsec
srx_admin# set security ipsec policy abc proposal-set standard/compatible       /*** negotiated algorithm set (choose one) ***/
srx_admin# set security ipsec vpn test bind-interface st0.0                     /*** bind the VPN to the tunnel interface ***/
srx_admin# set security ipsec vpn test ike gateway gw1                          /*** reference the gateway ***/
srx_admin# set security ipsec vpn test ike ipsec-policy abc                     /*** reference the IPsec policy holding the algorithms ***/
srx_admin# set security ipsec vpn test establish-tunnels immediately            /*** start negotiating immediately ***/
※ Enable the IKE service on the interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Bidirectional traffic policies
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
/*** custom mode ***/
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet                                         /*** create interface st0.0 ***/
srx_admin# set security zones security-zone untrust interfaces st0.0                     /*** place tunnel interface st0.0 in the untrust zone ***/
※ Create the route to the remote peer's internal network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ VPN phase 1: IKE
※※ Proposal
srx_admin# set security ike proposal 1-proposal authentication-method pre-shared-keys   /*** pre-shared-key authentication ***/
srx_admin# set security ike proposal 1-proposal dh-group group2                          /*** DH group 2 ***/
srx_admin# set security ike proposal 1-proposal authentication-algorithm md5             /*** MD5 authentication ***/
srx_admin# set security ike proposal 1-proposal encryption-algorithm 3des-cbc            /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ike policy 1-ike-policy mode main                                /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy 1-ike-policy proposals 1-proposal                     /*** reference the IKE proposal ***/
srx_admin# set security ike policy 1-ike-policy pre-shared-key ascii-text juniper123     /*** pre-shared key ***/
※※ Gateway
srx_admin# set security ike gateway 1-gateway ike-policy 1-ike-policy                    /*** reference the IKE policy ***/
srx_admin# set security ike gateway 1-gateway address 116.228.60.158                    /*** remote gateway address ***/
srx_admin# set security ike gateway 1-gateway external-interface fe-0/0/0.0             /*** local egress interface ***/
※ VPN phase 2: IPsec
※※ Proposal
srx_admin# set security ipsec proposal 2-ipsec-proposal protocol esp                     /*** IPsec proposal protocol: ESP ***/
srx_admin# set security ipsec proposal 2-ipsec-proposal authentication-algorithm hmac-md5-96   /*** MD5 authentication ***/
srx_admin# set security ipsec proposal 2-ipsec-proposal encryption-algorithm 3des-cbc    /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ipsec policy 2-ipsec-policy perfect-forward-secrecy keys group2  /*** enable PFS with group 2 ***/
srx_admin# set security ipsec policy 2-ipsec-policy proposals 2-ipsec-proposal           /*** IPsec policy: reference the IPsec proposal ***/
※※ VPN
srx_admin# set security ipsec vpn 2-ipsec-vpn bind-interface st0.0                       /*** bind the VPN to the tunnel interface ***/
srx_admin# set security ipsec vpn 2-ipsec-vpn ike gateway 1-gateway                      /*** reference the phase 1 gateway ***/
srx_admin# set security ipsec vpn 2-ipsec-vpn ike ipsec-policy 2-ipsec-policy            /*** reference the phase 2 IPsec policy ***/
srx_admin# set security ipsec vpn 2-ipsec-vpn establish-tunnels immediately              /*** start building the tunnel immediately ***/
※ Enable the IKE service on the interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Bidirectional traffic policies
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
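The NAT sections (3.1.5, 3.1.6) and both route-based VPN modes above chain named objects together: a NAT rule names a pool, a gateway names an IKE policy, an IPsec VPN names a gateway, an IPsec policy and a bind interface, a zone names its interfaces, and a security policy may name the VPN. The following Python checker, added here and not part of the guide or of Junos, verifies before commit that every such name is defined somewhere in the set statements. The prefix/keyword table it recognises covers only the statement types used in this guide (an assumption, not Junos' full grammar); the sample statements are constructed and include one deliberate slip, a rule referencing pool 11 while pool 111 is defined, plus a variant with a misspelled VPN name.

```python
"""Reference-integrity check for Junos set-style configuration.

Added example for this guide, not Juniper code. Junos rejects most dangling
names at commit time; finding them before the commit is cheaper than a
failed commit on a remote box. The recognised statement types are only those
used in this guide (an assumption).
"""

# Statement prefixes (after 'set') whose next token defines a named object.
DEFS = {
    ("security", "nat", "destination", "pool"): "destination-nat pool",
    ("security", "ike", "proposal"): "ike proposal",
    ("security", "ike", "policy"): "ike policy",
    ("security", "ike", "gateway"): "ike gateway",
    ("security", "ipsec", "proposal"): "ipsec proposal",
    ("security", "ipsec", "policy"): "ipsec policy",
    ("security", "ipsec", "vpn"): "ipsec vpn",
}

# (statement prefix, keyword, kind): within a statement carrying that prefix,
# the token following the keyword references an object of that kind.
REFS = [
    (("security", "nat", "destination", "rule-set"), "pool", "destination-nat pool"),
    (("security", "ike", "policy"), "proposals", "ike proposal"),
    (("security", "ike", "gateway"), "ike-policy", "ike policy"),
    (("security", "ike", "gateway"), "external-interface", "interface"),
    (("security", "ipsec", "policy"), "proposals", "ipsec proposal"),
    (("security", "ipsec", "vpn"), "gateway", "ike gateway"),
    (("security", "ipsec", "vpn"), "ipsec-policy", "ipsec policy"),
    (("security", "ipsec", "vpn"), "bind-interface", "interface"),
    (("security", "zones"), "interfaces", "interface"),
    (("security", "policies"), "ipsec-vpn", "ipsec vpn"),
]


def tokenize(config_text):
    """Split 'set ...' lines into token lists, dropping prompts and /*** ***/ comments."""
    statements = []
    for raw in config_text.splitlines():
        line = raw.split("/***", 1)[0].split("#", 1)[-1].strip()
        tok = line.split()
        if tok[:1] == ["set"]:
            statements.append(tok[1:])
    return statements


def collect(statements):
    """Return (defined, referenced): a set of (kind, name) and a list of (kind, name, statement)."""
    defined, referenced = set(), []
    for tok in statements:
        # 'set interfaces fe-0/0/0 unit 0 ...' defines the logical interface fe-0/0/0.0
        if tok[:1] == ["interfaces"] and len(tok) > 3 and tok[2] == "unit":
            defined.add(("interface", f"{tok[1]}.{tok[3]}"))
        for prefix, kind in DEFS.items():
            n = len(prefix)
            if tuple(tok[:n]) == prefix and len(tok) > n:
                defined.add((kind, tok[n]))
        for prefix, keyword, kind in REFS:
            n = len(prefix)
            if tuple(tok[:n]) != prefix:
                continue
            body = tok[n:]
            for i in range(len(body) - 1):
                if body[i] == keyword:
                    referenced.append((kind, body[i + 1], "set " + " ".join(tok)))
    return defined, referenced


def dangling(config_text):
    """Return every (kind, name, statement) whose referenced object is never defined."""
    defined, referenced = collect(tokenize(config_text))
    return [ref for ref in referenced if (ref[0], ref[1]) not in defined]


# Constructed sample: a MIP-style destination NAT plus a standard-mode route-based
# VPN. The NAT rule deliberately references pool 11 while pool 111 is defined.
SAMPLE_CONFIG = """
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
srx_admin# set interfaces st0 unit 0 family inet                        /*** tunnel interface ***/
srx_admin# set security zones security-zone untrust interfaces st0.0
srx_admin# set security nat destination pool 111 address 192.168.1.3/32
srx_admin# set security nat destination rule-set 1 from zone untrust
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 11
srx_admin# set security ike policy lead mode main
srx_admin# set security ike policy lead proposal-set standard
srx_admin# set security ike gateway gw1 ike-policy lead
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0
srx_admin# set security ipsec policy abc proposal-set standard
srx_admin# set security ipsec vpn test bind-interface st0.0
srx_admin# set security ipsec vpn test ike gateway gw1
srx_admin# set security ipsec vpn test ike ipsec-policy abc
"""

# Same sample plus a policy that misspells the VPN name (constructed).
TYPO_CONFIG = SAMPLE_CONFIG + (
    "set security policies from-zone trust to-zone untrust policy vpn-policy "
    "then permit tunnel ipsec-vpn tset\n"
)

if __name__ == "__main__":
    for kind, name, statement in dangling(TYPO_CONFIG):
        print(f"undefined {kind} '{name}' referenced by: {statement}")
```

Pasting the output of `show configuration | display set` into the checker before a commit surfaces exactly the class of slip that a long copy-and-edit session produces: a pool, policy or VPN name that was renamed on one line and not on the other.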
4.1.2 Policy based
※ Create the local and remote internal subnets and place them in the corresponding zones
srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24        /*** local internal subnet ***/
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24    /*** remote internal subnet ***/
※ VPN phase 1: IKE
※※ Proposal
srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys      /*** pre-shared-key authentication ***/
srx_admin# set security ike proposal ike-phase1-proposal dh-group group2                             /*** DH group 2 ***/
srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5                /*** MD5 authentication ***/
srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc               /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ike policy ike-phase1-policy mode main                                       /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal                   /*** reference the IKE proposal ***/
srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123            /*** pre-shared key ***/
※※ Gateway
srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy                            /*** reference the IKE policy ***/
srx_admin# set security ike gateway gw-chica address 116.228.60.157                                 /*** remote gateway address ***/
srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0                          /*** local egress interface ***/
※ VPN phase 2: IPsec
※※ Proposal
srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp                            /*** IPsec proposal protocol: ESP ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96    /*** MD5 authentication ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc           /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal             /*** IPsec policy: reference the IPsec proposal ***/
※※ VPN
srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica                                /*** reference the phase 1 gateway ***/
srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy                /*** reference the IPsec policy ***/
srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic                        /*** the VPN is brought up once traffic appears ***/
※ Enable the IKE service on the interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ VPN traffic policy trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close
※ Internet traffic policy trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit
※ VPN traffic policy untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica
Note: enable session logging in the policy:
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close
4.2 Remote VPN
4.2.1 SRX-side configuration
※ VPN phase 1: IKE policy
srx_admin# set security ike policy remote-vpn-policy mode aggressive
srx_admin# set security ike policy remote-vpn-policy proposal-set compatible
srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123
※ VPN phase 1: IKE gateway
srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy
srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper
srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10
srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauthsrx
※ VPN phase 2: IPsec policy
srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible
※ VPN phase 2: IPsec VPN
srx_admin# set security ipsec vpn remote ike gateway remote-vpn-gateway
srx_admin# set security ipsec vpn remote ike ipsec-policy remote-vpn-ipsec-policy
srx_admin# set security ipsec vpn remote establish-tunnels immediately
※ Address pool for remote users
srx_admin# set access address-pool DHCP-POOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCP-POOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCP-POOL primary-dns 8.8.8.8
Note: the address pool should be kept separate from the internal subnet; an overlapping range causes many problems.
※ Create the remote authentication users
srx_admin# set access profile xauthsrx authentication-order password
srx_admin# set access profile xauthsrx client L2TP_USER_MA firewall-user password 123456
※ Enable the IKE service on the interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policy untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match destination-address network
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match application any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then permit tunnel ipsec-vpn remote
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-init
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-close
4.2.2 Client configuration