Section 1  System configuration
  1.1 Device initialization
    1.1.1 Login
    1.1.2 Set the root account password
    1.1.3 Create a remote-management user
  1.2 System management
    1.2.1 Select the time zone
    1.2.2 System time
    1.2.3 DNS server
    1.2.4 System reboot
    1.2.5 Alarm handling
    1.2.6 Root password reset
Section 2  Network settings
  2.1 Interface
    2.1.1 PPPoE
    2.1.2 Manual
    2.1.3 DHCP
  2.2 Routing
    Static Route
  2.3 SNMP
Section 3  Advanced settings
  3.1.1 Change service ports
  3.1.2 Check the hardware serial number
  3.1.3 Enable services on the external interface
  3.1.4 Create port services
  3.1.5 VIP port mapping
  3.1.6 MIP mapping
  3.1.7 Disable the console port
  3.1.8 Source NAT for pinging the Internet from the SRX with a source address (not reachable by default)
  3.1.9 Set the SRX management IP
  3.2.0 Configuration rollback
  3.2.1 Applying UTM
  3.2.2 Fixing slow network access
Section 4  VPN settings
  4.1 Site-to-site IPsec VPN
    4.1.1 Route Based
    4.1.2 Policy Based
  4.2 Remote VPN
    4.2.1 SRX-side configuration
    4.2.2 Client configuration
Section 1  System configuration
1.1 Device initialization
1.1.1 Login
For the first login, connect to the SRX through the console port and log in as root; the password is empty.
login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root@% cli   *** enter operational mode ***
root>
root> configure
Entering configuration mode   *** enter configuration mode ***
[edit]
root#
1.1.2 Set the root account password
(The root account password must be configured; otherwise subsequent configuration changes cannot be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is shown in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU8M7B62u05D6"; ## SECRET-DATA
Note: it is strongly recommended to store the root user password with the encrypted option (the encrypted-password method). That configuration parameter expects the password as a string already hashed with the encryption algorithm; when such a string is typed in by hand there is a risk that the password will fail verification.
Note: the root user can manage the SRX only over the console connection, not through a remote login. The root password must be set successfully and committed with commit before any further configuration commands can be entered.
1.1.3 Create a remote-management user
root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: srx123
Note: the juniper user has super-user privileges and can access the device through the console and remotely; users with custom, narrower management privileges can also be defined as needed.
1.2 System management
1.2.1 Select the time zone
srx_admin# set system time-zone Asia/Shanghai   *** Asia/Shanghai ***
1.2.2 System time
1.2.2.1 Set the time manually
srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
 3:37PM  up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-off NTP synchronization
srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset 28796.357071 sec
1.2.2.3 NTP server
srx_admin# set system ntp server 2021001021
srx_admin# set system ntp server ntp.api.bz
*** SRX system NTP server; the device must be online and able to resolve the NTP hostname, otherwise the command cannot be entered ***
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db  Sun, Feb  8 2015  7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin@holyshit> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
 dns.sjtu.edu.cn  15179156248     3   16    64    1    5.473    0.953   0.008
 2021001021       INIT           16   -     64    0    0.000    0.000 4000.00
1.2.3 DNS server
srx_admin# set system name-server 202.96.209.5   *** SRX system DNS ***
1.2.4 System reboot
1.2.4.1 Reboot the system
srx_admin> request system reboot
1.2.4.2 Power off the system
srx_admin> request system power-off
1.2.5 Alarm handling
1.2.5.1 View alarms
root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set
1.2.5.2 Clear the alarms
Handling the first alarm:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Handling the second alarm:
root> request system configuration rescue save
1.2.6 Root password reset
If the SRX root password is lost and no account with super-user privileges is available, a password recovery must be performed. The procedure interrupts normal operation of the device but does not lose the configuration. Steps:
1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Perform the password recovery: at the prompt type recovery; the device then restarts automatically.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
3. Enter configuration mode, delete the root password, set a new root password, commit and reboot.
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Section 2  Network settings
2.1 Interface
2.1.1 PPPoE
※ Encapsulate PPP on the external interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890
*** PPPoE password ***
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163
*** PPPoE account ***
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive
*** passive mode ***
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890
*** PPPoE password ***
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163
*** PPPoE account ***
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890
*** PPPoE password ***
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive
*** passive mode ***
※ Bind the PPP interface to the physical interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
*** run PPPoE dial-up over the external interface (fe-0/0/0) ***
※ PPPoE dial-up attributes
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
*** idle timeout ***
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
*** redial automatically after 3 seconds ***
srx_admin# set interfaces pp0 unit 0 pppoe-options client
*** act as a PPPoE client ***
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492
*** set the interface MTU to 1492, since the PPPoE header adds some overhead ***
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address
*** negotiate the address automatically; the server assigns a dynamic address ***
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that PPPoE has dialed up and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0       up    up
pp0.0     up    up   inet   1921681631 --> 1.1.1.1
ppd0      up    up
ppe0      up    up
Note:
After PPPoE dials up successfully, the MTU must be tuned for the best browsing experience (an unsuitable MTU makes browsing sluggish).
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304   *** adjust the MTU ***
srx_admin# set security flow tcp-mss all-tcp mss 1304   *** adjust the TCP MSS ***
2.1.2 Manual
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable the DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
*** DHCP gateway ***
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
*** first address of the DHCP pool ***
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
*** last address of the DHCP pool ***
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000
*** DHCP lease time ***
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name leadsystems.com.cn
*** DHCP domain name ***
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133
*** DNS servers handed out by DHCP ***
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0   *** DHCP distribution interface ***
※ Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Allow the internal interface to serve the DHCP pool
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static Route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153
*** default route ***
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0
*** route for a route-based VPN ***
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only
*** SNMP monitoring permission: read-only (or read-write) ***
srx_admin# set snmp client-list snmp_srx240 1019289932
*** SNMP monitoring host ***
Section 3  Advanced settings
3.1.1 Change service ports
srx_admin# set system services web-management http port 8000
*** change the web HTTP management port ***
srx_admin# set system services web-management https port 1443
*** change the web HTTPS management port ***
3.1.2 Check the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
PIC 0                                                 8x FE Base PIC
Power Supply 0
3.1.3 Enable services on the external interface
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
*** so that opening https://<ip>/admin goes straight to the management page ***
※ Enable services on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping   *** enable ping ***
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http   *** enable http ***
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet   *** enable telnet ***
※ Enable services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping   *** enable ping ***
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet   *** enable telnet ***
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http   *** enable http ***
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all   *** enable all services ***
3.1.4 Create system services
*** tcp and udp go in separate terms of the application; a second protocol statement on the same term would overwrite the first ***
srx_admin# set applications application RDP term tcp protocol tcp   *** protocol tcp ***
srx_admin# set applications application RDP term tcp source-port 0-65535   *** source port ***
srx_admin# set applications application RDP term tcp destination-port 3389   *** destination port ***
srx_admin# set applications application RDP term udp protocol udp   *** protocol udp ***
srx_admin# set applications application RDP term udp source-port 0-65535   *** source port ***
srx_admin# set applications application RDP term udp destination-port 3389   *** destination port ***
3.1.5 VIP port mapping
※ Destination NAT configuration
srx_admin# set security nat destination pool 22 address 192.168.1.20/32
*** destination NAT pool: the real internal address ***
srx_admin# set security nat destination pool 22 address port 3389
*** destination NAT pool: port on the internal address ***
srx_admin# set security nat destination rule-set 2 from zone untrust
*** destination NAT rule: traffic arrives from the untrust zone ***
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
*** destination NAT rule: from any source address ***
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
*** destination NAT rule: the destination address being accessed, 116.228.60.157 ***
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389
*** destination NAT rule: the destination port being accessed ***
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22
*** destination NAT rule: translate to the pool address ***
※ Policy configuration
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H19216812032
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address H19216812032 192.168.1.20/32
3.1.6 MIP mapping
※ Destination NAT settings
srx_admin# set security nat destination pool 111 address 192.168.1.3/32
*** destination NAT pool: the real internal address ***
srx_admin# set security nat destination rule-set 1 from zone untrust
*** destination NAT rule: traffic arrives from the untrust zone ***
srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0
*** destination NAT rule: from any source address ***
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32
*** destination NAT rule: the destination address being accessed, 116.228.60.157 ***
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 11
*** destination NAT rule: translate to the pool address ***
※ Configure proxy ARP
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32
※ Policy configuration
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H19216812032
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
3.1.7 Disable the console port
junipersrx@SRX100H2# edit system ports console   *** enter the console port stanza ***
junipersrx@SRX100H2# set disable   *** disable the port ***
junipersrx@SRX100H2# commit confirmed 3   *** commit for 3 minutes; rolls back after 3 minutes unless confirmed ***
3.1.8 Pinging the Internet from the SRX itself with a source address does not work by default; source NAT is required
set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trusttountrust from zone trust
set security nat source rule-set trusttountrust to zone untrust
set security nat source rule-set trusttountrust rule sourcenatrule match source-address 0.0.0.0/0
set security nat source rule-set trusttountrust rule sourcenatrule then source-nat interface
3.1.9 Set the SRX management IP
※ See the external-interface services of the firewall (section 3.1.3)
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
※ Define a firewall filter that sets the addresses and ports allowed to access the device
set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
*** the address allowed to access the management address ***
set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
set firewall filter Outside_access_in term Permit_ANY then accept
*** all other traffic to that port is denied ***
※ Apply the filter to the firewall's external interface to enforce the restriction
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in
Note: (1) When configuring the deny term, the denied port must be placed after the term that permits the allowed traffic; otherwise the deny term drops that traffic as well.
(2) When configuring the deny term, do not use all, or all traffic will be denied.
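The two notes above describe Junos first-match evaluation of filter terms. The following added example (not from the original guide) models that evaluation in Python over the Outside_access_in terms of section 3.1.9 and constructed sample packets, to show why the Deny_ANY term must follow Permit_IP and what an unconditional deny term does. Packet, Term and evaluate are assumed helper names defined here, not Junos APIs.

```python
"""Added example (not from the original guide): a tiny model of Junos
firewall-filter evaluation (terms checked in order, first match wins,
implicit discard at the end) applied to the Outside_access_in filter of
section 3.1.9.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet record with only the fields the filter matches on."""
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class Term:
    """One filter term: optional 'from' conditions plus a 'then' action."""
    name: str
    action: str              # "accept" or "discard"
    src: Optional[str] = None        # prefix, e.g. "116.228.60.158/32"
    dst: Optional[str] = None
    protocol: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every configured condition must hold; a term with no conditions
        # matches all traffic (this is what note 2 warns about).
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term; when no term
    matches, Junos discards the packet (implicit discard)."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "<implicit>", "discard"


SSH = 22
MGMT_HOST = "116.228.60.158/32"     # allowed management source (section 3.1.9)
SRX_WAN = "59.46.184.114/32"        # SRX external address (section 3.1.9)

# The three terms as section 3.1.9 defines them, in the guide's order.
PERMIT_IP = Term("Permit_IP", "accept", src=MGMT_HOST, dst=SRX_WAN, protocol="tcp", dport=SSH)
DENY_ANY = Term("Deny_ANY", "discard", dst=SRX_WAN, protocol="tcp", dport=SSH)
PERMIT_ANY = Term("Permit_ANY", "accept")
OUTSIDE_ACCESS_IN = [PERMIT_IP, DENY_ANY, PERMIT_ANY]

# Constructed sample packets (203.0.113.0/24 is a documentation range).
SSH_FROM_MGMT = Packet("116.228.60.158", "59.46.184.114", "tcp", SSH)
SSH_FROM_OTHER = Packet("203.0.113.9", "59.46.184.114", "tcp", SSH)
WEB_TRANSIT = Packet("203.0.113.9", "59.46.184.114", "tcp", 443)


def compare_orders() -> Dict[str, str]:
    """Evaluate the same packets under the guide's order, under the wrong
    order (deny before permit, note 1) and with a deny term that has no
    'from' conditions (note 2)."""
    wrong_order = [DENY_ANY, PERMIT_IP, PERMIT_ANY]
    deny_all = Term("Deny_ANY", "discard")           # matches everything
    deny_everything = [PERMIT_IP, deny_all, PERMIT_ANY]
    return {
        "page/ssh-from-mgmt": evaluate(OUTSIDE_ACCESS_IN, SSH_FROM_MGMT)[1],
        "page/ssh-from-other": evaluate(OUTSIDE_ACCESS_IN, SSH_FROM_OTHER)[1],
        "page/web-transit": evaluate(OUTSIDE_ACCESS_IN, WEB_TRANSIT)[1],
        "wrong-order/ssh-from-mgmt": evaluate(wrong_order, SSH_FROM_MGMT)[1],
        "deny-all/web-transit": evaluate(deny_everything, WEB_TRANSIT)[1],
    }


if __name__ == "__main__":
    for case, action in compare_orders().items():
        print(f"{case:28s} -> {action}")
```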
3.2.0 Configuration rollback
※ View the commit history
srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button
※ Roll back the configuration (ROLLBACK 0)
srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command
3.2.1 Applying UTM
※ Reference the UTM policy from a security policy
srx_admin# set security policies from-zone trust to-zone untrust policy trusttountrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trusttountrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trusttountrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trusttountrust then permit application-services utm-policy junosavpolicy
3.2.2 Fixing slow network access
srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check
Section 4  VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route Based
*** standard or compatible mode ***
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
*** create the st0.0 interface ***
srx_admin# set security zones security-zone untrust interfaces st0.0
*** place the tunnel interface st0.0 in the untrust zone ***
※ Create the route to the remote VPN network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ VPN phase 1 (IKE) policy configuration
srx_admin# set security ike policy lead mode main
*** negotiation mode: main or aggressive ***
srx_admin# set security ike policy lead proposal-set standard
*** negotiation algorithms: standard (or compatible) ***
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123
*** pre-shared key ***
※ VPN phase 1 (IKE) gateway configuration
srx_admin# set security ike gateway gw1 ike-policy lead
*** reference the phase 1 IKE policy ***
srx_admin# set security ike gateway gw1 address 116.228.60.158
*** peer gateway address ***
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0
*** VPN outgoing interface ***
Note: with PPPoE dial-up Internet access, the outgoing interface must be the PPP interface:
srx_admin# set security ike gateway gw1 external-interface pp0.0
※ VPN phase 2 (IPsec) configuration
srx_admin# set security ipsec policy abc proposal-set standard
*** negotiation algorithms: standard (or compatible) ***
srx_admin# set security ipsec vpn test bind-interface st0.0
*** bind the VPN interface ***
srx_admin# set security ipsec vpn test ike gateway gw1
*** reference the gateway ***
srx_admin# set security ipsec vpn test ike ipsec-policy abc
*** reference the encryption-algorithm policy ***
srx_admin# set security ipsec vpn test establish-tunnels immediately
*** start negotiation immediately ***
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Bidirectional traffic policies
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy then permit
untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy then permit
*** custom mode ***
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
*** create the st0.0 interface ***
srx_admin# set security zones security-zone untrust interfaces st0.0
*** place the tunnel interface st0.0 in the untrust zone ***
※ Create the route to the remote VPN network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ VPN phase 1 (IKE) configuration
※※ Proposal settings
srx_admin# set security ike proposal vpn1proposal authentication-method pre-shared-keys
*** pre-shared-key authentication ***
srx_admin# set security ike proposal vpn1proposal dh-group group2
*** DH group: group2 ***
srx_admin# set security ike proposal vpn1proposal authentication-algorithm md5
*** MD5 authentication ***
srx_admin# set security ike proposal vpn1proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy settings
srx_admin# set security ike policy vpn1ikepolicy mode main
*** negotiation mode: main or aggressive ***
srx_admin# set security ike policy vpn1ikepolicy proposals vpn1proposal
*** reference the IKE proposal ***
srx_admin# set security ike policy vpn1ikepolicy pre-shared-key ascii-text juniper123
*** pre-shared key ***
※※ Gateway settings
srx_admin# set security ike gateway vpn1gateway ike-policy vpn1ikepolicy
*** reference the IKE policy ***
srx_admin# set security ike gateway vpn1gateway address 116.228.60.158
*** peer gateway address ***
srx_admin# set security ike gateway vpn1gateway external-interface fe-0/0/0.0
*** outgoing interface ***
※ VPN phase 2 (IPsec) settings
※※ Proposal settings
srx_admin# set security ipsec proposal vpn2ipsecproposal protocol esp
*** IPsec proposal protocol: ESP ***
srx_admin# set security ipsec proposal vpn2ipsecproposal authentication-algorithm hmac-md5-96
*** MD5 authentication ***
srx_admin# set security ipsec proposal vpn2ipsecproposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy settings
srx_admin# set security ipsec policy vpn2ipsecpolicy perfect-forward-secrecy keys group2
*** enable PFS with group2 ***
srx_admin# set security ipsec policy vpn2ipsecpolicy proposals vpn2ipsecproposal
*** IPsec policy: reference the IPsec proposal ***
※※ VPN settings
srx_admin# set security ipsec vpn vpn2ipsecvpn bind-interface st0.0
*** IPsec VPN: bind the tunnel interface ***
srx_admin# set security ipsec vpn vpn2ipsecvpn ike gateway vpn1gateway
*** IPsec VPN: reference the phase 1 VPN gateway ***
srx_admin# set security ipsec vpn vpn2ipsecvpn ike ipsec-policy vpn2ipsecpolicy
*** IPsec VPN: reference the phase 2 IPsec policy ***
srx_admin# set security ipsec vpn vpn2ipsecvpn establish-tunnels immediately
*** start building the VPN tunnel immediately ***
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Bidirectional traffic policies
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpnpolicy then permit
untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnpolicy then permit
4.1.2 Policy Based
※ Define the local and remote subnets and place them in the corresponding zones
srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24
*** local subnet ***
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24
*** remote subnet ***
※ VPN phase 1 (IKE) settings
※※ Proposal settings
srx_admin# set security ike proposal ikephase1proposal authentication-method pre-shared-keys
*** use a pre-shared key ***
srx_admin# set security ike proposal ikephase1proposal dh-group group2
*** DH group: group2 ***
srx_admin# set security ike proposal ikephase1proposal authentication-algorithm md5
*** MD5 authentication ***
srx_admin# set security ike proposal ikephase1proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy settings
srx_admin# set security ike policy ikephase1policy mode main
*** negotiation mode: main or aggressive ***
srx_admin# set security ike policy ikephase1policy proposals ikephase1proposal
*** reference the IKE proposal ***
srx_admin# set security ike policy ikephase1policy pre-shared-key ascii-text juniper123
*** pre-shared key ***
※※ Gateway settings
srx_admin# set security ike gateway gwchica ike-policy ikephase1policy
*** reference the IKE policy ***
srx_admin# set security ike gateway gwchica address 116.228.60.157
*** specify the peer gateway address ***
srx_admin# set security ike gateway gwchica external-interface fe-0/0/0.0
*** specify the outgoing interface ***
※ VPN phase 2 (IPsec) settings
※※ Proposal settings
srx_admin# set security ipsec proposal ipsecphase2proposal protocol esp
*** IPsec proposal protocol: ESP ***
srx_admin# set security ipsec proposal ipsecphase2proposal authentication-algorithm hmac-md5-96
*** MD5 authentication ***
srx_admin# set security ipsec proposal ipsecphase2proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy settings
srx_admin# set security ipsec policy ipsecphase2policy proposals ipsecphase2proposal
*** IPsec policy: reference the IPsec proposal ***
※※ VPN settings
srx_admin# set security ipsec vpn ikevpnchica ike gateway gwchica
*** IPsec VPN: reference the phase 1 VPN gateway ***
srx_admin# set security ipsec vpn ikevpnchica ike ipsec-policy ipsecphase2policy
*** reference the IPsec policy ***
srx_admin# set security ipsec vpn ikevpnchica establish-tunnels on-traffic
*** the VPN is established only when traffic is generated ***
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ VPN traffic policies
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpntruntr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpntruntr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpntruntr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpntruntr then permit tunnel ipsec-vpn ikevpnchica
srx_admin# set security policies from-zone trust to-zone untrust policy vpntruntr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpntruntr then log session-close
※ Internal (LAN) traffic policy
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy permitany match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permitany match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permitany match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permitany then permit
untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpnuntrtr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpnuntrtr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpnuntrtr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpnuntrtr then permit tunnel ipsec-vpn ikevpnchica
Note: enable policy logging
set security policies from-zone untrust to-zone trust policy vpnuntrtr then log session-init
set security policies from-zone untrust to-zone trust policy vpnuntrtr then log session-close
4.2 Remote VPN
4.2.1 SRX-side configuration
※ VPN phase 1 IKE policy settings
srx_admin# set security ike policy remotevpnpolicy mode aggressive
srx_admin# set security ike policy remotevpnpolicy proposal-set compatible
srx_admin# set security ike policy remotevpnpolicy pre-shared-key ascii-text juniper123
※ VPN phase 1 IKE gateway settings
srx_admin# set security ike gateway remotevpngateway ike-policy remotevpnpolicy
srx_admin# set security ike gateway remotevpngateway dynamic hostname juniper
srx_admin# set security ike gateway remotevpngateway dynamic connections-limit 10
srx_admin# set security ike gateway remotevpngateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remotevpngateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remotevpngateway xauth access-profile xauthsrx
※ VPN phase 2 IPsec policy settings
srx_admin# set security ipsec policy remotevpnipsecpolicy proposal-set compatible
※ VPN phase 2 IPsec VPN settings
srx_admin# set security ipsec vpn remotevpn ike gateway remotevpngateway
srx_admin# set security ipsec vpn remotevpn ike ipsec-policy remotevpnipsecpolicy
srx_admin# set security ipsec vpn remotevpn establish-tunnels immediately
※ Address pool (DHCP) settings for remote users
srx_admin# set access address-pool DHCPPOOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCPPOOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCPPOOL primary-dns 8.8.8.8
Note: the address pool range must be distinct from the internal LAN subnet, otherwise problems will arise.
※ Create the remote authentication user
srx_admin# set access profile xauthsrx authentication-order password
srx_admin# set access profile xauthsrx client L2TP_USER_MA firewall-user password 123456
※ Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policy settings untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy dailvpn match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy dailvpn match destination-address network
srx_admin# set security policies from-zone untrust to-zone trust policy dailvpn match application any
srx_admin# set security policies from-zone untrust to-zone trust policy dailvpn then permit tunnel ipsec-vpn remotevpn
srx_admin# set security policies from-zone untrust to-zone trust policy dailvpn then log session-init
srx_admin# set security policies from-zone untrust to-zone trust policy dailvpn then log session-close
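Several settings shown across sections 2.3, 3.1.3, 3.2.2, 4.1.1 and 4.2.1 (telnet and HTTP management, system-services all on the untrust zone, a read-write SNMP community, MD5/3DES/DH group 2 proposals, aggressive mode, no-sequence-check) are ones a reviewer would want flagged before commit. The following added example (not part of the original guide) audits a set-style configuration for exactly those lines; the rule list, finding ids and the sample configuration are constructed here and cover only the syntax this guide shows.

```python
"""Added example (not part of the original guide): audit a Junos
'set'-style configuration for the weak settings that appear in this guide.
The rules only cover the command forms the guide shows, not the whole
Junos grammar; names in SAMPLE_CONFIG are constructed.
"""
import re
from typing import Dict, List, Tuple

# (finding id, regex over one 'set ...' line, why it matters)
RULES: List[Tuple[str, str, str]] = [
    ("cleartext-telnet", r"^set system services telnet\b",
     "telnet sends credentials in cleartext; prefer ssh (section 3.1.3)"),
    ("cleartext-http-mgmt", r"^set system services web-management http\b",
     "HTTP management is unencrypted; use https (sections 3.1.1 and 3.1.3)"),
    ("all-services-on-untrust",
     r"^set security zones security-zone untrust .*host-inbound-traffic system-services all$",
     "every host service becomes reachable from the Internet (section 3.1.3)"),
    ("snmp-read-write", r"^set snmp community \S+ authorization read-write$",
     "a read-write SNMP community allows remote reconfiguration (section 2.3)"),
    ("ike-aggressive-mode", r"^set security ike policy \S+ mode aggressive$",
     "aggressive mode exposes the identity hash to offline guessing (section 4.2.1)"),
    ("weak-ike-hash", r"^set security ike proposal \S+ authentication-algorithm md5$",
     "MD5 is a deprecated IKE integrity algorithm (section 4.1.1)"),
    ("weak-ipsec-hash", r"^set security ipsec proposal \S+ authentication-algorithm hmac-md5-96$",
     "HMAC-MD5-96 is deprecated for ESP (section 4.1.1)"),
    ("weak-cipher-3des", r"^set security (ike|ipsec) proposal \S+ encryption-algorithm 3des-cbc$",
     "3DES is slow and deprecated; prefer AES (section 4.1.1)"),
    ("weak-dh-group2", r"^set security ike proposal \S+ dh-group group2$",
     "DH group 2 (1024-bit) is below current recommendations (section 4.1.1)"),
    ("tcp-no-sequence-check", r"^set security flow tcp-session no-sequence-check$",
     "disables TCP sequence validation for all sessions (section 3.2.2)"),
]

COMPILED = [(fid, re.compile(rx), why) for fid, rx, why in RULES]


def audit(config: str) -> List[Dict[str, str]]:
    """Return one finding per matching 'set' line, keeping the line number
    and text so each finding can be traced back to the candidate change."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("set "):
            continue                      # skip prompts, comments, blank lines
        for fid, rx, why in COMPILED:
            if rx.search(line):
                findings.append({"id": fid, "line": str(lineno), "text": line, "why": why})
    return findings


# Constructed sample: risky lines in the forms the guide uses, plus safe ones.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services web-management https interface vlan.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set snmp community Ajitec authorization read-write
set security ike proposal vpn1-proposal dh-group group2
set security ike proposal vpn1-proposal authentication-algorithm md5
set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc
set security ike policy remote-vpn-policy mode aggressive
set security flow tcp-session no-sequence-check
"""


def finding_ids(config: str = SAMPLE_CONFIG) -> List[str]:
    """Finding ids in the order the offending lines appear."""
    return [f["id"] for f in audit(config)]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['id']:24s}  {f['why']}")
```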
4.2.2 Client configuration