Juniper SRX Detailed Configuration Manual (annotated)
Juniper SRX Standard Configuration
Section 1 System configuration
1.1 Device initialisation
1.1.1 Login
1.1.2 Setting the root password
1.1.3 Creating a remote management user
1.2 System management
1.2.1 Time zone
1.2.2 System time
1.2.3 DNS server
1.2.4 System reboot
1.2.5 Alarm handling
1.2.6 Root password reset
Section 2 Network settings
2.1 Interfaces
2.1.1 PPPoE
2.1.2 Manual
2.1.3 DHCP
2.2 Routing
Static route
2.3 SNMP
Section 3 Advanced settings
3.1.1 Changing the management service ports
3.1.2 Checking the hardware serial number
3.1.3 Enabling system services on the inside and outside interfaces
3.1.4 Creating a custom service (application)
3.1.5 VIP port mapping
3.1.6 MIP mapping
3.1.7 Disabling the console port
3.1.8 Pings from the SRX with a specified source address fail by default; source NAT is required
3.1.9 Restricting access to the SRX management IP
3.2.0 Configuration rollback
3.2.1 Applying UTM
3.2.2 Resolving slow network access
Section 4 VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route based
4.1.2 Policy based
4.2 Remote VPN
4.2.1 SRX-side configuration
4.2.2 Client-side configuration
Section 1 System configuration
1.1 Device initialisation
1.1.1 Login
For the first login, connect to the SRX through the console port and log in as root; the password is empty.
login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli    /*** enter operational mode ***/
root>
root> configure
Entering configuration mode    /*** enter configuration mode ***/
[edit]
root#
1.1.2 Setting the root password
(The root account password must be configured; otherwise none of the subsequent configuration or changes can be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA
Caution: it is strongly recommended not to use the other encryption option (encrypted-password) for the root password or any other user password. That option expects the already-hashed string as its input, and a hash typed in by hand carries the risk that the password will never validate.
Note: the root account is only for local management of the SRX over the console; it cannot manage the SRX through remote login. The root password must be set successfully before commit will accept any further configuration.
1.1.3 Creating a remote management user
root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: juniper
Note: this user has super-user privileges and can be used for both console and remote management access; other users with different management privileges can be defined as required.
1.2 System management
1.2.1 Time zone
srx_admin# set system time-zone Asia/Shanghai    /*** Asia/Shanghai ***/
1.2.2 System time
1.2.2.1 Setting the time manually
srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-off NTP synchronisation
srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec
1.2.2.3 NTP servers
srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz
/*** NTP servers used by the SRX itself. For a server given by host name the device must have Internet access and be able to resolve the name, otherwise the command cannot be entered ***/
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a FriNov2015:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin@holy-shit> show ntp associations
     remote            refid           st t  when poll reach   delay   offset  jitter
==============================================================================
 (not recovered)  15.179.156.248     3 -    16   64     1   5.473   -0.953   0.008
 202.100.102.1    .INIT.            16 -     -   64     0   0.000    0.000 4000.00
1.2.3 DNS server
srx_admin# set system name-server 202.96.209.5    /*** DNS server used by the SRX itself ***/
1.2.4 System reboot
1.2.4.1 Rebooting the system
srx_admin> request system reboot
1.2.4.2 Shutting the system down
srx_admin> request system power-off
1.2.5 Alarm handling
1.2.5.1 Viewing alarms
root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set
1.2.5.2 Clearing the alarms
Handling alarm 1:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Handling alarm 2:
root> request system configuration rescue save
1.2.6 Root password reset
If the SRX root password is lost and no other account with super-user privileges exists, a password recovery has to be performed. The procedure interrupts normal operation of the device, but the configuration is not lost.
Steps:
1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Run the password recovery: type recovery at the prompt shown below; the device then continues automatically.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
3. Enter configuration mode, delete the root password, set a new root password, commit and reboot.
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Section 2 Network settings
2.1 Interfaces
2.1.1 PPPoE
※ Encapsulate PPPoE on the outside interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163    /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive    /*** passive mode ***/
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163    /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890    /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive    /*** passive mode ***/
※ Bind the PPP interface to the physical interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0    /*** dial PPPoE over the outside interface (fe-0/0/0) ***/
※ PPPoE dial-up options
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0    /*** idle timeout ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3    /*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client    /*** act as a PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492    /*** set this interface's MTU to 1492, because the PPPoE header adds some overhead ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address    /*** negotiate the address, i.e. accept a dynamic address from the server ***/
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Place the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that PPPoE has connected and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0      up    up
pp0.0    up    up   inet  192.168.163.1  --> 1.1.1.1
ppd0     up    up
ppe0     up    up
Note: once the PPPoE session is up, adjust the MTU so that browsing works best; an unsuitable MTU makes Internet access sluggish.
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304    /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304    /*** adjust the TCP maximum segment size ***/
2.1.2 Manual
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable a DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1    /*** DHCP gateway ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2    /*** first address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254    /*** last address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000    /*** DHCP lease time ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name example.com    /*** DHCP domain name (example.com is a placeholder; the original omits the value) ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133    /*** DNS servers handed out by DHCP ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0    /*** DHCP distribution interface ***/
※ Configure the inside interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Allow the DHCP service on the inside interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153    /*** default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0    /*** route for the route-based VPN ***/
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only/read-write    /*** SNMP access level: read-only or read-write (choose one) ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32    /*** SNMP monitoring host; the list only takes effect once the community references it ***/
Section 3 Advanced settings
3.1.1 Changing the management service ports
srx_admin# set system services web-management http port 8000    /*** change the HTTP port of the web management interface ***/
srx_admin# set system services web-management https port 1443    /*** change the HTTPS port of the web management interface ***/
3.1.2 Checking the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
  PIC 0                                               8x FE Base PIC
Power Supply 0
3.1.3 Enabling system services on the inside and outside interfaces
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin    /*** the management page is then reached at https://ip/admin; without this the device redirects to it directly ***/
※ Enable services on the inside interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping    /*** allow ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http    /*** allow http ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet    /*** allow telnet ***/
※ Enable services on the outside interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping    /*** allow ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet    /*** allow telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http    /*** allow http ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all    /*** allow all services (every management service becomes reachable from the Internet) ***/
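As an added example (not part of the original manual), the Python script below parses set commands of the kind shown in this section and flags management services that are exposed on the untrust zone; both the sample configuration and the hardened variant are constructed from the commands above with the prompt removed.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the commands of section 3.1.3 with the CLI prompt removed.
SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
"""

# Constructed hardened variant: only ping and SSH reach the device from the outside interface.
HARDENED_CONFIG = """
set system services ssh
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
"""

INBOUND_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) interfaces (?P<ifc>\S+) "
    r"host-inbound-traffic system-services (?P<svc>\S+)$"
)
TELNET_RE = re.compile(r"^set system services telnet$")

CLEARTEXT = {"telnet", "http"}   # credentials cross the wire unencrypted
UNTRUSTED_ZONES = {"untrust"}    # zones facing the Internet in this manual


class Finding(NamedTuple):
    severity: str
    zone: str
    interface: str
    service: str
    reason: str


def audit(config: str) -> List[Finding]:
    """Return findings for Internet-facing management exposure, in configuration order."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if TELNET_RE.match(line):
            findings.append(Finding("medium", "-", "-", "telnet",
                                    "telnet daemon enabled; prefer ssh only"))
            continue
        m = INBOUND_RE.match(line)
        if not m or m["zone"] not in UNTRUSTED_ZONES:
            continue
        svc = m["svc"]
        if svc == "all":
            findings.append(Finding("critical", m["zone"], m["ifc"], svc,
                                    "every system service reachable from the untrusted zone"))
        elif svc in CLEARTEXT:
            findings.append(Finding("high", m["zone"], m["ifc"], svc,
                                    "cleartext management protocol open on an untrusted interface"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:8}] zone={f.zone} ifc={f.interface} service={f.service}: {f.reason}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```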
3.1.4 Creating a custom service (application)
An application entry holds a single protocol, so TCP and UDP port 3389 are defined as two terms of the same RDP application:
srx_admin# set applications application RDP term tcp protocol tcp    /*** protocol: tcp ***/
srx_admin# set applications application RDP term tcp source-port 0-65535    /*** source port ***/
srx_admin# set applications application RDP term tcp destination-port 3389    /*** destination port ***/
srx_admin# set applications application RDP term udp protocol udp    /*** protocol: udp ***/
srx_admin# set applications application RDP term udp source-port 0-65535    /*** source port ***/
srx_admin# set applications application RDP term udp destination-port 3389    /*** destination port ***/
3.1.5 VIP port mapping
※ Destination NAT
srx_admin# set security nat destination pool 22 address 192.168.1.20/32 port 3389    /*** destination NAT pool: the real inside address and its port ***/
srx_admin# set security nat destination rule-set 2 from zone untrust    /*** destination NAT rule: traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0    /*** any source address ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32    /*** the destination address being accessed is 116.228.60.154 ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389    /*** the destination port being accessed ***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22    /*** translate to the pool address ***/
※ Security policy
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any    /*** the RDP application from 3.1.4 would limit this to port 3389 ***/
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
3.1.6 MIP mapping
※ Destination NAT
srx_admin# set security nat destination pool 111 address 192.168.1.3/32    /*** destination NAT pool: the real inside address ***/
srx_admin# set security nat destination rule-set 1 from zone untrust    /*** destination NAT rule: traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0    /*** any source address ***/
srx_admin# set security nat destination rule-set 1 rule 111 match destination-address 116.228.60.157/32    /*** the destination address being accessed is 116.228.60.157 ***/
srx_admin# set security nat destination rule-set 1 rule 111 then destination-nat pool 111    /*** translate to the pool address ***/
※ Proxy ARP
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32
※ Security policy
srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32    /*** address-book entry for the MIP host (the original referenced the VIP host entry, which does not match this pool) ***/
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any    /*** the MIP forwards every port, so this policy is the only limit on exposure ***/
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
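As an added example (not part of the original manual), the Python below parses the destination NAT commands of 3.1.5 and 3.1.6 and resolves an inbound connection to its translated inside address. It shows that the VIP forwards only port 3389 while the MIP forwards every port, so for the MIP the security policy, not the NAT rule, is what limits exposure. The sample configuration is constructed from the commands above with the prompt removed, and trying rules in configuration order is a simplification of the Junos rule-set lookup.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed sample input: the destination NAT commands of 3.1.5 (VIP) and 3.1.6 (MIP).
NAT_CONFIG = """
set security nat destination pool 22 address 192.168.1.20/32 port 3389
set security nat destination rule-set 2 from zone untrust
set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
set security nat destination rule-set 2 rule 111 match destination-port 3389
set security nat destination rule-set 2 rule 111 then destination-nat pool 22
set security nat destination pool 111 address 192.168.1.3/32
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 116.228.60.157/32
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
"""

POOL_RE = re.compile(r"^set security nat destination pool (\S+) address (\S+)(?: port (\d+))?$")
ZONE_RE = re.compile(r"^set security nat destination rule-set (\S+) from zone (\S+)$")
RULE_RE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) (?:match|then) (\S+) (.+)$")

Pool = Tuple[str, Optional[int]]   # (prefix, port) where port None means "keep the original port"
Parsed = Tuple[Dict[str, Pool], Dict[str, str], Dict[Tuple[str, str], Dict[str, str]]]


def parse(config: str) -> Parsed:
    """Collect pools, rule-set 'from zone' contexts and per-rule match/then clauses."""
    pools: Dict[str, Pool] = {}
    rs_zone: Dict[str, str] = {}
    rules: Dict[Tuple[str, str], Dict[str, str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (m[2], int(m[3]) if m[3] else None)
        elif m := ZONE_RE.match(line):
            rs_zone[m[1]] = m[2]
        elif m := RULE_RE.match(line):
            # m[3] is the clause name ("source-address", "destination-nat", ...),
            # m[4] its argument; for "destination-nat pool 22" keep just the pool name.
            rules.setdefault((m[1], m[2]), {})[m[3]] = m[4].split()[-1]
    return pools, rs_zone, rules


def translate(parsed: Parsed, from_zone: str, src: str, dst: str, dport: int
              ) -> Optional[Tuple[str, int, str]]:
    """Return (inside address, inside port, matching rule) or None when no rule applies.

    Simplification: rules are tried in configuration order rather than by the
    most-specific rule-set context that Junos uses; both rule-sets here share 'from zone untrust'.
    """
    pools, rs_zone, rules = parsed
    for (rs, name), rule in rules.items():
        if rs_zone.get(rs) != from_zone:
            continue
        if ip_address(src) not in ip_network(rule.get("source-address", "0.0.0.0/0")):
            continue
        if ip_address(dst) not in ip_network(rule["destination-address"]):
            continue
        port = rule.get("destination-port")
        if port is not None and int(port) != dport:
            continue                      # VIP rule: only the mapped port is translated
        addr, pool_port = pools[rule["destination-nat"]]
        inside_port = pool_port if pool_port is not None else dport   # MIP keeps the port
        return addr.split("/")[0], inside_port, f"rule-set {rs} rule {name}"
    return None


if __name__ == "__main__":
    parsed = parse(NAT_CONFIG)
    # Constructed test flows from an arbitrary Internet host.
    for dst, port in (("116.228.60.154", 3389), ("116.228.60.154", 443),
                      ("116.228.60.157", 443), ("116.228.60.157", 22)):
        print(f"{dst}:{port} ->", translate(parsed, "untrust", "203.0.113.9", dst, port))
```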
3.1.7 Disabling the console port
juniper-srx@SRX100H2# edit system ports console    /*** enter the console port hierarchy ***/
juniper-srx@SRX100H2# set disable    /*** disable the port ***/
juniper-srx@SRX100H2# commit confirmed 3    /*** commit for 3 minutes; the change rolls back after 3 minutes unless confirmed ***/
3.1.8 Pings from the SRX with a specified source address fail by default; source NAT is required
set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
3.1.9 Restricting access to the SRX management IP
※ Starting from the system services enabled on the firewall's outside interface
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
※ Define a firewall filter that specifies the permitted source address and port
set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
/*** the permitted management source address and port ***/
set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
set firewall filter Outside_access_in term Permit_ANY then accept
/*** SSH to the management address from any other source is discarded; all remaining traffic is accepted ***/
※ Apply the filter to the firewall's outside interface so that the restriction takes effect
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in
Notes: (1) When configuring the deny term, make sure a term after it permits the remaining traffic; otherwise the filter ends in its implicit discard and all other traffic is dropped.
(2) Do not write the deny term without match conditions (all), or it will discard all traffic.
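As an added example (not part of the original manual), this Python model applies the Outside_access_in filter's first-match, implicit-discard semantics to a few constructed packets and reproduces the two notes above: without the trailing Permit_ANY term everything else is dropped (including IKE from a VPN peer), and a Deny_ANY term without match conditions drops everything except the administrator's SSH.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A packet is (source IP, destination IP, protocol, destination port).
Packet = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Term:
    """One filter term; a match condition left at None means 'any'."""
    name: str
    action: str                          # "accept" or "discard"
    source: Optional[str] = None         # source-address prefix
    destination: Optional[str] = None    # destination-address prefix
    protocol: Optional[str] = None       # "tcp", "udp", ...
    destination_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        src, dst, proto, dport = pkt
        if self.source and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination and ip_address(dst) not in ip_network(self.destination):
            return False
        if self.protocol and self.protocol != proto:
            return False
        if self.destination_port is not None and self.destination_port != dport:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> str:
    """First-match evaluation as a Junos filter does; returns 'term:action'."""
    for term in terms:
        if term.matches(pkt):
            return f"{term.name}:{term.action}"
    return "implicit:discard"            # every Junos filter ends with an implicit discard


MGMT_IP = "59.46.184.114/32"     # SRX management address from the manual
ADMIN_IP = "116.228.60.158/32"   # the only host allowed to reach SSH, from the manual
SSH = 22                         # 'destination-port ssh'

# The filter exactly as written in 3.1.9.
OUTSIDE_ACCESS_IN = [
    Term("Permit_IP", "accept", source=ADMIN_IP, destination=MGMT_IP, protocol="tcp", destination_port=SSH),
    Term("Deny_ANY", "discard", destination=MGMT_IP, protocol="tcp", destination_port=SSH),
    Term("Permit_ANY", "accept"),
]
# Note (1): the same filter without the trailing Permit_ANY term.
MISSING_PERMIT_ANY = OUTSIDE_ACCESS_IN[:2]
# Note (2): a Deny_ANY term with no match conditions ('all').
DENY_ALL = [OUTSIDE_ACCESS_IN[0], Term("Deny_ANY", "discard"), OUTSIDE_ACCESS_IN[2]]

# Constructed sample traffic: the admin's SSH, SSH from a stranger, IKE from a VPN peer.
ADMIN_SSH: Packet = ("116.228.60.158", "59.46.184.114", "tcp", 22)
STRANGER_SSH: Packet = ("203.0.113.9", "59.46.184.114", "tcp", 22)
PEER_IKE: Packet = ("198.51.100.7", "59.46.184.114", "udp", 500)


if __name__ == "__main__":
    variants = [("as written", OUTSIDE_ACCESS_IN), ("no Permit_ANY", MISSING_PERMIT_ANY), ("deny all", DENY_ALL)]
    for label, terms in variants:
        print(f"{label:14}", [evaluate(terms, p) for p in (ADMIN_SSH, STRANGER_SSH, PEER_IKE)])
```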
3.2.0 Configuration rollback
※ View the committed configurations
srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button
※ Roll back the configuration ("rollback 0")
srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command
3.2.1 Applying UTM
※ Reference the UTM policy from a security policy
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy
3.2.2 Resolving slow network access
srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check    /*** check the sequence number of RST segments ***/
srx_admin# set security flow tcp-session strict-syn-check    /*** strict SYN check for new sessions ***/
srx_admin# set security flow tcp-session no-sequence-check    /*** disables TCP sequence-number checking, which weakens flow hardening; keep only while troubleshooting ***/
Section 4 VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route based
/*** standard or compatible mode (predefined proposal sets) ***/
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet    /*** create interface st0.0 ***/
srx_admin# set security zones security-zone untrust interfaces st0.0    /*** place tunnel interface st0.0 in the untrust zone ***/
※ Create the route to the remote peer's inside network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ VPN phase 1: IKE policy
srx_admin# set security ike policy lead mode main    /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy lead proposal-set standard/compatible    /*** negotiated algorithms: choose standard or compatible ***/
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123    /*** pre-shared key ***/
※ VPN phase 1: IKE gateway
srx_admin# set security ike gateway gw1 ike-policy lead    /*** reference the phase 1 IKE policy ***/
srx_admin# set security ike gateway gw1 address 116.228.60.158    /*** remote gateway address ***/
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0    /*** VPN outgoing interface ***/
Note: if Internet access is via PPPoE, the external interface must be the PPP interface:
srx_admin# set security ike gateway gw1 external-interface pp0.0
※ VPN phase 2: IPsec
srx_admin# set security ipsec policy abc proposal-set standard/compatible    /*** negotiated algorithms: choose standard or compatible ***/
srx_admin# set security ipsec vpn test bind-interface st0.0    /*** bind the VPN to the tunnel interface ***/
srx_admin# set security ipsec vpn test ike gateway gw1    /*** reference the gateway ***/
srx_admin# set security ipsec vpn test ike ipsec-policy abc    /*** reference the IPsec policy that selects the algorithms ***/
srx_admin# set security ipsec vpn test establish-tunnels immediately    /*** start negotiating immediately ***/
※ Enable the IKE service on the outside interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Security policies in both directions
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit    /*** st0.0 shares the untrust zone with fe-0/0/0.0, so this any/any permit also admits traffic arriving from the Internet; a dedicated VPN zone or address-book matches narrow it ***/
/*** custom mode (user-defined proposals) ***/
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet    /*** create interface st0.0 ***/
srx_admin# set security zones security-zone untrust interfaces st0.0    /*** place tunnel interface st0.0 in the untrust zone ***/
※ Create the route to the remote peer's inside network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ VPN phase 1: IKE
※※ Proposal
srx_admin# set security ike proposal vpn1-proposal authentication-method pre-shared-keys    /*** authenticate with pre-shared keys ***/
srx_admin# set security ike proposal vpn1-proposal dh-group group2    /*** DH group 2 ***/
srx_admin# set security ike proposal vpn1-proposal authentication-algorithm md5    /*** MD5 authentication (legacy; prefer SHA where the peer supports it) ***/
srx_admin# set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc    /*** 3DES encryption (legacy; prefer AES where the peer supports it) ***/
※※ Policy
srx_admin# set security ike policy vpn1-ike-policy mode main    /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy vpn1-ike-policy proposals vpn1-proposal    /*** reference the IKE proposal ***/
srx_admin# set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123    /*** pre-shared key ***/
※※ Gateway
srx_admin# set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy    /*** reference the IKE policy ***/
srx_admin# set security ike gateway vpn1-gateway address 116.228.60.158    /*** remote gateway address ***/
srx_admin# set security ike gateway vpn1-gateway external-interface fe-0/0/0.0    /*** local outgoing interface ***/
※ VPN phase 2: IPsec
※※ Proposal
srx_admin# set security ipsec proposal vpn2-ipsec-proposal protocol esp    /*** IPsec protocol: ESP ***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96    /*** MD5 authentication ***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc    /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2    /*** enable PFS with group 2 ***/
srx_admin# set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal    /*** IPsec policy: reference the IPsec proposal ***/
※※ VPN
srx_admin# set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0    /*** bind the VPN to the tunnel interface ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway    /*** reference the phase 1 gateway ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy    /*** reference the phase 2 IPsec policy ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn establish-tunnels immediately    /*** start building the tunnel immediately ***/
※ Enable the IKE service on the outside interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Security policies in both directions
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
4.1.2 Policy based
※ Define the local and remote inside subnets and place them in the corresponding zones
srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24    /*** local inside subnet ***/
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24    /*** remote inside subnet ***/
※ VPN phase 1: IKE
※※ Proposal
srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys    /*** pre-shared key authentication ***/
srx_admin# set security ike proposal ike-phase1-proposal dh-group group2    /*** DH group 2 ***/
srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5    /*** MD5 authentication ***/
srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc    /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ike policy ike-phase1-policy mode main    /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal    /*** reference the IKE proposal ***/
srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123    /*** pre-shared key ***/
※※ Gateway
srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy    /*** reference the IKE policy ***/
srx_admin# set security ike gateway gw-chica address 116.228.60.157    /*** remote gateway address ***/
srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0    /*** local outgoing interface ***/
※ VPN phase 2: IPsec
※※ Proposal
srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp    /*** IPsec protocol: ESP ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96    /*** MD5 authentication ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc    /*** 3DES encryption ***/
※※ Policy
srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal    /*** IPsec policy: reference the IPsec proposal ***/
※※ VPN
srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica    /*** reference the phase 1 gateway ***/
srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy    /*** reference the IPsec policy ***/
srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic    /*** the VPN is established once traffic appears ***/
※ Enable the IKE service on the outside interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ VPN traffic policy
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close
※ Internet access policy (must follow the VPN policy, since policies are matched in order)
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit
※ VPN traffic policy
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica
Note: to enable logging under a policy:
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close
4.2 Remote VPN
4.2.1 SRX-side configuration
※ VPN phase 1: IKE policy
srx_admin# set security ike policy remote-vpn-policy mode aggressive    /*** aggressive mode with a shared pre-shared key: use a long random key ***/
srx_admin# set security ike policy remote-vpn-policy proposal-set compatible
srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123
※ VPN phase 1: IKE gateway
srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy
srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper
srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10
srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauthsrx
※ VPN phase 2: IPsec policy
srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible
※ VPN phase 2: IPsec VPN
srx_admin# set security ipsec vpn remotevpn ike gateway remote-vpn-gateway
srx_admin# set security ipsec vpn remotevpn ike ipsec-policy remote-vpn-ipsec-policy
srx_admin# set security ipsec vpn remotevpn establish-tunnels immediately
※ Address pool (DHCP) for remote users
srx_admin# set access address-pool DHCP-POOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCP-POOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCP-POOL primary-dns 8.8.8.8
Note: the address pool should be kept distinct from the inside subnet; an overlapping range causes many problems.
※ Create the remote authentication user.