Building a Remote Access VPN on Juniper SRX

2023-05-07, Sunday / 0 comments / 0 likes / 74 views / 4619 characters


1. Configure IKE Phase 1

set security ike policy IKE-POLICY mode aggressive    // the mode required for Remote Access
set security ike policy IKE-POLICY proposal-set standard    // use the default proposal set
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz"    // $9$ is reversible obfuscation, not encryption
set security ike gateway GW ike-policy IKE-POLICY
set security ike gateway GW dynamic hostname SRX-1
set security ike gateway GW dynamic ike-user-type shared-ike-id
set security ike gateway GW external-interface ge-0/0/1
set security ike gateway GW xauth access-profile DYNAMIC-VPN

2. Configure IPsec Phase 2

set security ipsec policy IPSEC-POLICY proposal-set standard
set security ipsec vpn DYNAMIC-VPN ike gateway GW
set security ipsec vpn DYNAMIC-VPN ike ipsec-policy IPSEC-POLICY

3. Allow host-inbound traffic on the interfaces

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

4. Configure the security policy

set security policies from-zone untrust to-zone trust policy DYNAMIC match source-address any
set security policies from-zone untrust to-zone trust policy DYNAMIC match destination-address any
set security policies from-zone untrust to-zone trust policy DYNAMIC match application any
set security policies from-zone untrust to-zone trust policy DYNAMIC then permit tunnel ipsec-vpn DYNAMIC-VPN

5. Configure the dynamic VPN

set security dynamic-vpn access-profile DYNAMIC-VPN
set security dynamic-vpn clients all remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn DYNAMIC-VPN
set security dynamic-vpn clients all user my

6. Configure the access profile, the address pool and the authentication method

set access profile DYNAMIC-VPN client my firewall-user password "$9$0-D4BEyX7Vbw2MWHq.fzFreKMxNVwYgaZN-"
set access profile DYNAMIC-VPN address-assignment pool DYNAMIC-VPN-POOL
set access address-assignment pool DYNAMIC-VPN-POOL family inet network 192.168.1.0/24
set access address-assignment pool DYNAMIC-VPN-POOL family inet range POOL-RANGE low 192.168.1.10
set access address-assignment pool DYNAMIC-VPN-POOL family inet range POOL-RANGE high 192.168.1.20
set access address-assignment pool DYNAMIC-VPN-POOL family inet xauth-attributes primary-dns 202.100.3.10/32
set access firewall-authentication web-authentication default-profile DYNAMIC-VPN

7. Verification

root@SRX-1> show security ipsec sa detail
root@SRX-1> show security ike sa detail
root@SRX-1> show security dynamic-vpn users
root@SRX-1> show security ike active-peer
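A small configuration-review script, added here as an example and not part of the original post: it tokenizes Junos set-style lines like the ones above and flags the settings a defender should keep in mind when accepting this design (aggressive mode, shared IKE identity, $9$-obfuscated secrets, split tunnelling). The sample config embedded in it is a constructed, trimmed copy of the article's commands, and the identifier DYNAMIC-VPN is assumed.

```python
import shlex

# Constructed sample: a trimmed copy of the article's set commands. The
# identifier DYNAMIC-VPN is assumed, as is the $9$ value standing in for a PSK.
SAMPLE_CONFIG = """\
set security ike policy IKE-POLICY mode aggressive
set security ike policy IKE-POLICY proposal-set standard
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$SYVlvLdb2GDkbsfz"
set security ike gateway GW dynamic ike-user-type shared-ike-id
set security ipsec vpn DYNAMIC-VPN ike gateway GW
set security dynamic-vpn clients all remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
"""

# Each check: (name, predicate over the token list, reviewer note).
CHECKS = [
    ("ikev1-aggressive-mode",
     lambda t: "ike" in t and t[-2:] == ["mode", "aggressive"],
     "Aggressive mode exposes the PSK-derived hash to an on-path observer; "
     "use a long random PSK and alert on repeated IKE authentication failures."),
    ("psk-obfuscated-not-encrypted",
     lambda t: "pre-shared-key" in t and any(v.startswith("$9$") for v in t),
     "$9$ is reversible Junos obfuscation, not encryption; treat config "
     "backups and 'show configuration' output as secret material."),
    ("shared-ike-identity",
     lambda t: t[-2:] == ["ike-user-type", "shared-ike-id"],
     "All clients share one IKE identity and PSK; per-user accountability "
     "rests entirely on XAuth credentials and their authentication logs."),
    ("split-tunnel-default-route",
     lambda t: "dynamic-vpn" in t and t[-2:] == ["remote-exceptions", "0.0.0.0/0"],
     "Only remote-protected-resources traverse the tunnel; all other client "
     "traffic bypasses the SRX and its security policies."),
]

def audit(config_text):
    """Return (check_name, offending_line, note) for every 'set' line that trips a check."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)  # keeps the quoted PSK as a single token
        findings.extend((name, line, note) for name, hit, note in CHECKS if hit(tokens))
    return findings

if __name__ == "__main__":
    for name, line, note in audit(SAMPLE_CONFIG):
        print(f"[{name}] {line}\n    {note}")
```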
