Juniper SRX remote-access VPN (dynamic-vpn)

2023-05-22 Monday / 0 comments / 0 likes / 16 views / 17172 characters


IPsec-based dynamic VPN

External (untrust) users dial in to the SRX firewall to get secure remote VPN access from untrust to the trust-side internal network 192.168.2.0/24. The DMZ is not involved in this example.

Step 1: Configure the user authentication access profile

set access profile ra-users authentication-order password
set access profile ra-users client user1 firewall-user password user1
set access profile ra-users client user2 firewall-user password user2
set access firewall-authentication web-authentication default-profile ra-users


Step 2: Configure the IKE proposal

set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc


Step 3: Configure the IKE policy

set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123


Step 4: Configure the IKE gateway

set security ike gateway ra-gw ike-policy ra-policy
set security ike gateway ra-gw dynamic hostname freeit.com.cn
set security ike gateway ra-gw dynamic connections-limit 40
set security ike gateway ra-gw external-interface ge-0/0/1.0
set security ike gateway ra-gw xauth access-profile ra-users



Step 5: Configure the IPsec proposal

set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc


Step 6: Configure the IPsec policy

set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro


Step 7: Configure the IPsec VPN

set security ipsec vpn ra-vpn ike gateway ra-gw
set security ipsec vpn ra-vpn ike ipsec-policy ra-ipsec-policy


Step 8: Configure the dynamic VPN

set security dynamic-vpn access-profile ra-users
set security dynamic-vpn clients client1 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client1 ipsec-vpn ra-vpn
set security dynamic-vpn clients client1 user user1
set security dynamic-vpn clients client2 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client2 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client2 ipsec-vpn ra-vpn
set security dynamic-vpn clients client2 user user2


Step 9: Configure the security policy that matches the dynamic VPN users

set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match source-address any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match destination-address trust_172.16.1.0
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn ra-vpn
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-init
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-close
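The IKE and IPsec settings in steps 2 through 6 (3DES, MD5, DH group 2, aggressive mode with a pre-shared key) are what a reviewer would flag before exposing this gateway to the Internet. The following script is an added example, not part of the original post or of Juniper's tooling: it parses Junos `set`-style lines into per-object attribute maps and reports the parameters that fall under its own weak-settings policy (the `WEAK_*` sets are this script's assumption, not a Juniper list). The sample input embeds the post's own commands, plus a constructed hardened variant so the audit has a clean case to compare against.

```python
"""Audit Junos SRX 'set security ike/ipsec ...' lines for weak settings.

Added example for this post (not the article's or Juniper's code). The
WEAK_* sets below are this script's reviewer policy, an assumption.
"""
import re
from typing import Dict, List, Tuple

# Values this audit treats as weak (assumption: reviewer policy).
WEAK_AUTH_ALGS = {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96"}
WEAK_ENC_ALGS = {"des-cbc", "3des-cbc"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}

# Constructed sample 1: the post's own IKE/IPsec commands.
SAMPLE_CONFIG = """
set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc
set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123
set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro
"""

# Constructed sample 2: the same objects with settings the audit accepts.
# Whether a given remote-access client negotiates these must be checked
# against that client; this is only what the audit considers acceptable.
HARDENED_CONFIG = """
set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group14
set security ike proposal ra-pro authentication-algorithm sha-256
set security ike proposal ra-pro encryption-algorithm aes-256-cbc
set security ike policy ra-policy mode main
set security ike policy ra-policy proposals ra-pro
set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-sha-256-128
set security ipsec proposal ra-ipsec-pro encryption-algorithm aes-256-cbc
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group14
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro
"""

SET_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (.+)$")

Finding = Tuple[str, str, str, str]  # (object, attribute, value, reason)


def parse_set_lines(text: str) -> Dict[str, Dict[str, str]]:
    """Group set statements into {'ike proposal ra-pro': {attribute: value}}.

    Multi-token attributes such as 'perfect-forward-secrecy keys group2' or
    'pre-shared-key ascii-text <secret>' keep the first token as the
    attribute name and the last token as its value.
    """
    objects: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue  # not an ike/ipsec proposal or policy line
        proto, kind, name, rest = m.groups()
        tokens = rest.split()
        value = tokens[-1] if len(tokens) > 1 else ""
        objects.setdefault(f"{proto} {kind} {name}", {})[tokens[0]] = value
    return objects


def audit(objects: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one finding per weak attribute across all parsed objects."""
    checks = (
        ("authentication-algorithm", WEAK_AUTH_ALGS, "weak integrity algorithm"),
        ("encryption-algorithm", WEAK_ENC_ALGS, "weak cipher"),
        ("dh-group", WEAK_DH_GROUPS, "weak Diffie-Hellman group"),
        ("perfect-forward-secrecy", WEAK_DH_GROUPS, "weak PFS group"),
    )
    findings: List[Finding] = []
    for obj, attrs in objects.items():
        for attribute, weak_values, reason in checks:
            value = attrs.get(attribute)
            if value in weak_values:
                findings.append((obj, attribute, value, reason))
        if attrs.get("mode") == "aggressive":
            findings.append((obj, "mode", "aggressive",
                             "aggressive mode sends the identity unprotected "
                             "and, with a PSK, lets the key be guessed offline"))
    return findings


def audit_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_set_lines(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("%s: %s %s (%s)" % finding)
    print("hardened findings:", audit_text(HARDENED_CONFIG))
```

Run against the post's commands the audit reports seven findings (the MD5 and 3DES choices in both proposals, group 2 for both the IKE exchange and PFS, and aggressive mode); the hardened variant reports none. The `show security ike security-associations` and `show security ipsec security-associations` output later in the post confirms the negotiated result of the original settings (Mode Aggressive, ESP:3des/md5), so the same check is worth running against the live device, not just the candidate configuration.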


Step 10: The client connects through a web browser (IE) at:

https://192.168.114.190/dynamic-vpn (web access is only needed the first time; afterwards, connect with the downloaded client)

After entering valid user credentials, you are prompted to download and install the client.

Once the installation completes you can dial in to the VPN; later connections go directly through the downloaded plug-in.

Checking the result:

root@freeit_SRX# run show security dynamic-vpn users detail
User: NULL , Usergroup: NULL , Number of connections: 0
    Remote IP: 20.114.168.192
    IKE ID  : NULL
    IKE Lifetime: 0
    IPSEC Lifetime: 0
    Status: CONNECTED

root@freeit_SRX# run show security dynamic-vpn client version
Junos Pulse 2.0.3.11013

root@freeit_SRX# run show security ike active-peer
Remote Address                      Port     Peer IKE-ID                         XAUTH username                      Assigned IP
192.168.114.20                      54820    freeit.com.cn                       user1

root@freeit_SRX# run show security ike security-associations
Index   State Initiator cookie  Responder cookie                  Mode           Remote Address
5293799 UP     bff633e93801d22a  6821a6391ef46a44     Aggressive    192.168.114.20

root@freeit_SRX# run show security ipsec security-associations
  Total active tunnels: 1
  ID               Algorithm       SPI      Life:sec/kb  Mon         lsys       Port  Gateway
  <268173315 ESP:3des/md5 39226897       3150/             500000 -root      500   192.168.114.20
  >268173315 ESP:3des/md5 9a7ad7bb       3150/             500000 -root      500   192.168.114.20

root@freeit_SRX# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:             1792
  Decrypted bytes:              960
  Encrypted packets:             16
  Decrypted packets:             16
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

