Section 1  System configuration
1.1 Device initialisation
1.1.1 Login
On first login, connect to the SRX through the Console port and log in as root; the password is empty.
login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli /***enter operational mode***/
root>
root> configure
Entering configuration mode /***enter configuration mode***/
[edit]
root#
1.1.2 Set the root password
(The root password must be configured first; otherwise no subsequent configuration or change can be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is stored and displayed in encrypted form:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA
Note: it is strongly recommended not to use the other encryption options (such as encrypted-password) to set the root password or any other user password. That parameter expects a string that has already been hashed with the encryption algorithm, and when such a string is typed by hand there is a risk that the password will never validate.
Note: the root user is only for local management of the SRX over the console connection; it cannot log in remotely to manage the SRX. Only after the root password has been set successfully can commit be used to apply the subsequent configuration commands.
1.1.3 Create a user for remote management
root# set system login user lab class super-user authentication plain-text-password
New password: srx123
Retype new password: srx123
Note: this user (lab in the example) has super-user privileges and can be used for both console and remote management access; users with other, more restricted management rights can be defined in the same way as needed.
1.2 System management
1.2.1 Select the time zone
srx_admin# set system time-zone Asia/Shanghai /***Asia/Shanghai***/
1.2.2 System time
1.2.2.1 Set the time manually
srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-off NTP synchronisation
srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec
1.2.2.3 NTP servers
srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz
/***NTP servers for the SRX itself. To use a host name the device must be online and able to resolve it; otherwise the command cannot be entered***/
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin@holy-shit> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
dns.sjtu.edu.cn 15.179.156.248 3 - 16 64 1 5.473 -0.953 0.008
202.100.102.1 .INIT. 16 - - 64 0 0.000 0.000 4000.00
1.2.3 DNS server
srx_admin# set system name-server 202.96.209.5 /***DNS server for the SRX itself***/
1.2.4 System restart
1.2.4.1 Reboot the system
srx_admin> request system reboot
1.2.4.2 Power off the system
srx_admin> request system power-off
1.2.5 Alarm handling
1.2.5.1 View alarms
root# run show system alarms
2 alarms currently active
Alarm time Class Description
2015-11-20 14:21:49 UTC Minor Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC Minor Rescue configuration is not set
1.2.5.2 Clear the alarms
Alarm 1:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
Alarm 2:
root> request system configuration rescue save
1.2.6 Root password reset
If the SRX root password is lost and no other super-user account is available, the root password recovery procedure has to be performed. It interrupts normal operation of the device but does not lose the configuration. The steps are:
1. Reboot the firewall. When the prompt below appears on the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Run the password recovery: type recovery at the prompt below; the device then continues booting automatically
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
3. Enter configuration mode, delete the old root password, set a new root password, then commit and reboot
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Section 2  Network settings
2.1 Interfaces
2.1.1 PPPoE
※Enable PPP encapsulation on the external interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890
/***PPPoE password***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163
/***PPPoE account***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive
/***use passive mode***/
※PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890
/***PPPoE password***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163
/***PPPoE account***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890
/***PPPoE password***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive
/***use passive mode***/
※Bind the PPP interface to the physical interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
/***run the PPPoE dial-up over the external interface (fe-0/0/0)***/
※PPPoE dial-up attributes
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
/***idle timeout***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
/***redial automatically after 3 seconds***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client
/***this end acts as the PPPoE client***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492
/***change the MTU of this interface to 1492, because the PPPoE header adds a little overhead***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address
/***negotiate the address automatically, i.e. the server assigns a dynamic address***/
※Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※Put the PPPoE interface into the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※Verify that PPPoE has dialled up and obtained an IP address
srx_admin# run show interfaces terse | match pp
pp0 up up
pp0.0 up up inet 192.168.163.1 --> 1.1.1.1
ppd0 up up
ppe0 up up
Note:
After the PPPoE session is up, tune the MTU so that browsing performance is optimal (an unsuitable MTU makes web access sluggish).
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 /***adjust the MTU***/
srx_admin# set security flow tcp-mss all-tcp mss 1304 /***adjust the TCP MSS (segment size)***/
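The two values above (interface MTU and the clamped TCP MSS) have to fit together: the SRX rewrites the MSS option in TCP SYNs to the configured value, so if that value is larger than the MTU minus the IP and TCP headers, full-size segments still exceed the MTU. The following check is an added example and not part of the original guide; the only assumptions are the standard header sizes (PPPoE 8 bytes, IPv4+TCP 40 bytes, IPv6+TCP 60 bytes). It also generalises to IPv6, which the guide does not cover.

```python
# Added example (not from the original guide): PPPoE MTU / TCP MSS sizing check.
# Assumed figures are the standard header sizes: PPPoE adds 8 bytes (6 PPPoE + 2 PPP),
# IPv4 + TCP headers are 20 + 20 = 40 bytes, IPv6 + TCP headers are 40 + 20 = 60 bytes.
PPPOE_OVERHEAD = 8
IPV4_TCP_HEADERS = 40
IPV6_TCP_HEADERS = 60


def pppoe_mtu(link_mtu=1500):
    """MTU of the pp0 unit given the MTU of the underlying Ethernet link."""
    return link_mtu - PPPOE_OVERHEAD


def max_mss(mtu, ipv6=False):
    """Largest TCP MSS that still fits one segment into a packet of size mtu."""
    return mtu - (IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS)


def check_mss(mtu, mss, ipv6=False):
    """Return (ok, message) for a configured 'flow tcp-mss all-tcp mss' value.

    The SRX clamps the MSS option in TCP SYNs to `mss`; if that is larger than
    the interface MTU minus the IP/TCP headers, full-size segments still exceed
    the MTU and are fragmented or dropped, which shows up as sluggish browsing.
    """
    limit = max_mss(mtu, ipv6)
    if mss > limit:
        return False, f"mss {mss} exceeds mtu {mtu} minus headers; use at most {limit}"
    return True, f"mss {mss} fits in mtu {mtu} (limit {limit})"


if __name__ == "__main__":
    mtu = pppoe_mtu(1500)
    print("pp0.0 mtu:", mtu, "-> max IPv4 mss:", max_mss(mtu))
    print(check_mss(1492, 1452))
    # The tuned pair 1304/1304 from the note above leaves no room for headers:
    print(check_mss(1304, 1304))
    print(check_mss(1304, 1264))
```

With a 1500-byte Ethernet link the check returns an MTU of 1492 and a maximum MSS of 1452; for the 1304-byte MTU in the note, an MSS of 1264 is the largest value that passes.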
2.1.2 Manual (static address)
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※Enable a DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
/***DHCP gateway***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
/***first address of the DHCP pool***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
/***last address of the DHCP pool***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000
/***DHCP lease time***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name leadsystems.com.cn
/***DHCP domain name***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133
/***DNS servers handed out by DHCP***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0 /***interface whose settings are propagated to DHCP clients***/
※Configure the internal interface address
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※Allow the internal interface to serve the DHCP pool
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static routes
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153
/***default route***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0
/***route for the route-based VPN***/
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only
/***SNMP community and its access rights (read-only or read-write)***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32
/***SNMP monitoring host***/
srx_admin# set snmp community Ajitec client-list-name snmp_srx240
/***bind the client list to the community; without this the community is not restricted to the monitoring host***/
Section 3  Advanced settings
3.1.1 Change the management service ports
srx_admin# set system services web-management http port 8000
/***change the HTTP port of the web management interface***/
srx_admin# set system services web-management https port 1443
/***change the HTTPS port of the web management interface***/
3.1.2 Check the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis BZ2615AF0491 SRX100H2
Routing Engine REV 05 650-048781 BZ2615AF0491 RE-SRX100H2
FPC 0 FPC
PIC 0 8x FE Base PIC
Power Supply 0
3.1.3 Enable host-inbound services on the internal and external interfaces
※Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
/***afterwards the management page is reached at https://ip/admin; without this setting the address redirects straight to it***/
※Enable services on the internal interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping /***enable ping***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http /***enable http***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet /***enable telnet***/
※Enable services on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping /***enable ping***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet /***enable telnet***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http /***enable http***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all /***enable all services***/
3.1.4 Create a custom application (service)
/***an application can carry only one protocol; to cover TCP and UDP, use one term per protocol, otherwise the second protocol statement replaces the first***/
srx_admin# set applications application RDP term tcp protocol tcp /***first term: protocol tcp***/
srx_admin# set applications application RDP term tcp source-port 0-65535 /***source port***/
srx_admin# set applications application RDP term tcp destination-port 3389 /***destination port***/
srx_admin# set applications application RDP term udp protocol udp /***second term: protocol udp***/
srx_admin# set applications application RDP term udp source-port 0-65535 /***source port***/
srx_admin# set applications application RDP term udp destination-port 3389 /***destination port***/
3.1.5 VIP (port forwarding)
※Destination NAT configuration
srx_admin# set security nat destination pool 22 address 192.168.1.20/32
/***destination NAT pool: the real internal address***/
srx_admin# set security nat destination pool 22 address port 3389
/***destination NAT pool: the port on the internal host***/
srx_admin# set security nat destination rule-set 2 from zone untrust
/***destination NAT rule-set: traffic arrives from the untrust zone***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
/***destination NAT rule: any source address***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
/***destination NAT rule: the public destination address is 116.228.60.154***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389
/***destination NAT rule: the destination port on the public address***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22
/***destination NAT rule: translate to the pool address***/
※Policy configuration
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
3.1.6 MIP (one-to-one address mapping)
※Destination NAT configuration
srx_admin# set security nat destination pool 111 address 192.168.1.3/32
/***destination NAT pool: the real internal address***/
srx_admin# set security nat destination rule-set 1 from zone untrust
/***destination NAT rule-set: traffic arrives from the untrust zone***/
srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0
/***destination NAT rule: any source address***/
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32
/***destination NAT rule: the public destination address is 116.228.60.157***/
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 111
/***destination NAT rule: translate to the pool address (the pool name must match the one defined above)***/
※Proxy ARP
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32
※Policy configuration
srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
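To see how the two destination NAT configurations differ in effect (VIP forwards one port to one internal host and port, MIP maps every port of a public address to one internal host), the following model evaluates rule-sets and rules the way the SRX does: the rule-set is chosen by the ingress zone, the first matching rule in it wins, and the pool decides the translated address and port. This is an added example, not code from the original guide or from Juniper; the zone names, pools and rules mirror sections 3.1.5 and 3.1.6, and the packets (with the documentation address 198.51.100.7 as an Internet source) are constructed. It also checks that every rule references a defined pool, the kind of slip that is easy to make when typing set commands by hand and that a commit would otherwise reject.

```python
# Added example (not part of the original guide): a small model of SRX destination NAT
# evaluation for the VIP and MIP configurations above. Packets are constructed inputs.
from ipaddress import ip_address, ip_network


def dangling_pool_refs(pools, rule_sets):
    """List (rule-set, rule, pool) triples whose pool is not defined.

    A commit on the SRX rejects such a reference; checking it here shows the kind
    of slip (pool defined as 111, referenced as 11) that is easy to make by hand.
    """
    return [(rs_name, rule_name, rule["pool"])
            for rs_name, rs in rule_sets.items()
            for rule_name, rule in rs["rules"].items()
            if rule["pool"] not in pools]


def build_nat(pools, rule_sets):
    """Assemble the NAT table, refusing configurations with undefined pools."""
    bad = dangling_pool_refs(pools, rule_sets)
    if bad:
        raise ValueError(f"undefined destination NAT pools referenced: {bad}")
    return {"pools": pools, "rule_sets": rule_sets}


def _matches(rule, pkt):
    """All configured match conditions of a rule must hold."""
    if ip_address(pkt["src"]) not in ip_network(rule.get("source-address", "0.0.0.0/0")):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule["destination-address"]):
        return False
    return "destination-port" not in rule or rule["destination-port"] == pkt["dport"]


def destination_nat(nat, pkt):
    """Translated (dst, dport) for pkt, or the original pair when no rule matches.

    Rule-sets are selected by the ingress zone ('from zone'); inside a rule-set
    the first matching rule wins. A pool without a port (MIP style) keeps the
    original destination port, so every port is forwarded one-to-one.
    """
    for rs in nat["rule_sets"].values():
        if rs["from_zone"] != pkt["zone"]:
            continue
        for rule in rs["rules"].values():
            if _matches(rule, pkt):
                pool = nat["pools"][rule["pool"]]
                return pool["address"], pool.get("port", pkt["dport"])
    return pkt["dst"], pkt["dport"]


# Pools and rule-sets mirroring section 3.1.5 (VIP, pool 22) and 3.1.6 (MIP, pool 111).
POOLS = {
    "22": {"address": "192.168.1.20", "port": 3389},
    "111": {"address": "192.168.1.3"},
}
RULE_SETS = {
    "2": {"from_zone": "untrust", "rules": {
        "111": {"source-address": "0.0.0.0/0", "destination-address": "116.228.60.154/32",
                "destination-port": 3389, "pool": "22"}}},
    "1": {"from_zone": "untrust", "rules": {
        "11": {"source-address": "0.0.0.0/0", "destination-address": "116.228.60.157/32",
               "pool": "111"}}},
}
NAT = build_nat(POOLS, RULE_SETS)


def demo():
    """Constructed packets (198.51.100.7 is a documentation address); returns case -> (dst, dport)."""
    return {
        "vip_rdp": destination_nat(NAT, {"zone": "untrust", "src": "198.51.100.7", "dst": "116.228.60.154", "dport": 3389}),
        "vip_other_port": destination_nat(NAT, {"zone": "untrust", "src": "198.51.100.7", "dst": "116.228.60.154", "dport": 443}),
        "mip_http": destination_nat(NAT, {"zone": "untrust", "src": "198.51.100.7", "dst": "116.228.60.157", "dport": 80}),
        "wrong_zone": destination_nat(NAT, {"zone": "trust", "src": "192.168.1.50", "dst": "116.228.60.157", "dport": 80}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

Running it shows the VIP rule translating only port 3389 of 116.228.60.154 (port 443 passes through untranslated), the MIP rule translating any port of 116.228.60.157, and traffic from the trust zone untouched because no rule-set is configured for that zone.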
3.1.7 Disable the console port
juniper-srx@SRX100H2# edit system ports console /***enter the console port hierarchy***/
juniper-srx@SRX100H2# set disable /***disable the port***/
juniper-srx@SRX100H2# commit confirmed 3 /***commit for 3 minutes; unless confirmed, the change is rolled back after 3 minutes***/
3.1.8 Pinging the Internet from the SRX with a source address fails by default; source NAT is required
set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
3.1.9 Restrict management access to the SRX (management IP)
※Reference: host-inbound services on the firewall's external interface
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
※Define a firewall filter that specifies the allowed source addresses and ports
set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
/***allow SSH to the management address from the permitted source address***/
set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
/***discard SSH to the management address from every other source***/
set firewall filter Outside_access_in term Permit_ANY then accept
/***let all remaining traffic through (see note ① below)***/
※Apply the filter on the firewall's external interface to enforce the restriction
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in
Note: ① When configuring a deny term, remember to permit the remaining traffic after the denied port, because a filter ends with an implicit discard and everything no term accepts is dropped.
② When configuring a deny term, do not match all traffic; that would discard everything.
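Notes ① and ② come down to how a stateless Junos firewall filter evaluates its terms: top to bottom, first match wins, and anything that reaches the end of the filter is discarded. The following model of that evaluation is an added example, not code from the original guide or from Juniper; the term names and addresses follow the Outside_access_in filter above, and the packets (with the documentation address 203.0.113.9 standing in for an arbitrary Internet host) are constructed. It runs the same packets through the filter with and without the trailing Permit_ANY term to show what note ① is warning about.

```python
# Added example (not from the original guide): how a Junos stateless firewall filter
# such as Outside_access_in evaluates its terms in order, ending in an implicit discard.
from ipaddress import ip_address, ip_network

SSH = 22


def term_matches(term, pkt):
    """All 'from' conditions of a term must hold; a term with no 'from' matches everything."""
    conds = term.get("from", {})
    if "source-address" in conds and ip_address(pkt["src"]) not in ip_network(conds["source-address"]):
        return False
    if "destination-address" in conds and ip_address(pkt["dst"]) not in ip_network(conds["destination-address"]):
        return False
    if "protocol" in conds and conds["protocol"] != pkt["proto"]:
        return False
    if "destination-port" in conds and conds["destination-port"] != pkt["dport"]:
        return False
    return True


def evaluate(filter_terms, pkt):
    """Action of the first matching term; 'discard' when no term matches (the implicit final rule)."""
    for term in filter_terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"


# Outside_access_in as configured in section 3.1.9 (term order matters).
OUTSIDE_ACCESS_IN = [
    {"name": "Permit_IP", "from": {"source-address": "116.228.60.158/32",
                                   "destination-address": "59.46.184.114/32",
                                   "protocol": "tcp", "destination-port": SSH}, "then": "accept"},
    {"name": "Deny_ANY", "from": {"destination-address": "59.46.184.114/32",
                                  "protocol": "tcp", "destination-port": SSH}, "then": "discard"},
    {"name": "Permit_ANY", "then": "accept"},
]

# The same filter without the trailing Permit_ANY term (the situation note ① warns about).
WITHOUT_PERMIT_ANY = OUTSIDE_ACCESS_IN[:2]

# Constructed packets: 203.0.113.9 (a documentation address) stands in for an arbitrary Internet host.
MGMT_SSH_FROM_ADMIN = {"src": "116.228.60.158", "dst": "59.46.184.114", "proto": "tcp", "dport": SSH}
MGMT_SSH_FROM_OTHER = {"src": "203.0.113.9", "dst": "59.46.184.114", "proto": "tcp", "dport": SSH}
IKE_FROM_PEER = {"src": "203.0.113.9", "dst": "59.46.184.114", "proto": "udp", "dport": 500}


def decisions(filter_terms):
    """Filter verdict for each constructed packet."""
    return {
        "ssh_from_admin": evaluate(filter_terms, MGMT_SSH_FROM_ADMIN),
        "ssh_from_other": evaluate(filter_terms, MGMT_SSH_FROM_OTHER),
        "ike_from_peer": evaluate(filter_terms, IKE_FROM_PEER),
    }


if __name__ == "__main__":
    print("with Permit_ANY:   ", decisions(OUTSIDE_ACCESS_IN))
    print("without Permit_ANY:", decisions(WITHOUT_PERMIT_ANY))
```

With the filter as configured, SSH from the permitted address is accepted, SSH from any other address is discarded, and unrelated traffic such as IKE from a VPN peer is accepted by Permit_ANY. Without that last term the IKE packet falls off the end of the filter and is discarded too, which is exactly how a management-access filter silently breaks the site-to-site VPN.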
3.2.0 Configuration rollback
※View past commits
srx_admin# run show system commit
0 2016-05-04 11:47:46 UTC by root via junoscript
1 2016-05-04 11:40:11 UTC by root via cli
2 2016-05-04 11:38:36 UTC by root via cli
3 2016-04-27 11:41:07 UTC by root via cli
4 2016-04-01 17:37:22 UTC by root via button
※Roll back the configuration ("rollback 0" returns to the most recent commit; the list shows the available rollback numbers)
srx_admin# rollback ?
Possible completions:
<[Enter]> Execute this command
0 2016-05-04 11:47:46 UTC by root via junoscript
1 2016-05-04 11:40:11 UTC by root via cli
2 2016-05-04 11:38:36 UTC by root via cli
3 2016-04-27 11:41:07 UTC by root via cli
4 2016-04-01 17:37:22 UTC by root via button
| Pipe through a command
3.2.1 Applying UTM
※Reference a UTM policy from a security policy
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy
3.2.2 Fixing slow network access
srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check /***disables TCP sequence-number checking for sessions, which relaxes the stateful TCP validation***/
Section 4  VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route-based
/***standard or compatible proposal-set mode***/
※Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
/***create the st0.0 interface***/
srx_admin# set security zones security-zone untrust interfaces st0.0
/***place the tunnel interface st0.0 in the untrust zone***/
※Create the route to the remote site's internal network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※Phase 1 IKE policy
srx_admin# set security ike policy lead mode main
/***negotiation mode: main or aggressive***/
srx_admin# set security ike policy lead proposal-set standard
/***predefined proposal set (standard or compatible)***/
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123
/***pre-shared key***/
※Phase 1 IKE gateway
srx_admin# set security ike gateway gw1 ike-policy lead
/***reference the phase 1 IKE policy***/
srx_admin# set security ike gateway gw1 address 116.228.60.158
/***remote gateway address***/
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0
/***local VPN egress interface***/
Note: if the uplink is a PPPoE dial-up, the external interface must be the PPP interface:
srx_admin# set security ike gateway gw1 external-interface pp0.0
※Phase 2 IPsec configuration
srx_admin# set security ipsec policy abc proposal-set standard
/***predefined proposal set (standard or compatible)***/
srx_admin# set security ipsec vpn test bind-interface st0.0
/***bind the VPN to the tunnel interface***/
srx_admin# set security ipsec vpn test ike gateway gw1
/***reference the gateway***/
srx_admin# set security ipsec vpn test ike ipsec-policy abc
/***reference the IPsec policy (proposal set)***/
srx_admin# set security ipsec vpn test establish-tunnels immediately
/***start negotiating immediately***/
※Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※Policies for traffic in both directions
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
/***custom mode***/
※Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
/***create the st0.0 interface***/
srx_admin# set security zones security-zone untrust interfaces st0.0
/***place the tunnel interface st0.0 in the untrust zone***/
※Create the route to the remote site's internal network
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※Phase 1 IKE configuration
※※Proposal
srx_admin# set security ike proposal vpn1-proposal authentication-method pre-shared-keys
/***authenticate with pre-shared keys***/
srx_admin# set security ike proposal vpn1-proposal dh-group group2
/***DH group 2***/
srx_admin# set security ike proposal vpn1-proposal authentication-algorithm md5
/***MD5 integrity (a legacy algorithm)***/
srx_admin# set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc
/***3DES encryption (a legacy algorithm)***/
※※Policy
srx_admin# set security ike policy vpn1-ike-policy mode main
/***negotiation mode: main or aggressive***/
srx_admin# set security ike policy vpn1-ike-policy proposals vpn1-proposal
/***reference the IKE proposal***/
srx_admin# set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123
/***pre-shared key***/
※※Gateway
srx_admin# set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy
/***reference the IKE policy***/
srx_admin# set security ike gateway vpn1-gateway address 116.228.60.158
/***remote gateway address***/
srx_admin# set security ike gateway vpn1-gateway external-interface fe-0/0/0.0
/***local egress interface***/
※Phase 2 IPsec configuration
※※Proposal
srx_admin# set security ipsec proposal vpn2-ipsec-proposal protocol esp
/***IPsec proposal protocol: ESP***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96
/***MD5 integrity (a legacy algorithm)***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc
/***3DES encryption (a legacy algorithm)***/
※※Policy
srx_admin# set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2
/***enable PFS with group 2***/
srx_admin# set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal /***IPsec policy: reference the IPsec proposal***/
※※VPN
srx_admin# set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0
/***IPsec VPN: bind the tunnel interface***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway
/***IPsec VPN: reference the phase 1 gateway***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy
/***IPsec VPN: reference the phase 2 IPsec policy***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn establish-tunnels immediately
/***start establishing the tunnel immediately***/
※Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※Policies for traffic in both directions
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
4.1.2 Policy-based
※Define the local and remote internal subnets and place them in the corresponding zones
srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24
/***local internal subnet***/
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24
/***remote internal subnet***/
※Phase 1 IKE configuration
※※Proposal
srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys /***use pre-shared keys***/
srx_admin# set security ike proposal ike-phase1-proposal dh-group group2
/***DH group 2***/
srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5
/***MD5 integrity (a legacy algorithm)***/
srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
/***3DES encryption (a legacy algorithm)***/
※※Policy
srx_admin# set security ike policy ike-phase1-policy mode main
/***negotiation mode: main or aggressive***/
srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal
/***reference the IKE proposal***/
srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123
/***pre-shared key***/
※※Gateway
srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy
/***reference the IKE policy***/
srx_admin# set security ike gateway gw-chica address 116.228.60.157
/***remote gateway address***/
srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0
/***local egress interface***/
※Phase 2 IPsec configuration
※※Proposal
srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp
/***IPsec proposal protocol: ESP***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
/***MD5 integrity (a legacy algorithm)***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc /***3DES encryption (a legacy algorithm)***/
※※Policy
srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal /***IPsec policy: reference the IPsec proposal***/
※※VPN
srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica
/***IPsec VPN: reference the phase 1 gateway***/
srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy
/***reference the IPsec policy***/
srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic
/***the VPN is established once matching traffic arrives***/
※Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※VPN traffic policies
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close
※Internet traffic policy
trust->untrust
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit
untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica
Note: enable session logging on the policy
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close
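Both the route-based (4.1.1, custom mode) and the policy-based (4.1.2) configurations only come up if the two gateways agree on the phase 1 and phase 2 parameters: the IKE mode, the pre-shared key, one IKE proposal in common (authentication method, DH group, integrity and encryption algorithms), the PFS setting and one IPsec proposal in common. The following checker is an added example, not code from the original guide or from Juniper. The local side mirrors the vpn1-proposal / vpn2-ipsec-proposal commands of 4.1.1; the three remote peers are constructed, and the algorithm names used for the "modern" peer (group14, sha-256, aes-256-cbc, hmac-sha-256-128) are ordinary Junos values. The checker also lists the legacy algorithms a configuration review would flag in the guide's proposals.

```python
# Added example (not from the original guide): does a pair of IKE/IPsec configurations
# negotiate, and which legacy algorithms are in use? Peers below are constructed.
from dataclasses import dataclass
from typing import List, Optional

LEGACY_ALGORITHMS = {"md5", "hmac-md5-96", "3des-cbc", "des-cbc", "group1", "group2"}


@dataclass(frozen=True)
class IkeProposal:
    authentication_method: str
    dh_group: str
    authentication_algorithm: str
    encryption_algorithm: str


@dataclass(frozen=True)
class IpsecProposal:
    protocol: str
    authentication_algorithm: str
    encryption_algorithm: str


@dataclass
class Peer:
    mode: str                         # ike policy mode: 'main' or 'aggressive'
    ike_proposals: List[IkeProposal]
    ipsec_proposals: List[IpsecProposal]
    pfs_group: Optional[str] = None   # perfect-forward-secrecy keys group, None = PFS off
    psk: str = ""


def negotiate(local: Peer, remote: Peer):
    """Return (ok, reason, chosen_ike_proposal, chosen_ipsec_proposal).

    Mirrors the order in which a tunnel fails in practice: phase 1 (mode, key,
    proposal) must succeed before phase 2 (PFS, IPsec proposal) is even tried.
    """
    if local.mode != remote.mode:
        return False, f"phase 1 mode mismatch: {local.mode} vs {remote.mode}", None, None
    if local.psk != remote.psk:
        return False, "pre-shared keys differ", None, None
    ike = next((p for p in local.ike_proposals if p in remote.ike_proposals), None)
    if ike is None:
        return False, "no common IKE proposal", None, None
    if local.pfs_group != remote.pfs_group:
        return False, f"PFS mismatch: {local.pfs_group} vs {remote.pfs_group}", ike, None
    ipsec = next((p for p in local.ipsec_proposals if p in remote.ipsec_proposals), None)
    if ipsec is None:
        return False, "no common IPsec proposal", ike, None
    return True, "ok", ike, ipsec


def legacy_algorithms(peer: Peer):
    """Sorted names of legacy algorithms a configuration review would flag."""
    used = set()
    for p in peer.ike_proposals:
        used.update({p.dh_group, p.authentication_algorithm, p.encryption_algorithm})
    for p in peer.ipsec_proposals:
        used.update({p.authentication_algorithm, p.encryption_algorithm})
    return sorted(used & LEGACY_ALGORITHMS)


# Local side as in section 4.1.1 (custom mode): vpn1-proposal, vpn2-ipsec-proposal, PFS group2.
LOCAL = Peer(mode="main",
             ike_proposals=[IkeProposal("pre-shared-keys", "group2", "md5", "3des-cbc")],
             ipsec_proposals=[IpsecProposal("esp", "hmac-md5-96", "3des-cbc")],
             pfs_group="group2", psk="juniper123")

# Constructed remote peers.
MATCHING_PEER = Peer(mode="main", ike_proposals=list(LOCAL.ike_proposals),
                     ipsec_proposals=list(LOCAL.ipsec_proposals), pfs_group="group2", psk="juniper123")
NO_PFS_PEER = Peer(mode="main", ike_proposals=list(LOCAL.ike_proposals),
                   ipsec_proposals=list(LOCAL.ipsec_proposals), pfs_group=None, psk="juniper123")
MODERN_PEER = Peer(mode="main",
                   ike_proposals=[IkeProposal("pre-shared-keys", "group14", "sha-256", "aes-256-cbc")],
                   ipsec_proposals=[IpsecProposal("esp", "hmac-sha-256-128", "aes-256-cbc")],
                   pfs_group="group14", psk="juniper123")

if __name__ == "__main__":
    for name, peer in [("matching", MATCHING_PEER), ("no_pfs", NO_PFS_PEER), ("modern", MODERN_PEER)]:
        ok, reason, _, _ = negotiate(LOCAL, peer)
        print(f"{name:9s} ok={ok} reason={reason}")
    print("legacy algorithms on local side:", legacy_algorithms(LOCAL))
```

The matching peer negotiates; the peer without PFS fails in phase 2 even though phase 1 succeeded (a common cause of "IKE is up but no traffic flows"); and the peer that only offers current algorithms fails in phase 1 because the guide's proposal set has nothing in common with it, which is what a migration away from MD5 and 3DES has to take into account on both ends at once.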
4.2 Remote-access VPN
4.2.1 SRX-side configuration
※Phase 1 IKE policy
srx_admin# set security ike policy remote-vpn-policy mode aggressive
srx_admin# set security ike policy remote-vpn-policy proposal-set compatible
srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123
※Phase 1 IKE gateway
srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy
srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper
srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10
srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauthsrx
※Phase 2 IPsec policy
srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible
※Phase 2 IPsec VPN
srx_admin# set security ipsec vpn remotevpn ike gateway remote-vpn-gateway
srx_admin# set security ipsec vpn remotevpn ike ipsec-policy remote-vpn-ipsec-policy
srx_admin# set security ipsec vpn remotevpn establish-tunnels immediately
※Address pool for remote users
srx_admin# set access address-pool DHCP-POOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCP-POOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCP-POOL primary-dns 8.8.8.8
Note: the address pool should be kept separate from the internal subnet; otherwise many problems arise.
※Create the remote-access authentication user
srx_admin# set access profile xauthsrx authentication-order password
srx_admin# set access profile xauthsrx client L2TP_USER_MA firewall-user password 123456
※Enable the IKE service on the external interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※Policy untrust->trust
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match destination-address network
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match application any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then permit tunnel ipsec-vpn remotevpn
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-init
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-close
4.2.2 Client configuration