I. Topology
The firewall is divided into three security zones: trust, untrust and dmz.
trust interface: ge-0/0/0, IP 192.168.1.1/24, company office LAN.
untrust interface: ge-0/0/1, IP 100.100.100.1/24, connected to the Internet.
dmz interface: ge-0/0/2, IP 10.10.10.1/24, company server segment.
Address pool for remote dynamic VPN clients: 172.16.10.0/24, assigned range 172.16.10.10 to 172.16.10.250.
II. Configuration
1. Configure the host name, the root password, and HTTPS web management with a system-generated certificate (the Pulse client is downloaded from this HTTPS portal)
set system host-name srx2
set system root-authentication encrypted-password "$1$iu2fOc8K$3htfeb/bly.2BfRoDsqVX."
set system services web-management https system-generated-certificate
2. Configure interface IP addresses
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 100.100.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24
3. Configure VPN phase 1 (IKE)
Dynamic VPN requires aggressive mode with a group IKE ID, so the IKE identity is sent in the clear and the pre-shared key is exposed to offline guessing: use a long random PSK and treat the XAuth user login (access-profile dynamic-users) as the second factor. proposal-set standard selects 3DES or AES-128 with SHA-1 and DH group 2. The hostname under dynamic is the group IKE ID that clients present; here it happens to match the firewall host name.
set security ike policy ike-pol1 mode aggressive
set security ike policy ike-pol1 proposal-set standard
set security ike policy ike-pol1 pre-shared-key ascii-text "$9$/kW.Au1Srv7-wRh-wYgUD9Ap0RhylK8xN"
set security ike gateway gate-dynamic ike-policy ike-pol1
set security ike gateway gate-dynamic dynamic hostname srx2
set security ike gateway gate-dynamic dynamic connections-limit 50
set security ike gateway gate-dynamic dynamic ike-user-type group-ike-id
set security ike gateway gate-dynamic external-interface ge-0/0/1
set security ike gateway gate-dynamic xauth access-profile dynamic-users
4. Configure VPN phase 2 (IPsec)
set security ipsec policy ipsec-pol1 proposal-set standard
set security ipsec vpn dynamic-vpn ike gateway gate-dynamic
set security ipsec vpn dynamic-vpn ike ipsec-policy ipsec-pol1
5. Configure dynamic VPN parameters
remote-protected-resources are the networks the client sends through the tunnel; remote-exceptions 0.0.0.0/0 excludes everything else, i.e. split tunneling, so the client's ordinary Internet traffic does not pass through the firewall.
set security dynamic-vpn access-profile dynamic-users
set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients all remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dynamic-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2
set security dynamic-vpn clients all user louis.yang
6. Configure security policies
The tunnel action limits the two untrust-inbound policies to traffic arriving through dynamic-vpn, but their any/any/any match lets every authenticated client reach every host and service in trust and dmz.
set security policies from-zone trust to-zone untrust policy p2 match source-address any
set security policies from-zone trust to-zone untrust policy p2 match destination-address any
set security policies from-zone trust to-zone untrust policy p2 match application any
set security policies from-zone trust to-zone untrust policy p2 then permit
set security policies from-zone dmz to-zone untrust policy p3 match source-address any
set security policies from-zone dmz to-zone untrust policy p3 match destination-address any
set security policies from-zone dmz to-zone untrust policy p3 match application any
set security policies from-zone dmz to-zone untrust policy p3 then permit
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy then permit tunnel ipsec-vpn dynamic-vpn
set security policies from-zone untrust to-zone dmz policy p4 match source-address any
set security policies from-zone untrust to-zone dmz policy p4 match destination-address any
set security policies from-zone untrust to-zone dmz policy p4 match application any
set security policies from-zone untrust to-zone dmz policy p4 then permit tunnel ipsec-vpn dynamic-vpn
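The two inbound policies above can be tightened without changing how the VPN works. The following is an added example, not part of the original post: it assumes zone-attached address books (which cannot be mixed with a global address book on the same device) and the hypothetical names vpn-pool, office-lan and server-lan; the DMZ application list is a placeholder to be replaced with what the servers actually expose.

```junos
# Added hardening example (not from the original post). Address-book entries
# and the names vpn-pool, office-lan, server-lan are assumptions.
set security zones security-zone untrust address-book address vpn-pool 172.16.10.0/24
set security zones security-zone trust address-book address office-lan 192.168.1.0/24
set security zones security-zone dmz address-book address server-lan 10.10.10.0/24

# untrust -> trust: only clients holding a pool address, only to the office LAN.
# The tunnel action is unchanged, so clear-text traffic from the Internet that
# matches this policy is still not permitted.
delete security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match source-address vpn-pool
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match destination-address office-lan
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy then permit tunnel ipsec-vpn dynamic-vpn
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy then log session-close

# untrust -> dmz: same source restriction, and only the services the servers
# publish (placeholder list of Junos predefined applications).
delete security policies from-zone untrust to-zone dmz policy p4 match
set security policies from-zone untrust to-zone dmz policy p4 match source-address vpn-pool
set security policies from-zone untrust to-zone dmz policy p4 match destination-address server-lan
set security policies from-zone untrust to-zone dmz policy p4 match application [ junos-ssh junos-http junos-https junos-icmp-all ]
set security policies from-zone untrust to-zone dmz policy p4 then permit tunnel ipsec-vpn dynamic-vpn
set security policies from-zone untrust to-zone dmz policy p4 then log session-close
```

The source match works because every client receives its address from dynamic-pool via XAuth before any data flows; the session-close logging gives per-user visibility of what was reached through the tunnel, which the original any/any policies do not provide.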
7. Configure security zones
ike and https must be allowed inbound on untrust: IKE for the tunnel itself, HTTPS for the Pulse client download and XAuth login portal served by J-Web. This also exposes the J-Web login page to the Internet, so the root and client passwords must be strong.
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
8. Configure the access profile
The xauth-attributes of the pool are pushed to the client; 202.96.134.133 is a public ISP resolver, so point primary-dns at an internal DNS server if clients need to resolve internal names through the tunnel.
set access profile dynamic-users client client1 firewall-user password "$9$yjQeMXVwgUjq7-jqmfn6revW7-bs2aGD"
set access profile dynamic-users client client2 firewall-user password "$9$nmBV9tOhSeX7V1R7VwYZG69Ap1RcylMLx"
set access profile dynamic-users client louis.yang firewall-user password "$9$upaWBRSvWxwYoreYoJGq.0BIEreM8X-bs"
set access profile dynamic-users address-assignment pool dynamic-pool
set access address-assignment pool dynamic-pool family inet network 172.16.10.0/24
set access address-assignment pool dynamic-pool family inet range dynamic-range low 172.16.10.10
set access address-assignment pool dynamic-pool family inet range dynamic-range high 172.16.10.250
set access address-assignment pool dynamic-pool family inet xauth-attributes primary-dns 202.96.134.133/32
set access firewall-authentication web-authentication default-profile dynamic-users
III. Verification
From the client, pings to the trust-zone PC 192.168.1.6 and the DMZ PC 10.10.10.254 both succeed.
The remote client obtained the pool address 172.16.10.11 and connected to the firewall.
Detailed verification steps (omitted).
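The verification the post omits can be done from the SRX CLI. The following is an added example, not the original author's output: it uses standard Junos operational commands and assumes the names from the configuration above (gate-dynamic, dynamic-vpn, dynamic-pool, dynamic-vpn-policy); the trace file name ike-trace is an assumption.

```junos
# Added verification and troubleshooting example (not from the original post).

# Phase 1: one SA per connected client, state UP, remote address = client's public IP.
show security ike security-associations
# detail shows the XAuth user name and the pool address assigned to that user.
show security ike security-associations detail

# Phase 2: an inbound and an outbound SA per client referencing dynamic-vpn.
show security ipsec security-associations
show security ipsec security-associations detail

# Dynamic VPN view: logged-in users, their IKE ID (user.srx2) and connection count.
show security dynamic-vpn users
# Confirm the Pulse client package the portal is serving.
show security dynamic-vpn client version

# Address pool usage: which range addresses are handed out.
show network-access address-assignment pool dynamic-pool

# Flows from the pool into trust/dmz prove the tunnel policies are being hit.
show security flow session source-prefix 172.16.10.0/24
show security policies policy-name dynamic-vpn-policy detail

# The untrust zone must list ike and https under host-inbound-traffic.
show security zones untrust

# Troubleshooting a failed negotiation: enable IKE tracing, reconnect, read the log.
configure
set security ike traceoptions file ike-trace size 1m files 3
set security ike traceoptions flag all
commit and-quit
show log ike-trace

# Force a clean renegotiation after changing the PSK or proposals.
clear security ike security-associations
clear security ipsec security-associations
```

Tracing with flag all is verbose and writes the PSK-protected identities of every peer that tries to connect; delete the traceoptions stanza once the problem is found.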
IV. Summary
For dynamic VPN on a Juniper SRX firewall, the key parts are the ones I highlighted in green: the remote protected resources and the policies that permit the VPN tunnel. For troubleshooting I recommend the official KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17220&actp=search