Juniper SRX remote access VPN (dynamic-vpn)

IPsec-based dynamic VPN


Users on the Internet (untrust zone) dial in to the SRX firewall and get secure remote VPN access from untrust into the internal trust-side segment, which is 172.16.1.0/24 in the configuration below. The DMZ is not involved in this case.


(figure: network topology)



Step 1: configure the user authentication access profile

set access profile ra-users authentication-order password
set access profile ra-users client user1 firewall-user password user1
set access profile ra-users client user2 firewall-user password user2
set access firewall-authentication web-authentication default-profile ra-users

This profile holds the XAuth accounts that the IKE gateway checks in step 4 and that the dynamic VPN web portal uses for login. user1/user1 and user2/user2 are lab placeholders; a password equal to the username must never be used in production.


Step 2: configure the IKE proposal

set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc

MD5, 3DES-CBC and DH group 2 are what this lab used; all three are weak by current standards. Prefer AES, a SHA-family hash and at least DH group 14 where the client version in use supports them.


Step 3: configure the IKE policy

set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123

Aggressive mode is what dynamic VPN uses for peers identified by hostname. In aggressive mode the pre-shared key can be attacked offline from a captured IKE exchange, so a key like freeit123 must be replaced by a long random one; the XAuth login in step 4 is a second factor on top of the key, not a substitute for a strong key.


Step 4: configure the IKE gateway

set security ike gateway ra-gw ike-policy ra-policy
set security ike gateway ra-gw dynamic hostname freeit.com.cn
set security ike gateway ra-gw dynamic connections-limit 40
set security ike gateway ra-gw external-interface ge-0/0/1.0
set security ike gateway ra-gw xauth access-profile ra-users

dynamic hostname freeit.com.cn is the IKE identity the remote clients present; connections-limit caps the number of concurrent dynamic peers; external-interface is the untrust-facing interface that terminates IKE; xauth binds the gateway to the access profile from step 1, so every IKE peer must also log in as a user.



Step 5: configure the IPsec proposal

set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc


Step 6: configure the IPsec policy

set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro

Perfect forward secrecy is enabled here, which is good; the same reservation about DH group 2 as in step 2 applies to the PFS group.


Step 7: configure the IPsec VPN

set security ipsec vpn ra-vpn ike gateway ra-gw
set security ipsec vpn ra-vpn ike ipsec-policy ra-ipsec-policy


Step 8: configure the dynamic VPN

set security dynamic-vpn access-profile ra-users
set security dynamic-vpn clients client1 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client1 ipsec-vpn ra-vpn
set security dynamic-vpn clients client1 user user1
set security dynamic-vpn clients client2 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client2 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client2 ipsec-vpn ra-vpn
set security dynamic-vpn clients client2 user user2

remote-protected-resources is the traffic the client sends through the tunnel and remote-exceptions is the traffic it sends directly. With 0.0.0.0/0 as the exception, only 172.16.1.0/24 is tunnelled and everything else leaves the client in the clear (split tunnelling); if remote users should reach the Internet only through the firewall, do not add the 0.0.0.0/0 exception.


Step 9: configure the security policy for the dynamic VPN users

set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match source-address any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match destination-address trust_172.16.1.0
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn ra-vpn
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-init
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-close

The policy refers to an address-book entry named trust_172.16.1.0, which must exist in the trust zone and cover 172.16.1.0/24 (its definition is not shown here). The permit tunnel action binds the policy to the ra-vpn IPsec VPN, so only traffic arriving through that tunnel matches it; source-address any is normal for dynamic peers whose addresses are unknown, but application any should be narrowed to the services remote users actually need.
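To check a configuration like the one above for the weak points noted in the steps, here is an added example (the editor's code, not part of the original article or of Junos): a small auditor over Junos set-style lines. The CONFIG text is constructed from the article's commands (abridged); the list of weak algorithms, the 20-character PSK and 12-character password thresholds, and the substitutions made by harden() are the editor's choices, and the substituted algorithms must also be supported by the client version in use.

```python
"""Audit an SRX dynamic VPN 'set' configuration for weak settings.

Added example by the editor; not code from the article or from Juniper.
The rules below (which tokens count as weak, the length thresholds) are
the editor's assumptions, not a Juniper-defined check.
"""
from typing import Dict, List, Tuple

# Constructed from the article's configuration (abridged, spacing fixed).
CONFIG = """\
set access profile ra-users client user1 firewall-user password user1
set access profile ra-users client user2 firewall-user password user2
set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc
set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123
set security ike gateway ra-gw xauth access-profile ra-users
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro
set security dynamic-vpn clients client1 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn ra-vpn
"""

WEAK = {  # token -> why it is weak (editor's assessment)
    "md5": "MD5 is broken; use sha-256",
    "hmac-md5-96": "HMAC-MD5-96 is deprecated; use hmac-sha-256-128",
    "3des-cbc": "3DES has a 64-bit block (Sweet32); use aes-256-cbc",
    "des-cbc": "single DES is brute-forceable",
    "group1": "768-bit DH is broken; use group14",
    "group2": "1024-bit DH is weak (Logjam); use group14",
}
REPLACE = {"md5": "sha-256", "hmac-md5-96": "hmac-sha-256-128",
           "3des-cbc": "aes-256-cbc", "des-cbc": "aes-256-cbc",
           "group1": "group14", "group2": "group14"}

Finding = Tuple[str, str]  # (code, message)


def set_lines(text: str) -> List[List[str]]:
    """Tokenize 'set ...' lines, dropping the leading 'set'."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def audit(text: str) -> List[Finding]:
    f: List[Finding] = []
    auth: Dict[str, str] = {}         # ike proposal -> authentication-method
    mode: Dict[str, str] = {}         # ike policy -> mode
    props: Dict[str, List[str]] = {}  # ike policy -> proposals
    for t in set_lines(text):
        head = t[:2]
        if head in (["security", "ike"], ["security", "ipsec"]):
            f += [("WEAK_ALGO", f"{' '.join(t)}: {WEAK[v]}") for v in t if v in WEAK]
        if t[:3] == ["security", "ike", "proposal"] and "authentication-method" in t:
            auth[t[3]] = t[-1]
        if t[:3] == ["security", "ike", "policy"]:
            if "mode" in t:
                mode[t[3]] = t[-1]
            if "proposals" in t:
                props.setdefault(t[3], []).extend(t[t.index("proposals") + 1:])
            if "pre-shared-key" in t and t[-2] == "ascii-text" and len(t[-1]) < 20:
                f.append(("SHORT_PSK", f"policy {t[3]}: PSK is {len(t[-1])} chars; use >= 20 random chars"))
        if head == ["access", "profile"] and "firewall-user" in t and "password" in t:
            user, pw = t[t.index("client") + 1], t[-1]
            if pw == user or len(pw) < 12:
                f.append(("WEAK_USER_PASSWORD", f"XAuth user {user}: password equals the username or is under 12 chars"))
        if head == ["security", "dynamic-vpn"] and "remote-exceptions" in t and t[-1] == "0.0.0.0/0":
            f.append(("SPLIT_TUNNEL", f"client {t[3]}: only remote-protected-resources are tunnelled; all other traffic leaves the client in the clear"))
        if head == ["security", "policies"] and "match" in t and t[-2:] == ["application", "any"]:
            f.append(("BROAD_POLICY", f"policy {t[t.index('policy') + 1]}: application any; restrict to the services remote users need"))
    # Aggressive mode sends the authenticating hash unencrypted, so a captured
    # exchange allows offline PSK guessing. Dynamic VPN needs aggressive mode
    # for hostname IKE IDs, so the only defence is a long random PSK.
    for pol, m in mode.items():
        if m == "aggressive" and any(auth.get(p) == "pre-shared-keys" for p in props.get(pol, [])):
            f.append(("AGGRESSIVE_PSK", f"IKE policy {pol}: aggressive mode with pre-shared keys; PSK is exposed to offline cracking"))
    return f


def harden(text: str) -> str:
    """Swap weak algorithm tokens for stronger ones on IKE/IPsec lines only."""
    out = []
    for ln in text.splitlines():
        t = ln.split()
        if t[:3] in (["set", "security", "ike"], ["set", "security", "ipsec"]):
            t = [REPLACE.get(v, v) for v in t]
        out.append(" ".join(t))
    return "\n".join(out)


if __name__ == "__main__":
    for code, msg in audit(CONFIG):
        print(f"{code:20} {msg}")
    print("\n# hardened IKE/IPsec lines:")
    print("\n".join(ln for ln in harden(CONFIG).splitlines() if "proposal" in ln or "forward-secrecy" in ln))
```

Run it against the lab configuration and every finding discussed in the steps appears: six weak-algorithm hits, the short PSK, the two username-equals-password accounts, the split-tunnel exception, the application any policy, and the aggressive-mode-plus-PSK combination. harden() removes the algorithm findings but deliberately leaves the PSK and user findings, since those need new secrets, not a token swap.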


Step 10: the client connects through a web browser (IE) to:

https://192.168.114.190/dynamic-vpn (the web portal is needed only the first time; later connections go through the downloaded client)


(figure: dynamic VPN web login page)








After entering a valid user account you are prompted to download and install the client.


(figure: client download prompt)


Once the installation finishes the client can dial in to the VPN; later connections are made directly through the downloaded client.


(figure: client connected)



Verifying the result:


root@freeit_SRX# run show security dynamic-vpn users detail
User: NULL , Usergroup: NULL , Number of connections: 0
    Remote IP: 20.114.168.192
    IKE ID  : NULL
    IKE Lifetime: 0
    IPSEC Lifetime: 0
    Status: CONNECTED



root@freeit_SRX# run show security dynamic-vpn client version
Junos Pulse 2.0.3.11013


root@freeit_SRX# run show security ike active-peer
Remote Address    Port   Peer IKE-ID     XAUTH username   Assigned IP
192.168.114.20    54820  freeit.com.cn   user1


root@freeit_SRX# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode        Remote Address
5293799  UP     bff633e93801d22a  6821a6391ef46a44  Aggressive  192.168.114.20


root@freeit_SRX# run show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm     SPI       Life:sec/kb    Mon  lsys  Port  Gateway
  <268173315  ESP:3des/md5  39226897  3150/ 500000   -    root  500   192.168.114.20
  >268173315  ESP:3des/md5  9a7ad7bb  3150/ 500000   -    root  500   192.168.114.20



root@freeit_SRX# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:             1792
  Decrypted bytes:              960
  Encrypted packets:             16
  Decrypted packets:             16
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
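As an added example (the editor's code, not from the article), the following parses the two outputs above into structured data and applies the checks an operator would script after bringing such a tunnel up: both SA directions present, lifetime not about to expire, every error counter zero, and ESP traffic flowing in both directions. The sample text is constructed from the article's output with the run-together fields separated; the lifetime threshold is an assumption.

```python
"""Health check over 'show security ipsec security-associations' and
'show security ipsec statistics' output from an SRX.

Added example by the editor, not code from the article or from Juniper.
Sample outputs are constructed from the article; thresholds are assumptions.
"""
import re
from typing import Dict, List

# Constructed from the article's output (fields separated as Junos prints them).
SA_OUTPUT = """\
  Total active tunnels: 1
  ID          Algorithm     SPI       Life:sec/kb    Mon  lsys  Port  Gateway
  <268173315  ESP:3des/md5  39226897  3150/ 500000   -    root  500   192.168.114.20
  >268173315  ESP:3des/md5  9a7ad7bb  3150/ 500000   -    root  500   192.168.114.20
"""

STATS_OUTPUT = """\
ESP Statistics:
  Encrypted bytes:             1792
  Decrypted bytes:              960
  Encrypted packets:             16
  Decrypted packets:             16
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# <id proto:enc/auth spi life_sec/life_kb mon lsys port gateway
SA_RE = re.compile(
    r"^\s*([<>])(\d+)\s+(\w+):(\S+)/(\S+)\s+([0-9a-fA-F]+)\s+(\d+)/\s*(\S+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)", re.M)
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_sas(text: str) -> List[Dict[str, object]]:
    """One dict per SA line; '<' is the inbound SA, '>' the outbound one."""
    return [{"dir": "in" if m[1] == "<" else "out", "id": int(m[2]),
             "proto": m[3], "enc": m[4], "auth": m[5], "spi": m[6],
             "life_sec": int(m[7]), "life_kb": m[8], "lsys": m[10],
             "port": int(m[11]), "gateway": m[12]}
            for m in SA_RE.finditer(text)]


def parse_counters(text: str, section: str) -> Dict[str, int]:
    """Counters under one 'Section:' header, up to the next unindented line."""
    body = text.split(section + ":", 1)[1] if section + ":" in text else ""
    body = re.split(r"\n\S", body, 1)[0]
    return {k.strip(): int(v) for k, v in COUNTER_RE.findall(body)}


def check(sa_text: str, stats_text: str, min_life_sec: int = 300) -> List[str]:
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    issues: List[str] = []
    sas = parse_sas(sa_text)
    if not sas:
        return ["no IPsec SAs: IKE may have failed or the tunnel is down"]
    dirs: Dict[int, set] = {}
    for sa in sas:
        dirs.setdefault(sa["id"], set()).add(sa["dir"])
        if sa["life_sec"] < min_life_sec:
            issues.append(f"SA {sa['id']} {sa['dir']}: {sa['life_sec']}s left, rekey imminent")
    for sid, d in dirs.items():
        if d != {"in", "out"}:
            issues.append(f"SA {sid}: only {sorted(d)} direction present")
    # Replay errors or authentication failures on a live tunnel need a look:
    # they mean packets were injected, duplicated or tampered with in transit.
    for name, count in parse_counters(stats_text, "Errors").items():
        if count:
            issues.append(f"{name}: {count}")
    esp = parse_counters(stats_text, "ESP Statistics")
    if esp.get("Encrypted packets", 0) and not esp.get("Decrypted packets", 0):
        issues.append("ESP is one-way: encrypting but nothing decrypted; check routing and policy on the return path")
    return issues


if __name__ == "__main__":
    for sa in parse_sas(SA_OUTPUT):
        print(sa)
    print(check(SA_OUTPUT, STATS_OUTPUT) or "tunnel healthy")
```

On the article's output the check returns nothing: one SA in each direction, 3150 seconds of lifetime left, all error counters zero and 16 packets each way. Feed it the same statistics with a non-zero replay counter and that counter comes back as the finding.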

