In 2020 Ms. Chen had to stay at home and could not return to the office after the New Year, so she asked to work from home and needed remote access to the company's internal file server. The company firewall is a Juniper SRX 240; the goal is to set up a VPN connection for her, with only the 2 default licenses available.
Remote authentication and address assignment
IP addresses handed out to remote clients
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dyn-range low 123.1.1.100
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dyn-range high 123.1.1.200
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 114.114.114.114/32
Access profile for remote-login users: usernames, address pool, etc.
set access profile dyn-vpn-access-profile client user01 firewall-user password Abc@123
set access profile dyn-vpn-access-profile client user02 firewall-user password Abc#123
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
Web authentication uses the same profile
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
Enable HTTPS access to the device
set system services web-management https system-generated-certificate
VPN tunnel configuration
Phase 1: IKE policy (dynamic VPN with a group IKE ID uses aggressive mode, so the pre-shared key should be long and random)
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "#123Abc"
Phase 1: IKE gateway
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname mydyvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
Phase 2: IPsec policy
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
Phase 2: IPsec VPN
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
Untrust -> Trust security policy that invokes the tunnel
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
Allow the traffic destined for the firewall itself (HTTPS for the client portal, IKE for the tunnel, ping)
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
Dynamic VPN configuration for the remote client side
remote-protected-resources: the internal resources remote clients are allowed to reach through the tunnel; remote-exceptions 0.0.0.0/0 lets all other client traffic bypass the tunnel (split tunneling)
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user01
set security dynamic-vpn clients all user user02
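The configuration above is a chain of cross-references (gateway -> IKE policy and access profile, IPsec VPN -> gateway and IPsec policy, security policy and dynamic-vpn stanza -> IPsec VPN, dynamic-vpn users -> profile users, profile -> address pool), and a single mistyped name leaves a tunnel that never comes up. As an added example, not from the post or from Juniper, here is a small Python check that walks those references over the set-commands before commit; it also verifies that the pool range lies inside the pool network and that the dynamic-vpn user count stays within the 2 default licenses. The sample config is constructed from the post's own object names.

```python
import ipaddress
import re

# Constructed sample: the post's dynamic VPN set-commands, trimmed to the lines that reference one another.
SAMPLE = """
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dyn-range low 123.1.1.100
set access profile dyn-vpn-access-profile client user01 firewall-user password Abc@123
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user01
"""

# Per object type: the pattern that defines a name, and the patterns that reference it.
OBJECTS = {
    "ike policy": (r"^set security ike policy (\S+)", [r" ike-policy (\S+)"]),
    "ike gateway": (r"^set security ike gateway (\S+)", [r"^set security ipsec vpn \S+ ike gateway (\S+)"]),
    "ipsec policy": (r"^set security ipsec policy (\S+)", [r" ike ipsec-policy (\S+)"]),
    "ipsec vpn": (r"^set security ipsec vpn (\S+)", [r" tunnel ipsec-vpn (\S+)", r" clients all ipsec-vpn (\S+)"]),
    "access profile": (r"^set access profile (\S+)", [r" access-profile (\S+)"]),
    "address pool": (r"^set access address-assignment pool (\S+)", [r"^set access profile \S+ address-assignment pool (\S+)"]),
    "user": (r"^set access profile \S+ client (\S+)", [r" clients all user (\S+)"]),
}

def _found(pat, lines):  # names captured by pat across all lines
    return {m.group(1) for m in (re.search(pat, l) for l in lines) if m}

def lint(config, licensed_users=2):
    # Returns a list of problems; an empty list means the set-commands are consistent.
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    problems = []
    for kind, (def_pat, ref_pats) in OBJECTS.items():
        defined = _found(def_pat, lines)
        for pat in ref_pats:
            for line in lines:
                m = re.search(pat, line)
                if m and m.group(1) not in defined:
                    problems.append(f"{kind} '{m.group(1)}' is referenced but never defined: {line}")
    # Every pool range endpoint must fall inside the pool's network.
    for line in lines:
        m = re.search(r"network (\S+) range \S+ (?:low|high) (\S+)$", line)
        if m and ipaddress.ip_address(m.group(2)) not in ipaddress.ip_network(m.group(1)):
            problems.append(f"pool address {m.group(2)} is outside {m.group(1)}")
    # Dynamic VPN users consume licenses; the SRX 240 in the post has 2 by default.
    users = _found(r" clients all user (\S+)$", lines)
    if len(users) > licensed_users:
        problems.append(f"{len(users)} dynamic-vpn users exceed the {licensed_users} licensed")
    return problems
```

Paste the full candidate configuration into lint() and fix every reported problem before committing; an empty list is the expected result.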