配置SRX Dynamic VPN(version 2)

具体配置过程如下所示:

Step1: Access configuration

定义Web登录的用户名和密码以及定义RADIUS服务器。此处的web-authentication是采用RADIUS服务器进行认证的。 root# show access

profile ACS_Radius { //定义RADIUS认证服务器,用于进行用户名和密码的认证 authentication-order radius; radius-server {

60.60.60.1 secret \/CtOIE\ } }

profile dynamic_vpn { //定义本地认证数据库,包括用户名和密码 client luhongc { firewall-user {

password \/t1RSM87uO87-V4oz369uOIEclvW\ ## SECRET-DATA } }

client vpntest1 { firewall-user {

password \ ## SECRET-DATA } } }

firewall-authentication { web-authentication {

default-profile ACS_Radius; //此处用RADIUS进行WEB登录认证,也可以使用本地认证dynamic_vpn banner {

success \ } } }

注意:如果WEB认证出现问题,需要设置DEBUG来排错。

set system processes general-authentication-service traceoptions flag all 查看LOG信息:

root# run show log authd

Step2 HTTPS configuration - HTTPS配置

root# show system services web-management https system-generated-certificate;

interface [ ge-0/0/15.0 ge-0/0/0.0 ];

Step3: IKE/IPSEC configuration

注意:需要为每一个Remote Access VPN拨号用户设置一个IKE GATEWAY(Phase I)和VPN(Phase II)。现在客户这边准备5个测试用户:分别为vpntest1,vpntest2,vpntest3, vpntest4, vpntest5。下面示例中的Phase I提议使用md5/des-cbc并采用aggressive模式,仅作测试参考,生产环境应选用更强的算法。

IKE Phase I configuration: IKE Phase I配置 root# show security ike traceoptions {

file IKE size 4m; flag all; }

proposal phase1-proposal {

authentication-method pre-shared-keys; dh-group group2;

authentication-algorithm md5; encryption-algorithm des-cbc; lifetime-seconds 86400; }

policy ike-policy {

mode aggressive;

proposals phase1-proposal;

pre-shared-key ascii-text \}

gateway ike-gateway1 { ike-policy ike-policy;

dynamic hostname luhongc; external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }

gateway ike-vpntest5 {

ike-policy ike-policy;

dynamic hostname vpntest5; external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }

gateway ike-vpntest4 { ike-policy ike-policy;

dynamic hostname vpntest4; external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }

gateway ike-vpntest3 { ike-policy ike-policy;

dynamic hostname vpntest3; external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }

gateway ike-vpntest2 { ike-policy ike-policy;

dynamic hostname vpntest2; external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }

gateway ike-vpntest1 { ike-policy ike-policy;

dynamic hostname vpntest1; external-interface ge-0/0/0.0; xauth access-profile ACS_Radius; }

IPsec(Phase 2) configuration: 定义IPSEC VPN Phase 2的参数 root# show security ipsec traceoptions { flag all; }

proposal phase2-proposal { protocol esp;

authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; }

policy ipsec-policy {

perfect-forward-secrecy { keys group2; }

proposals phase2-proposal; }

vpn dynamic-vpn-test { ike {

gateway ike-gateway1; ipsec-policy ipsec-policy; }

establish-tunnels on-traffic; }

vpn dynamic-vpntest1 { ike {

gateway vpn-test1-gw; ipsec-policy ipsec-policy; } (注意:此处引用的gateway名称vpn-test1-gw在上文IKE配置中并未定义,上文为vpntest1定义的是ike-vpntest1,提交配置前需保持一致)

establish-tunnels on-traffic; }

vpn dynamic-vpntest2 { ike {

gateway ike-vpntest2; ipsec-policy ipsec-policy; }

establish-tunnels on-traffic; }

vpn dynamic-vpntest3 { ike {

gateway ike-vpntest3; ipsec-policy ipsec-policy; }

establish-tunnels on-traffic; }

vpn dynamic-vpntest4 { ike {

gateway ike-vpntest4; ipsec-policy ipsec-policy; }

establish-tunnels on-traffic; }

vpn dynamic-vpntest5 { ike {

gateway ike-vpntest5; ipsec-policy ipsec-policy; }