Juniper SRX Dynamic VPN (in use at our company)


        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dy-ipse-vpn;
        user {
            srx;
        }
    }
}

7. Configure the VPN policy from untrust to trust

[edit]
srx@srx100h# show security policies from-zone untrust to-zone trust
policy unt-to-tr {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dy-ipse-vpn;    (references the IPsec VPN)
            }
        }
    }
}

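8. Configure proxy ARP on the interface. This differs somewhat from Cisco: the addresses in the address pool must be proxied on the trust interface.

srx@srx100h# show security nat
proxy-arp {
    interface fe-0/0/1.0 {
        address {
            192.168.80.230/32 to 192.168.80.235/32;
        }
    }
}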

9. Optionally, configure debugging

srx@srx# set security ike traceoptions file ike-debug
srx@srx# set security ike traceoptions flag all
srx@srx# set security ipsec traceoptions flag all
srx@srx# commit
srx@srx# run clear log ike-debug
user@srx# run show log ike-debug | match ike    (use this later to view the debug output)

OK, the configuration is complete. Next, connect to the VPN.

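1. If the PC does not yet have Junos Pulse installed, authenticate through the web portal first and then install Pulse. In a browser, go to https://172.32.1.1/dynamic-vpn and enter the account credentials.

After authentication succeeds, the page prompts you to install Pulse; choose Yes and continue through the installation.
2. After the installation succeeds, Pulse prompts you to enter the VPN account again.
3. The connection succeeds.
4. The PC then obtains an address.
5. Check the relevant logs

5.1 Phase 1 SA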

srx@srx100h# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode        Remote Address
4788399  UP     3eba8e8cc1f049bf  e6a5b5a4e71e7cd2  Aggressive  172.32.1.4

5.2 Phase 2 SA

srx@srx100h# run show security ipsec security-associations
Total active tunnels: 1
ID          Algorithm     SPI       Life:sec/kb   Mon  vsys  Port  Gateway
<133955587  ESP:3des/md5  9c19409a  2799/ 500000  -    root  500   172.32.1.4
>133955587  ESP:3des/md5  5bb48d50  2799/ 500000  -    root  500   172.32.1.4

5.3 View IPsec encryption/decryption statistics

srx@srx100h# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:   31452496
  Decrypted bytes:   1111447
  Encrypted packets: 30384
  Decrypted packets: 20144
AH Statistics:
  Input bytes:    0
  Output bytes:   0
  Input packets:  0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
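
The following is an added example, not part of the original article: a Python check that parses the phase 1 and phase 2 SA listings from 5.1 and 5.2 and flags Aggressive-mode IKE SAs and SAs negotiated with 3DES or MD5 for review. The sample rows are constructed from the output above; the weak-algorithm sets and the function names are assumptions.

```python
import re

# Sample rows constructed from the listings in 5.1 and 5.2 above.
IKE_SA = """\
Index    State  Initiator cookie  Responder cookie  Mode        Remote Address
4788399  UP     3eba8e8cc1f049bf  e6a5b5a4e71e7cd2  Aggressive  172.32.1.4
"""
IPSEC_SA = """\
Total active tunnels: 1
ID          Algorithm     SPI       Life:sec/kb   Mon  vsys  Port  Gateway
<133955587  ESP:3des/md5  9c19409a  2799/ 500000  -    root  500   172.32.1.4
>133955587  ESP:3des/md5  5bb48d50  2799/ 500000  -    root  500   172.32.1.4
"""

# Assumption: local policy treats these algorithms as too weak for new tunnels.
WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5"}

IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)$")
IPSEC_ROW = re.compile(r"^([<>])(\d+)\s+(ESP|AH):([^/\s]+)/(\S+)\s+([0-9a-f]+)\s+.*?(\S+)$")

def audit_ike(text):
    """Return (index, remote, finding) for phase 1 SAs in Aggressive mode."""
    findings = []
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m and m.group(5).lower() == "aggressive":
            findings.append((m.group(1), m.group(6), "aggressive-mode"))
    return findings

def audit_ipsec(text):
    """Return (direction+id, spi, gateway, weak algorithms) for phase 2 SAs."""
    findings = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line.strip())
        if not m:
            continue  # header, tunnel count, or blank line
        direction, sa_id, _proto, enc, auth, spi, gateway = m.groups()
        weak = tuple(a for a, bad in ((enc.lower(), WEAK_ENC),
                                      (auth.lower(), WEAK_AUTH)) if a in bad)
        if weak:
            findings.append((direction + sa_id, spi, gateway, weak))
    return findings

if __name__ == "__main__":
    for finding in audit_ike(IKE_SA) + audit_ipsec(IPSEC_SA):
        print(finding)
```

Feed it the text captured from the two `show security ... security-associations` commands; rows that do not match the listing format are skipped rather than guessed at.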