Juniper SRX Configuration Manual (with annotations)

Juniper SRX standard configuration

Section 1  System configuration
    1.1 Device initialization
        1.1.1 Login
        1.1.2 Setting the root password
        1.1.3 Creating a remote-login administrator account
    1.2 System management
        1.2.1 Selecting the time zone
        1.2.2 System time
        1.2.3 DNS servers
        1.2.4 Reboot and shutdown
        1.2.5 Handling alarms
        1.2.6 Root password recovery
Section 2  Network settings
    2.1 Interfaces
        2.1.1 PPPoE
        2.1.2 Manual (static) address
        2.1.3 DHCP
    2.2 Routing
        Static routes
    2.3 SNMP
Section 3  Advanced settings
    3.11 Changing management service ports
    3.12 Checking the hardware serial number
    3.13 Enabling host-inbound services on interfaces
    3.14 Defining a custom application (port service)
    3.15 VIP port mapping (destination NAT with port)
    3.16 MIP mapping (one-to-one destination NAT)
    3.17 Disabling the console port
    3.18 Source NAT for the SRX's own traffic (pinging the Internet from the device)
    3.19 Restricting management access by source address
    3.20 Configuration rollback
    3.21 Applying UTM in a policy
    3.22 Fixing slow network access
Section 4  VPN settings
    4.1 Site-to-site IPsec VPN
        4.1.1 Route-based
        4.1.2 Policy-based
    4.2 Remote-access VPN
        4.2.1 SRX-side configuration
        4.2.2 Client configuration
Section 1  System configuration
1.1 Device initialization
1.1.1 Login
On first login, connect through the console port. Log in as root; the password is empty.
login: root
Password:
JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root@% cli                          *** enter operational mode ***
root>
root> configure
Entering configuration mode         *** enter configuration mode ***
[edit]
root#
1.1.2 Setting the root password
(A root password must be configured; otherwise later configuration changes cannot be committed.)
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
The password is stored and shown as a hash:
root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU8M7B62u05D6"; ## SECRET-DATA
Note: it is strongly recommended to set the root password in its hashed form (the encrypted-password option). That option expects a string already hashed with a supported algorithm; a hash typed in by hand carries the risk that a mistyped value can never be verified, so check it before committing.
Note: by default the root account can manage the SRX only over the console, not through remote login. A root password must be set and committed successfully before any further configuration can be committed.
1.1.3 Creating a remote-login administrator account
root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: juniper
Note: the lab user has super-user rights and can manage the device from the console or remotely. Accounts with narrower rights are created by assigning a different login class.
1.2 System management
1.2.1 Selecting the time zone
srx_admin# set system time-zone Asia/Shanghai      *** Asia/Shanghai ***
1.2.2 System time
1.2.2.1 Setting the time manually
srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
 3:37PM  up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14
1.2.2.2 One-off NTP synchronization
srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset 28796357.071 sec
1.2.2.3 NTP servers
srx_admin# set system ntp server 202.100.10.21
srx_admin# set system ntp server ntp.api.bz
*** When an NTP server is given by name, the SRX must already be able to resolve it (DNS configured and reachable); otherwise the command is rejected. ***
srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db  Sun, Feb  8 2015  7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
srx_admin@holyshit> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dns.sjtu.edu.cn  151.79.156.248   3 u   16   64    1   54.73    0.953   0.008
 202.100.10.21    .INIT.          16 u    -   64    0    0.000    0.000 4000.00
*** stratum 16 with reach 0 means the server has never answered; a usable server shows a stratum below 16 and a non-zero reach ***
1.2.3 DNS servers
srx_admin# set system name-server 202.96.209.5      *** DNS server used by the SRX itself ***
1.2.4 Reboot and shutdown
1.2.4.1 Reboot
srx_admin> request system reboot
1.2.4.2 Power off
srx_admin> request system power-off
1.2.5 Handling alarms
1.2.5.1 Viewing alarms
root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set
1.2.5.2 Clearing the alarms
First alarm:
root> request system autorecovery state save
Saving config recovery information: OK
Saving license recovery information: OK
Saving BSD label recovery information: OK
Second alarm (saves the current committed configuration as the rescue configuration):
root> request system configuration rescue save
1.2.6 Root password recovery
If the root password is lost and no other super-user account is available, the password must be recovered from the console. This interrupts normal operation of the device; the configuration is not lost. Steps:
1. Reboot the firewall. In the terminal program (e.g. SecureCRT), press the space bar when the prompt below appears to interrupt the normal boot, then boot into single-user mode with boot -s:
Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
2. Run the recovery: type recovery at the prompt. The device then continues booting.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
3. Enter configuration mode, delete the old root password, set a new one, commit and reboot:
root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Note: anyone with physical access to the console can perform this procedure, so the device must be kept in a locked location (see also 3.17).
Section 2  Network settings
2.1 Interfaces
2.1.1 PPPoE
※ Set PPPoE encapsulation on the WAN interface (fe-0/0/0)
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
※ CHAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890
*** PPPoE password ***
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163
*** PPPoE account ***
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive
*** passive mode: wait for the server to start the CHAP challenge ***
※ PAP authentication
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890
*** PPPoE password ***
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163
*** PPPoE account ***
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890
*** PPPoE password ***
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive
*** passive mode ***
※ Bind the PPP interface to the physical interface
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
*** dial PPPoE over the WAN interface (fe-0/0/0) ***
※ PPPoE dialing options
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
*** idle timeout (0 = never disconnect) ***
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
*** redial automatically after 3 seconds ***
srx_admin# set interfaces pp0 unit 0 pppoe-options client
*** this side is the PPPoE client ***
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492
*** lower the interface MTU to 1492: the PPPoE header uses 8 bytes of the 1500-byte Ethernet payload ***
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address
*** obtain the dynamic address assigned by the server ***
※ Default route
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0
※ Put the PPPoE interface in the untrust zone
srx_admin# set security zones security-zone untrust interfaces pp0.0
※ Verify that PPPoE is up and an address was obtained
srx_admin# run show interfaces terse | match pp
pp0      up    up
pp0.0    up    up   inet   192.168.163.1    --> 1.1.1.1
ppd0     up    up
ppe0     up    up
Note:
After PPPoE comes up, the MTU may still need tuning for a good browsing experience (an unsuitable MTU makes the connection feel sluggish):
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304            *** adjust the MTU ***
srx_admin# set security flow tcp-mss all-tcp mss 1304               *** clamp the TCP MSS ***
The MSS should be at least 40 bytes smaller than the interface MTU (IP and TCP headers), so with an MTU of 1304 a clamp of 1264 or less is the consistent value; an MSS equal to the MTU still produces packets that exceed it.
2.1.2 Manual (static) address
srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29
2.1.3 DHCP
※ Enable a DHCP address pool
srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
*** gateway handed out by DHCP ***
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
*** first address of the pool ***
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
*** last address of the pool ***
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000
*** lease time in seconds ***
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name leadsystems.com.cn
*** domain name handed out by DHCP ***
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133
*** DNS servers handed out by DHCP ***
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0
*** interface whose learned settings are propagated to the DHCP server ***
※ Address of the LAN interface
srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24
※ Allow DHCP requests to reach the SRX on the LAN interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
2.2 Routing
Static routes
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153
*** default route ***
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0
*** route for the route-based VPN: the remote LAN is reached through the st0.0 tunnel interface ***
2.3 SNMP
srx_admin# set snmp community Ajitec authorization read-only
*** SNMP community and access level (read-only or read-write); use read-only unless writes are really needed ***
srx_admin# set snmp client-list snmp_srx240 10.192.89.9/32
*** address of the monitoring host ***
srx_admin# set snmp community Ajitec client-list-name snmp_srx240
*** bind the client list to the community; without this binding the community accepts queries from any source ***
Section 3  Advanced settings
3.11 Changing management service ports
srx_admin# set system services web-management http port 8000
*** change the HTTP management port ***
srx_admin# set system services web-management https port 1443
*** change the HTTPS management port ***
3.12 Checking the hardware serial number
srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                BZ2615AF0491      SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491      RE-SRX100H2
FPC 0                                                    FPC
  PIC 0                                                  8x FE Base PIC
Power Supply 0
3.13 Enabling host-inbound services on interfaces
※ Define the system services
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
*** the management page is then reached directly at https://<ip>/admin, without a redirect ***
※ Enable services on the LAN interface
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping      *** allow ping ***
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http      *** allow http ***
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet    *** allow telnet ***
※ Enable services on the WAN interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping      *** allow ping ***
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet    *** allow telnet ***
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http      *** allow http ***
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all       *** allow all services ***
Note: a service enabled under host-inbound-traffic is reachable from every address in that zone. Telnet and HTTP carry credentials in clear text, and "all" exposes every management service to the Internet; on the untrust interface enable only ssh and https, combined with the source-address filter of 3.19.
3.14 Defining a custom application (port service)
A single application carries one protocol, so RDP over TCP and RDP over UDP are defined as two applications and grouped in an application-set:
srx_admin# set applications application RDP-TCP protocol tcp                *** protocol tcp ***
srx_admin# set applications application RDP-TCP source-port 0-65535          *** any source port ***
srx_admin# set applications application RDP-TCP destination-port 3389        *** destination port ***
srx_admin# set applications application RDP-UDP protocol udp                *** protocol udp ***
srx_admin# set applications application RDP-UDP source-port 0-65535
srx_admin# set applications application RDP-UDP destination-port 3389
srx_admin# set applications application-set RDP application RDP-TCP
srx_admin# set applications application-set RDP application RDP-UDP
3.15 VIP port mapping (destination NAT with port)
※ Destination NAT
srx_admin# set security nat destination pool 22 address 192.168.1.20/32
*** pool: the real internal address ***
srx_admin# set security nat destination pool 22 address port 3389
*** pool: the internal port ***
srx_admin# set security nat destination rule-set 2 from zone untrust
*** rule-set: traffic arriving from the untrust zone ***
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0
*** rule: any source address ***
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
*** rule: traffic to the public address 116.228.60.154 ***
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389
*** rule: public port ***
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22
*** rule: translate to the pool ***
※ Security policy
Destination NAT is applied before the policy lookup, so the policy matches the internal (post-NAT) address, not the public one:
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
Note: "application any" opens every port of 192.168.1.20 that the NAT rule lets through; with the RDP application-set from 3.14 the policy can be limited to port 3389.
3.16 MIP mapping (one-to-one destination NAT)
※ Destination NAT
srx_admin# set security nat destination pool 11 address 192.168.1.3/32
*** pool: the real internal address ***
srx_admin# set security nat destination rule-set 1 from zone untrust
*** rule-set: traffic arriving from the untrust zone ***
srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0
*** rule: any source address ***
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32
*** rule: traffic to the public address 116.228.60.157 ***
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 11
*** rule: translate every port to the pool ***
※ Proxy ARP
116.228.60.157 is not configured on the interface itself, so the SRX must answer ARP requests for it:
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32
※ Security policy (matches the internal, post-NAT address)
srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
3.17 Disabling the console port
juniper-srx@SRX100H2# edit system ports console       *** enter the console port hierarchy ***
juniper-srx@SRX100H2# set disable                      *** disable the port ***
juniper-srx@SRX100H2# commit confirmed 3               *** commit; rolled back automatically after 3 minutes unless confirmed with a second commit ***
Note: make sure a working remote-login super-user account exists before committing, because the console is the fallback when remote access breaks. Junos also offers the console "insecure" option, which requires the root password even in single-user mode and so blocks the recovery procedure of 1.2.6 for anyone with physical access.
3.18 Source NAT for the SRX's own traffic
Traffic originated by the SRX itself (zone junos-host, e.g. a ping to the Internet sourced from an internal address) is not translated by the trust-to-untrust rule-set and is therefore not answered; it needs its own source NAT rule-set:
set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
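The order in which the SRX applies the pieces configured in 3.15, 3.16 and 3.18 is what decides whether these configurations work: destination NAT runs before the policy lookup (so the policy must match the private, post-NAT address), the route lookup uses the translated address to find the egress zone, and source NAT runs after the policy decision. The model below is an added example, not code from the manual or from Juniper; its rule tables are the manual's commands transcribed as data. It assumes that fe-0/0/0.0 carries 116.228.60.154, that the trust LAN is 192.168.1.0/24, and that self-originated traffic (zone junos-host) is not run through the policy table. Traffic addressed to the SRX itself (host-inbound traffic) is outside the model.

```python
"""Simplified model of the SRX first-packet path for sections 3.15, 3.16
and 3.18 (added example, not from the manual or from Juniper).

Order: destination NAT -> route lookup -> policy lookup -> source NAT.
Assumptions: WAN address 116.228.60.154, trust LAN 192.168.1.0/24,
self-originated traffic (zone junos-host) skips the policy table.
"""
import ipaddress

WAN_ADDRESS = "116.228.60.154"                       # assumed fe-0/0/0.0 address

# Route table as (prefix, egress zone), most specific first (assumption).
ROUTES = [("192.168.1.0/24", "trust"), ("0.0.0.0/0", "untrust")]

# security nat destination: 3.15 (VIP, rule-set 2 / pool 22) and 3.16 (MIP, rule-set 1 / pool 11)
DEST_NAT = [
    {"from_zone": "untrust", "dst": "116.228.60.154/32", "dport": 3389, "pool": ("192.168.1.20", 3389)},
    {"from_zone": "untrust", "dst": "116.228.60.157/32", "dport": None, "pool": ("192.168.1.3", None)},
]

# security policies, written against post-NAT addresses as the manual does
POLICIES = [
    {"name": "vip", "zones": ("untrust", "trust"), "src": "0.0.0.0/0", "dst": "192.168.1.20/32"},
    {"name": "mip", "zones": ("untrust", "trust"), "src": "0.0.0.0/0", "dst": "192.168.1.3/32"},
    {"name": "trust-to-untrust", "zones": ("trust", "untrust"), "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]

# The common mistake: the VIP policy written against the public address.
POLICIES_WRONG = [dict(POLICIES[0], dst="116.228.60.154/32")] + POLICIES[1:]

# security nat source (3.18): the SRX's own traffic and the LAN, both to the interface address
SOURCE_NAT = [
    {"zones": ("junos-host", "untrust"), "src": "192.168.1.1/32"},
    {"zones": ("trust", "untrust"), "src": "0.0.0.0/0"},
]


def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def egress_zone(dst):
    """Longest-prefix match over ROUTES (ordered most specific first)."""
    for prefix, zone in ROUTES:
        if _in(dst, prefix):
            return zone
    raise ValueError("no route to %s" % dst)


def forward(pkt, policies=POLICIES):
    """First-packet decision for pkt = {'zone', 'src', 'dst', 'dport'}.

    Every policy in the table is 'then permit'; no matching policy is the
    SRX default deny.
    """
    src, dst, dport = pkt["src"], pkt["dst"], pkt["dport"]
    for rule in DEST_NAT:                          # 1. destination NAT
        if rule["from_zone"] == pkt["zone"] and _in(dst, rule["dst"]) \
                and rule["dport"] in (None, dport):
            dst = rule["pool"][0]
            dport = rule["pool"][1] if rule["pool"][1] is not None else dport
            break
    to_zone = egress_zone(dst)                     # 2. route lookup on the translated address
    policy = "<self-originated>"
    if pkt["zone"] != "junos-host":                # 3. policy lookup (post-NAT addresses)
        policy = next((p["name"] for p in policies
                       if p["zones"] == (pkt["zone"], to_zone)
                       and _in(src, p["src"]) and _in(dst, p["dst"])), None)
        if policy is None:
            return {"action": "deny", "policy": "default-deny"}
    for rule in SOURCE_NAT:                        # 4. source NAT ('then source-nat interface')
        if rule["zones"] == (pkt["zone"], to_zone) and _in(src, rule["src"]):
            src = WAN_ADDRESS
            break
    return {"action": "permit", "policy": policy, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(forward({"zone": "untrust", "src": "203.0.113.9", "dst": "116.228.60.154", "dport": 3389}))
    print(forward({"zone": "untrust", "src": "203.0.113.9", "dst": "116.228.60.154", "dport": 3389}, POLICIES_WRONG))
    print(forward({"zone": "junos-host", "src": "192.168.1.1", "dst": "8.8.8.8", "dport": None}))
```

Running the block shows the VIP packet permitted by policy "vip" with its destination already rewritten to 192.168.1.20, the same packet denied when the policy names the public address, and the SRX's own ping leaving with the WAN address as source only because the junos-host rule-set exists.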
3.19 Restricting management access by source address
※ Enable the required host-inbound services on the WAN interface
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
※ Define a firewall filter that limits which source may reach the management port
set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
*** allow SSH to the SRX's address 59.46.184.114 only from 116.228.60.158 ***
set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
set firewall filter Outside_access_in term Permit_ANY then accept
*** discard SSH from every other source; let all other traffic through to the flow module ***
※ Apply the filter inbound on the WAN interface
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in
Note:
① Terms are evaluated top to bottom and the first match wins, so the permit term for the management host must come before the deny term; in the opposite order the management host is discarded together with everyone else.
② A filter ends with an implicit discard. Do not finish with a term that discards everything, and do not omit the final accept term: either one drops all transit traffic on the interface, not just management traffic.
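The two notes above describe first-match evaluation and the implicit discard at the end of a Junos firewall filter. The model below is an added example, not code from the manual or from Juniper: it transcribes the Outside_access_in filter as data, evaluates constructed packets against it, and reproduces both mistakes (deny term placed first; final accept term missing). Port 22 stands for the "ssh" keyword, and the sample addresses 203.0.113.x are constructed.

```python
"""Model of how a Junos stateless firewall filter evaluates its terms
(added example for section 3.19, not from the manual or from Juniper).

Terms are checked top to bottom; the first term whose 'from' conditions all
hold decides the packet; a packet matching no term hits the implicit discard.
"""
import ipaddress

# The manual's Outside_access_in filter, in the order the manual writes it.
OUTSIDE_ACCESS_IN = [
    {"name": "Permit_IP",
     "from": {"source-address": "116.228.60.158/32",
              "destination-address": "59.46.184.114/32",
              "protocol": "tcp", "destination-port": 22},
     "then": "accept"},
    {"name": "Deny_ANY",
     "from": {"destination-address": "59.46.184.114/32",
              "protocol": "tcp", "destination-port": 22},
     "then": "discard"},
    {"name": "Permit_ANY", "from": {}, "then": "accept"},
]


def term_matches(term, pkt):
    """Every 'from' condition must hold; an empty 'from' matches any packet."""
    cond = term["from"]
    if "source-address" in cond and \
            ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(cond["source-address"]):
        return False
    if "destination-address" in cond and \
            ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(cond["destination-address"]):
        return False
    if "protocol" in cond and pkt["proto"] != cond["protocol"]:
        return False
    if "destination-port" in cond and pkt.get("dport") != cond["destination-port"]:
        return False
    return True


def evaluate(terms, pkt):
    """Return (term name, action); no match means the filter's implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return "<implicit>", "discard"


def with_deny_first(terms):
    """Mistake 1: the deny term placed above the permit term."""
    by_name = {t["name"]: t for t in terms}
    return [by_name["Deny_ANY"], by_name["Permit_IP"], by_name["Permit_ANY"]]


def without_final_accept(terms):
    """Mistake 2: no final accept term, so the implicit discard catches all transit traffic."""
    return [t for t in terms if t["name"] != "Permit_ANY"]


# Constructed packets: the management host's SSH, a stranger's SSH, and an IKE packet.
MGMT_SSH = {"src": "116.228.60.158", "dst": "59.46.184.114", "proto": "tcp", "dport": 22}
OTHER_SSH = {"src": "203.0.113.9", "dst": "59.46.184.114", "proto": "tcp", "dport": 22}
IKE = {"src": "203.0.113.9", "dst": "59.46.184.114", "proto": "udp", "dport": 500}

if __name__ == "__main__":
    for label, pkt in [("mgmt ssh", MGMT_SSH), ("other ssh", OTHER_SSH), ("ike", IKE)]:
        print(label,
              "as written:", evaluate(OUTSIDE_ACCESS_IN, pkt),
              "deny first:", evaluate(with_deny_first(OUTSIDE_ACCESS_IN), pkt),
              "no final accept:", evaluate(without_final_accept(OUTSIDE_ACCESS_IN), pkt))
```

With the terms as written, the management host is accepted by Permit_IP, any other SSH source is discarded by Deny_ANY, and the IKE packet falls through to Permit_ANY. With Deny_ANY first the management host is discarded as well (note ①); without Permit_ANY the IKE packet, and every other transit packet, hits the implicit discard (note ②).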
3.20 Configuration rollback
※ List committed configurations
srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button
※ Roll back (rollback 0 discards uncommitted changes; rollback N loads commit N)
srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command
Rolling back only loads the chosen configuration into the candidate; it takes effect only after a commit.
3.21 Applying UTM in a policy
※ Reference the UTM policy from the security policy
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy
3.22 Fixing slow network access
srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check
Note: no-sequence-check switches off TCP sequence-number validation for every session, which removes the protection against injected or out-of-window segments. Apply it only after confirming from the flow statistics that sequence-check drops are really the cause, and remove it again once the upstream problem (usually asymmetric routing or a broken middlebox) is fixed.
Section 4  VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route-based
*** Using a predefined proposal set (standard or compatible) ***
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
*** create st0.0 ***
srx_admin# set security zones security-zone untrust interfaces st0.0
*** place the tunnel interface st0.0 in the untrust zone ***
※ Route to the remote LAN through the tunnel
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ Phase 1 (IKE) policy
srx_admin# set security ike policy lead mode main
*** negotiation mode: main or aggressive ***
srx_admin# set security ike policy lead proposal-set standard
*** proposal set: standard or compatible ***
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123
*** pre-shared key ***
※ Phase 1 (IKE) gateway
srx_admin# set security ike gateway gw1 ike-policy lead
*** reference the IKE policy ***
srx_admin# set security ike gateway gw1 address 116.228.60.158
*** remote gateway address ***
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0
*** VPN egress interface ***
Note: on a PPPoE uplink the external interface must be the PPP interface:
srx_admin# set security ike gateway gw1 external-interface pp0.0
※ Phase 2 (IPsec)
srx_admin# set security ipsec policy abc proposal-set standard
*** proposal set: standard or compatible ***
srx_admin# set security ipsec vpn test bind-interface st0.0
*** bind the VPN to the tunnel interface ***
srx_admin# set security ipsec vpn test ike gateway gw1
*** reference the gateway ***
srx_admin# set security ipsec vpn test ike ipsec-policy abc
*** reference the IPsec policy ***
srx_admin# set security ipsec vpn test establish-tunnels immediately
*** negotiate immediately instead of waiting for traffic ***
※ Allow IKE on the WAN interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policies in both directions
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
Note: because st0.0 sits in the untrust zone, this any/any policy from untrust to trust also permits any Internet traffic that reaches a trust address (for example through the destination NAT of 3.15). Putting st0.0 in a dedicated zone, or restricting the policies to the two LAN prefixes, keeps VPN and Internet policies apart.
*** Using explicit (custom) proposals ***
※ Create the tunnel interface
srx_admin# set interfaces st0 unit 0 family inet
*** create st0.0 ***
srx_admin# set security zones security-zone untrust interfaces st0.0
*** place the tunnel interface st0.0 in the untrust zone ***
※ Route to the remote LAN through the tunnel
srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0
※ Phase 1 (IKE)
※※ Proposal
srx_admin# set security ike proposal vpn1-proposal authentication-method pre-shared-keys
*** pre-shared-key authentication ***
srx_admin# set security ike proposal vpn1-proposal dh-group group2
*** DH group 2 ***
srx_admin# set security ike proposal vpn1-proposal authentication-algorithm md5
*** MD5 integrity ***
srx_admin# set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy
srx_admin# set security ike policy vpn1-ike-policy mode main
*** negotiation mode: main or aggressive ***
srx_admin# set security ike policy vpn1-ike-policy proposals vpn1-proposal
*** reference the IKE proposal ***
srx_admin# set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123
*** pre-shared key ***
※※ Gateway
srx_admin# set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy
*** reference the IKE policy ***
srx_admin# set security ike gateway vpn1-gateway address 116.228.60.158
*** remote gateway address ***
srx_admin# set security ike gateway vpn1-gateway external-interface fe-0/0/0.0
*** egress interface ***
※ Phase 2 (IPsec)
※※ Proposal
srx_admin# set security ipsec proposal vpn2-ipsec-proposal protocol esp
*** ESP ***
srx_admin# set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96
*** MD5 integrity ***
srx_admin# set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy
srx_admin# set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2
*** enable PFS with DH group 2 ***
srx_admin# set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal
*** reference the IPsec proposal ***
※※ VPN
srx_admin# set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0
*** bind the VPN to the tunnel interface ***
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway
*** reference the phase 1 gateway ***
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy
*** reference the phase 2 IPsec policy ***
srx_admin# set security ipsec vpn vpn2-ipsec-vpn establish-tunnels immediately
*** build the tunnel immediately ***
※ Allow IKE on the WAN interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policies in both directions
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit
untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit
Note: the algorithms in this example (MD5, 3DES, DH group 2) are the ones the original manual used and are legacy today. When both peers support them, use aes-256-cbc, sha-256 and dh-group group14 in the IKE proposal, and aes-256-cbc with hmac-sha-256-128 in the IPsec proposal, with the same commands; the proposals must match on both ends.
4.1.2 Policy-based
※ Define the local and remote LAN prefixes in the address books of their zones
srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24
*** local LAN ***
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24
*** remote LAN ***
※ Phase 1 (IKE)
※※ Proposal
srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
*** pre-shared-key authentication ***
srx_admin# set security ike proposal ike-phase1-proposal dh-group group2
*** DH group 2 ***
srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5
*** MD5 integrity ***
srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy
srx_admin# set security ike policy ike-phase1-policy mode main
*** negotiation mode: main or aggressive ***
srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal
*** reference the IKE proposal ***
srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123
*** pre-shared key ***
※※ Gateway
srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy
*** reference the IKE policy ***
srx_admin# set security ike gateway gw-chica address 116.228.60.157
*** remote gateway address ***
srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0
*** egress interface ***
※ Phase 2 (IPsec)
※※ Proposal
srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp
*** ESP ***
srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
*** MD5 integrity ***
srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
*** 3DES encryption ***
※※ Policy
srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
*** reference the IPsec proposal ***
※※ VPN
srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica
*** reference the phase 1 gateway ***
srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy
*** reference the IPsec policy ***
srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic
*** negotiate the tunnel when matching traffic appears ***
※ Allow IKE on the WAN interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ VPN policies (the tunnel action sends matching traffic into the VPN)
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close
※ Internet policy
trust -> untrust
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit
Note: policies are evaluated in order, so vpn-tr-untr must stay above permit-any; otherwise traffic for the remote LAN matches permit-any first, is treated as ordinary Internet traffic and never enters the tunnel.
untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica
Note: to log this policy as well:
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close
4.2 Remote-access VPN
4.2.1 SRX-side configuration
※ Phase 1 IKE policy
srx_admin# set security ike policy remote-vpn-policy mode aggressive
srx_admin# set security ike policy remote-vpn-policy proposal-set compatible
srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123
*** aggressive mode is required here because the clients' addresses are not known in advance (they identify themselves by hostname). With a pre-shared key it hands a PSK hash to any peer that starts a negotiation, so use a long random key and keep the XAuth step below. ***
※ Phase 1 IKE gateway
srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy
srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper
srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10
srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauth-srx
※ Phase 2 IPsec policy
srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible
※ Phase 2 IPsec VPN
srx_admin# set security ipsec vpn remote-vpn ike gateway remote-vpn-gateway
srx_admin# set security ipsec vpn remote-vpn ike ipsec-policy remote-vpn-ipsec-policy
srx_admin# set security ipsec vpn remote-vpn establish-tunnels immediately
※ Address pool for remote users
srx_admin# set access address-pool DHCPPOOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCPPOOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCPPOOL primary-dns 8.8.8.8
Note: the pool must be a subnet different from the internal LAN; overlapping addresses cause routing problems.
※ Create the remote-user authentication profile (XAuth)
srx_admin# set access profile xauth-srx authentication-order password
srx_admin# set access profile xauth-srx client L2TP_USER_MA firewall-user password 123456
※ Allow IKE on the WAN interface
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
※ Policy untrust -> trust
srx_admin# set security policies from-zone untrust to-zone trust policy dial-vpn match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy dial-vpn match destination-address network
*** "network" is an address-book entry for the internal LAN that must be defined in the trust zone ***
srx_admin# set security policies from-zone untrust to-zone trust policy dial-vpn match application any
srx_admin# set security policies from-zone untrust to-zone trust policy dial-vpn then permit tunnel ipsec-vpn remote-vpn
srx_admin# set security policies from-zone untrust to-zone trust policy dial-vpn then log session-init
srx_admin# set security policies from-zone untrust to-zone trust policy dial-vpn then log session-close
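The VPN examples in 4.1.1 (custom proposals), 4.1.2 and 4.2.1 all rely on MD5, 3DES, DH group 2, the predefined "compatible" proposal set, aggressive mode and a single shared IKE ID. The script below is an added example, not code from the manual or from Juniper: it scans a configuration in "set" format (the form that "show configuration | display set" prints on Junos) and reports each of those choices with the replacement to use instead. SAMPLE_CONFIG is transcribed from the 4.1.1 custom-proposal and 4.2.1 remote-access examples; the regular expressions and messages are this example's own, not a Juniper tool.

```python
"""Audit of the IKE/IPsec choices in section 4 of this manual (added
example, not from the manual or from Juniper).

Scans 'set' lines and flags: MD5/SHA-1 integrity, DES/3DES encryption, DH
groups below 2048 bits, aggressive mode, the 'compatible'/'basic' proposal
sets, and a shared IKE ID for all remote users.
"""
import re

SAMPLE_CONFIG = """\
set security ike proposal vpn1-proposal dh-group group2
set security ike proposal vpn1-proposal authentication-algorithm md5
set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc
set security ike policy vpn1-ike-policy mode main
set security ike policy vpn1-ike-policy proposals vpn1-proposal
set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2
set security ike policy remote-vpn-policy mode aggressive
set security ike policy remote-vpn-policy proposal-set compatible
set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible
"""

# (pattern, message). Group 1 is the object name, group 2 the offending value.
CHECKS = [
    (r"ike proposal (\S+) dh-group (group[125])\b",
     "IKE proposal {0}: {1} is below 2048 bits; use group14 or higher"),
    (r"ike proposal (\S+) authentication-algorithm (md5|sha1)\b",
     "IKE proposal {0}: {1} integrity; use sha-256"),
    (r"ike proposal (\S+) encryption-algorithm (des-cbc|3des-cbc)\b",
     "IKE proposal {0}: {1} encryption; use aes-256-cbc"),
    (r"ike policy (\S+) mode (aggressive)\b",
     "IKE policy {0}: {1} mode lets an unauthenticated peer collect a PSK hash for offline guessing; use main mode"),
    (r"ike policy (\S+) proposal-set (compatible|basic)\b",
     "IKE policy {0}: proposal-set {1} offers DES/3DES with MD5/SHA-1; use an explicit proposal"),
    (r"ike gateway (\S+) dynamic ike-user-type (shared-ike-id)\b",
     "IKE gateway {0}: {1} means one PSK for every remote user; use per-user IDs or certificates"),
    (r"ipsec proposal (\S+) authentication-algorithm (hmac-md5-96|hmac-sha1-96)\b",
     "IPsec proposal {0}: {1} integrity; use hmac-sha-256-128"),
    (r"ipsec proposal (\S+) encryption-algorithm (des-cbc|3des-cbc)\b",
     "IPsec proposal {0}: {1} encryption; use aes-256-cbc"),
    (r"ipsec policy (\S+) perfect-forward-secrecy keys (group[125])\b",
     "IPsec policy {0}: PFS with {1} is below 2048 bits; use group14 or higher"),
    (r"ipsec policy (\S+) proposal-set (compatible|basic)\b",
     "IPsec policy {0}: proposal-set {1} offers DES/3DES with MD5/SHA-1; use an explicit proposal"),
]


def audit(config_text):
    """Return [(line number, message)] for every set line that trips a check."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        line = line.strip()
        if not line.startswith("set security "):
            continue
        for pattern, message in CHECKS:
            m = re.search(pattern, line)
            if m:
                findings.append((lineno, message.format(m.group(1), m.group(2))))
                break                      # one finding per line
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_CONFIG):
        print("line %2d: %s" % (lineno, message))
```

Run against SAMPLE_CONFIG it reports ten findings; the two lines it leaves alone are "mode main" and the proposal reference, which are fine as they stand. Feed it the output of "show configuration | display set" from a real device to check all VPNs at once.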
4.2.2 Client configuration