我一直试图在 Juniper SRX1400 上设置客户端 VPN,但没有成功。我从 Juniper 和其他地方找到的所有文档都做了很多其他(困难和美妙的)事情,而不是我想要做的简单事情。我们已经有一个在 CISCO PIX 硬件上运行的 VPN,我们需要停止使用,我们非常想复制它的功能,即:1) 客户端向 SRX1400 的外部接口发出请求,2) 客户端获得身份验证,3) 如果成功,则客户端被分配所有常见的 DHCP 内容并成为网络的一部分。这个 DHCP 分配的网络具有哪些权限,当然应该可以使用常见的路由/过滤方法来配置。
我对 SRX 的要求是不是太高了?我是否应该放弃使用 SRX 的 VPN,转而使用 OpenVPN 解决方案?我之前也使用过 OpenVPN,它的配置、功能和特性让我很惊讶。
答案1
您正在寻找的功能在 Juniper 的术语中称为动态 VPN(Dynamic VPN)。您所指的型号(SRX1400)是数据中心级别的第一款高端型号,这类型号不支持动态 VPN。
尽管如此,你仍然可以使用 Shrew(Shrew Soft VPN),这是一个免费的 VPN 客户端。
以下是在 Junos 10.4 上配合 Shrew 客户端使用的示例配置:
/* Lab example for Junos 10.4: a dynamic-peer IKEv1 gateway (aggressive mode, shared IKE ID, XAuth against a local access profile) feeding a policy-based VPN from untrust into trust. */
/* The two "inactive:" RemoteVPN stanzas below are deactivated and take no effect; the live path is t400-ike-policy -> t400-ike-gw -> t400-vpn -> policy RemoteVPN. */
## Last changed: 2011-01-17 21:14:39 MST
version 10.4R1.9;
system {
login {
user admin {
uid 2002;
class super-user;
}
}
services {
ssh;
/* telnet and plain http are cleartext management protocols. Every zone below uses "system-services all", so these listeners are reachable from the untrust side on ge-0/0/1.0 as well. */
telnet;
web-management {
http;
}
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
/* traffic-log matches RT_FLOW session messages, including the session-init/session-close logs enabled in policy RemoteVPN below. */
file traffic-log {
any any;
match RT_FLOW;
}
}
}
/* ge-0/0/0 = trust (10.4.4.0/24); ge-0/0/1 = untrust and the VPN external interface (4.4.4.1/24 is presumably a lab stand-in); fe-0/0/7 = corp zone. Zone membership is set under security zones below. */
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.4.4.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 4.4.4.1/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 192.168.180.39/24;
}
}
}
}
security {
ike {
/* Phase 1 proposal shared by both IKE policies. md5, 3des-cbc and dh-group2 are legacy algorithms, presumably kept for compatibility with the 2011-era client; prefer stronger hash, cipher and DH group wherever the client supports them. */
proposal RemoteVPNPolicy1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
policy RemoteVPNIKE {
/* Aggressive mode with a pre-shared key exchanges the identity unprotected and exposes a PSK-derived hash to an on-path observer, so the PSK must be strong. It is typically what dynamic-address clients with a shared ID need; main mode is preferable where the client allows it. */
mode aggressive;
proposals RemoteVPNPolicy1;
/* "$9$..." is Junos reversible obfuscation, not a hash: any secret published in this form (here, in t400-ike-policy, and the XAuth password under access below) must be treated as disclosed and rotated. */
pre-shared-key ascii-text "$9$ywMeMXVwgUjq7-jqmfn6revW7-"; # SECRET-DATA
}
policy t400-ike-policy {
mode aggressive;
proposals RemoteVPNPolicy1;
pre-shared-key ascii-text "$9$IcPhyKX7V4aUM8aUjH5TRhSrM8"; # SECRET-DATA
}
/* Deactivated: not part of the committed behaviour. */
inactive: gateway RemoteVPN {
ike-policy RemoteVPNIKE;
dynamic user-at-hostname "[email protected]";
external-interface ge-0/0/1.0;
}
/* The active gateway. */
gateway t400-ike-gw {
ike-policy t400-ike-policy;
dynamic {
/* IKE identity expected from clients (shown redacted on this page as "[email protected]"); the client's remote-ID setting must carry the same value. */
user-at-hostname "[email protected]";
/* shared-ike-id: every client presents the same IKE ID and PSK, capped at 50 concurrent connections. Per-user authentication therefore rests entirely on XAuth (access-profile t400-access, below). */
connections-limit 50;
ike-user-type shared-ike-id;
}
external-interface ge-0/0/1.0;
xauth access-profile t400-access;
}
}
ipsec {
/* Phase 2 proposal: ESP with hmac-md5-96 and 3des-cbc, again legacy choices. No lifetime or PFS settings appear here, so the platform defaults presumably apply (not visible in this listing). */
proposal RemoteVPNIPSec {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
}
policy RemoteVPNIPSec {
proposals RemoteVPNIPSec;
}
policy t400-ipsec-policy {
proposals RemoteVPNIPSec;
}
/* Deactivated, as is its gateway above. */
inactive: vpn RemoteVPN {
ike {
gateway RemoteVPN;
ipsec-policy RemoteVPNIPSec;
}
establish-tunnels on-traffic;
}
/* The active VPN object referenced by policy RemoteVPN below. */
vpn t400-vpn {
ike {
gateway t400-ike-gw;
ipsec-policy t400-ipsec-policy;
}
}
}
/* All three zones allow every system service inbound ("all"). On untrust this exposes ssh/telnet/http from the external side; a remote-access gateway only needs ike (plus whatever management is deliberately permitted) on ge-0/0/1.0. */
zones {
security-zone corp {
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust {
address-book {
address hq-net-10-4-4 10.4.4.0/24;
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
}
policies {
from-zone untrust to-zone trust {
/* Policy-based VPN: traffic arriving from untrust for 10.4.4.0/24 is permitted only through tunnel t400-vpn, with session logging and a hit counter. source-address and application are "any", so VPN users are constrained by destination only. No trust->untrust pair-policy is shown; if internal hosts must initiate toward VPN clients, one would be required — confirm against the full configuration. */
policy RemoteVPN {
match {
source-address any;
destination-address hq-net-10-4-4;
application any;
}
then {
permit {
tunnel {
ipsec-vpn t400-vpn;
}
}
log {
session-init;
session-close;
}
count;
}
}
}
}
}
access {
/* NOTE(review): "mask 55.255.255.0" is not a valid netmask (presumably 255.255.255.0) and is likely rejected at commit; this pool is also not referenced by the access profile, which uses t400-assign-pool instead. */
address-pool t400-pool {
address-range low 192.168.40.200 high 192.168.40.250 mask 55.255.255.0;
primary-dns 10.4.4.75;
}
/* XAuth profile used by gateway t400-ike-gw: local password authentication only (no RADIUS/LDAP shown), a single firewall-user "joe" with a $9$-obfuscated password (treat as disclosed). Client addresses come from t400-assign-pool. */
profile t400-access {
authentication-order password;
client joe {
firewall-user {
password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
}
}
address-assignment {
pool t400-assign-pool;
}
}
/* Client address pool: 192.168.40.101-149 out of 192.168.40.0/24, a subnet separate from trust, so routing/filtering for VPN users can be applied per subnet. */
/* NOTE(review): primary-dns here is 10.4.4.85, while the unused t400-pool above says 10.4.4.75 — confirm which resolver is intended. */
address-assignment {
pool t400-assign-pool {
family inet {
network 192.168.40.0/24;
range t400-range {
low 192.168.40.101;
high 192.168.40.149;
}
xauth-attributes {
primary-dns 10.4.4.85/32;
}
}
}
}
}