IPsec-based dynamic VPN
Users on the outside (untrust) dial into the SRX firewall to get secure remote-access VPN from untrust into the trust-side internal segment 192.168.2.0/24; the DMZ is not involved in this case.
Step 1: Configure the user authentication profile
set access profile ra-users authentication-order password
set access profile ra-users client user1 firewall-user password user1
set access profile ra-users client user2 firewall-user password user2
set access firewall-authentication web-authentication default-profile ra-users
Step 2: Configure the IKE proposal
set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc
Step 3: Configure the IKE policy
set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123
Step 4: Configure the IKE gateway
set security ike gateway ra-gw ike-policy ra-policy
set security ike gateway ra-gw dynamic hostname freeit.com.cn
set security ike gateway ra-gw dynamic connections-limit 40
set security ike gateway ra-gw external-interface ge-0/0/1.0
set security ike gateway ra-gw xauth access-profile ra-users
Step 5: Configure the IPsec proposal
set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc
Step 6: Configure the IPsec policy
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro
Step 7: Configure the IPsec VPN
set security ipsec vpn ra-vpn ike gateway ra-gw
set security ipsec vpn ra-vpn ike ipsec-policy ra-ipsec-policy
Step 8: Configure the dynamic VPN
set security dynamic-vpn access-profile ra-users
set security dynamic-vpn clients client1 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client1 ipsec-vpn ra-vpn
set security dynamic-vpn clients client1 user user1
set security dynamic-vpn clients client2 remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients client2 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client2 ipsec-vpn ra-vpn
set security dynamic-vpn clients client2 user user2
Step 9: Configure the security policy that maps the VPN to the dynamic-VPN users
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match source-address any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match destination-address trust_172.16.1.0
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn ra-vpn
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-init
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then log session-close
Step 10: The client connects through a web browser (IE) to:
https://192.168.114.190/dynamic-vpn (web access is only needed the first time; afterwards, connect through the downloaded client)
After entering valid user credentials, you are prompted to download and install the client.
Once the installation completes you can dial into the VPN; later connections go directly through the downloaded plug-in.
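The configuration above is a chain of references: a dynamic-vpn client points at an ipsec vpn, which points at an ike gateway and an ipsec policy, which in turn point at an ike policy and the proposals. The following Python is an added example, not code from the original post: it parses Junos `set` statements in the format used above into a tree, follows that chain for every dynamic-VPN user, and reports which of the effective settings fall into this example's own `WEAK` table (md5, 3des-cbc, group2 and aggressive mode, as configured in this lab). The sample configuration is the post's crypto-relevant lines restated with the spacing repaired; the `WEAK` thresholds are the example's assumption, not a Junos setting.

```python
"""Resolve each dynamic-VPN user's effective IKE/IPsec settings from Junos 'set'
commands and flag weak choices.  Added example, not code from the original post;
the WEAK table (what this check treats as weak) is this example's assumption."""

# Constructed sample: the crypto-relevant lines of the post's configuration,
# with the collapsed spacing repaired.
SAMPLE_CONFIG = """
set security ike proposal ra-pro authentication-method pre-shared-keys
set security ike proposal ra-pro dh-group group2
set security ike proposal ra-pro authentication-algorithm md5
set security ike proposal ra-pro encryption-algorithm 3des-cbc
set security ike policy ra-policy mode aggressive
set security ike policy ra-policy proposals ra-pro
set security ike policy ra-policy pre-shared-key ascii-text freeit123
set security ike gateway ra-gw ike-policy ra-policy
set security ike gateway ra-gw dynamic hostname freeit.com.cn
set security ike gateway ra-gw xauth access-profile ra-users
set security ipsec proposal ra-ipsec-pro protocol esp
set security ipsec proposal ra-ipsec-pro authentication-algorithm hmac-md5-96
set security ipsec proposal ra-ipsec-pro encryption-algorithm 3des-cbc
set security ipsec policy ra-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ra-ipsec-policy proposals ra-ipsec-pro
set security ipsec vpn ra-vpn ike gateway ra-gw
set security ipsec vpn ra-vpn ike ipsec-policy ra-ipsec-policy
set security dynamic-vpn access-profile ra-users
set security dynamic-vpn clients client1 ipsec-vpn ra-vpn
set security dynamic-vpn clients client1 user user1
set security dynamic-vpn clients client2 ipsec-vpn ra-vpn
set security dynamic-vpn clients client2 user user2
"""

# Values this check reports (example policy, not a Junos setting).
WEAK = {
    "authentication-algorithm": {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh-group": {"group1", "group2", "group5"},
    # Aggressive mode sends the IKE identities unprotected.  IKEv1 with a
    # pre-shared key and dynamically addressed peers generally needs it, so
    # the compensating control is a strong PSK or certificate authentication.
    "mode": {"aggressive"},
}


def parse_set_config(text):
    """Build a nested dict from 'set ...' lines.  Intermediate words become
    dict keys; the last word is appended to a list under the second-to-last
    word, so repeated statements (e.g. several 'proposals') accumulate."""
    tree = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "set":
            continue
        node = tree
        for word in words[1:-2]:
            node = node.setdefault(word, {})
        node.setdefault(words[-2], []).append(words[-1])
    return tree


def resolve_user_crypto(tree):
    """Follow dynamic-vpn client -> ipsec vpn -> ike gateway -> ike policy ->
    proposals and return, per user, the effective settings and the weak ones."""
    sec = tree["security"]
    report = {}
    for client, cfg in sec["dynamic-vpn"]["clients"].items():
        vpn = sec["ipsec"]["vpn"][cfg["ipsec-vpn"][0]]
        gateway = sec["ike"]["gateway"][vpn["ike"]["gateway"][0]]
        ike_policy = sec["ike"]["policy"][gateway["ike-policy"][0]]
        ipsec_policy = sec["ipsec"]["policy"][vpn["ike"]["ipsec-policy"][0]]
        # Junos defaults the IKE policy to main mode when 'mode' is not set.
        effective = {"ike mode": ike_policy.get("mode", ["main"])[0]}
        for name in ike_policy["proposals"]:
            for attr, values in sec["ike"]["proposal"][name].items():
                effective["ike " + attr] = values[0]
        for name in ipsec_policy["proposals"]:
            for attr, values in sec["ipsec"]["proposal"][name].items():
                effective["ipsec " + attr] = values[0]
        pfs = ipsec_policy.get("perfect-forward-secrecy")
        if pfs:
            effective["ipsec dh-group"] = pfs["keys"][0]
        weak = sorted(key for key, value in effective.items()
                      if value in WEAK.get(key.split(" ", 1)[1], ()))
        for user in cfg["user"]:
            report[user] = {"client": client, "effective": effective, "weak": weak}
    return report


if __name__ == "__main__":
    for user, info in resolve_user_crypto(parse_set_config(SAMPLE_CONFIG)).items():
        print(f"{user} ({info['client']}): weak = {', '.join(info['weak']) or 'none'}")
```

Run against the lab configuration, both users resolve to the same ra-vpn chain and all seven algorithm/mode settings land in the weak list; the same resolver tells you immediately which users are affected when only one of several proposals or policies is changed.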
Verify the result:
root@freeit_SRX# run show security dynamic-vpn users detail
User: NULL , Usergroup: NULL , Number of connections: 0
Remote IP: 20.114.168.192
IKE ID : NULL
IKE Lifetime: 0
IPSEC Lifetime: 0
Status: CONNECTED
root@freeit_SRX# run show security dynamic-vpn client version
Junos Pulse 2.0.3.11013
root@freeit_SRX# run show security ike active-peer
Remote Address Port Peer IKE-ID XAUTH username Assigned IP
192.168.114.20 54820 freeit.com.cn user1
root@freeit_SRX# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5293799 UP bff633e93801d22a 6821a6391ef46a44 Aggressive 192.168.114.20
root@freeit_SRX# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<268173315 ESP:3des/md5 39226897 3150/ 500000 - root 500 192.168.114.20
>268173315 ESP:3des/md5 9a7ad7bb 3150/ 500000 - root 500 192.168.114.20
root@freeit_SRX# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 1792
Decrypted bytes: 960
Encrypted packets: 16
Decrypted packets: 16
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
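The `show security ipsec statistics` counters are what to watch once the tunnel is up. The following Python is an added example, not from the original post: it parses that output into per-section counters, flags any non-zero error counter and one-way traffic (packets encrypted but none decrypted), and computes the growth between two polls, because the counters are cumulative and only growth means something is happening now. `SAMPLE_OUTPUT` is constructed from the output above with its spacing restored; `SAMPLE_LATER` is a constructed second poll that reports three replay errors.

```python
"""Parse Junos 'show security ipsec statistics' output and flag trouble.
Added example, not from the original post; the alert rules are assumptions."""
import re

# Constructed from the post's output (spacing restored).
SAMPLE_OUTPUT = """\
ESP Statistics:
  Encrypted bytes:            1792
  Decrypted bytes:             960
  Encrypted packets:            16
  Decrypted packets:            16
AH Statistics:
  Input bytes:                   0
  Output bytes:                  0
  Input packets:                 0
  Output packets:                0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# Constructed second poll of the same tunnel, now reporting replay errors.
SAMPLE_LATER = SAMPLE_OUTPUT.replace("Replay errors: 0", "Replay errors: 3")

# "<name>: <integer>" pairs; several may share one line in the Errors block.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")


def parse_ipsec_statistics(text):
    """Return {section: {counter: int}} for ESP Statistics, AH Statistics, Errors."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            section = line[:-1]          # a header such as 'ESP Statistics:'
            stats[section] = {}
            continue
        if section is None:
            continue                     # ignore anything before the first header
        for name, value in COUNTER_RE.findall(line):
            stats[section][name.strip()] = int(value)
    return stats


def ipsec_health(stats):
    """Findings from one snapshot: any non-zero error counter, and a tunnel
    that encrypts but never decrypts (traffic leaves, nothing comes back)."""
    findings = [f"{name}={value}"
                for name, value in stats.get("Errors", {}).items() if value]
    esp = stats.get("ESP Statistics", {})
    if esp.get("Encrypted packets", 0) and not esp.get("Decrypted packets", 0):
        findings.append("one-way traffic: packets encrypted but none decrypted")
    return findings


def error_delta(previous, current):
    """Counters are cumulative, so alert on growth between polls, not on totals."""
    before = previous.get("Errors", {})
    return {name: value - before.get(name, 0)
            for name, value in current.get("Errors", {}).items()
            if value - before.get(name, 0) > 0}


if __name__ == "__main__":
    first = parse_ipsec_statistics(SAMPLE_OUTPUT)
    second = parse_ipsec_statistics(SAMPLE_LATER)
    print("snapshot 1:", ipsec_health(first) or "healthy")
    print("snapshot 2:", ipsec_health(second))
    print("growth between polls:", error_delta(first, second))
```

Replay errors that grow between polls on a tunnel whose encrypted and decrypted packet counts also grow point at packet reordering or a duplicated/replayed stream; authentication or decryption failures that grow point at a proposal or key mismatch, and the matching IKE and IPsec SA output above is the next thing to check.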