Juniper SRX Standard Configuration

############## File sourced from the Internet ##############

Section 1  System Configuration

1.1 Device initialization

1.1.1 Login

For the first login, connect to the SRX through the console port and log in as root; the password is empty.

login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli                   /*** enter operational mode ***/
root>
root> configure
Entering configuration mode      /*** enter configuration mode ***/
[edit]
root#

1.1.2 Set the root password

(The root account password must be configured; otherwise none of the subsequent configuration or changes can be committed.)

root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123

The password is stored and displayed as ciphertext:

root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA

Note: it is strongly recommended not to use the other encryption option (the encrypted-password statement) for the root password or other user passwords. That statement expects a string that has already been encrypted with the hashing algorithm; when such a string is typed in by hand there is a risk that the password will not validate.

Note: the root user is intended only for local management of the SRX over the console and cannot be used to manage the SRX over a remote login. Only after the root password has been set successfully can subsequent configuration commands be committed with commit.

1.1.3 Set a remote management user

root# set system login user lab class super-user authentication plain-text-password
New password: srx123
Retype new password: srx123

Note: the user created here (lab) has super-user privileges and can be used for both console and remote management access; other users with different management privileges can be defined as needed.

1.2 System management

1.2.1 Time zone

srx_admin# set system time-zone Asia/Shanghai   /*** Asia/Shanghai ***/

1.2.2 System time

1.2.2.1 Set the time manually

srx_admin> set date 201511201537.00

srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
 3:37PM  up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14

1.2.2.2 One-off NTP synchronization

srx_admin> set date ntp 202.120.2.101
 8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec

1.2.2.3 NTP server

srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz
/*** NTP servers for the SRX itself; the device must have network access to resolve the NTP hostname, otherwise the command cannot be entered ***/

srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)",
processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db  Sun, Feb  8 2015  7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000

srx_admin@holy-shit> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dns.sjtu.edu.cn 15.179.156.248   3 -   16   64    1    5.473   -0.953   0.008
 202.100.102.1   .INIT.          16 -    -   64    0    0.000    0.000 4000.00

1.2.3 DNS server

srx_admin# set system name-server 202.96.209.5   /*** DNS server for the SRX itself ***/

1.2.4 System reboot

1.2.4.1 Reboot the system

srx_admin> request system reboot

1.2.4.2 Power off the system

srx_admin> request system power-off

1.2.5 Alarm handling

1.2.5.1 View alarms

root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set

1.2.5.2 Clear the alarms

Alarm 1:

root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

Alarm 2:

root> request system configuration rescue save

1.2.6 Root password reset

If the SRX root password is lost and there is no other account with super-user privileges, root password recovery has to be performed. The procedure interrupts normal operation of the device but does not lose the configuration. The steps are as follows:

1. Reboot the firewall. When the prompt below appears in the terminal (SecureCRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s

Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]

Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s

2. Perform the password recovery: type recovery at the prompt below; the device then restarts automatically.

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

3. Enter configuration mode, delete the old root password, set a new root password, commit, and reboot.

root> configure
Entering configuration mode

[edit]
root# delete system root-authentication

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

root> request system reboot
Reboot the system ? [yes,no] (no) yes

Section 2  Network Settings

2.1 Interface

2.1.1 PPPoE

Configure PPPoE encapsulation on the external interface (fe-0/0/0):

srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

CHAP authentication:

srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890   /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163          /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive                          /*** passive mode ***/

PAP authentication:

srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890   /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163       /*** PPPoE account ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890     /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive                       /*** passive mode ***/

Bind the PPP interface to the physical interface:

srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0   /*** dial PPPoE over the external interface (fe-0/0/0) ***/

PPPoE dial-up attributes:

srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0        /*** idle timeout ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3      /*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client                /*** act as a PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492                /*** set the MTU of this interface to 1492, because the PPPoE header adds some overhead ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address       /*** negotiate the address, i.e. the server assigns a dynamic address ***/

Default route:

srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0

Place the PPPoE interface in the untrust zone:

srx_admin# set security zones security-zone untrust interfaces pp0.0

Verify that the PPPoE session is up and an IP address has been obtained:

srx_admin# run show interfaces terse | match pp
pp0                     up    up
pp0.0                   up    up   inet     192.168.163.1       --> 1.1.1.1
ppd0                    up    up
ppe0                    up    up

Note:

After PPPoE dial-up succeeds, adjust the MTU so that browsing performs at its best (an unsuitable MTU makes browsing sluggish):

srx_admin# set interfaces pp0 unit 0 family inet mtu 1304    /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1304       /*** adjust the TCP MSS ***/

2.1.2 Manual (static address)

srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29

2.1.3 DHCP

※ Enable a DHCP address pool

srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1                 /*** DHCP gateway ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2      /*** first address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254   /*** last address of the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000           /*** DHCP lease time ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name leadsystems.com.cn     /*** DHCP domain name ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133         /*** DNS handed out by DHCP ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0                              /*** interface whose DHCP settings are propagated ***/

Configure the internal interface address:

srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24

※ Allow the DHCP service on the internal interface

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

2.2 Routing

Static routes

srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153   /*** default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0        /*** route for the route-based VPN ***/

2.3 SNMP

srx_admin# set snmp community Ajitec authorization read-only/read-write   /*** SNMP access level: choose read-only or read-write ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32                 /*** SNMP monitoring host ***/

Section 3  Advanced Settings

3.1.1 Change the service ports

srx_admin# set system services web-management http port 8000    /*** change the HTTP management port ***/
srx_admin# set system services web-management https port 1443   /*** change the HTTPS management port ***/

3.1.2 Check the hardware serial number

srx# run show chassis hardware
Hardware inventory:
Item            Version  Part number  Serial number      Description
Chassis                               BZ2615AF0491     SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491      RE-SRX100H2
FPC 0                                FPC
PIC 0                                 8x FE Base PIC
Power Supply 0

3.1.3 Enable services on the internal and external interfaces

Define the system services:

srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin
/*** afterwards the management page is reached at https://ip/admin; without this statement the URL redirects to the management page directly ***/

Enable services on the internal interface:

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping     /*** enable ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http     /*** enable HTTP ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet   /*** enable telnet ***/

Enable services on the external interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping     /*** enable ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet   /*** enable telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http     /*** enable HTTP ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all      /*** enable all services ***/

3.1.4 Create a custom application (service)

/*** an application holds only one protocol at its top level, so a second protocol statement would replace the first; the TCP and UDP definitions are therefore placed in separate terms ***/

srx_admin# set applications application RDP term rdp-tcp protocol tcp             /*** protocol TCP ***/
srx_admin# set applications application RDP term rdp-tcp source-port 0-65535      /*** source port ***/
srx_admin# set applications application RDP term rdp-tcp destination-port 3389    /*** destination port ***/
srx_admin# set applications application RDP term rdp-udp protocol udp             /*** protocol UDP ***/
srx_admin# set applications application RDP term rdp-udp source-port 0-65535      /*** source port ***/
srx_admin# set applications application RDP term rdp-udp destination-port 3389    /*** destination port ***/

3.1.5 VIP port mapping

Destination NAT configuration:

srx_admin# set security nat destination pool 22 address 192.168.1.20/32   /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination pool 22 address port 3389         /*** destination NAT pool: the port on the internal address ***/
srx_admin# set security nat destination rule-set 2 from zone untrust      /*** destination NAT rule: traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0                 /*** destination NAT rule: any source address ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32    /*** destination NAT rule: the public address being accessed (116.228.60.154) ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389                    /*** destination NAT rule: the port being accessed on that address ***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22                   /*** destination NAT rule: translate to the pool address ***/

Policy configuration:

srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32

3.1.6 MIP mapping

Destination NAT configuration:

srx_admin# set security nat destination pool 111 address 192.168.1.3/32   /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination rule-set 1 from zone untrust      /*** destination NAT rule: traffic arrives from the untrust zone ***/
srx_admin# set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0                 /*** destination NAT rule: any source address ***/
srx_admin# set security nat destination rule-set 1 rule 111 match destination-address 116.228.60.157/32    /*** destination NAT rule: the public address being accessed (116.228.60.157) ***/
srx_admin# set security nat destination rule-set 1 rule 111 then destination-nat pool 111                  /*** destination NAT rule: translate to the pool address ***/

Configure proxy ARP:

srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32

Policy configuration:

srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit

3.1.7 Disable the console port

juniper-srx@SRX100H2# edit system ports console    /*** enter the console port hierarchy ***/
juniper-srx@SRX100H2# set disable                /*** disable the port ***/
juniper-srx@SRX100H2# commit confirmed 3        /*** commit for 3 minutes; rolls back automatically after 3 minutes unless confirmed ***/

3.1.8 Pinging the Internet from the SRX with a source address fails by default; source NAT is required

set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

3.1.9 Set the SRX management IP

※ Refer to the services enabled on the firewall's external interface

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

※ Define a firewall filter that specifies the allowed source address and port

set firewall filter Outside_access_in term Permit_IP from source-address 116.228.60.158/32
set firewall filter Outside_access_in term Permit_IP from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept
/*** the allowed source address, destination address and port ***/

set firewall filter Outside_access_in term Deny_ANY from destination-address 59.46.184.114/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard
/*** discard SSH to the management address from every other source ***/

set firewall filter Outside_access_in term Permit_ANY then accept
/*** accept all remaining traffic ***/

※ Apply the filter on the firewall's external interface to enforce the restriction

set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in

Notes:

① When configuring the deny term, be sure to permit the remaining traffic after the denied port; otherwise the deny ends up rejecting all traffic.

② Do not configure the deny term as "all"; that would reject all traffic.
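To make the two notes concrete, here is an added Python model (not part of the original document and not Junos code) of how the Outside_access_in filter above is evaluated: terms are tried top to bottom, the first match decides, and a packet that matches no term hits the implicit discard. The helper names, the 198.51.100.7 "stranger" address and the two broken variants are constructed for this example; the management address, the permitted admin host and the IKE peer address come from the document.

```python
from ipaddress import ip_address, ip_network

# Example model of Junos stateless firewall-filter evaluation (added here;
# helper names are this example's own, not a Junos API). Only the match
# conditions used in section 3.1.9 are modelled: source/destination address,
# protocol and destination port.


def term(name, action, **match):
    """One filter term: its match conditions plus a terminating action."""
    return {"name": name, "action": action, "match": match}


def term_matches(t, pkt):
    """A term matches when every configured condition matches the packet."""
    m = t["match"]
    if "source_address" in m and ip_address(pkt["src"]) not in ip_network(m["source_address"]):
        return False
    if "destination_address" in m and ip_address(pkt["dst"]) not in ip_network(m["destination_address"]):
        return False
    if "protocol" in m and pkt["proto"] != m["protocol"]:
        return False
    if "destination_port" in m and pkt["dport"] != m["destination_port"]:
        return False
    return True


def evaluate(filter_terms, pkt):
    """First matching term wins; no match at all is the implicit discard."""
    for t in filter_terms:
        if term_matches(t, pkt):
            return t["name"], t["action"]
    return "implicit", "discard"


MGMT = "59.46.184.114/32"        # management address from section 3.1.9

# The filter exactly as configured in 3.1.9 (ssh = tcp/22).
OUTSIDE_ACCESS_IN = [
    term("Permit_IP", "accept", source_address="116.228.60.158/32",
         destination_address=MGMT, protocol="tcp", destination_port=22),
    term("Deny_ANY", "discard",
         destination_address=MGMT, protocol="tcp", destination_port=22),
    term("Permit_ANY", "accept"),
]

# Broken variant for note 1: the final Permit_ANY term was forgotten,
# so everything that is not SSH falls through to the implicit discard.
NO_FINAL_PERMIT = OUTSIDE_ACCESS_IN[:2]

# Broken variant for note 2: Deny_ANY written with no match conditions
# ("all"), which discards every packet the first term did not accept.
DENY_ALL = [OUTSIDE_ACCESS_IN[0], term("Deny_ANY", "discard"), OUTSIDE_ACCESS_IN[2]]


def pkt(src, dst, proto, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# Constructed sample packets arriving on fe-0/0/0.0.
ADMIN_SSH = pkt("116.228.60.158", "59.46.184.114", "tcp", 22)   # permitted admin host
STRANGER_SSH = pkt("198.51.100.7", "59.46.184.114", "tcp", 22)  # anyone else trying SSH
STRANGER_HTTPS = pkt("198.51.100.7", "59.46.184.114", "tcp", 443)
PEER_IKE = pkt("116.228.60.157", "59.46.184.114", "udp", 500)   # IKE from the VPN peer in 4.1.2

if __name__ == "__main__":
    variants = [("as configured", OUTSIDE_ACCESS_IN),
                ("note 1: no Permit_ANY", NO_FINAL_PERMIT),
                ("note 2: Deny_ANY is 'all'", DENY_ALL)]
    for label, f in variants:
        for p in (ADMIN_SSH, STRANGER_SSH, STRANGER_HTTPS, PEER_IKE):
            print(f"{label:28} {p['src']:>15} {p['proto']}/{p['dport']:<4} -> {evaluate(f, p)}")
```

Running it shows that only the configured filter lets the VPN peer's IKE traffic through while still limiting SSH to the admin host; both broken variants silently drop the IKE and other non-SSH traffic.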

3.2.0 Configuration rollback

※ View the committed configurations

srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button

※ Roll back the configuration ("rollback 0")

srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command

3.2.1 Applying UTM

※ Apply a UTM policy in a security policy

srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy

3.2.2 Fixing slow network access

srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check

Section 4  VPN Settings

4.1 Site-to-site IPsec VPN

4.1.1 Route-based

/*** standard or compatible mode ***/

Create the tunnel interface:

srx_admin# set interfaces st0 unit 0 family inet                         /*** create the st0.0 interface ***/
srx_admin# set security zones security-zone untrust interfaces st0.0     /*** place the tunnel interface st0.0 in the untrust zone ***/

Create the route to the peer's internal network:

srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0

VPN phase 1: IKE policy

srx_admin# set security ike policy lead mode main                            /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy lead proposal-set standard/compatible     /*** negotiated algorithm set: choose standard or compatible ***/
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123 /*** pre-shared key ***/

VPN phase 1: IKE gateway

srx_admin# set security ike gateway gw1 ike-policy lead                   /*** reference the phase 1 IKE policy ***/
srx_admin# set security ike gateway gw1 address 116.228.60.158            /*** peer gateway address ***/
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0     /*** VPN egress interface ***/

Note: when the Internet connection is PPPoE, the egress interface must be the PPP interface:

srx_admin# set security ike gateway gw1 external-interface pp0.0

VPN phase 2: IPsec

srx_admin# set security ipsec policy abc proposal-set standard/compatible   /*** negotiated algorithm set: choose standard or compatible ***/
srx_admin# set security ipsec vpn test bind-interface st0.0                 /*** bind the VPN to the tunnel interface ***/
srx_admin# set security ipsec vpn test ike gateway gw1                      /*** reference the gateway ***/
srx_admin# set security ipsec vpn test ike ipsec-policy abc                 /*** reference the IPsec policy (algorithms) ***/
srx_admin# set security ipsec vpn test establish-tunnels immediately        /*** start negotiating immediately ***/

Enable the IKE service on the external interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

Policies for traffic in both directions:

trust->untrust

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit

untrust->trust

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit

 

 

/*** custom mode ***/

Create the tunnel interface:

srx_admin# set interfaces st0 unit 0 family inet                         /*** create the st0.0 interface ***/
srx_admin# set security zones security-zone untrust interfaces st0.0     /*** place the tunnel interface st0.0 in the untrust zone ***/

Create the route to the peer's internal network:

srx_admin# set routing-options static route 172.16.1.0/24 next-hop st0.0

VPN phase 1: IKE

※※ Proposal

srx_admin# set security ike proposal vpn1-proposal authentication-method pre-shared-keys   /*** authenticate with pre-shared keys ***/
srx_admin# set security ike proposal vpn1-proposal dh-group group2                         /*** DH group 2 ***/
srx_admin# set security ike proposal vpn1-proposal authentication-algorithm md5            /*** MD5 authentication ***/
srx_admin# set security ike proposal vpn1-proposal encryption-algorithm 3des-cbc           /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ike policy vpn1-ike-policy mode main                             /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy vpn1-ike-policy proposals vpn1-proposal               /*** reference the IKE proposal ***/
srx_admin# set security ike policy vpn1-ike-policy pre-shared-key ascii-text juniper123  /*** pre-shared key ***/

※※ Gateway

srx_admin# set security ike gateway vpn1-gateway ike-policy vpn1-ike-policy     /*** reference the IKE policy ***/
srx_admin# set security ike gateway vpn1-gateway address 116.228.60.158         /*** peer gateway address ***/
srx_admin# set security ike gateway vpn1-gateway external-interface fe-0/0/0.0  /*** local egress interface ***/

VPN phase 2: IPsec

※※ Proposal

srx_admin# set security ipsec proposal vpn2-ipsec-proposal protocol esp                          /*** IPsec proposal protocol: ESP ***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal authentication-algorithm hmac-md5-96  /*** MD5 authentication ***/
srx_admin# set security ipsec proposal vpn2-ipsec-proposal encryption-algorithm 3des-cbc         /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ipsec policy vpn2-ipsec-policy perfect-forward-secrecy keys group2   /*** enable PFS with group 2 ***/
srx_admin# set security ipsec policy vpn2-ipsec-policy proposals vpn2-ipsec-proposal         /*** IPsec policy: reference the IPsec proposal ***/

※※ VPN

srx_admin# set security ipsec vpn vpn2-ipsec-vpn bind-interface st0.0                 /*** IPsec VPN: bind the tunnel interface ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike gateway vpn1-gateway             /*** IPsec VPN: reference the phase 1 gateway ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn ike ipsec-policy vpn2-ipsec-policy   /*** IPsec VPN: reference the phase 2 IPsec policy ***/
srx_admin# set security ipsec vpn vpn2-ipsec-vpn establish-tunnels immediately        /*** establish the tunnel immediately ***/

Enable the IKE service on the external interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

Policies for traffic in both directions:

trust->untrust

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit

untrust->trust

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit

4.1.2 Policy-based

Create address-book entries for the local and peer internal networks and place them in the corresponding zones:

srx_admin# set security zones security-zone trust address-book address address1 192.168.1.0/24       /*** local internal network ***/
srx_admin# set security zones security-zone untrust address-book address address2 192.168.100.0/24   /*** peer internal network ***/

VPN phase 1: IKE

※※ Proposal

srx_admin# set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys   /*** authenticate with pre-shared keys ***/
srx_admin# set security ike proposal ike-phase1-proposal dh-group group2                         /*** DH group 2 ***/
srx_admin# set security ike proposal ike-phase1-proposal authentication-algorithm md5            /*** MD5 authentication ***/
srx_admin# set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc           /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ike policy ike-phase1-policy mode main                              /*** negotiation mode: main or aggressive ***/
srx_admin# set security ike policy ike-phase1-policy proposals ike-phase1-proposal          /*** reference the IKE proposal ***/
srx_admin# set security ike policy ike-phase1-policy pre-shared-key ascii-text juniper123   /*** pre-shared key ***/

※※ Gateway

srx_admin# set security ike gateway gw-chica ike-policy ike-phase1-policy   /*** reference the IKE policy ***/
srx_admin# set security ike gateway gw-chica address 116.228.60.157         /*** peer gateway address ***/
srx_admin# set security ike gateway gw-chica external-interface fe-0/0/0.0  /*** local egress interface ***/

VPN phase 2: IPsec

※※ Proposal

srx_admin# set security ipsec proposal ipsec-phase2-proposal protocol esp                          /*** IPsec proposal protocol: ESP ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96  /*** MD5 authentication ***/
srx_admin# set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc         /*** 3DES encryption ***/

※※ Policy

srx_admin# set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal   /*** IPsec policy: reference the IPsec proposal ***/

※※ VPN

srx_admin# set security ipsec vpn ike-vpn-chica ike gateway gw-chica                    /*** IPsec VPN: reference the phase 1 gateway ***/
srx_admin# set security ipsec vpn ike-vpn-chica ike ipsec-policy ipsec-phase2-policy   /*** IPsec VPN: reference the IPsec policy ***/
srx_admin# set security ipsec vpn ike-vpn-chica establish-tunnels on-traffic           /*** the VPN is established once traffic appears ***/

Enable the IKE service on the external interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

※ VPN traffic policies

trust->untrust

srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address address1
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address address2
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chica
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-init
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-tr-untr then log session-close

Internet access policy

trust->untrust

srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any match application any
srx_admin# set security policies from-zone trust to-zone untrust policy permit-any then permit

untrust->trust

srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address address2
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address address1
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chica

Note: enable session logging on the policy

set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-init
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then log session-close

4.2 Remote VPN

4.2.1 SRX-side configuration

VPN phase 1: IKE policy

srx_admin# set security ike policy remote-vpn-policy mode aggressive
srx_admin# set security ike policy remote-vpn-policy proposal-set compatible
srx_admin# set security ike policy remote-vpn-policy pre-shared-key ascii-text juniper123

VPN phase 1: IKE gateway

srx_admin# set security ike gateway remote-vpn-gateway ike-policy remote-vpn-policy
srx_admin# set security ike gateway remote-vpn-gateway dynamic hostname juniper
srx_admin# set security ike gateway remote-vpn-gateway dynamic connections-limit 10
srx_admin# set security ike gateway remote-vpn-gateway dynamic ike-user-type shared-ike-id
srx_admin# set security ike gateway remote-vpn-gateway external-interface fe-0/0/0.0
srx_admin# set security ike gateway remote-vpn-gateway xauth access-profile xauthsrx

VPN phase 2: IPsec policy

srx_admin# set security ipsec policy remote-vpn-ipsec-policy proposal-set compatible

VPN phase 2: IPsec VPN

srx_admin# set security ipsec vpn remotevpn ike gateway remote-vpn-gateway
srx_admin# set security ipsec vpn remotevpn ike ipsec-policy remote-vpn-ipsec-policy
srx_admin# set security ipsec vpn remotevpn establish-tunnels immediately

※ Address pool (DHCP) for remote users

srx_admin# set access address-pool DHCP-POOL address-range low 172.16.1.1
srx_admin# set access address-pool DHCP-POOL address-range high 172.16.1.10
srx_admin# set access address-pool DHCP-POOL primary-dns 8.8.8.8

Note: the address pool should be kept distinct from the internal network segment; otherwise many problems arise.

※ Create the remote authentication user

srx_admin# set access profile xauthsrx authentication-order password
srx_admin# set access profile xauthsrx client L2TP_USER_MA firewall-user password 123456

Enable the IKE service on the external interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

※ Policy untrust->trust

srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match destination-address network
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn match application any
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then permit tunnel ipsec-vpn remotevpn
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-init
srx_admin# set security policies from-zone untrust to-zone trust policy dail-vpn then log session-close

4.2.2 Client configuration

Posted 2020-04-13 13:20 by 3哥哥