Juniper Secure Connect Configuration Script

To use Juniper Secure Connect, the SRX must run version 20.3 or later; versions below 20.3 can only use dynamic VPN.

First, generate the certificate and reference it

request security pki generate-key-pair size 4096 type rsa certificate-id Juniper
request security pki local-certificate generate-self-signed certificate-id Juniper subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1 
set system services web-management https pki-local-certificate Juniper

set services ssl termination profile SSL-JSC-term server-certificate Juniper

Note: 1.1.1.1 is the device's public IP; change it to match your environment.

Configure IKE

set security ike proposal JSC-proposal authentication-method pre-shared-keys
set security ike proposal JSC-proposal dh-group group20
set security ike proposal JSC-proposal authentication-algorithm sha-256
set security ike proposal JSC-proposal encryption-algorithm aes-256-cbc
set security ike proposal JSC-proposal lifetime-seconds 28800

set security ike policy Juniper_secure_connect_policy mode aggressive
set security ike policy Juniper_secure_connect_policy proposals JSC-proposal
set security ike policy Juniper_secure_connect_policy pre-shared-key ascii-text 123456

set security ike gateway Juniper_secure_connect_ike_gw ike-policy Juniper_secure_connect_policy
set security ike gateway Juniper_secure_connect_ike_gw dynamic user-at-hostname "srx@juniper.com"
set security ike gateway Juniper_secure_connect_ike_gw dynamic ike-user-type shared-ike-id
set security ike gateway Juniper_secure_connect_ike_gw dead-peer-detection optimized
set security ike gateway Juniper_secure_connect_ike_gw dead-peer-detection interval 10
set security ike gateway Juniper_secure_connect_ike_gw dead-peer-detection threshold 5
set security ike gateway Juniper_secure_connect_ike_gw external-interface ge-0/0/1.0
set security ike gateway Juniper_secure_connect_ike_gw local-address 1.1.1.1
set security ike gateway Juniper_secure_connect_ike_gw aaa access-profile remote-access-vpn-access-profile
set security ike gateway Juniper_secure_connect_ike_gw version v1-only
set security ike gateway Juniper_secure_connect_ike_gw tcp-encap-profile SSL-JSC-profile
Configure IPsec

set security ipsec policy Remote-access-vpn-policy perfect-forward-secrecy keys group19
set security ipsec policy Remote-access-vpn-policy proposal-set standard

set security ipsec vpn Remote-access-vpn bind-interface st0.0
set security ipsec vpn Remote-access-vpn df-bit clear
set security ipsec vpn Remote-access-vpn copy-outer-dscp
set security ipsec vpn Remote-access-vpn ike gateway Juniper_secure_connect_ike_gw
set security ipsec vpn Remote-access-vpn ike ipsec-policy Remote-access-vpn-policy
set security ipsec vpn Remote-access-vpn traffic-selector ts-1 local-ip 10.0.0.0/8
set security ipsec vpn Remote-access-vpn traffic-selector ts-1 remote-ip 0.0.0.0/0
set security ipsec vpn Remote-access-vpn traffic-selector ts-2 local-ip 192.168.0.0/16
set security ipsec vpn Remote-access-vpn traffic-selector ts-2 remote-ip 0.0.0.0/0
Configure Remote-access

set security remote-access profile RA-JSC-1 ipsec-vpn Remote-access-vpn
set security remote-access profile RA-JSC-1 access-profile remote-access-vpn-access-profile
set security remote-access profile RA-JSC-1 client-config RA-JSC-Client
set security remote-access client-config RA-JSC-Client connection-mode manual
set security remote-access client-config RA-JSC-Client dead-peer-detection interval 60
set security remote-access client-config RA-JSC-Client dead-peer-detection threshold 5
set security remote-access default-profile RA-JSC-1
Configure security zones and policies

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

set security tcp-encap profile SSL-JSC-profile ssl-profile SSL-JSC-term

set security zones security-zone vpn interfaces st0.0 
Other

set interfaces st0 unit 0 family inet

set access profile remote-access-vpn-access-profile client user_username firewall-user password "$98xNrloJUjq.Apu1Ic-dsaZj"
set access profile remote-access-vpn-access-profile address-assignment pool remote-access-vpn-pool
set access address-assignment pool remote-access-vpn-pool family inet network 192.168.254.0/24
set access address-assignment pool remote-access-vpn-pool family inet xauth-attributes primary-dns 114.114.114.114/32
set access firewall-authentication web-authentication default-profile remote-access-vpn-access-profile
Client download address:

https://support.juniper.net/support/downloads/

Enter the device's public IP to connect.
If port 443 on the device is blocked, you can change it to another port with the command:
set system services web-management https port 8443
For LDAP integration, change remote-access-vpn-access-profile to the following:

set access profile remote-access-vpn-access-profile authentication-order ldap
set access profile remote-access-vpn-access-profile address-assignment pool remote-access-vpn-pool
set access profile remote-access-vpn-access-profile ldap-options base-distinguished-name CN=Users,DC=id404,DC=local
set access profile remote-access-vpn-access-profile ldap-options search search-filter sAMAccountName=
set access profile remote-access-vpn-access-profile ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=id404,DC=local
set access profile remote-access-vpn-access-profile ldap-options search admin-search password "$2$M8ZUiHmSylLx"
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 tls-type start-tls
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 tls-timeout 3
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 tls-min-version v1.2
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 no-tls-certificate-check
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 tls-peer-name peername
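As an added example (not part of the original post, and not a Juniper tool), a small Python audit that scans a Junos `set` listing like the one above for the settings a reviewer should look at before deploying it: IKEv1 aggressive mode with a pre-shared key, a trivially short PSK such as the placeholder 123456, and an LDAP server without StartTLS or with `no-tls-certificate-check`. The sample input reuses lines from this page plus one constructed line (the 10.12.130.7 server); the rule set and thresholds are the example's own assumptions.

```python
import re

# Sample input: "set" lines taken from this page plus one constructed line
# (the 10.12.130.7 server) to exercise the missing-TLS check.
SAMPLE_CONFIG = """
set security ike policy Juniper_secure_connect_policy mode aggressive
set security ike policy Juniper_secure_connect_policy pre-shared-key ascii-text 123456
set security ike gateway Juniper_secure_connect_ike_gw version v1-only
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 tls-type start-tls
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 tls-min-version v1.2
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.6 no-tls-certificate-check
set access profile remote-access-vpn-access-profile ldap-server 10.12.130.7 port 389
"""

# Single-line rules: (finding id, regex matched against one "set" line).
LINE_RULES = [
    # Aggressive mode sends the IKE identity in the clear and exposes the PSK to offline guessing.
    ("ike-aggressive-mode", r"^set security ike policy \S+ mode aggressive$"),
    ("ike-v1-only", r"^set security ike gateway \S+ version v1-only$"),
    # The LDAP server certificate is not validated, so the StartTLS session can be intercepted.
    ("ldap-no-cert-check", r"^set access profile \S+ ldap-server \S+ no-tls-certificate-check$"),
]


def audit(config_text):
    """Return sorted (finding id, detail) pairs for risky settings in a Junos 'set' listing."""
    findings = []
    ldap_opts = {}  # ldap-server address -> option keywords configured for it
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        for fid, pattern in LINE_RULES:
            if re.search(pattern, line):
                findings.append((fid, line))
        m = re.search(r" pre-shared-key ascii-text (\S+)$", line)
        # A "$9$" value is already obfuscated in an exported config and cannot be judged here.
        if m and not m.group(1).startswith("$9$"):
            psk = m.group(1)
            if len(psk) < 16 or psk.isdigit():  # assumed minimum: 16 chars, not digits only
                findings.append(("weak-psk", "length %d" % len(psk)))
        m = re.search(r" ldap-server (\S+)(?: (\S+))?", line)
        if m:
            ldap_opts.setdefault(m.group(1), set())
            if m.group(2):
                ldap_opts[m.group(1)].add(m.group(2))
    for server, opts in ldap_opts.items():
        if "tls-type" not in opts:  # neither StartTLS nor LDAPS: bind credentials travel in clear text
            findings.append(("ldap-no-tls", server))
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` to list the findings; on the page's configuration it reports the aggressive-mode policy, the v1-only gateway, the 6-character PSK and the disabled certificate check.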

posted @ 2022-01-16 19:01  id404