IPsec configuration steps:

1. Create the user: Objects-Users-Local-N
2. Create the VPN gateway: select VPNs-AutoKey Advanced-Gateway-New in turn. The Remote Gateway type is Dialup User and the IKEv2 Auth Method is Preshare. Set the Phase 1 security parameters.
3. Create the AutoKey IKE entry: select VPNs-AutoKey IKE-New in turn and define the Phase 2 security parameters.
4. Create the internal address pool: select Policy-Policy Elements-Addresses-List in turn.
5. Create the VPN policy: select Policy-Policies in turn.
8. Create the authentication user: select Objects-Users-Local-New in turn and set the authentication password.

Network interfaces

Interface Name: (Read-only) A physical interface name includes the media type, slot number (for some devices), and port number (for example, ethernet3/2 or ethernet2).
Static IP: (Some devices only) Select this option to assign a unique and fixed IP address to the interface.
IP Address/Netmask: Enter the IP address and netmask of the interface.
Manageable: Select this option to enable management of the device using the interface IP address.
Manage IP: The logical IP address through which you can manage the device. You can set a different manage IP address on each available interface. The manage IP address must be on the same subnet as the physical IP address.
Interface Mode: (Appears only when you enter and save a static IP address and netmask) Select NAT when the devices on this interface have private, non-routable IP addresses. Select Route when the devices on this interface have public, routable IP addresses. NAT is the default.
Note: Interface-based NAT applies only to traffic sent to the Untrust zone.
To use NAT for traffic sent to other zones, you must specify it in a policy. For more information about operational modes such as NAT, Route, or Transparent, see Operational Modes.
Block Intra-Subnet Traffic: (Available only for tunnel interfaces with an IP address/netmask) Select this check box to block traffic that exits the same interface it entered.
G-ARP: Select this option to allow incoming gratuitous ARP requests and replies on this interface.
Note: G-ARP selection is not supported on the loopback interface, tunnel interfaces, all serial interfaces (including the serial, dialer, and multilink interfaces on a WAN interface), DSL interfaces, WAN interfaces (including T1, E1, and ISDN interfaces), and WLAN interfaces.
VRRP: Select this option to use Virtual Router Redundancy Protocol as the high availability (HA) protocol.

Routing

Enter the necessary information:
Virtual Router Name: (Read-only) Indicates the current virtual router.
Network Address/Netmask: The IP address and network mask of the route you want to add to the route table of the current virtual router.
Next Hop Virtual Router Name: Specifies a virtual router as the next hop.
Gateway: Specifies the gateway for the next hop.
Interface: From the drop-down list, select the interface through which the gateway or next-hop router is reached.
Gateway IP Address: The IP address of the default gateway.
Preference: A weight that determines the best path for traffic to reach its destination. Enter a value between 0 and 255.
Metric: The priority associated with the route being added to the route table. Enter a value between 1 and 65535.
Permanent: Specifies that the route is kept when the interface is down or the IP address is removed from the interface.
Tag: Indicates the tag value used to identify the router.
Click OK to save your changes.

1. Defining a FW (Firewall) Policy

A policy permits, denies, or tunnels specified types of traffic unidirectionally between two endpoints.
The type of traffic (or service), the location of the two endpoints, and the invoked action compose the basic elements of a policy. Although there can be other components, the required elements, which together constitute the core section of a policy, are as follows:

Direction - The direction of traffic between two security zones (from a source zone to a destination zone)
Source Address - The address from which traffic initiates
Destination Address - The address to which traffic is sent
Service - The type of traffic transmitted
Action - The action that the security device performs when it receives traffic meeting the first four criteria: deny, permit, reject, or tunnel

Before you create a policy, you might need to configure or check some of the following elements that make up a policy.

Addresses (Source and Destination), at: Zone
When you configure policies to permit or deny traffic from or to individual hosts and subnets, you must create address entries for them. This page displays a table that lists all the IP addresses or groups in the selected zone. You can create new entries or modify existing entries on the page.

Services
When you create a policy, you must specify a service or service group for it. You can select one of the Predefined Services or create a Custom Service. Each policy can reference either a single service or a service group.

Schedules
The Schedules page enables you to define the period of time during which a policy is in effect. You can set a start and end time and day of the week for recurring schedules, or you can configure the start and end time and date for a policy that is used just once.

Authentication Users, User Group, or Group Expressions
When you specify authentication in a policy and set the action to permit or tunnel, users must provide a login name and password before crossing the firewall. You might need to create authentication users, a user group, or group expressions before configuring a policy for authentication. You might also need to configure external Authentication Servers to authenticate users and user groups.

Mapped IP (MIP) Addresses, at: Interface
For policies that use Network Address Translation (NAT), you might want to create mapped IP (MIP) address entries. A MIP is a mapping of a public address to a private address. MIPs allow inbound traffic to reach private addresses in a zone whose interface is in NAT mode.

Dynamic IP (DIP) Addresses, at: Interface
For policies that use NAT, you might also want to create a dynamic IP (DIP) address pool. A DIP pool is a range of IP addresses from which the security device can dynamically take addresses when performing NAT on the source IP address of outgoing or incoming IP packets.

2. Defining a VPN (IPsec Tunnel)

Juniper Networks supports the following key creation mechanisms for IPsec tunnels:
AutoKey IKE VPN (with a preshared key and/or a certificate)
Manual Key VPN

When you create an AutoKey IKE VPN tunnel, you might need to configure or check the following AutoKey IKE advanced configuration features.

AutoKey IKE Gateway
If you configure a remote gateway before you create an AutoKey IKE VPN tunnel based on it, the configured gateway appears in the list of predefined remote gateways when you configure the AutoKey IKE VPN tunnel. Alternatively, you can create a simple gateway when you enter the AutoKey IKE Edit page. To configure a gateway, you might need to configure the following objects as well:
Phase 1 (P1) proposal
IKE User (when the Gateway Type is Dialup User)
IKE User Group (when the Gateway Type is Dialup User Group)
Preferred Certificate
Xauth (for authentication)

Additional AutoKey IKE VPN advanced configuration features you might consider are the following:

Phase 2 (P2) proposal
P2 sets up how the data passing through the tunnel is encrypted at one end and decrypted at the other. The encryption method you choose needs to account for both the P1 and P2 phases.
Tunnel Interfaces or Tunnel Zone
From these configuration pages, you can create a one-to-one relationship between a VPN tunnel and a tunnel interface in a security zone or a tunnel zone. Tunnel interface and tunnel zone configuration options also apply to Manual Key VPNs.

To display or configure an AutoKey IKE VPN, go to the VPNs AutoKey IKE page. To display or configure a Manual Key VPN, go to the VPNs Manual Key page. To monitor VPNs for current status information, go to the VPNs Monitor Status page.

Phase 1 (P1) proposals (predefined; Life Time is in seconds)

Name                  Method     DH group   Encrypt/Auth   Life Time
pre-g1-des-md5        Preshare   1          DES/MD5        28800
pre-g1-des-sha        Preshare   1          DES/SHA        28800
pre-g2-des-md5        Preshare   2          DES/MD5        28800
pre-g2-des-sha        Preshare   2          DES/SHA        28800
pre-g2-3des-md5       Preshare   2          3DES/MD5       28800
pre-g2-3des-sha       Preshare   2          3DES/SHA       28800
pre-g2-aes128-md5     Preshare   2          AES128/MD5     28800
pre-g2-aes128-sha     Preshare   2          AES128/SHA     28800
rsa-g2-des-md5        RSA-sig    2          DES/MD5        28800
rsa-g2-des-sha        RSA-sig    2          DES/SHA        28800
rsa-g2-3des-md5       RSA-sig    2          3DES/MD5       28800
rsa-g2-3des-sha       RSA-sig    2          3DES/SHA       28800
rsa-g2-aes128-md5     RSA-sig    2          AES128/MD5     28800
rsa-g2-aes128-sha     RSA-sig    2          AES128/SHA     28800
dsa-g2-des-md5        DSA-sig    2          DES/MD5        28800
dsa-g2-des-sha        DSA-sig    2          DES/SHA        28800
dsa-g2-3des-md5       DSA-sig    2          3DES/MD5       28800
dsa-g2-3des-sha       DSA-sig    2          3DES/SHA       28800
dsa-g2-aes128-md5     DSA-sig    2          AES128/MD5     28800
dsa-g2-aes128-sha     DSA-sig    2          AES128/SHA     28800

3. Defining a VPN (IPsec Tunneling) Policy

A VPN policy tunnels specified types of traffic unidirectionally between two endpoints. The type of traffic (or service), the location of the two endpoints, and the invoked action compose the basic elements of a policy. Although there can be other components, the required elements, which together constitute the core section of a policy, include the following:

Direction - The direction of traffic between two security zones (from a source zone to a destination zone)
Source Address - The address from which traffic initiates
Destination Address - The address to which traffic is sent
Service - The type of traffic transmitted
Action - The action that the security device performs when it receives traffic meeting the first four criteria. For VPN policies, the action is always tunnel.

Before you create a VPN or an L2TP-over-IPsec policy, you might need to configure or check some of the following items that make up a policy.

Addresses (Source and Destination), at: Zone
When you configure policies to permit or deny traffic from or to individual hosts and subnets, you must create address entries for them. This page displays a table that lists all the IP addresses or groups in the selected zone. You can create new entries or modify existing entries on the page.

Services
When you create a policy, you must specify a service or service group for it. You can select one of the Predefined Services or create a Custom Service. Each policy can reference either a single service or a service group.

Schedules
The Schedules page enables you to define the period of t
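The predefined Phase 1 proposal names in the table above encode the authentication method, DH group, cipher and hash. As an added example (not code from the original document or from Juniper), the following Python parses that naming scheme and flags the proposals a defender would not leave selectable on a dialup gateway; the acceptance baseline it applies is an assumption of the example, not a ScreenOS setting.

```python
# Added example, not part of the original document: parse the predefined
# Phase 1 proposal names from this page's table (<method>-g<group>-<cipher>-<hash>)
# and flag the ones a defender would not leave selectable on a dialup gateway.
# The acceptance baseline below is an assumption of this example, not a ScreenOS setting.
import re
from typing import NamedTuple

# Subset of names from the page's P1 table (every entry has a 28800 s lifetime).
PROPOSALS = [
    "pre-g1-des-md5", "pre-g2-des-sha", "pre-g2-3des-sha",
    "pre-g2-aes128-md5", "pre-g2-aes128-sha", "rsa-g2-aes128-sha", "dsa-g2-3des-md5",
]
NAME_RE = re.compile(r"^(pre|rsa|dsa)-g(\d+)-(des|3des|aes\d+)-(md5|sha)$")
METHODS = {"pre": "Preshare", "rsa": "RSA-sig", "dsa": "DSA-sig"}

class Proposal(NamedTuple):
    name: str
    method: str     # Method column (Preshare / RSA-sig / DSA-sig)
    dh_group: int   # DH group column
    cipher: str     # encryption half of Encrypt/Auth
    hash_alg: str   # integrity half of Encrypt/Auth

def parse(name: str) -> Proposal:
    """Split a proposal name into its components; reject anything off-pattern."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised proposal name: {name}")
    method, group, cipher, hash_alg = m.groups()
    return Proposal(name, METHODS[method], int(group), cipher, hash_alg)

def weaknesses(p: Proposal) -> list[str]:
    """Assumed baseline: AES only, no MD5, DH group 2 or higher.
    The bare 'sha' suffix is taken to denote SHA-1 (assumption)."""
    out = []
    if p.cipher in ("des", "3des"):
        out.append(f"{p.cipher.upper()} cipher")
    if p.hash_alg == "md5":
        out.append("MD5 integrity")
    if p.dh_group < 2:
        out.append(f"DH group {p.dh_group}")
    return out

def audit(names: list[str]) -> dict[str, list[str]]:
    """Map each name to its findings; an empty list means it meets the baseline."""
    return {n: weaknesses(parse(n)) for n in names}

if __name__ == "__main__":
    for name, findings in audit(PROPOSALS).items():
        print(f"{name:20} {', '.join(findings) or 'OK'}")
```

Running it over the full table reports every DES, 3DES, MD5 and group 1 entry, leaving only the aes128/sha rows of each method as acceptable under the assumed baseline.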