JuniperSRX详细配置介绍材料(含注释)

.\JuniperSRX标准配置第一节系统配置.....................................................................................................................31.1、设备初始化..................................................................................................................31.1.1登陆..........................................................................................................................31.1.2设置root用户口令.................................................................................................31.1.3设置远程登陆管理用户..........................................................................................32、系统管理.........................................................................................................................41.2.1选择时区.................................................................................................................41.2.2系统时间.................................................................................................................41.2.3DNS服务器..............................................................................................................51.2.4系统重启..................................................................................................................51.2.5Alarm告警处理.......................................................................................................51.2.6Root密码重置.........................................................................................................6第二节网络设置.....................................................................................................................72.1、Interface.......................................................................................................................72.1.1PPPOE.......................................................................................................................72.1.2Manual......................................................................................................................82.1.3DHCP.........................................................................................................................82.2、Routing.........................................................................................................................9StaticRoute.......................................................................................................................92.3、SNMP............................................................................................................................9第三节高级设置.....................................................................................................................93.1.1修改服务端口.............................................................................................................93.1.2检查硬件序列号.........................................................................................................93.1.3内外网接口启用端口服务.......................................................................................103.1.4创建端口服务...........................................................................................................103.1.5VIP端口映射..............................................................................................................103.1.6MIP映射....................................................................................................................113.1.7禁用console口.........................................................................................................123.1.8JuniperSRX带源ping外网默认不通，需要做源地址NAT....................................12.\3.1.9设置SRX管理IP 123.2.0配置回退 133.2.1UTM调用 133.2.2网络访问缓慢解决 13第四节VPN设置 144.1、点对点IPSecVPN 144.1.1RouteBasiced 144.1.2PolicyBasiced 174.2、RemoteVPN 194.2.1SRX端配置 194.2.2客户端配置 20.\第一节系统配置1.1、设备初始化1.1.1登陆首次登录需要使用Console口连接SRX，root用户登陆，密码为空login:root感谢阅读Password:---JUNOS9.5R1.8built2009-07-1615:04:30UTCroot%cli/***进入操作模式***/root>root>configureEnteringconfigurationmode进入配置模式***//***[edit]Root#1.1.2设置root用户口令（必须配置root帐号密码，否则后续所有配置及修改都无法提交）感谢阅读root#setsystemroot-authenticationplain-text-password感谢阅读root#newpassword:root123谢谢阅读root#retypenewpassword:root123感谢阅读密码将以密文方式显示root#showsystemroot-authentication感谢阅读encrypted-password"$1$xavDeUe6$fNM6olGU.8.M7B62u05D6.";#SECRET-DATA谢谢阅读注意：强烈建议不要使用其它加密选项来加密root和其它user口令(如encrypted-password加密方式)，此配置参数要求输入的口令应是经加密算法加密后的字符串，采用这种加密方式手工输入时存在密码无法通过验证风险。谢谢阅读注：root用户仅用于console连接本地管理SRX，不能通过远程登陆管理SRX，必须成功设置root口令后，才能执行commit提交后续配置命令。感谢阅读1.1.3设置远程登陆管理用户root#setsystemloginuserlabclasssuper-userauthenticationplain-text-password谢谢阅读root#newpassword:juniper谢谢阅读root#retypenewpassword:srx123感谢阅读注：此juniper用户拥有超级管理员权限，可用于console和远程管理访问，另也可自行灵活定义其它不同管理权限用户。谢谢阅读.\2、系统管理1.2.1选择时区srx_admin#setsystemtime-zoneAsia/Shanghai /***亚洲/上海***/谢谢阅读1.2.2系统时间手动设定srx_admin>setdate201511201537.00感谢阅读srx_admin>showsystemuptime感谢阅读Currenttime:2015-11-2015:37:14UTC精品文档放心下载Systembooted:2015-11-2015:21:48UTC(2d00:15ago)精品文档放心下载Protocolsstarted:2015-11-2015:24:45UTC(2d00:12ago)谢谢阅读Lastconfigured:2015-11-2015:30:38UTC(00:06:36ago)bysrx_admin精品文档放心下载3:37PM up2days,15mins,3users,loadaverages:0.07,0.17,0.14感谢阅读NTP同步一次srx_admin>setdatentp01感谢阅读8Feb15:49:50ntpdate[6616]:steptimeserver01offset-28796.357071sec谢谢阅读NTP服务器srx_admin#setsystemntpserver感谢阅读srx_admin#setsystemntpserverntp.api.bz谢谢阅读/***SRX系统NTP服务器，设备需要联网可以解析ntp地址，不然命令无法输入***/谢谢阅读srx_admin>showntpstatus感谢阅读status=c011sync_alarm,sync_unspec,1event,event_restart,感谢阅读version="ntpd4.2.0-aFriNov2015:44:16UTC2014(1)",谢谢阅读processor="octeon",system="JUNOS12.1X44-D35.5",leap=11,stratum=16,谢谢阅读precision=-17,rootdelay=0.000,rootdispersion=0.105,peer=0,精品文档放心下载refid=INIT,reftime=00000000.00000000 Thu,Feb 7203614:28:16.000,感谢阅读poll=4,clock=d88195bc.562dc2db Sun,Feb 82015 7:58:52.336,state=0,谢谢阅读offset=0.000,frequency=0.000,jitter=0.008,stability=0.000精品文档放心下载srx_admin@holy-shit>showntpassociations谢谢阅读.\remote refid sttwhenpollreach delay offset jitter精品文档放心下载==============================================================================精品文档放心下载483-166415.473-0.9530.008.INIT.16--6400.0000.0004000.001.2.3DNS服务器srx_admin#setsystemname-server /***SRX系统DNS***/谢谢阅读1.2.4系统重启重启系统srx_admin>requestsystemreboot精品文档放心下载关闭系统srx_admin>requestsystempower-off感谢阅读1.2.5Alarm告警处理告警查看root#runshowsystemalarms2alarmscurrentlyactiveAlarmtimeClassDescription2015-11-2014:21:49UTCMinorAutorecoveryinformationneedstobesaved2015-11-2014:21:49UTCMinorRescueconfigurationisnotset告警处理告警一处理root>requestsystemautorecoverystatesave感谢阅读Savingconfigrecoveryinformation感谢阅读Savinglicenserecoveryinformation精品文档放心下载SavingBSDlabelrecoveryinformation谢谢阅读告警二处理root>requestsystemconfigurationrescuesave谢谢阅读.\1.2.6Root密码重置SRXRoot密码丢失，并且没有其他的超级用户权限，那么就需要执行密码恢复，该操作需要中断设备正常运行，但不会丢失配置信息。操作步骤如下：精品文档放心下载1.重启防火墙，CRT上出现下面提示时，按空格键中断正常启动，然后再进入单用户状态，并输入：boot–s感谢阅读Loading/boot/defaults/loader.conf感谢阅读/kerneldata=0xb15b3c+0x13464csyms=[0x4+0x8bb00+0x4+0xcac15]谢谢阅读Hit[Enter]tobootimmediately,orspacebarforcommandprompt.精品文档放心下载loader>loader>boot-s执行密码恢复：在以下提示文字后输入recovery，设备将自动进行重启感谢阅读Enterfullpathnameofshellor'recovery'forrootpasswordrecoveryorRETURNfor/bin/sh:感谢阅读recovery*****FILESYSTEMWASMODIFIED*****谢谢阅读Systemwatchdogtimerdisabled感谢阅读Enterfullpathnameofshellor'recovery'forrootpasswordrecoveryorRETURNfor/bin/sh:谢谢阅读recovery进入配置模式，删除root密码后重新设置root密码，并保存重启精品文档放心下载root>configureEnteringconfigurationmode感谢阅读[edit]root#deletesystemroot-authentication精品文档放心下载[edit]root#setsystemroot-authenticationplain-text-password谢谢阅读Newpassword:Retypenewpassword:[edit]root#commitcommitcomplete[edit]root#exitExitingconfigurationmode精品文档放心下载root>requestsystemreboot感谢阅读Rebootthesystem?[yes,no](no)yes谢谢阅读.\第二节网络设置2.1、Interface2.1.1PPPOE※在外网接口（fe-0/0/0）下封装PPPsrx_admin#setinterfacesfe-0/0/0unit0encapsulationppp-over-ether谢谢阅读※CHAP认证配置srx_admin#setinterfacespp0unit0ppp-optionschapdefault-chap-secret1234567890谢谢阅读/***PPPOE的密码***/srx_admin#setinterfacespp0unit0ppp-optionschaplocal-namerxgjhygs@163精品文档放心下载/***PPPOE的帐号***/srx_admin#setinterfacespp0unit0ppp-optionschappassive谢谢阅读/***采用被动模式***/※PAP认证配置srx_admin#setinterfacespp0unit0ppp-optionspapdefault-password1234567890感谢阅读/***PPPOE的密码***/srx_admin#setinterfacespp0unit0ppp-optionspaplocal-namerxgjhygs@163感谢阅读/***PPPOE的帐号***/srx_admin#setinterfacespp0unit0ppp-optionspaplocal-password1234567890精品文档放心下载/***PPPOE的密码***/srx_admin#setinterfacespp0unit0ppp-optionspappassive谢谢阅读/***采用被动模式***/※PPP接口调用srx_admin#setinterfacespp0unit0pppoe-optionsunderlying-interfacefe-0/0/0.0谢谢阅读/***在外网接口（fe-0/0/0）下启用PPPOE拨号***/感谢阅读※PPPOE拨号属性配置srx_admin#setinterfacespp0unit0pppoe-optionsidle-timeout0感谢阅读/***空闲超时值***/srx_admin#setinterfacespp0unit0pppoe-optionsauto-reconnect3谢谢阅读/***3秒自动重拨***/srx_admin#setinterfacespp0unit0pppoe-optionsclient谢谢阅读/***表示为PPPOE客户端***/srx_admin#setinterfacespp0unit0familyinetmtu1492谢谢阅读/***修改此接口的MTU值，改成1492。因为PPPOE的报头会有一点的开销***/精品文档放心下载srx_admin#setinterfacespp0unit0familyinetnegotiate-address精品文档放心下载/***自动协商地址，即由服务端分配动态地址***/感谢阅读※默认路由srx_admin#setrouting-optionsstaticroute/0next-hoppp0.0感谢阅读※PPPOE接口划入untrust接口/***DHCP分发端口***/.\srx_admin#setsecurityzonessecurity-zoneuntrustinterfacespp0.0※验证PPPoE是否已经拔通，是否获得IP地址感谢阅读srx_admin#runshowinterfacesterse|matchpp感谢阅读pp0upuppp0.0upupinet-->ppd0upupppe0upup注：PPPOE拨号成功后需要调整MTU值，使上网体验达到最佳（MTU值不合适的话上网会卡）谢谢阅读srx_admin#setinterfacespp0unit0familyinetmtu1304谢谢阅读

/***调整MTU大小***/srx_admin#setsecurityflowtcp-mssall-tcpmss1304谢谢阅读

/***调整TCP分片大小***/2.1.2Manualsrx_admin#setinterfacesfe-0/0/0unit0familyinetaddress38/29谢谢阅读2.1.3DHCP※启用DHCP地址池srx_admin#setsystemservicesdhcppool/24router感谢阅读/***DHCP网关***/srx_admin#setsystemservicesdhcppool/24address-rangelow感谢阅读/***DHCP地址池第一个地址***/srx_admin#setsystemservicesdhcppool/24address-rangehigh54谢谢阅读/***DHCP地址池最后一个地址***/srx_admin#setsystemservicesdhcppool/24default-lease-time36000感谢阅读/***DHCP地址租期***/srx_admin#setsystemservicesdhcppool/24domain-name谢谢阅读/***DHCP域名***/srx_admin#setsystemservicesdhcppool/24name-server33感谢阅读/***DHCP分配DNS***/srx_admin#setsystemservicesdhcppool/24name-server感谢阅读srx_admin#setsystemservicesdhcppropagate-settingsvlan.0谢谢阅读※配置内网接口地址srx_admin#setinterfacesvlanunit0familyinetaddress/24感谢阅读※内网接口调用DHCP地址池srx_admin#setsecurityzonessecurity-zonetrustinterfacesvlan.0host-inbound-trafficsystem-servicesdhcp精品文档放心下载.\2.2、RoutingStaticRoutesrx_admin#setroute-optionstaticroute/0next-hop53精品文档放心下载/***默认路由***/srx_admin#setroute-optionstaticroute/24next-hopst0.0谢谢阅读/***RouteBasicedVPN路由***/感谢阅读2.3、SNMPsrx_admin#setsnmpcommunityAjitecauthorizationread-only/read-write谢谢阅读/***SNMP监控权限***/srx_admin#setsnmpclient-listsnmp_srx2409/32谢谢阅读/***SNMP监控主机***/第三节高级设置3.1.1修改服务端口srx_admin#setsystemservicesweb-managementhttpport8000谢谢阅读/***更改web的http管理端口号***/谢谢阅读srx_admin#setsystemservicesweb-managementhttpsport1443精品文档放心下载/***更改web的https管理端口号***/精品文档放心下载3.1.2检查硬件序列号srx#runshowchassishardwareHardwareinventory:ItemVersionPartnumberSerialnumberDescriptionChassisBZ2615AF0491SRX100H2RoutingEngineREV05650-048781BZ2615AF0491RE-SRX100H2FPC0FPCPIC08xFEBasePICPowerSupply0.\3.1.3内外网接口启用端口服务※定义系统服务srx_admin#setsystemservicesssh谢谢阅读srx_admin#setsystemservicestelnet精品文档放心下载srx_admin#setsystemservicesweb-managementhttpinterfacevlan.0srx_admin#setsystemservicesweb-managementhttpinterfacefe-0/0/0.0srx_admin#setsystemservicesweb-managementhttpsinterfacevlan.0srx_admin#setsystemservicesweb-managementmanagement-urladmin/***后期用https://ip/admin就可以登录管理页面，不加就直接跳转***/感谢阅读※内网接口启用端口服务srx_admin#setsecurityzonessecurity-zonetrustinterfacesvlan.0host-inbound-trafficsystem-servicesping开启ping***//***srx_admin#setsecurityzonessecurity-zonetrustinterfacesvlan.0host-inbound-trafficsystem-serviceshttp开启http***//***srx_admin#setsecurityzonessecurity-zonetrustinterfacesvlan.0host-inbound-trafficsystem-servicestelnet开启telnet***//***※外网接口启用端口服务srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-traffic感谢阅读system-servicesping开启ping***//***srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-traffic感谢阅读system-servicestelnet开启telnet***//***srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-traffic精品文档放心下载system-serviceshttp开启http***//***srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-traffic谢谢阅读system-servicesall开启所有服务***//***3.1.4创建系统服务srx_admin#setapplicationsapplicationRDPprotocoltcp感谢阅读srx_admin#setapplicationsapplicationRDPsource-port0-65535精品文档放心下载srx_admin#setapplicationsapplicationRDPdestination-port3389谢谢阅读srx_admin#setapplicationsapplicationRDPprotocoludp精品文档放心下载srx_admin#setapplicationsapplicationRDPsource-port0-65535精品文档放心下载srx_admin#setapplicationsapplicationRDPdestination-port3389精品文档放心下载

/***协议选择tcp***//***源端口***//***目的端口***//***协议选择udp***//***源端口***//***目的端口***/3.1.5VIP端口映射※DestinationNAT配置srx_admin#setsecuritynatdestinationpool22address0/32谢谢阅读/***DestinationNATpool设置，为真实内网地址***/感谢阅读srx_admin#setsecuritynatdestinationpool22addressport3389谢谢阅读.\/***DestinationNATpool设置，为内网地址的端口号***/感谢阅读srx_admin#setsecuritynatdestinationrule-set2fromzoneuntrust精品文档放心下载/***DestinationNATRule设置，访问流量从untrust区域过来***/谢谢阅读srx_admin#setsecuritynatdestinationrule-set2rule111matchsource-address/0谢谢阅读/***DestinationNATRule设置，访问流量可以任意地址***/谢谢阅读srx_admin#setsecuritynatdestinationrule-set2rule111matchdestination-address54/32感谢阅读/***DestinationNATRule设置，访问的目的地址是57***/感谢阅读srx_admin#setsecuritynatdestinationrule-set2rule111matchdestination-port3389感谢阅读/***DestinationNATRule设置，访问的目的地址的端口号***/感谢阅读srx_admin#setsecuritynatdestinationrule-set2rule111thendestination-natpool22精品文档放心下载/***DestinationNATRule设置，调用pool地址***/谢谢阅读※策略配置srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvipmatchsource-addressany感谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvipmatchdestination-addressH0/32感谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvipmatchapplicationany感谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvipthenpermit精品文档放心下载srx_admin#setsecurityzonessecurity-zonetrustaddress-bookaddressH0/32谢谢阅读0/323.1.6MIP映射※DestinationNAT设置srx_admin#setsecuritynatdestinationpool111address/32精品文档放心下载/***DestinationNATpool设置，为真实内网地址***/谢谢阅读srx_admin#setsecuritynatdestinationrule-set1fromzoneuntrust谢谢阅读/***DestinationNATRule设置，访问流量从untrust区域过来***/谢谢阅读srx_admin#setsecuritynatdestinationrule-set1rule111matchsource-address/0谢谢阅读/***DestinationNATRule设置，访问流量可以任意地址***/谢谢阅读srx_admin#setsecuritynatdestinationrule-set1rule11matchdestination-address57/32感谢阅读/***DestinationNATRule设置，访问的目的地址是57***/感谢阅读srx_admin#setsecuritynatdestinationrule-set1rule11thendestination-natpool11感谢阅读/***DestinationNATRule设置，调用pool地址***/感谢阅读※配置ARP代理srx_admin#setsecuritynatproxy-arpinterfacefe-0/0/0.0address57/32感谢阅读※策略配置srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymipmatchsource-addressany感谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymipmatchdestination-addressH0/32感谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymipmatchapplicationany精品文档放心下载.\srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymipthenpermit谢谢阅读3.1.7禁用console口juniper-srx@SRX100H2#editsystemportsconsole /***进入console接口***/精品文档放心下载juniper-srx@SRX100H2#setdisable /***关闭端口***/精品文档放心下载juniper-srx@SRX100H2#commitconfirmed3 /***提交3分钟，3分钟后回退***/谢谢阅读3.1.8JuniperSRX 带源ping外网默认不通，需要做源地址感谢阅读NATsetsecuritynatsourcerule-setLOCALfromzonejunos-hostsetsecuritynatsourcerule-setLOCALtozoneuntrust感谢阅读setsecuritynatsourcerule-setLOCALruleLOCALmatchsource-address/32setsecuritynatsourcerule-setLOCALruleLOCALmatchdestination-address/0setsecuritynatsourcerule-setLOCALruleLOCALthensource-natinterface精品文档放心下载setsecuritynatsourcerule-settrust-to-untrustfromzonetrustsetsecuritynatsourcerule-settrust-to-untrusttozoneuntrust精品文档放心下载setsecuritynatsourcerule-settrust-to-untrustrulesource-nat-rulematchsource-address/0谢谢阅读setsecuritynatsourcerule-settrust-to-untrustrulesource-nat-rulethensource-natinterface精品文档放心下载3.1.9设置SRX管理IP※参照防火墙外网接口的端口服务setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-trafficsystem-servicesikesetsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-trafficsystem-servicespingsetsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-trafficsystem-servicesssh精品文档放心下载※定义防火墙filter，设定允许访问的地址和端口精品文档放心下载setfirewallfilterOutside_access_intermPermit_IPfromsource-address58/32setfirewallfilterOutside_access_intermPermit_IPfromdestination-address14/32setfirewallfilterOutside_access_intermPermit_IPfromprotocoltcp精品文档放心下载setfirewallfilterOutside_access_intermPermit_IPfromdestination-portsshsetfirewallfilterOutside_access_intermPermit_IPthenaccept谢谢阅读/***设置允许访问的地址和地址***/setfirewallfilterOutside_access_intermDeny_ANYfromdestination-address14/32setfirewallfilterOutside_access_intermDeny_ANYfromprotocoltcp精品文档放心下载setfirewallfilterOutside_access_intermDeny_ANYfromdestination-portsshsetfirewallfilterOutside_access_intermDeny_ANYthendiscard感谢阅读setfirewallfilterOutside_access_intermPermit_ANYthenaccept谢谢阅读/***其他流量全部拒绝***/.\※防火墙外网接口调用filter，在接口上启用限制感谢阅读setinterfacesfe-0/0/0unit0familyinetfilterinputOutside_access_in感谢阅读注：①在配置拒绝流量时注意在拒绝的端口后面放行其他流量，因为这个拒绝会把所有流量都拒绝掉。感谢阅读②在配置拒绝流量时不能配置all，不然会把所有流量都拒绝掉。感谢阅读3.2.0配置回退※查看提交过的配置srx_admin#runshowsystemcommit感谢阅读2016-05-0411:47:46UTCbyrootviajunoscript谢谢阅读2016-05-0411:40:11UTCbyrootviacli精品文档放心下载2016-05-0411:38:36UTCbyrootviacli感谢阅读2016-04-2711:41:07UTCbyrootviacli谢谢阅读2016-04-0117:37:22UTCbyrootviabutton谢谢阅读※回退配置（“ROLLBACK0”）srx_admin#rollback?感谢阅读Possiblecompletions:<[Enter]>Executethiscommand02016-05-0411:47:46UTCbyrootviajunoscript12016-05-0411:40:11UTCbyrootviacli22016-05-0411:38:36UTCbyrootviacli32016-04-2711:41:07UTCbyrootviacli42016-04-0117:37:22UTCbyrootviabutton|Pipethroughacommand3.2.1UTM调用※在策略中调用UTMsrx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicytrust-to-untrustmatchsource-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicytrust-to-untrustmatchdestination-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicytrust-to-untrustmatchapplicationany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicytrust-to-untrustthenpermitapplication-servicesutm-policyjunos-av-policy谢谢阅读3.2.2网络访问缓慢解决srx_admin#setsecurityflowsyn-flood-protection-modesyn-cookiesrx_admin#setsecurityflowtcp-mssall-tcpmss1300精品文档放心下载.\srx_admin#setsecurityflowtcp-sessionrst-sequence-checksrx_admin#setsecurityflowtcp-sessionstrict-syn-checksrx_admin#setsecurityflowtcp-sessionno-sequence-check感谢阅读第四节VPN设置4.1、点对点IPSecVPN4.1.1RouteBasiced/***standardorcompatible模式***/感谢阅读※创建tunnel接口srx_admin#setinterfacesst0unit0familyinet精品文档放心下载/***新建st0.0接口***/srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesst0.0精品文档放心下载/***定义tunnel接口st0.0为untrust接口***/谢谢阅读※创建去往VPN对端内网的路由srx_admin#srx_admin#setrouting-optionsstaticroute/24next-hopst0.0谢谢阅读※VPN第一阶段IKE配置srx_admin#setsecurityikepolicyleadmodemain谢谢阅读/***协商模式mainoraggressive***/谢谢阅读srx_admin#setsecurityikepolicyleadproposal-setstandard/compatible精品文档放心下载/***协商加密算法***/srx_admin#setsecurityikepolicyleadpre-shared-keyascii-textjuniper123精品文档放心下载/***预共享密钥***/※VPN第一阶段IKE配置srx_admin#setsecurityikegatewaygw1ike-policylead感谢阅读/***调用第一阶段IKE配置***/srx_admin#setsecurityikegatewaygw1address58精品文档放心下载/***对端网关地址***/srx_admin#setsecurityikegatewaygw1external-interfacefe-0/0/0.0谢谢阅读/***VPN出接口***/注：如果使用PPPOE拨号上网，出接口必须使用ppp接口谢谢阅读srx_admin#setsecurityikegatewaygw1external-interfacepp0.0谢谢阅读※VPN第二阶段IPSEC配置srx_admin#setsecurityipsecpolicyabcproposal-setstandard/compatible感谢阅读/***协商加密算法***/srx_admin#setsecurityipsecvpntestbind-interfacest0.0谢谢阅读/***绑定VPN接口***/srx_admin#setsecurityipsecvpntestikegatewaygw1感谢阅读/***调用网关***/.\srx_admin#setsecurityipsecvpntestikeipsec-policyabc精品文档放心下载/***调用加密算法的策略***/srx_admin#setsecurityipsecvpntestestablish-tunnelsimmediately谢谢阅读/***立即开始协商***/※外网接口开启IKE服务srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-trafficsystem-servicesike谢谢阅读※双向流量策略trust->untrustsrx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policymatchsrx_admin#source-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policymatchdestination-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policymatchapplicationany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policythenpermituntrust->trust感谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policymatchsource-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policymatchdestination-addressany谢谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policymatchapplicationany谢谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policythenpermit谢谢阅读/***custom模式***/※创建tunnel接口srx_admin#setinterfacesst0unit0familyinet感谢阅读/***新建st0.0接口***/srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesst0.0精品文档放心下载/***定义tunnel接口st0.0为untrust接口***/精品文档放心下载※创建去往VPN对端内网的路由srx_admin#setrouting-optionsstaticroute/24next-hopst0.0谢谢阅读※VPN第一阶段IKE配置※※proposal设置srx_admin#setsecurityikeproposalvpn1-proposalauthentication-methodpre-shared-keys感谢阅读/***使用pre-shared-keys认证***/感谢阅读srx_admin#setsecurityikeproposalvpn1-proposaldh-groupgroup2谢谢阅读/***DH组使用group2***/srx_admin#setsecurityikeproposalvpn1-proposalauthentication-algorithmmd5谢谢阅读/***MD5认证***/srx_admin#setsecurityikeproposalvpn1-proposalencryption-algorithm3des-cbc感谢阅读/***3des加密***/.\※※policy设置srx_admin#setsecurityikepolicyvpn1-ike-policymodemain精品文档放心下载/***协商模式mainoraggressive***/谢谢阅读srx_admin#setsecurityikepolicyvpn1-ike-policyproposalsvpn1-proposal精品文档放心下载/***调用ikeproposal配置***/精品文档放心下载srx_admin#setsecurityikepolicyvpn1-ike-policypre-shared-keyascii-textjuniper123感谢阅读/***预共享密钥***/※※gateway设置srx_admin#setsecurityikegatewayvpn1-gatewayike-policyvpn1-ike-policy精品文档放心下载/***调用ikepolicy设置***/srx_admin#setsecurityikegatewayvpn1-gatewayaddress58感谢阅读/***对端网关地址***/srx_admin#setsecurityikegatewayvpn1-gatewayexternal-interfacefe-0/0/0.0精品文档放心下载/***本地出接口***/※VPN第二阶段IPSEC设置※※proposal设置srx_admin#setsecurityipsecproposalvpn2-ipsec-proposalprotocolesp谢谢阅读/***ipsecproposal协议esp***/谢谢阅读srx_admin#setsecurityipsecproposalvpn2-ipsec-proposalauthentication-algorithmhmac-md5-96谢谢阅读/***使用MD5认证***/srx_admin#setsecurityipsecproposalvpn2-ipsec-proposalencryption-algorithm3des-cbc感谢阅读/***使用3des加密***/※※policy设置setsecurityipsecpolicyvpn2-ipsec-policyperfect-forward-secrecykeysgroup2感谢阅读/***开启PFS，使用group2***/srx_admin#setsecurityipsecpolicyvpn2-ipsec-policyproposalsvpn2-ipsec-proposal/***ipsecpolicy设置，调用ipsecproposal***/感谢阅读※※VPN设置srx_admin#setsecurityipsecvpnvpn2-ipsec-vpnbind-interfacest0.0精品文档放心下载/***ipsecvpn设置，绑定tunnel接口***/谢谢阅读srx_admin#setsecurityipsecvpnvpn2-ipsec-vpnikegatewayvpn1-gateway精品文档放心下载/***ipsecvpn设置，调用第一阶段VPN网关***/谢谢阅读srx_admin#setsecurityipsecvpnvpn2-ipsec-vpnikeipsec-policyvpn2-ipsec-policy精品文档放心下载/***ipsecvpn设置，调用第二阶段ipsecpolicy***/感谢阅读srx_admin#setsecurityipsecvpnvpn2-ipsec-vpnestablish-tunnelsimmediately感谢阅读/***立即开始建立VPN隧道***/※外网接口开启IKE服务srx_admin#setsecurityzonessecurity-zoneuntrustinterfacesfe-0/0/0.0host-inbound-trafficsystem-servicesike谢谢阅读※双向流量策略trust->untrustsrx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policymatchsource-addressany谢谢阅读.\srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policymatchdestination-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policymatchapplicationany感谢阅读srx_admin#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicyvpn-policythenpermituntrust->trust精品文档放心下载srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policymatchsource-addressany精品文档放心下载srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policymatchdestination-addressany谢谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policymatchapplicationany谢谢阅读srx_admin#setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicyvpn-policythenpermit感谢阅读4.1.2PolicyBasiced※新建本地、对端内网网段，并将入其划入相应的zone谢谢阅读srx_admin#setsecurityzonessecurity-zonetrustaddress-bookaddressaddress1/24谢谢阅读/***本地内网网段***/srx_admin#setsecurityzonessecurity-zoneuntrustaddress-bookaddressaddress2/24精品文档放心下载/***对端内网网段***/※VPN第一阶段IKE设置※※Proposal设置srx_admin#setsecurityikeproposalike-phase1-proposalauthentication-methodpre-shared-keys感谢阅读/***采用预共享密钥***/srx_admin#setsecurityikeproposalike-phase1-proposaldh-groupgroup2谢谢阅读/***DHGroup使用Group2***/感谢阅读srx_admin#setsecurityikeproposalike-phase1-proposalauthentication-algorithmmd5感谢阅读/***使用md5认证***/srx_admin#setsecurityikeproposalike-phase1-proposalencryption-algorithm3des-cbc精品文档放心下载/***使用3des加密***/※※Policy设置srx_admin#setsecurityikepolicyike-phase1-policymodemain谢谢阅读/***协商模式mainoraggressive***/谢谢阅读srx_admin#setsecurityikepolicyike-phase1-policyproposalsike-phase1-proposal谢谢阅读/***调用ikeproposal配置***/感谢阅读srx_admin#setsecurityikepolicyike-phase1-policypre-shared-keyascii-textjun