

  • 設定参考を参照した、httpsログインによるIPsec接続



## Last changed: 2012-05-20 19:23:12 JST
/* Release 10.4R6.5 on what appears to be an SRX100 (host-name srx100h). This is a 2012-era release, so check the vendor's support status and published advisories before reusing the configuration. */
version 10.4R6.5;
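system {
    host-name srx100h;
    time-zone Asia/Tokyo;
    /* Every password on this page is a placeholder ("a") marked SECRET-DATA; the real hashes were redacted before publishing. */
    root-authentication {
        encrypted-password "a"; ## SECRET-DATA
    }
    /* Public resolvers (OpenDNS, then Google); use internal resolvers if name lookups must not leave the site. */
    name-server {
        208.67.222.222;
        208.67.220.220;
        8.8.8.8;
        8.8.4.4;
    }
    login {
        /* Two local super-user accounts. NOTE(review): "test" carries the same privilege as "admin"; remove it, or give it a restricted login class, when it is not actively needed. */
        user admin {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "a"; ## SECRET-DATA
            }
        }
        user test {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "a"; ## SECRET-DATA
            }
        }
    }
    services {
        /* Management is limited to encrypted channels. The listing as published also enabled telnet and xnm-clear-text (cleartext Junoscript); both send credentials unencrypted and were reachable from every LAN host because the trust zone admits all system-services, so they are dropped here. ssh and the web UI remain. */
        ssh;
        web-management {
            /* Plain HTTP stays on the LAN-side vlan.0 only. */
            http {
                interface vlan.0;
            }
            /* HTTPS is also bound to fe-0/0/0.0 because dynamic-VPN clients sign in and obtain their tunnel settings through the web UI on the external interface. system-generated-certificate is self-signed, so clients cannot verify the gateway's identity; a CA-issued certificate removes that gap. */
            https {
                system-generated-certificate;
                interface [ vlan.0 fe-0/0/0.0 ];
            }
        }
        /* DHCP server for the LAN (vlan.0 is 192.168.1.1/24). propagate-settings copies settings learned by DHCP on fe-0/0/0.0 into the pool; fe-0/0/0 carries a static address under interfaces, so this probably has no effect — confirm. */
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Login/authorization events are kept at info level in "messages". */
        file messages {
            any critical;
            authorization info;
        }
        /* NOTE(review): only failed interactive commands are logged; "interactive-commands any" gives a full audit trail of CLI activity. */
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            /* Wiki auto-link markup around "juniper" in the published listing is stripped here; this is the vendor's default key-retrieval URL. */
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NTP servers are unauthenticated (no authentication-key); acceptable for a lab, but clock skew affects log correlation and certificate validity checks. */
    ntp {
        server 133.243.238.243 prefer;
        server 133.243.238.163;
    }
}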
/* Physical layout (read from the zone bindings under security): fe-0/0/0 is the WAN side in zone untrust, fe-0/0/1..7 are switch ports in vlan-trust, and vlan.0 is the routed LAN gateway (192.168.1.1/24, also the DHCP router address). */
interfaces {
    /* Static WAN address; the static default route under routing-options points at 192.168.2.1 on this subnet. */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.220/24;
            }
        }
    }
    /* Access ports, all members of vlan-trust. */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Routed (L3) interface for vlan-trust; the only interface in zone trust. */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
/* SNMP: a single community plus an inform target on the LAN. NOTE(review): the v3 target-parameters select message-processing-model/security-model v2c with security-level none, so informs carry the community name in cleartext with no authentication; "community SNMPCOMMUNITY" has no clients list and no explicit authorization (Junos defaults to read-only — confirm), so any host that can reach the device and knows the name can query it. The name is presumably a placeholder. */
snmp {
    v3 {
        /* Inform receiver on the LAN (192.168.1.10), sent with the v2c-style parameters below. */
        target-address NNM {
            address 192.168.1.10;
            target-parameters NNM-PARAM;
        }
        target-parameters NNM-PARAM {
            parameters {
                message-processing-model v2c;
                security-model v2c;
                security-level none;
                security-name SNMPCOMMUNITY;
            }
        }
        /* Informs (acknowledged) rather than traps. */
        notify NOTIFY {
            type inform;
        }
    }
    community SNMPCOMMUNITY;
}
/* Single static default route toward the upstream router on the fe-0/0/0 subnet (192.168.2.0/24). */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.2.1;
    }
}
/* Spanning tree with default parameters on the switch ports; no other routing protocols are configured. */
protocols {
    stp;
}
/* Remote-access (dynamic) IPsec VPN gateway: clients sign in over HTTPS on the WAN interface, authenticate per user via XAuth against the local access profile, and then tunnel to dyn-vpn. NAT rules and security policies are first-match, so statement order in this hierarchy is significant and is kept exactly as published. */
security {
    ike {
        /* NOTE(review): aggressive mode with a pre-shared key sends the IKE identity unprotected and exposes a PSK-derived hash to offline guessing. The shared-ike-id dynamic-VPN design on this release relies on aggressive mode — confirm against the release documentation — so the PSK must be long and random (the value here is a redacted placeholder). proposal-set standard selects the vendor's fixed algorithm list; confirm it still meets policy. */
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "a"; ## SECRET-DATA
        }
        /* One shared IKE identity ("dynvpn") for all clients, at most 10 concurrent tunnels, terminated on the WAN interface; per-user credentials come from XAuth against dyn-vpn-access-profile. */
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                connections-limit 10;
                ike-user-type shared-ike-id;
            }
            external-interface fe-0/0/0.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        /* Policy-based VPN (no bind-interface): the tunnel is invoked from the untrust-to-trust security policy below. */
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    nat {
        source {
            /* Interface-based source NAT for all LAN traffic leaving toward untrust. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        /* Basic IDS screens for the untrust zone. SYN-flood thresholds are as published; tune them to the link's observed traffic. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        /* LAN zone: every Junos host service and routing protocol is accepted from the LAN, so everything enabled under system services is reachable from any LAN host. */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* Zone-wide: only IKE and HTTPS (VPN client sign-in) are accepted from the Internet side. */
            host-inbound-traffic {
                system-services {
                    https;
                    ike;
                }
            }
            interfaces {
                /* NOTE(review): the interface-level list additionally admits dhcp, tftp and ping on the WAN port. tftp is an unauthenticated file service that nothing on this page uses, and dhcp is only needed if the WAN address is learned dynamically, whereas fe-0/0/0 carries a static address; both look like factory-default leftovers and removable. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            ping;
                            https;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Outbound: the LAN may reach anything. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from the Internet side is permitted only inside the dyn-vpn tunnel (tunnel policy); cleartext untrust-to-trust traffic matches nothing and falls to the default deny. NOTE(review): any/any/any inside the tunnel gives every VPN user full access to the LAN; narrow destination-address and application to what remote users actually need. */
        from-zone untrust to-zone trust {
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
    }
    /* Client-side tunnel rules pushed to the VPN client at sign-in. */
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            /* Split tunnel: only traffic to 10.0.0.0/8 goes through the VPN; everything else (the 0.0.0.0/0 exception) leaves the client directly. NOTE(review): the LAN behind this gateway is 192.168.1.0/24 (vlan.0), which is not inside 10.0.0.0/8, so with these values remote users would not reach the LAN through the tunnel unless 10/8 networks exist beyond it — this looks carried over from a vendor example; confirm the intended protected networks. */
            all {
                remote-protected-resources {
                    10.0.0.0/8;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                /* Users entitled to this client profile; they are defined under access below. */
                user {
                    client1;
                    client2;
                }
            }
        }
    }
}
/* Local XAuth users for the dynamic VPN plus the address pool handed to clients. Passwords on this page are placeholders ("a"). */
access {
    profile dyn-vpn-access-profile {
        /* NOTE(review): static local passwords with no lockout or complexity controls visible here; consider an external authentication server (e.g. RADIUS via this profile) if the release and deployment allow it. */
        client client1 {
            firewall-user {
                password "a"; ## SECRET-DATA
            }
        }
        client client2 {
            firewall-user {
                password "a"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        /* Tunnel addresses for VPN clients; primary-dns 4.2.2.2 is a public resolver, so remote users' name lookups are not served from the LAN. */
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.10.0/24;
                xauth-attributes {
                    primary-dns 4.2.2.2/32;
                }
            }
        }
    }
    /* The HTTPS sign-in on the external interface authenticates against the same profile. */
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
/* LAN VLAN (id 3) carrying fe-0/0/1..7, routed through vlan.0. */
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}