Juniper SRX240 장비 VPN 설정 관련 Config 예제입니다.
IP 주소는 제가 임의대로 입력한 거라 큰 의미는 없습니다.
admin@VPN_1> show configuration
/* Juniper SRX240 chassis-cluster (two nodes) with two IKEv1 route-based site-to-site VPNs
   (A-Site: static peer, B-Site: dynamic peer). Review annotations below use Junos
   comment syntax; the configuration statements themselves are unchanged. */
version 11.4R9.4;
groups {
/* Node-specific settings: host-name and the fxp0 out-of-band management address of each
   cluster member. Applied via the "${node}" group below. */
node0 {
system {
host-name VPN_1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
}
}
node1 {
system {
host-name VPN_2;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
time-zone Asia/Seoul;
root-authentication {
/* "$1$" prefix = MD5-crypt password hash. It is published with this post, so treat it as
   disclosed: set a new root password before reusing this config anywhere. */
encrypted-password "$1$uw3DQGsO$0Jutfr2mQVTabddbzfc8YZh10"; ## SECRET-DATA
}
name-server {
168.126.63.1;
168.126.63.2;
}
login {
message "Unauthorized access is strictly prohibited by law";
retry-options {
/* Disconnect the session after 5 failed login attempts. */
tries-before-disconnect 5;
}
user admin {
uid 2000;
class super-user;
authentication {
/* Same caveat as root-authentication: published MD5-crypt hash, rotate before reuse. */
encrypted-password "$1$lOoGpfVA$vzrjxyysBYaasEc3q3svPy."; ## SECRET-DATA
}
}
}
services {
ssh {
protocol-version v2;
}
/* telnet and xnm-clear-text are cleartext management channels (credentials and config
   on the wire). SSHv2 is already enabled above; these two are normally deleted unless a
   legacy tool requires them. They are reachable from every zone whose host-inbound-traffic
   allows "all" system-services (trust and dmz below). */
telnet;
xnm-clear-text;
web-management {
https {
/* Self-signed certificate; clients will see a trust warning unless it is replaced. */
system-generated-certificate;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
/* Only local log files are configured here; no remote syslog host is visible in this
   config, so the session-close logs requested by the security policies below stay on-box. */
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
/* Single NTP source; a second server would avoid a single point of failure for log timestamps. */
server 203.248.240.140;
}
}
chassis {
cluster {
reth-count 4;
/* RG0 = control plane (routing engine), RG1 = data plane (all reth interfaces).
   node0 priority 100 vs node1 priority 1 makes node0 the preferred primary for both. */
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
interface-monitor {
/* Interface-monitor weights accumulate per node; RG1 fails over when the total reaches
   255. Trust (ge-x/0/14) and dmz (ge-x/0/15) links alone trigger failover; the two untrust
   links (155 + 100) must both fail to reach 255. */
ge-0/0/12 weight 155;
ge-0/0/13 weight 100;
ge-0/0/14 weight 255;
ge-0/0/15 weight 255;
ge-5/0/12 weight 155;
ge-5/0/13 weight 100;
ge-5/0/14 weight 255;
ge-5/0/15 weight 255;
}
}
}
}
interfaces {
/* Physical members: ge-0/0/x on node0 and ge-5/0/x on node1 pair up under reth0..reth3.
   reth0/reth1 = untrust (two uplinks), reth2 = trust, reth3 = dmz. */
ge-0/0/12 {
description "#### untrust ####";
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/13 {
description "#### untrust ####";
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/14 {
description "#### trust ####";
gigether-options {
redundant-parent reth2;
}
}
ge-0/0/15 {
description "#### dmz ####";
gigether-options {
redundant-parent reth3;
}
}
ge-5/0/12 {
description "#### untrust ####";
gigether-options {
redundant-parent reth0;
}
}
ge-5/0/13 {
description "#### untrust ####";
gigether-options {
redundant-parent reth1;
}
}
ge-5/0/14 {
description "#### trust ####";
gigether-options {
redundant-parent reth2;
}
}
ge-5/0/15 {
description "#### dmz ####";
gigether-options {
redundant-parent reth3;
}
}
/* Fabric (data) links between the two nodes. */
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-5/0/2;
}
}
}
reth0 {
description "#### untrust ####";
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
/* Primary Internet uplink; also the external-interface for both IKE gateways. */
address 111.170.182.125/28;
}
}
}
reth1 {
description "#### untrust ####";
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
/* Secondary uplink, used only by the backup default route (qualified-next-hop). */
address 111.170.182.61/26;
}
}
}
reth2 {
description "#### trust ####";
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 111.170.182.94/28;
}
}
}
reth3 {
description "#### dmz ####";
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 111.170.182.97/29;
}
}
}
/* Secure-tunnel units for route-based VPNs. Only st0.1 (A-Site) and st0.2 (B-Site) are bound
   to a vpn in this config; st0.3-st0.5 have static routes pointing at them but no ipsec vpn
   binding is visible, so traffic routed there is black-holed until a vpn is bound. */
st0 {
unit 1 {
family inet;
}
unit 2 {
family inet;
}
unit 3 {
family inet;
}
unit 4 {
family inet;
}
unit 5 {
family inet;
}
}
}
routing-options {
static {
/* Video-conferencing range lives behind the dmz gateway (111.170.182.98 is in reth3's /29). */
route 111.170.182.104/29 next-hop 111.170.182.98;
/* Remote VPN networks, routed into the tunnel interfaces (route-based VPN). */
route 10.10.30.0/24 next-hop st0.4;
route 10.10.40.0/24 next-hop st0.5;
route 10.10.10.0/24 next-hop st0.2;
route 10.0.0.0/24 next-hop st0.1;
route 10.10.20.0/24 next-hop st0.3;
/* Default via reth0's gateway; reth1's gateway is the backup with a worse metric. */
route 0.0.0.0/0 {
next-hop 111.170.182.126;
qualified-next-hop 111.170.182.62 {
metric 100;
}
}
}
}
security {
ike {
/* IKE debug tracing is switched on. This is troubleshooting state and is usually removed
   once the tunnels are up; it costs flash writes and can expose negotiation details in
   the trace file. */
traceoptions {
file ike-debug size 1m files 2;
flag policy-manager;
flag ike;
flag routing-socket;
}
/* IKE (phase 1) proposals. des-cbc, md5 and dh-group group1 are deprecated/weak;
   pre-g2-aes128-sha is the only proposal below with current-strength algorithms.
   pre-g2-des-sha, pre-g2-3des-sha and pre-g1-des-md5 are defined but referenced by no
   ike policy in this config. */
proposal pre-g2-3des-md5 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
proposal pre-g2-aes128-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal pre-g2-des-md5 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
}
proposal pre-g2-des-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
}
proposal pre-g2-3des-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
proposal pre-g1-des-md5 {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm md5;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
}
policy A-Site-gw-policy {
mode main;
proposals [ pre-g2-3des-md5 pre-g2-aes128-sha ];
/* "$9$" is Junos reversible obfuscation, not a hash: anyone with this text has the PSK.
   Replace the key before reusing this config. */
pre-shared-key ascii-text "$9$xoPN-VwAgaGdbwfTz39C8Xxd24"; ## SECRET-DATA
}
policy B-Site-gw-policy {
/* Aggressive mode is presumably required here because B-Site-gw is a dynamic-address peer
   (see "dynamic hostname" below); it pairs that with the weakest proposal (des-cbc/md5). */
mode aggressive;
proposals pre-g2-des-md5;
pre-shared-key ascii-text "$9$pUWnaO1ahSlvWIRVwYgJZCtpBcy"; ## SECRET-DATA
}
gateway A-Site-gw {
ike-policy A-Site-gw-policy;
address 200.110.246.100;
external-interface reth0;
}
gateway B-Site-gw {
ike-policy B-Site-gw-policy;
/* Peer has no fixed IP; identified by its IKE hostname ID. */
dynamic hostname doobee-dhcp;
external-interface reth0;
}
}
ipsec {
/* IPsec (phase 2) proposals. esp-3des-sha and esp-des-sha are defined but referenced by no
   ipsec policy in this config; esp-aes128-sha is the only current-strength option. */
proposal esp-3des-md5 {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
proposal esp-aes128-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
proposal esp-3des-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
proposal esp-des-md5 {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm des-cbc;
lifetime-seconds 3600;
}
proposal esp-des-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm des-cbc;
lifetime-seconds 3600;
}
policy A-Site-vpn-policy {
perfect-forward-secrecy {
keys group2;
}
proposals [ esp-3des-md5 esp-aes128-sha ];
}
policy B-Site-vpn-policy {
perfect-forward-secrecy {
keys group2;
}
proposals [ esp-des-md5 esp-aes128-sha ];
}
vpn A-Site-vpn {
/* Route-based: traffic for 10.0.0.0/24 (static route to st0.1) enters this tunnel. */
bind-interface st0.1;
vpn-monitor {
optimized;
}
ike {
gateway A-Site-gw;
ipsec-policy A-Site-vpn-policy;
}
}
vpn B-Site-vpn {
/* Route-based: traffic for 10.10.10.0/24 (static route to st0.2) enters this tunnel. */
bind-interface st0.2;
vpn-monitor {
optimized;
}
ike {
gateway B-Site-gw;
ipsec-policy B-Site-vpn-policy;
}
}
}
/* All application-layer gateways disabled. */
alg {
h323 disable;
mgcp disable;
msrpc disable;
sunrpc disable;
real disable;
rsh disable;
rtsp disable;
sccp disable;
sip disable;
sql disable;
talk disable;
tftp disable;
}
flow {
tcp-mss {
ipsec-vpn {
/* Clamp TCP MSS on tunnel traffic so ESP overhead does not cause fragmentation. */
mss 1350;
}
}
}
screen {
/* dmz-screen: syn-flood enabled with default thresholds (none set here). */
ids-option dmz-screen {
icmp {
large;
flood;
}
ip {
bad-option;
security-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan;
syn-flood;
land;
}
}
/* untrust-screen: broader IP-option checks, anti-spoofing, and explicit syn-flood thresholds. */
ids-option untrust-screen {
icmp {
fragment;
flood;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
spoofing;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan;
syn-ack-ack-proxy;
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
tcp-sweep;
}
}
}
/* Inter-zone policies. Every permit except trust-to-trust logs session-close. No explicit
   deny-all-with-log policy is visible, so unmatched traffic presumably falls to the implicit
   default deny without a log record - confirm default-policy settings (not shown).
   NOTE(review): several addresses referenced below (111.170.182.68/32, 120.40.70.0/28,
   120.40.70.96/27, 200.200.60.225/32) have no entry in the zone address-books at the end of
   this config; likely a side effect of the author's IP substitution, but verify before reuse. */
policies {
from-zone untrust to-zone dmz {
policy 1 {
match {
source-address 110.110.15.144/32;
destination-address 111.170.182.93/32;
application any;
}
then {
permit;
log {
session-close;
}
}
}
policy 2 {
match {
/* Permits cleartext telnet from one untrust host into the whole dmz. */
source-address 111.170.182.117/32;
destination-address any;
application [ junos-icmp-all junos-telnet ];
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone trust to-zone untrust {
policy 1 {
match {
source-address 111.170.182.68/32;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone untrust to-zone trust {
policy 1 {
match {
source-address [ 120.40.70.0/28 120.40.70.96/27 200.200.60.225/32 ];
destination-address 111.170.182.68/32;
application any;
}
then {
permit;
log {
session-close;
}
}
}
policy 2 {
match {
/* Two untrust hosts get "any application" to every trust destination. */
source-address [ 110.110.15.144/32 111.170.182.117/32 ];
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone dmz to-zone untrust {
policy 1 {
match {
source-address Video_Conferencing_NET;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
/* Intra-zone permit: reth2.0 and all st0 units sit in the trust zone, so LAN <-> VPN
   traffic is trust-to-trust and needs this policy. It is the only policy without logging. */
from-zone trust to-zone trust {
policy 1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
/* Entry names are the prefixes themselves. */
address 111.170.182.64/28 111.170.182.64/28;
address 111.170.182.65/32 111.170.182.65/32;
}
/* Every device service and routing protocol is reachable from trust (includes the
   telnet/xnm-clear-text services enabled under system services). */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth2.0;
st0.1;
st0.2;
st0.3;
st0.4;
st0.5;
}
}
security-zone untrust {
address-book {
address 110.110.15.144/32 110.110.15.144/32;
address 111.170.182.117/32 111.170.182.117/32;
/* 111.170.182.120/32 is defined but referenced by no policy in this config. */
address 111.170.182.120/32 111.170.182.120/32;
}
screen untrust-screen;
/* Internet-facing: only IKE (needed for the VPNs), SSH and ping reach the device itself.
   SSH exposed on untrust is a management-plane exposure; restricting sources (e.g. a
   loopback/firewall filter) would tighten it. */
host-inbound-traffic {
system-services {
ike;
ssh;
ping;
}
}
interfaces {
reth0.0;
reth1.0;
}
}
security-zone dmz {
address-book {
/* 111.170.182.106/32 is defined but referenced by no policy in this config. */
address 111.170.182.106/32 111.170.182.106/32;
address 111.170.182.93/32 111.170.182.93/32;
address Video_Conferencing_NET 111.170.182.104/29;
}
screen dmz-screen;
/* "all" system-services at both zone and interface level: dmz hosts can reach every device
   service, including the cleartext ones; the zone-level statement is redundant with the
   reth3.0 per-interface statement below. */
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
reth3.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
{primary:node0}
admin@VPN_1>