Configuring Juniper Dynamic VPN (Remote Access VPN) on Juniper SRX (JunOS version 10.4R4.5)
7 years 6 months ago #192
PNV replied:
Victorius, it should all work if it is configured correctly.
1) Check the remote-protected-resources setting on the Juniper at office 1;
2) Check routing between the offices. The Juniper at office 2 must be able to reach the VPN subnet of the Juniper at office 1. Check with ping and traceroute from the office 2 subnet to the VPN gateway of office 1; run a traceroute from the remote client and see where it stalls;
3) Check the inter-zone firewall policies on both Junipers.
If you can't find the error, post the configs of both devices and we'll sort it out.
7 years 6 months ago #193
Victorius replied:
Hello.
1. Unfortunately I don't understand what remote-protected-resources is or how to check that setting. show doesn't output any such parameters at all.
2. Routing works fine between Office 1 and Office 2: static VPN, and the traceroutes go through without problems.
But office 3, which connects to office 1 over dynamic VPN, cannot see office 2 at all.
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
Moreover, a traceroute from office 2 to the dynamic VPN clients leaves the office 1 gateway straight to the Internet instead of into the dynamic tunnel.
Last edit: 7 years 6 months ago by Victorius.
7 years 6 months ago #194
PNV replied:
1. remote-protected-resources is described in step 6 of this topic;
2. Post the full configs of both devices, and also the output of the show route command.
7 years 6 months ago #195
Victorius replied:
Sorry, the dynamic VPN was set up a year ago.
In step 6 I have all three of my subnets listed.
show security dynamic-vpn clients VPN-test-users
remote-protected-resources {
192.168.67.0/24;
192.168.3.0/24;
192.168.69.0/24;
}
remote-exceptions {
0.0.0.0/0;
}
}
7 years 6 months ago #196
PNV replied:
I still haven't seen the config.
7 years 6 months ago #197
Victorius replied:
show configuration routing-options | display set
set routing-options interface-routes rib-group inet inside
set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0
set routing-options static route 192.168.65.0/24 next-hop gr-0/0/0.0
set routing-options static route 192.168.3.22/32 next-hop 192.168.3.3
set routing-options rib-groups inside import-rib inet.0
set routing-options rib-groups inside import-rib TRUST-VRF.inet.0
set routing-options rib-groups inside import-rib ISP1.inet.0
set routing-options rib-groups inside import-rib ISP2.inet.0
set routing-options router-id 192.168.67.7
___________________________
show configuration security policies | display set
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping match application junos-icmp-all
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN match source-address LAN_network_67
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN then permit
set security policies from-zone untrust to-zone trust policy VPN-Access match source-address any
set security policies from-zone untrust to-zone trust policy VPN-Access match destination-address LAN_network_67
set security policies from-zone untrust to-zone trust policy VPN-Access match application any
set security policies from-zone untrust to-zone trust policy VPN-Access then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match source-address vpn_net_10
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match destination-address LAN_network_67
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match application any
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then permit
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then log session-init
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then log session-close
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match source-address LAN_network_67
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match destination-address vpn_net_10
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match application any
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER then permit
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ match destination-address DMZ_network_65
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ match application any
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ then permit
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER match source-address DMZ_network_65
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER match application any
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER then permit
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN match source-address DMZ_network_65
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN match application any
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN then permit
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ match source-address any
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ match destination-address DMZ_network_65
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ match application any
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match source-address DYN-VPN-CLients
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match application any
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match application any
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN then permit
______________________________________________________________________________________________________________________________________________________________
show configuration security zones | display set
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone DMZ host-inbound-traffic system-services all
set security zones security-zone DMZ host-inbound-traffic protocols all
set security zones security-zone DMZ interfaces ge-0/0/15.0
set security zones security-zone vpn-DATACENTER host-inbound-traffic system-services all
set security zones security-zone vpn-DATACENTER host-inbound-traffic protocols all
set security zones security-zone vpn-DATACENTER interfaces st0.0
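Added example, not code from the thread, from Juniper or from either poster: a small Python simulator of the two SRX lookups PNV's checklist asks for, routing (step 2) and inter-zone policy (step 3), run over an excerpt of the `display set` output Victorius posted. It parses the static routes and the security policies, then does a longest-prefix route lookup and a first-match policy lookup per zone pair, the same order of evaluation the SRX uses. Assumptions: the address book was not posted, so policy terms are compared by address-book name with "any" as the wildcard; the CONFIG string is a constructed excerpt of the posted lines; and 10.10.10.5 is an invented client address standing in for the unknown dynamic-VPN pool.

```python
"""Added example: simulate SRX route and security-policy lookups over
Junos `| display set` output. Not from the thread or from Juniper."""
import ipaddress
import re

# Constructed excerpt of the config Victorius posted: the static routes and
# the policies between the dynamic-VPN clients (untrust) and vpn-DATACENTER.
CONFIG = """
set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0
set routing-options static route 192.168.65.0/24 next-hop gr-0/0/0.0
set routing-options static route 192.168.3.22/32 next-hop 192.168.3.3
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match source-address DYN-VPN-CLients
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match application any
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match application any
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN then permit
"""

ROUTE_RE = re.compile(
    r"^set routing-options static route (\S+) (next-hop|next-table) (\S+)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")


def parse(config):
    """Return (routes, policies). Policies keep config order, which is the
    order the SRX evaluates them within a zone pair."""
    routes = []      # (network, "next-hop" | "next-table", target)
    policies = {}    # (from-zone, to-zone, name) -> policy dict
    for line in config.strip().splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2), m.group(3)))
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        fz, tz, name, kind, rest = m.groups()
        pol = policies.setdefault((fz, tz, name), {
            "from": fz, "to": tz, "name": name, "action": None,
            "source-address": set(), "destination-address": set(), "application": set()})
        if kind == "match":
            term, value = rest.split(" ", 1)
            pol[term].add(value)
        else:
            pol["action"] = rest      # "permit" or "permit tunnel ipsec-vpn VPN-Users"
    return routes, list(policies.values())


def route_lookup(routes, dst):
    """Longest-prefix match; returns e.g. 'next-hop gr-0/0/0.0' or None."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else f"{best[1]} {best[2]}"


def _term_hit(values, want):
    # Address-book names are compared literally; "any" matches everything.
    # An empty term never matches (Junos requires all three match terms).
    return "any" in values or want in values


def policy_lookup(policies, from_zone, to_zone, src, dst, app="any"):
    """First matching policy wins; None is the implicit default deny."""
    for pol in policies:
        if (pol["from"], pol["to"]) != (from_zone, to_zone):
            continue
        if (_term_hit(pol["source-address"], src)
                and _term_hit(pol["destination-address"], dst)
                and _term_hit(pol["application"], app)):
            return pol
    return None


def uses_tunnel(pol):
    """True only for a policy-based VPN action ('permit tunnel ipsec-vpn ...')."""
    return pol is not None and "tunnel ipsec-vpn" in (pol["action"] or "")


def diagnose(config):
    routes, policies = parse(config)
    fwd = policy_lookup(policies, "untrust", "vpn-DATACENTER",
                        "DYN-VPN-CLients", "DATACENTER_network_69")
    rev = policy_lookup(policies, "vpn-DATACENTER", "untrust",
                        "DATACENTER_network_69", "DYN-VPN-CLients")
    return {
        "client_to_dc_policy": fwd["name"] if fwd else None,
        "client_to_dc_tunnel": uses_tunnel(fwd),
        "dc_to_client_policy": rev["name"] if rev else None,
        "dc_to_client_tunnel": uses_tunnel(rev),
        # 10.10.10.5 is an ASSUMED client address; the pool was not posted.
        "route_to_client": route_lookup(routes, "10.10.10.5"),
        "route_to_dmz": route_lookup(routes, "192.168.65.10"),
    }


if __name__ == "__main__":
    for key, value in diagnose(CONFIG).items():
        print(f"{key}: {value}")
```

On this excerpt the client-to-DATACENTER flow hits untrust-DYN-VPN-to-vpn-DATACENTER, a tunnel policy, while the reverse flow hits vpn-DATACENTER-to-untrust-DYN-VPN, a plain permit, and the assumed client address matches no static route, so it falls to 0.0.0.0/0 next-table ISP1.inet.0. That is consistent with the traceroute Victorius saw leaving the office 1 gateway towards the Internet; to run the same check against a real box, paste the full `show configuration | display set` output into CONFIG and add the address-book prefixes if you want prefix matching instead of name matching.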