Configuring Juniper Dynamic VPN (Remote Access VPN) on Juniper SRX hardware (JunOS version 10.4R4.5)


7 years 6 months ago #192 by PNV
Victorius, everything should work if it is configured correctly.
1) Check the remote-protected-resources setting on Juniper office1;
2) Check routing between the offices. Juniper office2 must be able to see the VPN subnet of Juniper office1. Check with ping and traceroute from the office2 subnet to the gateway of the office1 VPN network; check with a traceroute from the remote client where the trace stops;
3) Check the inter-zone firewall policies on both Junipers.


If you cannot find the error, post the configs of both devices and we will sort it out.

7 years 6 months ago - 7 years 6 months ago #193 by Victorius
Hello.
1. Unfortunately I did not understand what remote-protected-resources is or how to check its setting. show does not output such parameters at all.
2. Routing works fine between Office1 and Office2 (static VPN). Traceroutes accordingly go through without problems.
But office3, which connects to office1 over dyn-VPN, cannot see office2 at all.
1 * * * Превышен интервал ожидания для запроса.
2 * * * Превышен интервал ожидания для запроса.
3 * * * Превышен интервал ожидания для запроса.
Moreover, a trace from office2 to the dyn-VPN clients leaves the office1 gateway straight to the outside, not into the dyn tunnel.
Last edit: 7 years 6 months ago by Victorius.

7 years 6 months ago #194 by PNV
1. remote-protected-resources is described in item 6 of this topic;
2. Post the complete configs of both devices, as well as the output of the show route command.

7 years 6 months ago #195 by Victorius
Sorry, the dyn-VPN was configured a year ago.
In item 6 I have all three of my subnets listed.
show security dynamic-vpn clients VPN-test-users
remote-protected-resources {
192.168.67.0/24;
192.168.3.0/24;
192.168.69.0/24;
}
remote-exceptions {
0.0.0.0/0;

7 years 6 months ago #196 by PNV

7 years 6 months ago #197 by Victorius
show configuration routing-options | display set


set routing-options interface-routes rib-group inet inside
set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0
set routing-options static route 192.168.65.0/24 next-hop gr-0/0/0.0
set routing-options static route 192.168.3.22/32 next-hop 192.168.3.3
set routing-options rib-groups inside import-rib inet.0
set routing-options rib-groups inside import-rib TRUST-VRF.inet.0
set routing-options rib-groups inside import-rib ISP1.inet.0
set routing-options rib-groups inside import-rib ISP2.inet.0
set routing-options router-id 192.168.67.7



___________________________

show configuration security policies | display set
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping match application junos-icmp-all
set security policies from-zone trust to-zone untrust policy trust-to-untrast-ping then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN match source-address LAN_network_67
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-for-DYN-VPN then permit
set security policies from-zone untrust to-zone trust policy VPN-Access match source-address any
set security policies from-zone untrust to-zone trust policy VPN-Access match destination-address LAN_network_67
set security policies from-zone untrust to-zone trust policy VPN-Access match application any
set security policies from-zone untrust to-zone trust policy VPN-Access then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match source-address vpn_net_10
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match destination-address LAN_network_67
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match application any
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then permit
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then log session-init
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then log session-close
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match source-address LAN_network_67
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match destination-address vpn_net_10
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER match application any
set security policies from-zone trust to-zone vpn-DATACENTER policy trust-to-vpn-DATACENTER then permit
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ match destination-address DMZ_network_65
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ match application any
set security policies from-zone vpn-DATACENTER to-zone DMZ policy vpn-DATACENTER-to-DMZ then permit
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER match source-address DMZ_network_65
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER match application any
set security policies from-zone DMZ to-zone vpn-DATACENTER policy DMZ-to-vpn-DATACENTER then permit
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN match source-address DMZ_network_65
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN match application any
set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust-for-DYN-VPN then permit
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ match source-address any
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ match destination-address DMZ_network_65
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ match application any
set security policies from-zone untrust to-zone DMZ policy untrust-DYN-VPN-to-DMZ then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match source-address DYN-VPN-CLients
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match application any
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match application any
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN then permit

______________________________________________________________________________________________________________________________________________________________




show configuration security zones | display set
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone DMZ host-inbound-traffic system-services all
set security zones security-zone DMZ host-inbound-traffic protocols all
set security zones security-zone DMZ interfaces ge-0/0/15.0
set security zones security-zone vpn-DATACENTER host-inbound-traffic system-services all
set security zones security-zone vpn-DATACENTER host-inbound-traffic protocols all
set security zones security-zone vpn-DATACENTER interfaces st0.0
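Step 3 of PNV's checklist (check the inter-zone policies on both Junipers) can be done by eye on the dump above, but a hundred-odd "display set" lines are easy to misread. The script below is an added example, not part of the thread and not a Juniper tool: it parses "display set" security-policy lines into an ordered table, answers which policy a given zone pair / source / destination / application hits first (JunOS evaluates a zone pair's policies in configuration order, first match wins, default deny otherwise), reports whether that policy carries a "tunnel ipsec-vpn" action, which is what binds a flow to a policy-based VPN, and flags policies with a missing match term or action, which in a pasted config usually means the paste was truncated. Address-book names (LAN_network_67, DYN-VPN-CLients, ...) are matched by name because the post does not show their prefixes; the sample lines embedded in the script are a subset copied from the policy dump in the post.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the "show configuration security policies | display set"
# lines posted in the thread (zone, policy and address-book names exactly as in the post).
SAMPLE_POLICY_LINES = """
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match source-address vpn_net_10
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match destination-address LAN_network_67
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust match application any
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then permit
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then log session-init
set security policies from-zone vpn-DATACENTER to-zone trust policy vpn-DATACENTER-to-trust then log session-close
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match source-address DYN-VPN-CLients
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match destination-address DATACENTER_network_69
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER match application any
set security policies from-zone untrust to-zone vpn-DATACENTER policy untrust-DYN-VPN-to-vpn-DATACENTER then permit tunnel ipsec-vpn VPN-Users
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match source-address DATACENTER_network_69
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match destination-address DYN-VPN-CLients
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN match application any
set security policies from-zone vpn-DATACENTER to-zone untrust policy vpn-DATACENTER-to-untrust-DYN-VPN then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(match source-address|match destination-address|match application|then) (.+)$"
)


def parse_policies(lines):
    """Parse 'display set' policy lines into an OrderedDict keyed by
    (from_zone, to_zone, policy_name). Insertion order is kept on purpose:
    JunOS evaluates a zone pair's policies in configuration order."""
    policies = OrderedDict()
    for raw in lines:
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue  # not a policy line
        fz, tz, name, clause, rest = m.groups()
        pol = policies.setdefault((fz, tz, name), {
            "from": fz, "to": tz, "name": name,
            "src": [], "dst": [], "app": [],
            "action": None, "tunnel": None, "log": [],
        })
        toks = rest.split()
        if clause == "match source-address":
            pol["src"].append(rest)
        elif clause == "match destination-address":
            pol["dst"].append(rest)
        elif clause == "match application":
            pol["app"].append(rest)
        elif toks[0] in ("permit", "deny", "reject"):
            pol["action"] = toks[0]
            # "then permit tunnel ipsec-vpn <name>" binds the flow to a policy-based VPN
            if len(toks) == 4 and toks[1:3] == ["tunnel", "ipsec-vpn"]:
                pol["tunnel"] = toks[3]
        elif toks[0] == "log":
            pol["log"].append(toks[1])
    return policies


def _term_matches(configured, wanted):
    # "any" in the policy matches every address-book object or application name
    return "any" in configured or wanted in configured


def first_match(policies, from_zone, to_zone, src, dst, app):
    """Return the first policy of the zone pair matching the flow, or None
    (None means the zone pair's default deny applies)."""
    for pol in policies.values():
        if (pol["from"], pol["to"]) != (from_zone, to_zone):
            continue
        if (_term_matches(pol["src"], src) and _term_matches(pol["dst"], dst)
                and _term_matches(pol["app"], app)):
            return pol
    return None


def lint(policies):
    """Map policy name -> missing match terms / action. JunOS will not commit
    such a policy, so in a pasted dump this usually means truncation."""
    problems = {}
    for pol in policies.values():
        missing = [term for term, key in (("source-address", "src"),
                                          ("destination-address", "dst"),
                                          ("application", "app")) if not pol[key]]
        if pol["action"] is None:
            missing.append("then-action")
        if missing:
            problems[pol["name"]] = missing
    return problems


def describe(pol):
    """One-line summary for manual runs."""
    if pol is None:
        return "no policy matches (default deny)"
    via = f" via ipsec-vpn {pol['tunnel']}" if pol["tunnel"] else " (no tunnel action)"
    return f"{pol['name']}: {pol['action']}{via}"


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY_LINES.splitlines())
    # Both directions between office2 (zone vpn-DATACENTER, st0.0) and the dynamic VPN clients
    print("office2 -> clients:", describe(first_match(
        pols, "vpn-DATACENTER", "untrust", "DATACENTER_network_69", "DYN-VPN-CLients", "junos-icmp-all")))
    print("clients -> office2:", describe(first_match(
        pols, "untrust", "vpn-DATACENTER", "DYN-VPN-CLients", "DATACENTER_network_69", "junos-icmp-all")))
    print("incomplete policies:", lint(pols))
```

Run against the full dump, the script shows that only the untrust-to-* policies carry "tunnel ipsec-vpn VPN-Users", that the vpn-DATACENTER-to-untrust-DYN-VPN policy permits without a tunnel action, and that the pasted trust-to-untrust policy has no source-address term, so that part of the paste is incomplete. Paste the real "show configuration security policies | display set" output in place of the sample to check other zone pairs.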
