Juniper Secure Connect 配置脚本


若要使用 Juniper Secure Connect，SRX 的版本必须为 20.3 以上；20.3 以下只能使用 Dynamic VPN。

首先生成证书并引用

# Key pair and self-signed certificate "Juniper" used for HTTPS management and for the
# SSL termination profile below. ip-address 1.1.1.1 is a placeholder for the device's
# public IP (see the note that follows). A self-signed certificate will presumably
# produce a trust warning on clients until it is replaced by a CA-issued one — confirm.
request security pki generate-key-pair size 4096 type rsa certificate-id Juniper
request security pki local-certificate generate-self-signed certificate-id Juniper subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1 
# Same certificate serves the web-management HTTPS listener.
set system services web-management https pki-local-certificate Juniper

# SSL termination profile; referenced later by the tcp-encap profile SSL-JSC-profile.
set services ssl termination profile SSL-JSC-term server-certificate Juniper

注意1.1.1.1为设备的公网IP,根据实际更改

设置IKE

# IKE phase-1 proposal: pre-shared-key authentication, DH group20, SHA-256 integrity,
# AES-256-CBC encryption, 28800 s (8 h) SA lifetime.
set security ike proposal JSC-proposal authentication-method pre-shared-keys
set security ike proposal JSC-proposal dh-group group20
set security ike proposal JSC-proposal authentication-algorithm sha-256
set security ike proposal JSC-proposal encryption-algorithm aes-256-cbc
set security ike proposal JSC-proposal lifetime-seconds 28800

# IKE policy. NOTE(review): IKEv1 aggressive mode with a pre-shared key sends the identity
# in clear and lets an observer attempt offline guessing of the PSK, so the PSK must be long
# and random. "123456" is a placeholder and must be replaced before commit.
set security ike policy Juniper_secure_connect_policy mode aggressive
set security ike policy Juniper_secure_connect_policy proposals JSC-proposal
set security ike policy Juniper_secure_connect_policy pre-shared-key ascii-text 123456

# IKE gateway for remote-access clients. All clients present the shared IKE ID
# "srx@juniper.com"; per-user credentials are then checked against the access profile
# named on the aaa line (remote-access-vpn-access-profile, defined further down).
set security ike gateway Juniper_secure_connect_ike_gw ike-policy Juniper_secure_connect_policy
set security ike gateway Juniper_secure_connect_ike_gw dynamic user-at-hostname "srx@juniper.com"
set security ike gateway Juniper_secure_connect_ike_gw dynamic ike-user-type shared-ike-id
# Dead-peer detection: probe every 10 s, give up after 5 failures.
set security ike gateway Juniper_secure_connect_ike_gw dead-peer-detection optimized
set security ike gateway Juniper_secure_connect_ike_gw dead-peer-detection interval 10
set security ike gateway Juniper_secure_connect_ike_gw dead-peer-detection threshold 5
# external-interface and local-address must match the device's real public-facing
# interface and IP; 1.1.1.1 is the same placeholder used for the certificate.
set security ike gateway Juniper_secure_connect_ike_gw external-interface ge-0/0/1.0
set security ike gateway Juniper_secure_connect_ike_gw local-address 1.1.1.1
set security ike gateway Juniper_secure_connect_ike_gw aaa access-profile remote-access-vpn-access-profile
set security ike gateway Juniper_secure_connect_ike_gw version v1-only
# TCP encapsulation over the SSL profile — presumably a fallback transport for clients on
# networks that block UDP 500/4500; confirm against the platform documentation.
set security ike gateway Juniper_secure_connect_ike_gw tcp-encap-profile SSL-JSC-profile

设置IPSec

# IPsec (phase-2) policy: PFS with DH group19. "standard" is a predefined proposal set;
# NOTE(review): verify the algorithms it maps to on this Junos release meet your policy.
set security ipsec policy Remote-access-vpn-policy perfect-forward-secrecy keys group19
set security ipsec policy Remote-access-vpn-policy proposal-set standard

# Route-based VPN bound to tunnel interface st0.0, tied to the IKE gateway above.
set security ipsec vpn Remote-access-vpn bind-interface st0.0
set security ipsec vpn Remote-access-vpn df-bit clear
set security ipsec vpn Remote-access-vpn copy-outer-dscp
set security ipsec vpn Remote-access-vpn ike gateway Juniper_secure_connect_ike_gw
set security ipsec vpn Remote-access-vpn ike ipsec-policy Remote-access-vpn-policy
# Traffic selectors: any client address (remote 0.0.0.0/0) may reach 10.0.0.0/8 and
# 192.168.0.0/16 through the tunnel. NOTE(review): narrow local-ip to the subnets remote
# users actually need rather than whole private ranges.
set security ipsec vpn Remote-access-vpn traffic-selector ts-1 local-ip 10.0.0.0/8
set security ipsec vpn Remote-access-vpn traffic-selector ts-1 remote-ip 0.0.0.0/0
set security ipsec vpn Remote-access-vpn traffic-selector ts-2 local-ip 192.168.0.0/16
set security ipsec vpn Remote-access-vpn traffic-selector ts-2 remote-ip 0.0.0.0/0

设置Remote-access

# Remote-access profile RA-JSC-1: links the IPsec VPN, the user access profile and the
# client configuration pushed to Juniper Secure Connect.
set security remote-access profile RA-JSC-1 ipsec-vpn Remote-access-vpn
set security remote-access profile RA-JSC-1 access-profile remote-access-vpn-access-profile
set security remote-access profile RA-JSC-1 client-config RA-JSC-Client
# Client settings: user starts the connection manually; client-side DPD every 60 s,
# 5 failures before the tunnel is considered down.
set security remote-access client-config RA-JSC-Client connection-mode manual
set security remote-access client-config RA-JSC-Client dead-peer-detection interval 60
set security remote-access client-config RA-JSC-Client dead-peer-detection threshold 5
# Profile used when the client does not select one explicitly.
set security remote-access default-profile RA-JSC-1

设置安全区域和策略

# Zone policy vpn -> trust: any source, any destination, any application, permit.
# NOTE(review): this gives every authenticated remote user unrestricted access to the trust
# zone. Restrict destination-address / application to what remote users need, and enable
# session logging on the policy so VPN access is auditable.
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

# TCP-encapsulation profile referenced by the IKE gateway; uses the SSL termination profile.
set security tcp-encap profile SSL-JSC-profile ssl-profile SSL-JSC-term

# Tunnel interface placed in zone "vpn". The second line is an exact duplicate of the
# first — harmless in set format, but can be removed.
set security zones security-zone vpn interfaces st0.0 
set security zones security-zone vpn interfaces st0.0 

其它

# Tunnel interface the VPN binds to (bind-interface st0.0 above); IPv4 family only.
set interfaces st0 unit 0 family inet

# Local firewall user "user_username" for the access profile referenced by the IKE gateway
# and the remote-access profile. NOTE(review): the password value shown looks like a Junos
# $9$-encoded secret, which is reversible obfuscation rather than a hash — confirm, and treat
# this file as sensitive.
set access profile remote-access-vpn-access-profile client user_username firewall-user password "$98xNrloJUjq.Apu1Ic-dsaZj"
# Address pool handed to clients: 192.168.254.0/24 with primary DNS 114.114.114.114 via XAuth.
set access profile remote-access-vpn-access-profile address-assignment pool remote-access-vpn-pool
set access address-assignment pool remote-access-vpn-pool family inet network 192.168.254.0/24
set access address-assignment pool remote-access-vpn-pool family inet xauth-attributes primary-dns 114.114.114.114/32
set access firewall-authentication web-authentication default-profile remote-access-vpn-access-profile

客户端下载地址:

https://support.juniper.net/support/downloads/ 。客户端安装后，输入设备的公网IP即可连接。若设备的443端口被封，可通过以下命令更改为其它端口：set system services web-management https port 8443

----------------------------

对接ldap

# LDAP (Active Directory) user authentication for remote access.
# NOTE(review): this creates a profile named JSC-RA-PROFILE, while the configuration above
# references remote-access-vpn-access-profile on the IKE gateway aaa line and the remote-access
# profile. Point those at this profile (or reuse that name) for LDAP to take effect.
# create an access profile
# The following set commands are relative to this edit context.
edit access profile JSC-RA-PROFILE

set authentication-order ldap

# use an existing address pool
# NOTE(review): the form used earlier in this file is "address-assignment pool <name>";
# confirm this line is accepted as written.
set address-assignment RAS-POOL1

# reset the values for windowsdomain, companyname and local appropriately for your windows domain
set ldap-options base-distinguished-name DC=windowsdomain,DC=companyname,DC=local

# gotta have this line as is
set ldap-options search search-filter sAMAccountNAme=

# create a non-admin account to authenticate users. make sure you have CN correct for this user
# if you think there may be (or may not be) a space in the CN - use ADSI (inside the windows administrative tools)
# to make sure you have it correct
# Keep this bind account limited to read access on the user container (least privilege).
set ldap-options search admin-search distinguished-name CN=VPNAuth,CN=Users,DC=windowsdomain,DC=companyname,DC=local

# password for VPNAuth — this is the LDAP bind credential; keep it out of shared documents
# and version control.
set ldap-options search admin-search password "MyPasswordInWindowsForVPNAuth"

# server(s) ip address(es)
# NOTE(review): port 389 is plain LDAP; the bind password and user credentials cross the
# network unencrypted unless LDAPS/StartTLS is configured. Prefer an encrypted transport
# and restrict the firewall-to-AD path accordingly.
set ldap-server 192.168.11.99 port 389