IPsec VPN access in transparent mode with Xauth user authentication

Description:
Topology diagram: [image]

IPsec VPN uses the Internet as its transport medium, which greatly reduces an enterprise's long-distance leased-line costs; it has become a mainstream means of communication, widely used for enterprise network interconnection and remote user access. However, the IETF IPsec specifications (RFC 2401 through RFC 2411) do not define a mechanism for user authentication or for address assignment inside the tunnel; they only define device/gateway authentication (preshared secret or certificate). Each major vendor therefore made its own extension to the user-authentication part of IKE, which is how the Xauth and Hybrid mechanisms came about. Juniper firewalls implement Xauth (as does Cisco, while the other major vendor, Check Point, uses Hybrid mode).

As is well known, Juniper firewalls also support VPN access in transparent mode. Below is a simple experiment with IPsec VPN access in transparent mode plus Xauth user authentication.
Configuration

Environment:
2 x PC, both running Windows XP; one simulates an Internet user and has the Netscreen-Remote 8.7 VPN client preinstalled
1 x Juniper NS-5GT simulating the router
1 x Juniper NS-5GT as the VPN access gateway
Topology: see the beginning of the post
VPN access gateway (NS-5GT) configuration:
set interface "trust" zone "V1-Trust"
set interface "untrust" zone "V1-Untrust"
set interface vlan1 ip 192.168.0.1/24
set interface vlan1 ip manageable
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage ssl
set zone V1-Untrust manage web
set address V1-Trust "net192.168.0.0" 192.168.0.0 255.255.255.0
set user "james" uid 1
set user "james" ike-id u-fqdn "james@juniper.net" share-limit 1
set user "james" type ike xauth
set user "james" password "eczNfrrTNuT2PCsRpJCaq2bPxrnJBN4+Ww=="
unset user "james" type auth
set user "james" "enable"
set user-group "xauthgrp" id 1
set user-group "xauthgrp" user "james"
set ike gateway "xauthgw" dialup "xauthgrp" Aggr outgoing-zone "V1-Untrust" preshare "BEwyBw5xNnGh6us2XACvl/PMPZn23ktq/Q==" proposal "pre-g2-3des-md5"
unset ike gateway "xauthgw" nat-traversal udp-checksum
set ike gateway "xauthgw" nat-traversal keepalive-frequency 5
set ike gateway "xauthgw" xauth server "Local" user-group "xauthgrp"
set vpn "xauthvpn" gateway "xauthgw" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set policy id 2 from "V1-Trust" to "V1-Untrust" "net192.168.0.0" "Dial-Up VPN" "ANY" tunnel vpn "xauthvpn" id 2 pair-policy 1 log
set policy id 2
set log session-init
exit
set policy id 1 from "V1-Untrust" to "V1-Trust" "Dial-Up VPN" "net192.168.0.0" "ANY" tunnel vpn "xauthvpn" id 2 pair-policy 2 log
set policy id 1
set log session-init
exit
set route 0.0.0.0/0 interface vlan1 gateway 192.168.0.254
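As an added example (not from the original post and not a Juniper tool), a small Python audit that reads ScreenOS `set` lines like the ones above and flags settings a reviewer would question: cleartext management services permitted on the untrust zone, legacy 3DES/MD5 proposals, aggressive-mode IKE and disabled anti-replay. The sample input copies lines from the gateway configuration above (with the preshared key replaced by a placeholder); the rule set is this example's own assumption.

```python
import re

# Added example: audit ScreenOS "set" lines for settings a reviewer would
# question. CONFIG copies lines from the NS-5GT configuration in the post
# (preshared key replaced by a placeholder); the rules are this example's own.
CONFIG = """
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage ssl
set zone V1-Untrust manage web
set ike gateway "xauthgw" dialup "xauthgrp" Aggr outgoing-zone "V1-Untrust" preshare "PSK-PLACEHOLDER" proposal "pre-g2-3des-md5"
set vpn "xauthvpn" gateway "xauthgw" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
"""

# Management services that carry credentials or data in the clear.
CLEARTEXT_MGMT = {"telnet", "web", "snmp"}
# Algorithm tokens that should not appear in a new IKE or IPsec proposal.
WEAK_ALGS = {"des", "3des", "md5", "sha1"}

def audit(config: str) -> list[str]:
    """Return one finding per risky setting; an empty list means nothing flagged."""
    findings = []
    for line in config.strip().splitlines():
        m = re.match(r'set zone (\S+) manage (\S+)', line)
        if m:
            zone, svc = m.groups()
            if zone.endswith("Untrust") and svc in CLEARTEXT_MGMT:
                findings.append(f"cleartext management '{svc}' allowed on zone {zone}")
            continue
        m = re.search(r'proposal "([^"]+)"', line)
        if m:
            tokens = m.group(1).lower().split("-")
            weak = sorted(a for a in WEAK_ALGS if a in tokens)
            if weak:
                findings.append(f"legacy algorithm(s) {weak} in proposal {m.group(1)}")
        if line.startswith("set ike gateway ") and " Aggr " in line:
            findings.append("IKE aggressive mode (peer identity exchanged unprotected)")
        if line.startswith("set vpn ") and " no-replay" in line:
            findings.append("anti-replay protection disabled (no-replay) on VPN")
    return findings

if __name__ == "__main__":
    for f in audit(CONFIG):
        print("WARN:", f)
```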
Netscreen-Remote client configuration: see attachment.

[This post was last edited by 主动脉 on 2007-8-10 13:55]