Example: Configure LDAP Authentication for Juniper Secure Connect (CLI Procedure)
Overview
LDAP is used to authenticate users. When you use LDAP as the authentication option, you can define one or more LDAP groups and use a specific local IP pool for address assignment based on group membership. If you do not specify a local IP pool per group, Junos OS assigns an IP address from the local IP pool configured in the access profile.
To configure user groups, include the allowed-groups statement at the [edit access ldap-options] hierarchy level. These group names must match the group names in your LDAP directory.
Consider the following LDAP groups: group1, group2, and group3. You can assign group1 to the address pool Juniper_Secure_Connect_Addr-Pool, group2 to the address pool poolB, and group3 to the address pool poolC.
- User1 belongs to group1. User1's group matches one of the configured groups, so User1 is authenticated. Based on the group membership, the system assigns User1 an IP address from the Juniper_Secure_Connect_Addr-Pool address pool.
- User2 belongs to group2. User2's group matches one of the configured groups, so User2 is authenticated. Based on the group membership, the system assigns User2 an IP address from the poolB address pool.
- User3 belongs to group3. User3's group matches one of the configured groups, so User3 is authenticated. Based on the group membership, the system assigns User3 an IP address from the poolC address pool.
- User4's group does not match any of the configured groups, so User4 is rejected.
Table 1 describes the LDAP server response when ldap-options is configured at the global access level and within the access profile. The profile configuration has higher priority than the global configuration.
| User | Group returned by LDAP server | Configured groups (allowed-groups) | Address pool | Action |
|---|---|---|---|---|
| User1 | group1 | group1, group2, group3 | Juniper_Secure_Connect_Addr-Pool | Accept (matches a configured group) |
| User2 | group2 | group1, group2, group3 | poolB | Accept (matches a configured group) |
| User3 | group3 | group1, group2, group3 | poolC | Accept (matches a configured group) |
| User4 | group4 | groupX, groupY, groupZ | poolD | Reject (no configured group matched) |
This example uses LDAP as the authentication option where the user belongs to a single group.
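The following Python model is added here to make the decision in Table 1 explicit; it is not Junos code. It uses the group and pool names from this page, and the function names, the dictionary layout and the profile-over-global precedence rule are this example's own assumptions about how the allowed-groups lookup behaves.

```python
# Added example (not Junos code): models the allowed-groups decision described
# above. Group and pool names are the ones used on this page; the function and
# variable names are assumptions of this example.

# allowed-groups as configured under ldap-options: group name -> per-group
# address-assignment pool, or None when no per-group pool is specified.
PROFILE_ALLOWED_GROUPS = {
    "group1": "Juniper_Secure_Connect_Addr-Pool",
    "group2": "poolB",
    "group3": "poolC",
}
# Pool configured in the access profile itself; used when a matched group
# has no pool of its own.
PROFILE_DEFAULT_POOL = "Juniper_Secure_Connect_Addr-Pool"


def resolve_pool(returned_groups, profile_groups, global_groups, default_pool):
    """Decide whether a user is accepted and which pool supplies the address.

    returned_groups: group names the LDAP server returned for the user.
    profile_groups:  allowed-groups under the access profile's ldap-options.
    global_groups:   allowed-groups under the global [edit access ldap-options].
    The profile configuration has priority; the global one applies only when
    the profile defines no allowed-groups (assumed reading of the text above).
    Returns (accepted, pool_name_or_None, reason).
    """
    allowed = profile_groups if profile_groups else global_groups
    for group in returned_groups:
        if group in allowed:
            pool = allowed[group] or default_pool
            return True, pool, f"matched configured group {group}"
    return False, None, "no configured group matched; reject"


def decision_table(users, allowed, default_pool):
    """Build rows like Table 1 for a mapping of user -> returned groups."""
    rows = []
    for user, groups in users.items():
        accepted, pool, _ = resolve_pool(groups, allowed, {}, default_pool)
        rows.append((user, ",".join(groups), pool, "Accept" if accepted else "Reject"))
    return rows


if __name__ == "__main__":
    # Constructed users matching the four cases in the text above.
    users = {"User1": ["group1"], "User2": ["group2"],
             "User3": ["group3"], "User4": ["group4"]}
    for row in decision_table(users, PROFILE_ALLOWED_GROUPS, PROFILE_DEFAULT_POOL):
        print(row)
```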
Requirements
This example uses the following hardware and software components:
- Any SRX Series firewall
- Junos OS Release 23.1R1
Before you begin:
- Configure ldap-options; see ldap-options.
- Enable LDAP authentication with TLS/SSL for secure connections; see Enable LDAP Authentication with TLS/SSL for Secure Connections.
For information about prerequisites, see System Requirements.
You must ensure that the SRX Series firewall uses a CA-signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, bind the certificate to the SRX Series firewall by running the following command:
```
user@host# set system services web-management https pki-local-certificate <cert_name>
```
For example:
```
user@host# set system services web-management https pki-local-certificate SRX_Certificate
```
where SRX_Certificate is the certificate obtained from the CA or a self-signed certificate.
Topology
The following figure shows the topology used in this example.
Figure 1: LDAP Authentication Configuration for Juniper Secure Connect
Configuration
In this example, we use LDAP as the authentication option where the user belongs to a single group.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
```
set security ike proposal JUNIPER_SECURE_CONNECT authentication-method pre-shared-keys
set security ike proposal JUNIPER_SECURE_CONNECT dh-group group19
set security ike proposal JUNIPER_SECURE_CONNECT authentication-algorithm sha-384
set security ike proposal JUNIPER_SECURE_CONNECT encryption-algorithm aes-256-cbc
set security ike proposal JUNIPER_SECURE_CONNECT lifetime-seconds 28800
set security ike policy JUNIPER_SECURE_CONNECT mode aggressive
set security ike policy JUNIPER_SECURE_CONNECT proposals JUNIPER_SECURE_CONNECT
set security ike policy JUNIPER_SECURE_CONNECT pre-shared-key ascii-text "$9$vWL8xd24Zk.5bs.5QFAtM8X7bsgoJDHq4o"
set security ike gateway JUNIPER_SECURE_CONNECT dynamic hostname ra.example.com
set security ike gateway JUNIPER_SECURE_CONNECT dynamic ike-user-type shared-ike-id
set security ike gateway JUNIPER_SECURE_CONNECT ike-policy JUNIPER_SECURE_CONNECT
set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection optimized
set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection interval 10
set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection threshold 5
set security ike gateway JUNIPER_SECURE_CONNECT version v1-only
set security ike gateway JUNIPER_SECURE_CONNECT aaa access-profile JUNIPER_SECURE_CONNECT
set security ike gateway JUNIPER_SECURE_CONNECT tcp-encap-profile SSL-VPN
set security ike gateway JUNIPER_SECURE_CONNECT external-interface ge-0/0/0
set security ipsec proposal JUNIPER_SECURE_CONNECT authentication-algorithm hmac-sha-256-128
set security ipsec proposal JUNIPER_SECURE_CONNECT encryption-algorithm aes-256-cbc
set security ipsec proposal JUNIPER_SECURE_CONNECT lifetime-seconds 3600
set security ipsec policy JUNIPER_SECURE_CONNECT perfect-forward-secrecy keys group19
set security ipsec policy JUNIPER_SECURE_CONNECT proposals JUNIPER_SECURE_CONNECT
set security ipsec vpn JUNIPER_SECURE_CONNECT bind-interface st0.0
set security ipsec vpn JUNIPER_SECURE_CONNECT ike gateway JUNIPER_SECURE_CONNECT
set security ipsec vpn JUNIPER_SECURE_CONNECT ike ipsec-policy JUNIPER_SECURE_CONNECT
set security ipsec vpn JUNIPER_SECURE_CONNECT traffic-selector ts1 local-ip 0.0.0.0/0
set security ipsec vpn JUNIPER_SECURE_CONNECT traffic-selector ts1 remote-ip 0.0.0.0/0
set security remote-access profile ra.example.com ipsec-vpn JUNIPER_SECURE_CONNECT
set security remote-access profile ra.example.com access-profile JUNIPER_SECURE_CONNECT
set security remote-access profile ra.example.com client-config JUNIPER_SECURE_CONNECT
set security remote-access client-config JUNIPER_SECURE_CONNECT connection-mode manual
set security remote-access client-config JUNIPER_SECURE_CONNECT dead-peer-detection interval 10
set security remote-access client-config JUNIPER_SECURE_CONNECT dead-peer-detection threshold 5
set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet network 192.168.2.0/24
set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet xauth-attributes primary-dns 10.8.8.8/32
set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet xauth-attributes primary-wins 192.168.3.10/32
set access profile JUNIPER_SECURE_CONNECT authentication-order ldap
set access profile JUNIPER_SECURE_CONNECT ldap-options base-distinguished-name CN=Users,DC=juniper,DC=net
set access profile JUNIPER_SECURE_CONNECT ldap-options search search-filter CN=
set access profile JUNIPER_SECURE_CONNECT ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniper,DC=net
set access profile JUNIPER_SECURE_CONNECT ldap-options search admin-search password "$9$Bmf1hreK8x7Vrl24ZGiHkqmPQ36/t0OR"
set access profile JUNIPER_SECURE_CONNECT ldap-options allowed-groups group1 address-assignment pool Juniper_Secure_Connect_Addr-Pool
set access profile JUNIPER_SECURE_CONNECT ldap-server 192.168.3.10
set access firewall-authentication web-authentication default-profile JUNIPER_SECURE_CONNECT
set services ssl termination profile Juniper_SCC-SSL-Term-Profile server-certificate JUNIPER_SECURE_CONNECT(RSA)
set security tcp-encap profile SSL-VPN ssl-profile Juniper_SCC-SSL-Term-Profile
set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match source-address any
set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match destination-address any
set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match application any
set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 then permit
set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 then log session-close
set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match source-address any
set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match destination-address any
set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match application any
set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 then permit
set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 then log session-close
set interfaces ge-0/0/0 description untrust
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 description trust
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interface st0.0
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy.
- Configure one or more Internet Key Exchange (IKE) proposals, and associate those proposals with an IKE policy. Configure the IKE gateway options.
```
user@host# set security ike proposal JUNIPER_SECURE_CONNECT authentication-method pre-shared-keys
user@host# set security ike proposal JUNIPER_SECURE_CONNECT dh-group group19
user@host# set security ike proposal JUNIPER_SECURE_CONNECT authentication-algorithm sha-384
user@host# set security ike proposal JUNIPER_SECURE_CONNECT encryption-algorithm aes-256-cbc
user@host# set security ike proposal JUNIPER_SECURE_CONNECT lifetime-seconds 28800
user@host# set security ike policy JUNIPER_SECURE_CONNECT mode aggressive
user@host# set security ike policy JUNIPER_SECURE_CONNECT proposals JUNIPER_SECURE_CONNECT
user@host# set security ike policy JUNIPER_SECURE_CONNECT pre-shared-key ascii-text "$9$vWL8xd24Zk.5bs.5QFAtM8X7bsgoJDHq4o"
user@host# set security ike gateway JUNIPER_SECURE_CONNECT dynamic hostname ra.example.com
user@host# set security ike gateway JUNIPER_SECURE_CONNECT dynamic ike-user-type shared-ike-id
user@host# set security ike gateway JUNIPER_SECURE_CONNECT ike-policy JUNIPER_SECURE_CONNECT
user@host# set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection optimized
user@host# set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection interval 10
user@host# set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection threshold 5
user@host# set security ike gateway JUNIPER_SECURE_CONNECT version v1-only
user@host# set security ike gateway JUNIPER_SECURE_CONNECT aaa access-profile JUNIPER_SECURE_CONNECT
user@host# set security ike gateway JUNIPER_SECURE_CONNECT tcp-encap-profile SSL-VPN
user@host# set security ike gateway JUNIPER_SECURE_CONNECT external-interface ge-0/0/0
```
- Configure one or more IPsec proposals, and associate those proposals with an IPsec policy. Configure the IPsec VPN parameters and traffic selectors.
```
user@host# set security ipsec proposal JUNIPER_SECURE_CONNECT authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal JUNIPER_SECURE_CONNECT encryption-algorithm aes-256-cbc
user@host# set security ipsec proposal JUNIPER_SECURE_CONNECT lifetime-seconds 3600
user@host# set security ipsec policy JUNIPER_SECURE_CONNECT perfect-forward-secrecy keys group19
user@host# set security ipsec policy JUNIPER_SECURE_CONNECT proposals JUNIPER_SECURE_CONNECT
user@host# set security ipsec vpn JUNIPER_SECURE_CONNECT bind-interface st0.0
user@host# set security ipsec vpn JUNIPER_SECURE_CONNECT ike gateway JUNIPER_SECURE_CONNECT
user@host# set security ipsec vpn JUNIPER_SECURE_CONNECT ike ipsec-policy JUNIPER_SECURE_CONNECT
user@host# set security ipsec vpn JUNIPER_SECURE_CONNECT traffic-selector ts1 local-ip 0.0.0.0/0
user@host# set security ipsec vpn JUNIPER_SECURE_CONNECT traffic-selector ts1 remote-ip 0.0.0.0/0
```
- Configure a remote-access profile and the client configuration.
```
user@host# set security remote-access profile ra.example.com ipsec-vpn JUNIPER_SECURE_CONNECT
user@host# set security remote-access profile ra.example.com access-profile JUNIPER_SECURE_CONNECT
user@host# set security remote-access profile ra.example.com client-config JUNIPER_SECURE_CONNECT
user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT connection-mode manual
user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT dead-peer-detection interval 10
user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT dead-peer-detection threshold 5
```
- Configure the address-assignment pool, the access profile with its ldap-options and allowed-groups, and specify the LDAP server for external authentication requests.
```
user@host# set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet network 192.168.2.0/24
user@host# set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet xauth-attributes primary-dns 10.8.8.8/32
user@host# set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet xauth-attributes primary-wins 192.168.3.10/32
user@host# set access profile JUNIPER_SECURE_CONNECT authentication-order ldap
user@host# set access profile JUNIPER_SECURE_CONNECT ldap-options base-distinguished-name CN=Users,DC=juniper,DC=net
user@host# set access profile JUNIPER_SECURE_CONNECT ldap-options search search-filter CN=
user@host# set access profile JUNIPER_SECURE_CONNECT ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniper,DC=net
user@host# set access profile JUNIPER_SECURE_CONNECT ldap-options search admin-search password "$9$Bmf1hreK8x7Vrl24ZGiHkqmPQ36/t0OR"
user@host# set access profile JUNIPER_SECURE_CONNECT ldap-options allowed-groups group1 address-assignment pool Juniper_Secure_Connect_Addr-Pool
user@host# set access profile JUNIPER_SECURE_CONNECT ldap-server 192.168.3.10
user@host# set access firewall-authentication web-authentication default-profile JUNIPER_SECURE_CONNECT
```
- Create an SSL termination profile. SSL termination is a process in which the SRX Series firewall acts as an SSL proxy server and terminates the SSL session from the client. Enter the name of the SSL termination profile and select the server certificate that you use for SSL termination on the SRX Series firewall. The server certificate is a local certificate identifier. Server certificates are used to authenticate the identity of a server.
```
user@host# set services ssl termination profile Juniper_SCC-SSL-Term-Profile server-certificate JUNIPER_SECURE_CONNECT(RSA)
```
Create an SSL VPN profile. See tcp-encap.
```
user@host# set security tcp-encap profile SSL-VPN ssl-profile Juniper_SCC-SSL-Term-Profile
```
- Create firewall policies.
Create the security policy to permit traffic from the trust zone to the vpn zone.
```
user@host# set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match source-address any
user@host# set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match destination-address any
user@host# set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match application any
user@host# set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 then permit
user@host# set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 then log session-close
```
Create the security policy to permit traffic from the vpn zone to the trust zone.
```
user@host# set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match source-address any
user@host# set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match destination-address any
user@host# set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match application any
user@host# set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 then permit
user@host# set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 then log session-close
```
- Configure the Ethernet interface information.
```
user@host# set interfaces ge-0/0/0 description untrust
user@host# set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
user@host# set interfaces ge-0/0/1 description trust
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
```
Configure the st0 interface with the family set to inet.
```
user@host# set interfaces st0 unit 0 family inet
```
- Configure security zones.
```
user@host# set security zones security-zone untrust host-inbound-traffic system-services ike
user@host# set security zones security-zone untrust host-inbound-traffic system-services https
user@host# set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
user@host# set security zones security-zone untrust interfaces ge-0/0/0.0
user@host# set security zones security-zone trust interfaces ge-0/0/1.0
user@host# set security zones security-zone vpn interface st0.0
```
Results
Check the results of the configuration:
```
[edit security ike]
proposal JUNIPER_SECURE_CONNECT {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-384;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy JUNIPER_SECURE_CONNECT {
    mode aggressive;
    proposals JUNIPER_SECURE_CONNECT;
    pre-shared-key ascii-text "$9$vWL8xd24Zk.5bs.5QFAtM8X7bsgoJDHq4o"; ## SECRET-DATA
}
gateway JUNIPER_SECURE_CONNECT {
    dynamic {
        hostname ra.example.com;
        ike-user-type shared-ike-id;
    }
    ike-policy JUNIPER_SECURE_CONNECT;
    dead-peer-detection {
        optimized;
        interval 10;
        threshold 5;
    }
    version v1-only;
    aaa {
        access-profile JUNIPER_SECURE_CONNECT;
    }
    tcp-encap-profile SSL-VPN;
    external-interface ge-0/0/0;
}
```
```
[edit security ipsec]
proposal JUNIPER_SECURE_CONNECT {
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
policy JUNIPER_SECURE_CONNECT {
    perfect-forward-secrecy {
        keys group19;
    }
    proposals JUNIPER_SECURE_CONNECT;
}
vpn JUNIPER_SECURE_CONNECT {
    bind-interface st0.0;
    ike {
        gateway JUNIPER_SECURE_CONNECT;
        ipsec-policy JUNIPER_SECURE_CONNECT;
    }
    traffic-selector ts1 {
        local-ip 0.0.0.0/0;
        remote-ip 0.0.0.0/0;
    }
}
```
```
[edit security remote-access]
profile ra.example.com {
    ipsec-vpn JUNIPER_SECURE_CONNECT;
    access-profile JUNIPER_SECURE_CONNECT;
    client-config JUNIPER_SECURE_CONNECT;
}
client-config JUNIPER_SECURE_CONNECT {
    connection-mode manual;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
}
```
```
[edit access]
address-assignment {
    pool Juniper_Secure_Connect_Addr-Pool {
        family inet {
            network 192.168.2.0/24;
            xauth-attributes {
                primary-dns 10.8.8.8/32;
                primary-wins 192.168.3.10/32;
            }
        }
    }
}
profile JUNIPER_SECURE_CONNECT {
    authentication-order ldap;
    ldap-options {
        base-distinguished-name DC=juniper,DC=net;
        search {
            search-filter CN=;
            admin-search {
                distinguished-name CN=Administrator,CN=Users,DC=juniper,DC=net;
                password "$9$Bmf1hreK8x7Vrl24ZGiHkqmPQ36/t0OR"; ## SECRET-DATA
            }
        }
        allowed-groups {
            group1 {
                address-assignment {
                    pool Juniper_Secure_Connect_Addr-Pool;
                }
            }
        }
    }
    ldap-server 192.168.3.10;
}
firewall-authentication {
    web-authentication {
        default-profile JUNIPER_SECURE_CONNECT;
    }
}
```
```
[edit services]
ssl {
    termination {
        profile Juniper_SCC-SSL-Term-Profile {
            server-certificate JUNIPER_SECURE_CONNECT(RSA);
        }
    }
}
```
Make sure that you already have a server certificate to attach to the SSL termination profile.
```
[edit security]
tcp-encap {
    profile SSL-VPN {
        ssl-profile Juniper_SCC-SSL-Term-Profile;
    }
}
policies {
    from-zone trust to-zone VPN {
        policy JUNIPER_SECURE_CONNECT-1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
    }
    from-zone VPN to-zone trust {
        policy JUNIPER_SECURE_CONNECT-2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
    }
}
```
```
[edit interfaces]
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.0.2.1/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
st0 {
    unit 0 {
        family inet;
    }
}
```
```
[edit security zones]
security-zone untrust {
    host-inbound-traffic {
        system-services (ike | https | tcp-encap);
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone trust {
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone vpn {
    interfaces {
        st0.0;
    }
}
```
Verification
To confirm that the configuration is working properly, enter the following show commands.
Verify the IPsec, IKE, and Group Information
Purpose
Display the possible results based on the LDAP server response when you use the JUNIPER_SECURE_CONNECT access profile and configure ldap-options inside the profile.
Action
From operational mode, enter these commands:
```
user@host> show network-access address-assignment pool Juniper_Secure_Connect_Addr-Pool
IP address/prefix    Hardware address     Host/User    Type
192.168.2.3          FF:FF:C0:A8:02:03    user1        xauth
```
```
user@host> show security ike security-associations detail
IKE peer 192.0.2.100, Index 6771534, Gateway Name: JUNIPER_SECURE_CONNECT
  Role: Responder, State: UP
  Initiator cookie: f174398039244783, Responder cookie: ffb63035b9f3f098
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 192.0.2.1:500, Remote: 192.0.2.100:10952
  Lifetime: Expires in 28746 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Juniper Secure Connect
  Peer ike-id: ra.example.com
  AAA assigned IP: 192.168.2.3
  Algorithms:
   Authentication        : hmac-sha384-192
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha384
   Diffie-Hellman group  : DH-group-19
  Traffic statistics:
   Input  bytes  :                 2058
   Output bytes  :                 1680
   Input  packets:                   12
   Output packets:                   10
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.0.2.1:500, Remote: 192.0.2.100:10952
    Local identity: 192.0.2.1
    Remote identity: ra.example.com
    Flags: IKE SA is created
```
```
user@host> show security ike active-peer detail
Peer address: 192.0.2.100, Port: 10952, Peer IKE-ID : ra.example.com
  AAA username: user1
  Assigned network attributes:
    IP Address : 192.168.2.3 , netmask : 255.255.255.0
    DNS Address : 10.8.8.8 , DNS2 Address : 0.0.0.0
    WINS Address : 192.168.3.10 , WINS2 Address : 0.0.0.0
  Previous Peer address : 0.0.0.0, Port : 0
  Active IKE SA indexes : 6771534
  IKE SA negotiated : 1
  IPSec tunnels active : 1, IPSec Tunnel IDs : 67108869
  DPD Config Mode : optimized
  DPD Config Interval: 10
  DPD Config Treshold: 5
  DPD Config P1SA IDX: 6771534
  DPD Flags : REMOTE_ACCESS
  DPD Stats Req sent: 0, DPD Stats Resp rcvd: 0
  DPD Statistics : DPD TTL :5 DPD seq-no :515423892
  DPD Statistics : DPD triggerd p1SA :0 DPD Reserved :0
```
```
user@host> show security ipsec security-associations detail
ID: 67108869 Virtual-system: root, VPN Name: JUNIPER_SECURE_CONNECT
  Local Gateway: 192.0.2.1, Remote Gateway: 192.0.2.100
  Traffic Selector Name: ts1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(192.168.2.3)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 4, Fail#: 0, Def-Del#: 0 Flag: 0x24608f29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Tue Mar 28 2023 11:34:36: IPSec SA negotiation successfully completed (1 times)
    Tue Mar 28 2023 11:34:36: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Mar 28 2023 11:34:35: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: f74fcaad, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2838 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 8605b13f, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2838 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
Meaning
The command output provides the details of the matched group: user1 is authenticated through LDAP, and the address 192.168.2.3 assigned to the peer comes from the Juniper_Secure_Connect_Addr-Pool pool, with the DNS and WINS servers taken from that pool's xauth-attributes.
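The following Python check is added here as a way to automate the verification step above; it is not Junos code or part of the original page. It parses a constructed excerpt of the show security ike active-peer detail output shown above and confirms that the assigned address, DNS and WINS values match the pool and xauth-attributes configured in this example. The regular expressions and function names are this example's own assumptions about the output format.

```python
import ipaddress
import re

# Added example (not Junos code): checks a 'show security ike active-peer
# detail' excerpt against the pool and xauth-attributes configured on this page.
POOL_NETWORK = ipaddress.ip_network("192.168.2.0/24")
EXPECTED_DNS = "10.8.8.8"
EXPECTED_WINS = "192.168.3.10"
EXPECTED_IKE_ID = "ra.example.com"

# Constructed excerpt, trimmed from the output shown in the Action section.
SAMPLE_ACTIVE_PEER = """\
Peer address: 192.0.2.100, Port: 10952, Peer IKE-ID : ra.example.com
  AAA username: user1
  Assigned network attributes:
    IP Address : 192.168.2.3 , netmask : 255.255.255.0
    DNS Address : 10.8.8.8 , DNS2 Address : 0.0.0.0
    WINS Address : 192.168.3.10 , WINS2 Address : 0.0.0.0
"""

# Field patterns are assumptions based on the sample output layout.
FIELD_PATTERNS = {
    "ike_id": r"Peer IKE-ID\s*:\s*(\S+)",
    "username": r"AAA username:\s*(\S+)",
    "ip": r"IP Address\s*:\s*(\S+)",
    "dns": r"DNS Address\s*:\s*(\S+)",
    "wins": r"WINS Address\s*:\s*(\S+)",
}


def parse_active_peer(text):
    """Extract the fields of interest; a missing field maps to None."""
    out = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, text)
        out[name] = m.group(1) if m else None
    return out


def check_peer(text):
    """Return a list of mismatches; an empty list means the peer matches
    the configuration of this example."""
    p = parse_active_peer(text)
    findings = []
    if p["ike_id"] != EXPECTED_IKE_ID:
        findings.append(f"unexpected peer IKE-ID {p['ike_id']}")
    if not p["username"]:
        findings.append("no AAA username: LDAP authentication did not complete")
    try:
        if ipaddress.ip_address(p["ip"]) not in POOL_NETWORK:
            findings.append(f"assigned IP {p['ip']} is outside {POOL_NETWORK}")
    except (TypeError, ValueError):
        findings.append("no valid assigned IP address")
    if p["dns"] != EXPECTED_DNS:
        findings.append(f"primary DNS {p['dns']} does not match xauth-attributes")
    if p["wins"] != EXPECTED_WINS:
        findings.append(f"primary WINS {p['wins']} does not match xauth-attributes")
    return findings


if __name__ == "__main__":
    print(check_peer(SAMPLE_ACTIVE_PEER) or "peer matches the example configuration")
```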