Juniper Junos 10.3 dynamic VPN

Junos 10.3 is supposed to do dynamic VPN only with an attached RADIUS server for user authentication. It works from the CLI anyway, using a local access profile for XAuth instead of RADIUS.

# Test setup: dynamic VPN without RADIUS

# User myuser / mypassword
# PSK mypsk

# Untrust zone on ge-0/0/0.0, 172.16.0.1/12
# Trust zone on vlan.0, 192.168.10.12
#
#   Zone      Interface
#   trust     vlan.0
#   untrust   ge-0/0/0.0
#
# LAN - 192.168.10.12/24 - SRX - 172.16.0.1/12 - Client

# Access configuration: a local firewall user that XAuth checks instead of asking
# a RADIUS server. The password is typed in clear text and stored hashed after commit.
# The same profile is the default for web authentication, which is what the HTTPS
# portal uses when the client logs in to download the dynamic VPN software.
# (This setup assigns no tunnel address to the client; if the SRX is to hand one
# out, the profile additionally needs an address-assignment pool.)
set access profile user-auth-profile client myuser firewall-user password mypassword
set access firewall-authentication web-authentication default-profile user-auth-profile

# HTTPS configuration: the dynamic VPN client is downloaded from, and logs in to,
# the web UI, so HTTPS must listen on the untrust interface. That exposes web
# management to the untrust side, so restrict it as far as the deployment allows.
# HTTPS also needs a certificate (system-generated-certificate or pki-local-certificate),
# and the untrust zone must allow https and ike as host-inbound system services.
set system services web-management https interface ge-0/0/0.0

# IKE/IPsec configuration
# Phase 1. A dynamic peer identified by hostname uses aggressive mode with a
# pre-shared key. Aggressive mode lets a passive observer capture the PSK-derived
# hash for offline guessing, so use a long random PSK rather than "mypsk".
# 3des-cbc / sha1 / group2 are the values of the original test setup and are
# dated; use stronger algorithms wherever the client supports them.
set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop authentication-algorithm sha1
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals phase1-prop
set security ike policy ike-pol pre-shared-key ascii-text mypsk
set security ike gateway dyn-gw-my ike-policy ike-pol
# IKE identity the client has to present; the gateway has no fixed peer address
set security ike gateway dyn-gw-my dynamic hostname myvpnhostname
set security ike gateway dyn-gw-my external-interface ge-0/0/0
# XAuth users come from the local access profile above, not from RADIUS
set security ike gateway dyn-gw-my xauth access-profile user-auth-profile

# Phase 2 (ESP with PFS; same dated algorithm choices as phase 1)
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol proposals phase2-prop
set security ipsec vpn dynamic-vpn-myuser ike gateway dyn-gw-my
set security ipsec vpn dynamic-vpn-myuser ike ipsec-policy ipsec-pol

# Dynamic VPN configuration. remote-protected-resources is what the client sends
# through the tunnel; remote-exceptions 0.0.0.0/0 makes this a split tunnel, so all
# other client traffic leaves unencrypted. Drop the exception for a full tunnel.
set security dynamic-vpn access-profile user-auth-profile
set security dynamic-vpn clients client1 remote-protected-resources 192.168.10.0/24
set security dynamic-vpn clients client1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client1 ipsec-vpn dynamic-vpn-myuser
set security dynamic-vpn clients client1 user myuser

# Policy configuration. A Junos policy must match source-address, destination-address
# and application; the original listing omitted source-address, which the commit
# check rejects. Narrow destination-address to the protected resources if
# the VPN users should not reach the whole trust zone.
set security policies from-zone untrust to-zone trust policy vpn-pol match source-address any
set security policies from-zone untrust to-zone trust policy vpn-pol match destination-address any
set security policies from-zone untrust to-zone trust policy vpn-pol match application any
set security policies from-zone untrust to-zone trust policy vpn-pol then permit tunnel ipsec-vpn dynamic-vpn-myuser

# Security …
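Operational commands for checking that the setup above actually works, added here as an example and not part of the original page. They use the gateway, VPN and policy names assumed above (dyn-gw-my, dynamic-vpn-myuser, vpn-pol) and are run on the SRX after a successful commit:

```junos
# In configuration mode first: a policy without source-address, or HTTPS without
# a certificate, shows up here rather than after the client has been rolled out.
commit check

# Phase 1: one SA per connected client. Expect State UP and Mode Aggressive,
# with the remote address being the client's untrust-side address.
show security ike security-associations

# Phase 2: the ESP SAs of dynamic-vpn-myuser, inbound and outbound, with their
# lifetimes. No entry here with an UP phase 1 usually means XAuth failed.
show security ipsec security-associations

# Who is logged in over dynamic VPN (user name, IKE ID, client address).
show security dynamic-vpn users

# Client software version the SRX serves over the HTTPS portal.
show security dynamic-vpn client version

# Confirm the tunnel policy is the one matching the VPN traffic.
show security policies policy-name vpn-pol detail
```

If `show security ike security-associations` stays empty while the client reports a connection attempt, check that the untrust zone allows ike (and https for the portal) as host-inbound system services before looking at the proposals.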