крош Опубликовано 8 ноября, 2013 · Жалоба Добрый день. Есть Juniper SRX 110, настроил на нем VPN для мобильных пользователей. Использую приложение JunOS которое скачивается с SRX-а для VPN. VPN-соединение создается, доступ в удаленную локалку получаю, к ресурсам цепляюсь. Но при попытке подсоединится другого пользователя через VPN, первого соединившегося выбрасывает и просит ввести пароль заново. Соответственно не могут подцепиться одновременно несколько пользователей. Лицензий на VPN - 10 подключений. Подскажите в чем может быть ошибка?? Конфиг устройства ниже. Используется локальная база пользователей. ## Last changed: 2013-11-06 23:06:10 UTC version 11.4R7.5; system { host-name SRX110; root-authentication { encrypted-password "$1$SxgC2E1vAkoA545ll6eTHy/"; } name-server { 81.10.10.10; 81.10.10.11; } services { ssh; telnet; xnm-clear-text; web-management { http { interface vlan.0; } https { port 443; system-generated-certificate; interface fe-0/0/0.0; } } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } file policy_session { user info; match RT_FLOW; archive size 1000k world-readable; structured-data; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { interface-range interfaces-trust { member-range fe-0/0/1 to fe-0/0/6; unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/0 { unit 0 { family inet { address 14.25.25.13/27; } } } fe-0/0/1 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/3 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } vlan { unit 0 { family inet { address 192.168.0.110/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 14.25.25.1; } } security { ike { proposal VPN-Clients { description VPN-Clients; authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm aes-128-cbc; lifetime-seconds 28800; } policy VPN-Clients { mode aggressive; description VPN-Clients; proposals VPN-Clients; pre-shared-key ascii-text "$9434356$0EfdfyW6568xN-bcSwhfdjYY%483HzFn"; } gateway VPN-Clients { ike-policy VPN-Clients; dynamic { hostname vpnrsi; connections-limit 10; ike-user-type shared-ike-id; } external-interface fe-0/0/0; xauth access-profile VPN-Clients; } } ipsec { proposal VPN-Clients { description VPN-Clients; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; } policy VPN-Clients { description VPN-Clients; perfect-forward-secrecy { keys group2; } proposals VPN-Clients; } vpn VPN-Users { ike { gateway VPN-Clients; idle-time 3600; ipsec-policy VPN-Clients; } } } address-book { global { address trust-lan 192.168.0.0/24; address web_server 192.168.0.5/32; } } dynamic-vpn { access-profile VPN-Clients; clients { VPN-users { remote-protected-resources { 192.168.0.0/24; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn VPN-Users; user { vpnUsers; } } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } destination { pool web-server { address 192.168.0.5/32 port 80; } rule-set DNAT { from interface fe-0/0/0.0; rule dnat_for_web { match { destination-address 14.25.25.13/32; destination-port 80; } then { destination-nat pool web-server; } } } } proxy-arp { interface vlan.0 { address { 192.168.0.20/32 to 192.168.0.40/32; } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone trust { policy trust-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy VPN-Access { match { source-address any; destination-address trust-lan; application any; } then { permit { tunnel { ipsec-vpn VPN-Users; } } } } policy web_access { match { source-address any; destination-address web_server; application any; } then { permit; } } } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { vlan.0; } } security-zone untrust { screen untrust-screen; interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { ike; ping; https; } } } } } } } access { profile VPN-Clients { authentication-order password; client vpnUsers { firewall-user { password "$9$hb1y432v8Ngfd-Vw24W8fdfdFnCA0Ehr"; } } address-assignment { pool VPN-Clients; } } address-assignment { pool VPN-Clients { family inet { network 192.168.0.0/24; range VPN-Clients { low 192.168.0.20; high 192.168.0.40; } dhcp-attributes { maximum-lease-time 20000; domain-name vpn; } xauth-attributes { primary-dns 192.168.0.111/24; } } } } firewall-authentication { web-authentication { default-profile VPN-Clients; } } } vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } } root@SRX110> show system license License usage: Licenses Licenses Licenses Expiry Feature name used installed needed dynamic-vpn 1 10 0 permanent ax411-wlan-ap 0 2 0 permanent Licenses installed: License identifier: JUNOS14 License version: 2 Valid for device: B34343F0532 Features: dynamic-vpn-10-users - Dynamic VPN permanent Вставить ник Цитата Ответить с цитированием Поделиться сообщением Ссылка на сообщение Поделиться на других сайтах More sharing options...