
Jun SRX dynamic VPN не пускает больше 1 пользователя

Добрый день.

 

Есть Juniper SRX 110, настроил на нем VPN для мобильных пользователей. Использую приложение JunOS, которое скачивается с SRX-а для VPN. VPN-соединение создается, доступ в удаленную локалку получаю, к ресурсам цепляюсь. Но при попытке подсоединиться другого пользователя через VPN первого соединившегося выбрасывает и просит ввести пароль заново. Соответственно, не могут подцепиться одновременно несколько пользователей. Лицензий на VPN — 10 подключений. Подскажите, в чем может быть ошибка? Конфиг устройства ниже. Используется локальная база пользователей.

 

## Last changed: 2013-11-06 23:06:10 UTC
version 11.4R7.5;
system {
   /* Management plane of the SRX110. Only ssh and https should normally be
      reachable; telnet and xnm-clear-text below are cleartext protocols and
      expose administrator credentials on the network path. */
   host-name SRX110;
   root-authentication {
       /* Any secret pasted into a public post (this hash, the IKE pre-shared
          key, the firewall-user password) should be treated as disclosed and
          rotated once troubleshooting is done. */
       encrypted-password "$1$SxgC2E1vAkoA545ll6eTHy/";
   }
   name-server {
       81.10.10.10;
       81.10.10.11;
   }
   services {
       ssh;
       /* Cleartext management protocols; remove unless something still
          depends on them. */
       telnet;
       xnm-clear-text;
       web-management {
           http {
               /* J-Web over plain http, bound to the internal vlan.0 only. */
               interface vlan.0;
           }
           https {
               port 443;
               /* Self-signed certificate: VPN clients cannot verify the device
                  identity on first contact; a CA-issued certificate is
                  preferable. */
               system-generated-certificate;
               /* https on the external interface serves the dynamic-VPN client
                  portal, but it also exposes the J-Web login to the Internet
                  (the untrust zone admits https as well). Failed logins on this
                  interface are worth watching in the authorization log. */
               interface fe-0/0/0.0;
           }
       }
   }
   syslog {
       archive size 100k files 3;
       user * {
           any emergency;
       }
       file messages {
           any critical;
           /* authorization info records login and xauth successes/failures;
              this is where the concurrent-session behaviour of the VPN users
              should be visible. */
           authorization info;
       }
       file interactive-commands {
           interactive-commands error;
       }
       file policy_session {
           user info;
           /* RT_FLOW records are only produced by security policies that have
              logging enabled; none of the policies in this config do, so this
              file stays empty until that is added. */
           match RT_FLOW;
           archive size 1000k world-readable;
           structured-data;
       }
   }
   max-configurations-on-flash 5;
   max-configuration-rollbacks 5;
   license {
       autoupdate {
           url https://ae1.juniper.net/junos/key_retrieval;
       }
   }
}
interfaces {
   /* Ports fe-0/0/1..6 are placed in vlan-trust both via this range and again
      by the per-port stanzas below; fe-0/0/7 is only configured individually
      and is not part of the range. The duplication is harmless but makes it
      easy to miss a port when the range is edited. */
   interface-range interfaces-trust {
       member-range fe-0/0/1 to fe-0/0/6;
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   /* External (untrust-facing) interface: also the IKE external-interface and
      the address the DNAT rule for the web server matches on. */
   fe-0/0/0 {
       unit 0 {
           family inet {
               address 14.25.25.13/27;
           }
       }
   }
   fe-0/0/1 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   fe-0/0/2 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   fe-0/0/3 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   fe-0/0/4 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   fe-0/0/5 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   fe-0/0/6 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   /* Not covered by interfaces-trust; configured on its own. */
   fe-0/0/7 {
       unit 0 {
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }
           }
       }
   }
   /* L3 interface of vlan-trust. The dynamic-VPN address pool
      (192.168.0.20-40) is carved out of this same /24, which is why proxy-arp
      for that range is configured under security nat. */
   vlan {
       unit 0 {
           family inet {
               address 192.168.0.110/24;
           }
       }
   }
}
routing-options {
   /* Single default route toward the ISP next hop on the fe-0/0/0 subnet;
      VPN clients reach the device and return traffic leaves through it. */
   static {
       route 0.0.0.0/0 next-hop 14.25.25.1;
   }
}
security {
   ike {
       /* Phase 1 (IKEv1). DH group2 (1024-bit MODP) and SHA-1 are weak by
          current standards; aes-128-cbc is fine. Prefer group14 and a SHA-2
          authentication algorithm if the client software supports them. */
       proposal VPN-Clients {
           description VPN-Clients;
           authentication-method pre-shared-keys;
           dh-group group2;
           authentication-algorithm sha1;
           encryption-algorithm aes-128-cbc;
           lifetime-seconds 28800;
       }
       policy VPN-Clients {
           /* Aggressive mode with a pre-shared key: the peer identity travels
              unprotected and the PSK is exposed to offline guessing by anyone
              who can observe the exchange. The shared-IKE-ID dynamic-VPN setup
              relies on aggressive mode, so the PSK must be long and random,
              and it should be rotated along with the other secrets shown in
              this post. */
           mode aggressive;
           description VPN-Clients;
           proposals VPN-Clients;
           pre-shared-key ascii-text "$9434356$0EfdfyW6568xN-bcSwhfdjYY%483HzFn";
       }
       gateway VPN-Clients {
           ike-policy VPN-Clients;
           dynamic {
               /* Every client presents the same IKE identity (vpnrsi); the
                  per-user distinction therefore comes only from xauth. */
               hostname vpnrsi;
               /* Matches the 10-user license. It caps concurrent IKE sessions;
                  it does not by itself let one account be logged in twice. */
               connections-limit 10;
               ike-user-type shared-ike-id;
           }
           external-interface fe-0/0/0;
           /* xauth runs against access profile VPN-Clients, which defines a
              single account (client vpnUsers). If every person signs in with
              that one account, a second login with the same username most
              likely replaces the first session, which is exactly the reported
              symptom (first user dropped and re-prompted). Give each person
              their own client entry under the profile and list each name under
              dynamic-vpn clients VPN-users user, then re-test. */
           xauth access-profile VPN-Clients;
       }
   }
   ipsec {
       /* Phase 2. ESP uses 3des-cbc while IKE already negotiates aes-128-cbc;
          align the data path to aes-128-cbc (or stronger) since 3DES is slow
          and deprecated. PFS group2 has the same strength caveat as the IKE
          proposal. */
       proposal VPN-Clients {
           description VPN-Clients;
           protocol esp;
           authentication-algorithm hmac-sha1-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3600;
       }
       policy VPN-Clients {
           description VPN-Clients;
           perfect-forward-secrecy {
               keys group2;
           }
           proposals VPN-Clients;
       }
       vpn VPN-Users {
           ike {
               gateway VPN-Clients;
               /* Tunnel is torn down after 3600 s without traffic. */
               idle-time 3600;
               ipsec-policy VPN-Clients;
           }
       }
   }
   address-book {
       global {
           address trust-lan 192.168.0.0/24;
           address web_server 192.168.0.5/32;
       }
   }
   dynamic-vpn {
       access-profile VPN-Clients;
       clients {
           VPN-users {
               /* Split tunnel: only the LAN prefix is sent through the tunnel;
                  remote-exceptions 0.0.0.0/0 keeps all other client traffic on
                  the client's local Internet path, so the SRX sees none of it. */
               remote-protected-resources {
                   192.168.0.0/24;
               }
               remote-exceptions {
                   0.0.0.0/0;
               }
               ipsec-vpn VPN-Users;
               /* Only the single shared account is mapped here; any additional
                  per-user client created under the access profile must be
                  added to this list as well. */
               user {
                   vpnUsers;
               }
           }
       }
   }
   screen {
       /* Basic IDS screen; attached to the untrust zone below. */
       ids-option untrust-screen {
           icmp {
               ping-death;
           }
           ip {
               source-route-option;
               tear-drop;
           }
           tcp {
               syn-flood {
                   alarm-threshold 1024;
                   attack-threshold 200;
                   source-threshold 1024;
                   destination-threshold 2048;
                   timeout 20;
               }
               land;
           }
       }
   }
   nat {
       source {
           /* Hide all trust sources behind the fe-0/0/0 address when leaving
              toward untrust. */
           rule-set trust-to-untrust {
               from zone trust;
               to zone untrust;
               rule source-nat-rule {
                   match {
                       source-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }
           }
       }
       destination {
           /* Only tcp/80 to the public address is translated to the web
              server; the matching security policy web_access should be just as
              narrow. */
           pool web-server {
               address 192.168.0.5/32 port 80;
           }
           rule-set DNAT {
               from interface fe-0/0/0.0;
               rule dnat_for_web {
                   match {
                       destination-address 14.25.25.13/32;
                       destination-port 80;
                   }
                   then {
                       destination-nat pool web-server;
                   }
               }
           }
       }
       proxy-arp {
           /* Needed because the VPN address pool (192.168.0.20-40) lives in
              the vlan.0 LAN subnet: the SRX answers ARP for the assigned client
              addresses on behalf of the tunnel. */
           interface vlan.0 {
               address {
                   192.168.0.20/32 to 192.168.0.40/32;
               }
           }
       }
   }
   policies {
       /* None of these policies enable session logging; adding log
          session-init and session-close under then on VPN-Access and
          web_access at least would make the policy_session syslog file (which
          filters on RT_FLOW) actually receive records. */
       from-zone trust to-zone untrust {
           /* Unrestricted outbound access from the LAN. */
           policy trust-to-untrust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone trust to-zone trust {
           policy trust-to-trust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone untrust to-zone trust {
           /* Tunnel policy: dynamic-VPN client traffic is permitted only toward
              trust-lan and only inside the VPN-Users tunnel. */
           policy VPN-Access {
               match {
                   source-address any;
                   destination-address trust-lan;
                   application any;
               }
               then {
                   permit {
                       tunnel {
                           ipsec-vpn VPN-Users;
                       }
                   }
               }
           }
           /* Internet-facing. Destination NAT only maps tcp/80, yet this policy
              permits application any; narrow it to junos-http so nothing else
              is allowed through if the NAT pool is ever widened. */
           policy web_access {
               match {
                   source-address any;
                   destination-address web_server;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
   }
   zones {
       security-zone trust {
           /* The LAN side may reach every system service and protocol on the
              SRX itself. Tolerable for a trusted LAN but broader than needed;
              ssh, https, ping and dhcp are usually sufficient. */
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               vlan.0;
           }
       }
       security-zone untrust {
           screen untrust-screen;
           interfaces {
               fe-0/0/0.0 {
                   /* ike is the IPsec control channel; https is required so the
                      dynamic-VPN client can reach the login portal, at the cost
                      of exposing the J-Web management login to the Internet. */
                   host-inbound-traffic {
                       system-services {
                           ike;
                           ping;
                           https;
                       }
                   }
               }
           }
       }
   }
}
access {
   profile VPN-Clients {
       /* Local password database used for xauth. Only one account exists
          (vpnUsers); with a single shared account the device cannot tell the
          VPN users apart, and neither can the logs. One client entry per person
          is both the likely fix for the one-session-at-a-time problem and the
          minimum needed for accountability. */
       authentication-order password;
       client vpnUsers {
           firewall-user {
               /* $9$ strings are reversible obfuscation, not hashes: treat this
                  value as disclosed and change the password. */
               password "$9$hb1y432v8Ngfd-Vw24W8fdfdFnCA0Ehr";
           }
       }
       address-assignment {
           pool VPN-Clients;
       }
   }
   address-assignment {
       pool VPN-Clients {
           family inet {
               /* 21 addresses inside the LAN subnet, more than the 10 licensed
                  sessions; proxy-arp for this range is configured under
                  security nat. */
               network 192.168.0.0/24;
               range VPN-Clients {
                   low 192.168.0.20;
                   high 192.168.0.40;
               }
               dhcp-attributes {
                   maximum-lease-time 20000;
                   domain-name vpn;
               }
               xauth-attributes {
                   /* A /24 suffix on primary-dns looks unintended; a DNS server
                      is normally given as a host address. Verify what the
                      client actually receives. */
                   primary-dns 192.168.0.111/24;
               }
           }
       }
   }
   firewall-authentication {
       /* The same profile, and therefore the same single account, also backs
          web authentication. */
       web-authentication {
           default-profile VPN-Clients;
       }
   }
}
vlans {
   /* vlan-trust (VLAN 3) is routed through vlan.0, the trust-zone interface. */
   vlan-trust {
       vlan-id 3;
       l3-interface vlan.0;
   }
}

 

 

root@SRX110> show system license
License usage:
                                Licenses     Licenses    Licenses    Expiry
 Feature name                       used    installed      needed
 dynamic-vpn                           1           10           0    permanent
 ax411-wlan-ap                         0            2           0    permanent

Licenses installed:
 License identifier: JUNOS14
 License version: 2
 Valid for device: B34343F0532
 Features:
   dynamic-vpn-10-users - Dynamic VPN       permanent
