Setting up a PPTPD server behind a Juniper firewall

Source: Internet   Editor: 程序博客网   Time: 2024/05/28 05:16

Setting up the PPTPD server itself is skipped here; there is plenty of material online.

One thing to watch out for: comment out logwtmp in /etc/pptpd.conf.

Set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, save and exit, then run sysctl -p.

Online sources say you should enable the PPTP ALG (application-layer gateway) on the Juniper; I think that is wrong. Do not tick that option, or you may end up with only one user able to log in at a time.

My setup uses a MIP: one fixed public IP address mapped to one internal server.

Create a custom service named CUSTOMPPTP,

which is really just permitting GRE and port 1723.

Create a policy permitting ANY -> the fixed MIP for the CUSTOMPPTP service.

Tested: works perfectly.

If you use a VIP instead, you have to enable multi-port support on the VIP. The reason is that a VIP has only one port, while the VPN uses one port for the connection and another for the data transfer.
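As an added illustration (not from the original post or the Juniper article below), this is the ScreenOS CLI form of the MIP variant just described, with placeholder addresses and interface name; the command syntax is from my recollection of ScreenOS, and the `unset alg pptp enable` line is assumed to be the CLI counterpart of leaving the PPTP ALG unticked, so confirm each with `get service`, `get policy` and `get alg` on the device.

```screenos
# Lines starting with "#" are annotations, not CLI input. Placeholders (constructed):
#   203.0.113.10  = public (untrust) address reserved for the MIP
#   192.168.10.5  = internal PPTPD server
#   ethernet0/0   = untrust interface

# 1. Custom service: the PPTP control channel (TCP 1723) plus GRE (IP protocol 47).
#    Both entries live in one service so that a single policy covers the whole session;
#    the port range on the GRE entry is irrelevant and simply left wide open.
set service "CUSTOMPPTP" protocol tcp src-port 0-65535 dst-port 1723-1723
set service "CUSTOMPPTP" + 47 src-port 0-65535 dst-port 0-65535

# 2. Static one-to-one mapping (MIP): the public address <-> the PPTPD server.
set interface ethernet0/0 mip 203.0.113.10 host 192.168.10.5 netmask 255.255.255.255 vr trust-vr

# 3. Policy from Untrust to the MIP, restricted to the custom service only (not "ANY" service),
#    with logging so connection attempts show up in the traffic log.
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "CUSTOMPPTP" permit log

# 4. Leave the PPTP ALG off (the post reports it limits logins to a single user).
#    Assumed syntax; check "get alg" afterwards.
unset alg pptp enable

# 5. Verify what was actually configured, then save.
get service "CUSTOMPPTP"
get policy id 10
get alg
save
```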

Below is an English document I found; I have not tested it. (It seems you do not need to switch to ROUTE mode.)

Configure Juniper SSG-5 to pass-through PPTP traffic

When it comes to configuring your SSG-5 Juniper firewall to pass-through PPTP traffic, it can be a pain in the **s. As I discovered myself after two days struggling…

So, in case you end up in the same situation, here's my solution: how to configure the Juniper SSG-5 to pass through PPTP traffic. Forgive me that this explanation uses the WebGUI, but it's actually very easy.

Before starting you have to set VIP multi-port on. This can only be done through the command-line interface. Article KB5471 from the Juniper knowledge base describes this set-up:

set vip multi-port [Enter]
save [Enter]
reset [Enter]

First of all you have to put your existing network interfaces in ROUTE mode, instead of NAT. If you already have policies defined, don't panic! I will come shortly to how to fix the NAT transition.

So, go to: Network > Interfaces > List and edit both the trusted and untrusted interfaces; set the interface mode to ROUTE.

At the untrusted interface (that's where the internet is connected to, and where you will be pointing your PPTP client to) also click on the Properties VIP.

Add a VIP entry with the [Same as the interface IP address].

Go to Policy > Policy Elements > Services > Custom. Click the new button.

Give the service name: CustomPPTP

Add the protocol information accordingly and press OK.

Do understand: the PPTP protocol itself uses TCP and port 1723. Protocol 47 (GRE) is using port 2048.

Go back to the interface configuration of your untrusted VIP settings and add a New VIP service. Select your CustomPPTP service and map it to the IP of your PPTP server:

Go to Policy > Policies and add a new policy from the UNTRUSTED zone to the TRUSTED zone:

Go to the Advanced tab (you should do this for ALL your existing policies when you've changed the interface settings from NAT to ROUTE!) and turn NAT Source Translation ON and press OK:

That's all you have to do. Try connecting your client to the server; all should work now.

Please note: the above IP addresses are examples.

If you think this article was helpful or you’ve still got some questions, then please feel free to drop a comment! 