Juniper SRX IPsec VPN route-based CLI
Set up the tunnel interface (the censored keyword in the original listing is the Junos hierarchy name vpn):
set security zones security-zone untrust interfaces st0.1
IPsec is negotiated in two phases.
Phase 1 (IKE):
set security ike proposal to_head authentication-method pre-shared-keys
set security ike proposal to_head dh-group group2
set security ike proposal to_head authentication-algorithm md5
set security ike proposal to_head encryption-algorithm 3des-cbc
set security ike policy to_head mode main
set security ike policy to_head proposals to_head
set security ike policy to_head pre-shared-key ascii-text "abc2010"
set security ike gateway to_head ike-policy to_head
set security ike gateway to_head address 10.100.100.100
set security ike gateway to_head external-interface fe-0/0/0.0
set security ike gateway to_head version v1-only
Phase 2 (IPsec):
set security ipsec proposal to_head protocol esp
set security ipsec proposal to_head authentication-algorithm hmac-md5-96
set security ipsec proposal to_head encryption-algorithm 3des-cbc
set security ipsec policy to_head perfect-forward-secrecy keys group2
set security ipsec policy to_head proposals to_head
set security ipsec vpn to_head bind-interface st0.1
set security ipsec vpn to_head vpn-monitor source-interface vlan.1
set security ipsec vpn to_head vpn-monitor destination-ip 10.200.100.100
set security ipsec vpn to_head ike gateway to_head
set security ipsec vpn to_head ike ipsec-policy to_head
set security ipsec vpn to_head establish-tunnels on-traffic
set security ipsec vpn to_head establish-tunnels immediately
(establish-tunnels is a single-value leaf, so entering both lines leaves only the last one, immediately, in the committed configuration.)
Policies:
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 2 match source-address any
set security policies from-zone untrust to-zone trust policy 2 match destination-address any
set security policies from-zone untrust to-zone trust policy 2 match application any
set security policies from-zone untrust to-zone trust policy 2 then permit
Routes:
set routing-options static route 192.168.0.0/16 next-hop st0.1
set routing-options static route 10.0.0.0/8 next-hop st0.1
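The listing above is a working route-based VPN, but the proposals it uses (3des-cbc, md5 and hmac-md5-96, DH group2, IKEv1 main mode) are deprecated today, the zone policies permit any/any/any in both directions, and establish-tunnels is set twice. The following Python script is an added example, not part of the original post: it parses set-format lines into tokens and reports those issues, plus a tunnel interface that is bound or zoned without a matching set interfaces st0 unit definition. The sample configuration inside it is constructed from the commands on this page with the censored keyword restored as vpn; the list of values treated as weak and the 16-character pre-shared-key threshold are assumptions of this example, not Junos limits.

```python
"""Static review of a Juniper SRX route-based IPsec VPN set-format config.

Added example (not from the original post). It tokenises 'set ...' lines
and flags weak crypto, any/any/any permit policies, single-value leaves set
more than once, short pre-shared keys and undefined st0 tunnel units.
"""
import shlex
from collections import defaultdict

# Constructed sample: the page's commands with the censored keyword restored
# as 'vpn' (the real Junos hierarchy is 'security ipsec vpn <name>').
SAMPLE_CONFIG = """
set security zones security-zone untrust interfaces st0.1
set security ike proposal to_head authentication-method pre-shared-keys
set security ike proposal to_head dh-group group2
set security ike proposal to_head authentication-algorithm md5
set security ike proposal to_head encryption-algorithm 3des-cbc
set security ike policy to_head mode main
set security ike policy to_head proposals to_head
set security ike policy to_head pre-shared-key ascii-text "abc2010"
set security ike gateway to_head ike-policy to_head
set security ike gateway to_head address 10.100.100.100
set security ike gateway to_head external-interface fe-0/0/0.0
set security ike gateway to_head version v1-only
set security ipsec proposal to_head protocol esp
set security ipsec proposal to_head authentication-algorithm hmac-md5-96
set security ipsec proposal to_head encryption-algorithm 3des-cbc
set security ipsec policy to_head perfect-forward-secrecy keys group2
set security ipsec policy to_head proposals to_head
set security ipsec vpn to_head bind-interface st0.1
set security ipsec vpn to_head ike gateway to_head
set security ipsec vpn to_head ike ipsec-policy to_head
set security ipsec vpn to_head establish-tunnels on-traffic
set security ipsec vpn to_head establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set routing-options static route 192.168.0.0/16 next-hop st0.1
"""

# Assumption of this example: values considered weak; keyed by the Junos
# keyword that precedes them in a set line ('keys' = perfect-forward-secrecy keys).
WEAK_VALUES = {
    "authentication-algorithm": {"md5", "hmac-md5-96"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh-group": {"group1", "group2", "group5"},
    "keys": {"group1", "group2", "group5"},
}
# Leaves that hold exactly one value: setting them twice keeps the last value.
SINGLE_VALUE_LEAVES = {"establish-tunnels", "mode", "version", "external-interface", "bind-interface"}
MIN_PSK_LEN = 16  # assumption for this example, not a Junos requirement


def parse_set_lines(text):
    """Yield the token list of every 'set ...' line, honouring quoted values."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            yield shlex.split(line)[1:]  # drop the leading 'set'


def review(text):
    """Return a list of human-readable findings for the given set-format config."""
    findings = []
    leaf_values = defaultdict(list)   # path tuple -> values in the order entered
    policies = defaultdict(dict)      # (from-zone, to-zone, name) -> match fields + action
    defined_units, used_units = set(), set()
    for toks in parse_set_lines(text):
        # Weak algorithm or DH group directly following its keyword.
        for i in range(len(toks) - 1):
            if toks[i] in WEAK_VALUES and toks[i + 1] in WEAK_VALUES[toks[i]]:
                findings.append(f"weak {toks[i]} {toks[i + 1]}: {' '.join(toks)}")
        # Single-value leaves: remember every value seen for the same path.
        if len(toks) >= 2 and toks[-2] in SINGLE_VALUE_LEAVES:
            leaf_values[tuple(toks[:-1])].append(toks[-1])
        # Pre-shared key length (quotes already stripped by shlex).
        if "pre-shared-key" in toks and "ascii-text" in toks and len(toks[-1]) < MIN_PSK_LEN:
            findings.append(f"short pre-shared key ({len(toks[-1])} chars)")
        # Security policies: collect match terms and the action per policy.
        if (len(toks) >= 9 and toks[:2] == ["security", "policies"] and toks[2] == "from-zone"
                and toks[4] == "to-zone" and toks[6] == "policy"):
            pol, rest = policies[(toks[3], toks[5], toks[7])], toks[8:]
            if rest[0] == "match" and len(rest) == 3:
                pol[rest[1]] = rest[2]
            elif rest[0] == "then" and len(rest) >= 2:
                pol["action"] = rest[1]
        # Tunnel units defined under 'interfaces st0' versus units referenced elsewhere.
        if len(toks) >= 4 and toks[:3] == ["interfaces", "st0", "unit"]:
            defined_units.add(f"st0.{toks[3]}")
        if "bind-interface" in toks or (toks[:2] == ["security", "zones"] and "interfaces" in toks):
            used_units.update(t for t in toks if t.startswith("st0."))
    for path, values in leaf_values.items():
        if len(set(values)) > 1:
            findings.append(f"{path[-1]} set more than once ({', '.join(values)}); last value wins: {values[-1]}")
    for (fz, tz, name), pol in policies.items():
        if all(pol.get(k) == "any" for k in ("source-address", "destination-address", "application")) \
                and pol.get("action") == "permit":
            findings.append(f"policy {name} {fz}->{tz} permits any/any/any")
    for unit in sorted(used_units - defined_units):
        findings.append(f"{unit} is referenced but has no 'set interfaces st0 unit ...' definition")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show configuration | display set` export to get the same review on a live box; the undefined-st0 finding matters because a route-based tunnel only forwards traffic once the st0 unit carries family inet.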
Reposted from: https://blog.51cto.com/talk1985/1934195