Juniper SRX IPsec *** base route CLI

建立Tunnel

set security zones security-zone untrust interfaces st0.1

IPSec 两个阶段

Phase1：

set security ike proposal to_head authentication-method pre-shared-keys

set security ike proposal to_head dh-group group2

set security ike proposal to_head authentication-algorithm md5

set security ike proposal to_head encryption-algorithm 3des-cbc

set security ike policy to_head mode main

set security ike policy to_head proposals to_head

set security ike policy to_head pre-shared-key ascii-text "abc2010"

set security ike gateway to_head ike-policy to_head

set security ike gateway to_head address 10.100.100.100

set security ike gateway to_head external-interface fe-0/0/0.0

set security ike gateway to_head version v1-only

Phase2：

set security ipsec proposal to_head protocol esp

set security ipsec proposal to_head authentication-algorithm hmac-md5-96

set security ipsec proposal to_head encryption-algorithm 3des-cbc

set security ipsec policy to_head perfect-forward-secrecy keys group2

set security ipsec policy to_head proposals to_head

set security ipsec *** to_head bind-interface st0.1

set security ipsec *** to_head ***-monitor source-interface vlan.1

set security ipsec *** to_head ***-monitor destination-ip 10.200.100.100

set security ipsec *** to_head ike gateway to_head

set security ipsec *** to_head ike ipsec-policy to_head

set security ipsec *** to_head establish-tunnels on-traffic

set security ipsec *** to_head establish-tunnels immediately

策略：

set security policies from-zone trust to-zone untrust policy 1 match source-address any

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit

set security policies from-zone untrust to-zone trust policy 2 match source-address any

set security policies from-zone untrust to-zone trust policy 2 match destination-address any

set security policies from-zone untrust to-zone trust policy 2 match application any

set security policies from-zone untrust to-zone trust policy 2 then permit

路由：

set routing-options static route 192.168.0.0/16 next-hop st0.1

set routing-options static route 10.0.0.0/8 next-hop st0.1

转载于:https://blog.51cto.com/talk1985/1934195

Juniper SRX IPsec *** base route CLI相关推荐

JUNIPER SRX Ipsec ××× 点对点Policy base ×××连接测试
基于Ipsec ××× 点对点Policy base ×××连接测试功能的要求是:对2台SRX进行点对点的Ipsec通道连接,使两个SRX的内网数据能通过Ipsec ×××的加密进行广域网的数据传输. ...
juniper srx 3400 双机配置
单位最近更新防火墙,打算把10年前的2台juniper换成现在的2台juniper srx 3400,利用juniper的jsrp技术实现,双机设备,一台坏了,另一台自动接替.觉得这次juniper命 ...
JUNIPER SRX系列防火墙（JUNOS12.1）HA配置说明
JUNIPER SRX系列防火墙(JUNOS12.1)HA配置说明 Chassis Cluster概述和简介: Juniper SRX系列防火墙可以通过一组相同型号的SRX系列防火墙来提供网络节点的冗 ...
Juniper SRX JSRP 配置文档
请访问原文链接:https://sysin.org/blog/juniper-srx-jsrp-config/,查看最新版.原创作品,转载请保留出处. 作者:gc(at)sysin.org,主页:ww ...
Juniper SRX防火墙系统会话链接的清除
Juniper SRX防火墙系统会话链接的清除维护Juniper防火墙SRX系列防火墙,一段时间后,发现防火墙老是有时候登录不上去,有时候可以登录. 查看用户的时候,发现,系统挂了很多连接会话,怪不 ...
juniper srx 1500 HA及双线路自动切换配置
机房ISP提供了两条上联线路,分别接入ISP的两台核心交换机. 这两条线路是主备模式,同一时间只能有一条工作. 恰好等保要求,买了两台juniper srx 1500,为了节省设备,决定这两个墙既作为 ...
PPPOE拨号之五：juniper SRX 防火墙 PPPOE拨号配置
拓扑 Juniper SRX防火墙 PPPOE拨号配置封装PPPOE GW-root# set interfaces ge-0/0/0.0 encapsulation ppp-over-ether ...
juniper srx解决内网不能telnet公网IP的方法
juniper srx做好基于目的地址池的映射后外网可以telnet a.a.a.a 22(a.a.a.a为公网IP),但是内网不能telnet a.a.a.a 22.具体解决方法: /*/源地址转换 ...
Juniper SRX防火墙批量导入set格式配置
Juniper SRX防火墙批量导入set格式配置 SRX在进行大量配置时可能会出现一些小问题,可以使用load set terminal命令导入大量set格式的配置. root# load set ...

Juniper SRX IPsec *** base route CLI

Juniper SRX IPsec *** base route CLI相关推荐

最新文章

热门文章