2022-10-25
Juniper SRX IPsec VPN base route CLI
Create the tunnel
set security zones security-zone untrust interfaces st0.1
The two IPsec phases
Phase1:
set security ike proposal to_head authentication-method pre-shared-keys
set security ike proposal to_head dh-group group2
set security ike proposal to_head authentication-algorithm md5
set security ike proposal to_head encryption-algorithm 3des-cbc
set security ike policy to_head mode main
set security ike policy to_head proposals to_head
set security ike policy to_head pre-shared-key ascii-text "abc2010"
set security ike gateway to_head ike-policy to_head
set security ike gateway to_head address 10.100.100.100
set security ike gateway to_head external-interface fe-0/0/0.0
set security ike gateway to_head version v1-only
Phase2:
set security ipsec proposal to_head protocol esp
set security ipsec proposal to_head authentication-algorithm hmac-md5-96
set security ipsec proposal to_head encryption-algorithm 3des-cbc
set security ipsec policy to_head perfect-forward-secrecy keys group2
set security ipsec policy to_head proposals to_head
set security ipsec vpn to_head bind-interface st0.1
set security ipsec vpn to_head vpn-monitor source-interface vlan.1
set security ipsec vpn to_head vpn-monitor destination-ip 10.200.100.100
set security ipsec vpn to_head ike gateway to_head
set security ipsec vpn to_head ike ipsec-policy to_head
set security ipsec vpn to_head establish-tunnels on-traffic
set security ipsec vpn to_head establish-tunnels immediately
Policies:
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 2 match source-address any
set security policies from-zone untrust to-zone trust policy 2 match destination-address any
set security policies from-zone untrust to-zone trust policy 2 match application any
set security policies from-zone untrust to-zone trust policy 2 then permit
Routes:
set routing-options static route 192.168.0.0/16 next-hop st0.1
set routing-options static route 10.0.0.0/8 next-hop st0.1
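
Added example, not part of the original post: a Python script that audits Junos `set` lines for the settings used above that are considered weak today (MD5, 3DES, DH group 2, IKEv1 only, a short pre-shared key, any/any/any permit policies). The rule list, the 16-character key threshold and the function name `audit` are assumptions of this example; SAMPLE is built from lines of the configuration above.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the configuration above.
SAMPLE = """\
set security ike proposal to_head dh-group group2
set security ike proposal to_head authentication-algorithm md5
set security ike proposal to_head encryption-algorithm 3des-cbc
set security ike policy to_head pre-shared-key ascii-text "abc2010"
set security ike gateway to_head version v1-only
set security ipsec proposal to_head authentication-algorithm hmac-md5-96
set security ipsec policy to_head perfect-forward-secrecy keys group2
set security policies from-zone untrust to-zone trust policy 2 match source-address any
set security policies from-zone untrust to-zone trust policy 2 match destination-address any
set security policies from-zone untrust to-zone trust policy 2 match application any
set security policies from-zone untrust to-zone trust policy 2 then permit
"""

# Assumed rule list (regex on one line, finding label); extend as needed.
RULES = [
    (r"authentication-algorithm (md5|hmac-md5-96)$", "MD5 integrity algorithm"),
    (r"encryption-algorithm (des-cbc|3des-cbc)$", "DES/3DES encryption"),
    (r"(dh-group|perfect-forward-secrecy keys) group[125]$", "DH group below 2048 bits"),
    (r'pre-shared-key ascii-text "[^"]{0,15}"$', "pre-shared key under 16 characters"),
    (r"ike gateway \S+ version v1-only$", "IKEv1 only"),
]
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (?:match (\S+) (\S+)|then (\S+))$")
OPEN = {"source-address": "any", "destination-address": "any",
        "application": "any", "then": "permit"}

def audit(config):
    """Return (line_number, finding); line 0 marks a multi-line policy finding."""
    findings, policies = [], defaultdict(dict)
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        findings += [(n, label) for pat, label in RULES if re.search(pat, line)]
        m = POLICY.match(line)
        if m and m.group(4):            # "match <field> <value>"
            policies[m.group(1, 2, 3)][m.group(4)] = m.group(5)
        elif m:                         # "then <action>"
            policies[m.group(1, 2, 3)]["then"] = m.group(6)
    for (src, dst, name), p in policies.items():
        if p == OPEN:                   # every match field is "any" and action is permit
            findings.append((0, f"policy {name} permits any/any/any from {src} to {dst}"))
    return findings

if __name__ == "__main__":
    for n, label in audit(SAMPLE):
        print(n, label)
```
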