Juniper NetScreen-500 User Manual (Part 1)    Internal
4.1 Network topology
4.2 Policy-based VPN: NetScreen-500 auto-negotiation with SecPath-1000 auto-negotiation, default parameters

Test case parameters:
  NetScreen-500: policy-based VPN, auto-negotiation
  SecPath-1000: auto-negotiation, default parameters

4.2.1 Juniper NetScreen-500 configuration
ns-500-> get config
Total Config size 2831:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter [...]
set auth-server [...]
set auth-server [...]
set auth default auth server [...]
set admin name [...]
set admin password [...]
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server [...]
set admin format dos
set zone [...]
set zone [...]

(In this copy of the listing the quoted arguments, such as zone, interface, address, gateway and VPN names and the pre-shared key, did not survive and are shown as [...].)
2004-11-01
Huawei-3Com Confidential. Not to be distributed without authorization.
Page 11 of 42
set zone [...]
set zone [...]
set zone [...]
set zone [...]
unset zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set zone [...]
set interface [...]
set interface [...]
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address [...]
set address [...]
set ike gateway [...]
set ike respond-bad-spi 1
set vpn [...]
set pki authority default scep mode [...]
set pki x509 default cert-path partial
set policy id 3 name [...]
set policy id 2 name [...]
set policy id 1 from [...]
set vpn [...]
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter [...]
exit
set vrouter [...]
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit
4.2.2 Quidway SecPath-1000 configuration
 sysname SecPath-1000
#
ike peer peer
 pre-shared-key vpn
 remote-address 12.1.1.1
#
ipsec proposal vpn
#
ipsec policy vpnmap 10 isakmp
 security acl 3000
 ike-peer peer
 proposal vpn
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
 ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
4.2.3 Juniper NetScreen-500 output
ns-500-> get sa act
Total active sa: 1    total configured sa: 1
HEX ID    Gateway   Port Algorithm     SPI      Life:sec kb     Sta  PID vsys
00000002< 12.1.1.2  500  esp: des/md5  743a4ae1 3574     1799M  A/-  3   0
00000002> 12.1.1.2  500  esp: des/md5  3d9d264f 3574     1799M  A/-  2   0
ns-500->
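The `get sa act` listing above is the only evidence on this page of what the two default proposals actually negotiated: ESP with DES encryption and MD5 integrity, one inbound and one outbound SA for HEX ID 00000002 with distinct SPIs. Both algorithms are deprecated, so a practitioner checking an interop result like this one wants the negotiated transform flagged, not just the "A/-" active state. The following Python script is an added example for this manual, not Juniper or Huawei-3Com code: it parses the listing, reports SAs that use an algorithm from a weak set, and checks that each active SA has both directions with different SPIs. The weak-algorithm sets and the tolerated column layout (a stray "-" before the port, optional space after "esp:") are assumptions made for the example; the sample text is the page's own output retyped.

```python
"""Parse ScreenOS `get sa act` output and flag weak ESP algorithms or unpaired SAs."""
import re
from dataclasses import dataclass

# Constructed sample: the `get sa act` listing shown on this page, retyped (not a live capture).
SAMPLE_GET_SA_ACT = """\
Total active sa: 1 total configured sa: 1
HEX ID    Gateway   Port Algorithm     SPI      Life:sec kb     Sta PID vsys
00000002< 12.1.1.2  500  esp: des/md5  743a4ae1 3574     1799M  A/- 3   0
00000002> 12.1.1.2  500  esp: des/md5  3d9d264f 3574     1799M  A/- 2   0
"""

# Assumption for this example: which algorithms count as weak. DES and MD5 are the ones
# the page's SA actually negotiated; "null" is included so the check generalizes.
WEAK_ENCRYPTION = {"des", "null"}
WEAK_AUTH = {"md5", "null"}

SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})(?P<dir>[<>])\s+"      # HEX ID plus direction marker
    r"(?P<gw>\d{1,3}(?:\.\d{1,3}){3})\s+"            # peer gateway address
    r"-?(?P<port>\d+)\s+"                            # IKE port (500 or 4500); tolerate a stray '-'
    r"(?P<proto>esp|ah):\s*(?P<alg>\S+)\s+"          # 'esp: des/md5' or 'esp:3des/sha1'
    r"(?P<spi>[0-9a-fA-F]{8})\s+"                    # SPI in hex
    r"(?P<sec>\d+)\s+(?P<kb>\S+)\s+(?P<sta>\S+)"     # lifetime in seconds, kilobytes, state
)


@dataclass(frozen=True)
class SaEntry:
    sa_id: str
    direction: str   # '<' inbound to the NetScreen, '>' outbound
    gateway: str
    port: int
    protocol: str
    encryption: str
    auth: str
    spi: str
    life_sec: int
    life_kb: str
    state: str


def parse_get_sa_act(text: str) -> list[SaEntry]:
    """Return one SaEntry per SA row; the prompt, header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        enc, _, auth = m["alg"].partition("/")   # AH rows carry a single algorithm, so auth is ''
        entries.append(SaEntry(
            sa_id=m["id"].lower(), direction=m["dir"], gateway=m["gw"],
            port=int(m["port"]), protocol=m["proto"],
            encryption=enc.lower(), auth=auth.lower(), spi=m["spi"].lower(),
            life_sec=int(m["sec"]), life_kb=m["kb"], state=m["sta"],
        ))
    return entries


def weak_algorithm_findings(entries: list[SaEntry]) -> list[str]:
    """One finding per SA row whose encryption or integrity algorithm is in a weak set."""
    findings = []
    for e in entries:
        reasons = []
        if e.encryption in WEAK_ENCRYPTION:
            reasons.append(f"encryption {e.encryption}")
        if e.auth in WEAK_AUTH:
            reasons.append(f"integrity {e.auth}")
        if reasons:
            findings.append(f"SA {e.sa_id}{e.direction} to {e.gateway}: weak " + ", ".join(reasons))
    return findings


def unpaired_or_duplicate_spi(entries: list[SaEntry]) -> list[str]:
    """Each active SA ID should have exactly one inbound and one outbound row with distinct SPIs."""
    problems = []
    by_id: dict[str, dict[str, SaEntry]] = {}
    for e in entries:
        by_id.setdefault(e.sa_id, {})[e.direction] = e
    for sa_id, dirs in by_id.items():
        if set(dirs) != {"<", ">"}:
            problems.append(f"SA {sa_id}: missing direction(s) {sorted({'<', '>'} - set(dirs))}")
        elif dirs["<"].spi == dirs[">"].spi:
            problems.append(f"SA {sa_id}: inbound and outbound SPI identical ({dirs['<'].spi})")
    return problems


if __name__ == "__main__":
    sas = parse_get_sa_act(SAMPLE_GET_SA_ACT)
    for finding in weak_algorithm_findings(sas) + unpaired_or_duplicate_spi(sas):
        print(finding)
```

Run against the page's listing it reports both rows of SA 00000002 for DES and MD5 and no pairing problem. To apply it to a live box, paste the `get sa act` output into SAMPLE_GET_SA_ACT or read it from a file; the SecPath side has no equivalent here, since its `ipsec proposal vpn` block sets no transform and therefore negotiated whatever its defaults were, which is exactly what this output makes visible.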