Juniper NetScreen-500 User Manual (Part 1)    Internal Use Only
ns-500-> get sa stat
total configured sa: 1
HEX ID     Gateway   Fragment  Auth-Fail  Other  Totalbytes
00000002<  12.1.1.2  0         0          0      1604
00000002>  12.1.1.2  0         0          0      2504
ns-500->
4.2.4 Quidway SecPath-1000 Display Output
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
wrong SA: 0

connection-id  peer      flag   phase  doi
----------------------------------------------------------
26             12.1.1.1  RD|ST  2      IPSEC
2004-11-01
Huawei-3Com Confidential. Do not distribute without permission.
Page 16 of 42
25             12.1.1.1  RD|ST  1      IPSEC

flag meaning
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
===============================
Interface: GigabitEthernet0/0
path MTU: 1-500
===============================

-----------------------------
IPsec policy name: \
sequence number: 10
mode: isakmp
-----------------------------
connection id: 26
encapsulation mode: tunnel
tunnel local : 12.1.1.2
tunnel remote: 12.1.1.1

[inbound ESP SAs]
spi: 1809669894 (0x6bdd5f06)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 4294966684/3489
max received sequence-number: 9
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 1949977312 (0x743a4ae0)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 4294966540/3489
max sent sequence-number: 10
udp encapsulation used for nat traversal: N
4.3 NetScreen-500 Policy-Based, Manual Mode; SecPath-1000 Manual Mode, Default Parameters

4.3.1 Juniper NetScreen-500 Configuration
ns-500-> get config
Total Config size 2776:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter \
set auth-server \
set auth-server \
set auth default auth server \
set admin name \
set admin password \
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server \
set admin format dos
set zone \
set zone \
set zone \
set zone \
set zone \
set zone %
unset zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set interface \
set interface \
set interface \
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
set interface tunnel.1 ip unnumbered interface ethernet3/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address \
set address \
set ike respond-bad-spi 1
set vpn \\ esp des key 1234567890123456 auth md5 key 1234567890123456,7890123456789012
set vpn \
set pki authority default scep mode \
set pki x509 default cert-path partial
set policy id 3 name \ \\
set policy id 2 name \ \\
set policy id 1 from \ \
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter \
exit
set vrouter %
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit
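The configuration above keys the tunnel manually, with the DES and MD5 keys written directly into the device configuration, and the SecPath display earlier in this section shows the resulting SAs together with their remaining lifetime. The following script is an added example, not code from the manual or from either vendor: it parses a NetScreen `get config` dump and a SecPath `display ipsec sa` listing and reports what a reviewer would want flagged (static manual keys, DES, MD5, SAs close to expiry). The sample text is constructed; the VPN name, SPIs and gateway fields in the constructed `set vpn` line, and the policy thresholds, are assumptions.

```python
"""Audit the IPsec settings shown in NetScreen 'get config' and SecPath
'display ipsec sa' output for weak algorithms, static keys and expiring SAs.

Added example, not code from the manual. Policy thresholds are assumptions.
"""
import re

# Assumed policy: DES and MD5 are flagged; an SA with fewer than this many
# seconds left is reported so that rekeying can be checked.
WEAK_CIPHERS = {"des"}
WEAK_HASHES = {"md5"}
MIN_REMAINING_SEC = 600

# Constructed sample mirroring the page's 'get config' line; the VPN name,
# SPIs and gateway fields are assumptions (the page elides them).
NETSCREEN_CONFIG = """\
set hostname ns-500
set vpn "site-a" manual 2 2 gateway 12.1.1.2 outgoing-interface ethernet3/1 esp des key 1234567890123456 auth md5 key 1234567890123456,7890123456789012
set route 0.0.0.0/0 interface ethernet3/1
"""

# Constructed sample reproducing the page's SecPath SA blocks.
SECPATH_DISPLAY = """\
[inbound ESP SAs]
  spi: 1809669894 (0x6bdd5f06)
  proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  sa remaining key duration (bytes/sec): 4294966684/3489
  max received sequence-number: 9
  udp encapsulation used for nat traversal: N
[outbound ESP SAs]
  spi: 1949977312 (0x743a4ae0)
  proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  sa remaining key duration (bytes/sec): 4294966540/3489
  max sent sequence-number: 10
  udp encapsulation used for nat traversal: N
"""


def parse_netscreen_vpns(config_text):
    """One dict per 'set vpn' line that carries an ESP proposal."""
    vpns = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("set vpn "):
            continue
        esp = re.search(r"\besp (\S+)", line)
        auth = re.search(r"\bauth (\S+)", line)
        if not (esp and auth):
            continue  # lines without a proposal, e.g. VPN monitor settings
        vpns.append({
            "line": line,
            # Key material written inline in the config means manual keying.
            "manual_key": " manual " in line or " key " in line,
            "cipher": esp.group(1).lower(),
            "hash": auth.group(1).lower(),
        })
    return vpns


def parse_secpath_sas(display_text):
    """One dict per [inbound|outbound ESP SAs] block of 'display ipsec sa'."""
    sas, current = [], None
    for raw in display_text.splitlines():
        line = raw.strip()
        head = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if head:
            current = {"direction": head.group(1)}
            sas.append(current)
            continue
        if current is None:
            continue
        if line.startswith("spi:"):
            current["spi"] = int(line.split()[1])
        elif line.startswith("proposal:"):
            for alg in line.split()[1:]:
                if alg.startswith("ESP-ENCRYPT-"):
                    current["cipher"] = alg[len("ESP-ENCRYPT-"):].lower()
                elif alg.startswith("ESP-AUTH-"):
                    current["hash"] = alg[len("ESP-AUTH-"):].lower()
        elif line.startswith("sa remaining key duration"):
            nbytes, secs = line.split(":")[-1].strip().split("/")
            current["remaining_bytes"] = int(nbytes)
            current["remaining_sec"] = int(secs)
        elif line.startswith("udp encapsulation"):
            current["nat_traversal"] = line.split(":")[-1].strip() == "Y"
    return sas


def audit(vpns, sas):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for v in vpns:
        if v["manual_key"]:
            findings.append("netscreen: static manual keys in config (no rekeying, keys visible in 'get config')")
        if v["cipher"] in WEAK_CIPHERS:
            findings.append(f"netscreen: weak cipher {v['cipher'].upper()}")
        if v["hash"] in WEAK_HASHES:
            findings.append(f"netscreen: weak integrity algorithm {v['hash'].upper()}")
    for sa in sas:
        tag = f"secpath {sa['direction']} spi {sa['spi']}"
        if sa.get("cipher") in WEAK_CIPHERS:
            findings.append(f"{tag}: weak cipher {sa['cipher'].upper()}")
        if sa.get("hash") in WEAK_HASHES:
            findings.append(f"{tag}: weak integrity algorithm {sa['hash'].upper()}")
        if sa.get("remaining_sec", MIN_REMAINING_SEC) < MIN_REMAINING_SEC:
            findings.append(f"{tag}: only {sa['remaining_sec']} s of lifetime left")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_netscreen_vpns(NETSCREEN_CONFIG), parse_secpath_sas(SECPATH_DISPLAY)):
        print(finding)
```

Run against the constructed samples it reports the static manual keys once and DES/MD5 for the NetScreen line and for each SecPath SA direction; the lifetime check stays quiet because 3489 seconds remain on both SAs. Feed it a saved `get config` or `display ipsec sa` capture to check a real device.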