Juniper NetScreen-500 User Manual (Part 1) For internal release
4.3.2 Quidway SecPath-1000 Configuration
#
 sysname SecPath-1000
#
 ipsec proposal vpn
#
 ipsec policy vpnmap 10 manual
  security acl 3000
  proposal vpn
  tunnel local 12.1.1.2
  tunnel remote 12.1.1.1
  sa spi inbound esp 12345
  sa encryption-hex inbound esp 1234567890123456
  sa authentication-hex inbound esp 12345678901234567890123456789012
  sa spi outbound esp 54321
  sa encryption-hex outbound esp 1234567890123456
  sa authentication-hex outbound esp 12345678901234567890123456789012
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 speed 100
 duplex full
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 speed 100
 duplex full
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
 ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
2004-11-01
Huawei-3Com Confidential. Do not distribute without permission.
Page 21 of 42
4.3.3 Juniper NetScreen-500 Display
ns-500-> get sa
total configured sa: 1
HEX ID    Gateway   Port Algorithm    SPI      Life:sec kb  Sta PID vsys
00000001< 12.1.1.2  -500 esp: des/md5 0000d431 n/a      n/a M/- 3   0
00000001> 12.1.1.2  -500 esp: des/md5 00003039 n/a      n/a M/- 2   0
ns-500-> get sa act
Total active sa: 1
total configured sa: 1
HEX ID    Gateway   Port Algorithm    SPI      Life:sec kb  Sta PID vsys
00000001< 12.1.1.2  -500 esp: des/md5 0000d431 n/a      n/a M/- 3   0
00000001> 12.1.1.2  -500 esp: des/md5 00003039 n/a      n/a M/- 2   0
ns-500-> ping
Target IP address: 20.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Source interface: e1/1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 20.2.2.2, timeout is 2 seconds from ethernet1/1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/3 ms
ns-500->
ns-500-> get sa stat
total configured sa: 1
HEX ID    Gateway   Fragment Auth-Fail Other Totalbytes
00000001< 12.1.1.2  0        0         0     640
00000001> 12.1.1.2  0        0         0     920
ns-500->
4.3.4 Quidway SecPath-1000 Display
connection-id  peer  flag  phase  doi
----------------------------------------------------------

===============================
Interface: GigabitEthernet0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "vpnmap"
  sequence number: 10
  mode: manual
  -----------------------------
    encapsulation mode: tunnel
    tunnel local : 12.1.1.2    tunnel remote: 12.1.1.1

    [inbound ESP SAs]
      spi: 12345 (0x3039)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      No duration limit for this sa

    [outbound ESP SAs]
      spi: 54321 (0xd431)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      No duration limit for this sa

  authentication is failed: 0
  wrong length: 0
  replay packet: 0
  too long packet: 0
  wrong SA: 0
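With manual keying there is no IKE to catch a mismatch, so the only evidence of a wrong SPI or key is a silent drop (or a rising Auth-Fail counter on the NetScreen). The following script is an added example for this manual, not Huawei or Juniper code: it parses the SecPath `ipsec policy ... manual` block and the NetScreen `get sa` rows shown above (both embedded as constructed sample input), checks that each side's inbound SPI equals the other side's outbound SPI, that the hex keys have the lengths DES and MD5 require, and that the peer address matches the SecPath tunnel local address. The key-size table for 3DES/AES-128/SHA-1 and the weak-algorithm flagging go beyond what the page configures and are assumptions added for generality.

```python
"""Cross-check a manually keyed ESP SA pair between a Quidway SecPath
'ipsec policy ... manual' block and NetScreen 'get sa' output.
Added example for this manual; it is not Huawei or Juniper code."""
import re

# Standard key sizes in bytes (assumption: the page only exercises des/md5;
# the other entries are the usual sizes, added for generality).
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
WEAK_ALGS = {"des", "md5"}  # neither should be used for new deployments

# Constructed sample input: the SecPath manual-SA policy from this page.
SECPATH_CFG = """\
ipsec policy vpnmap 10 manual
 security acl 3000
 proposal vpn
 tunnel local 12.1.1.2
 tunnel remote 12.1.1.1
 sa spi inbound esp 12345
 sa encryption-hex inbound esp 1234567890123456
 sa authentication-hex inbound esp 12345678901234567890123456789012
 sa spi outbound esp 54321
 sa encryption-hex outbound esp 1234567890123456
 sa authentication-hex outbound esp 12345678901234567890123456789012
"""

# Constructed sample input: the two 'get sa' rows from the NetScreen side.
NETSCREEN_GET_SA = """\
00000001< 12.1.1.2 -500 esp: des/md5 0000d431 n/a n/a M/- 3 0
00000001> 12.1.1.2 -500 esp: des/md5 00003039 n/a n/a M/- 2 0
"""


def parse_secpath(cfg):
    """Return {'tunnel': {...}, 'inbound': {...}, 'outbound': {...}}.
    SPIs are decimal on the SecPath CLI; keys stay as hex strings."""
    sas = {"tunnel": {}, "inbound": {}, "outbound": {}}
    for line in cfg.splitlines():
        t = re.match(r"\s*tunnel (local|remote) (\S+)", line)
        if t:
            sas["tunnel"][t.group(1)] = t.group(2)
            continue
        m = re.match(r"\s*sa (spi|encryption-hex|authentication-hex) "
                     r"(inbound|outbound) esp (\S+)", line)
        if m:
            field, direction, value = m.groups()
            sas[direction][field] = int(value) if field == "spi" else value
    return sas


def parse_netscreen(text):
    """Return {'<': {...}, '>': {...}} keyed by direction arrow ('<' is
    traffic arriving at the NetScreen).  ScreenOS prints SPIs in hex."""
    rows = {}
    pat = re.compile(r"\S+([<>])\s+(\S+)\s+\S+\s+esp:\s*(\w+)/(\w+)\s+([0-9a-fA-F]{8})")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            arrow, gateway, enc, auth, spi = m.groups()
            rows[arrow] = {"gateway": gateway, "enc": enc, "auth": auth,
                           "spi": int(spi, 16)}
    return rows


def check_pair(secpath, netscreen):
    """Compare both ends.  'errors' break the tunnel; 'warnings' are hygiene."""
    errors, warnings = [], []
    local = secpath["tunnel"].get("local")
    for arrow, ns in netscreen.items():
        if ns["gateway"] != local:
            errors.append(f"NetScreen '{arrow}' peer {ns['gateway']} != SecPath tunnel local {local}")
    # What SecPath receives (inbound) is what NetScreen sends ('>'), and vice versa.
    for sp_dir, arrow in (("inbound", ">"), ("outbound", "<")):
        sp, ns = secpath[sp_dir], netscreen.get(arrow)
        if ns is None:
            errors.append(f"NetScreen shows no '{arrow}' SA")
            continue
        if sp.get("spi") != ns["spi"]:
            errors.append(f"SPI mismatch on SecPath {sp_dir}: "
                          f"{sp.get('spi')} vs NetScreen '{arrow}' {ns['spi']}")
        for field, table, alg in (("encryption-hex", ENC_KEY_BYTES, ns["enc"]),
                                  ("authentication-hex", AUTH_KEY_BYTES, ns["auth"])):
            want = table.get(alg)
            if want is None:
                warnings.append(f"unknown algorithm {alg}; key length not checked")
            elif len(sp.get(field, "")) != 2 * want:
                errors.append(f"{sp_dir} {field} is not {want} bytes as {alg} requires")
        for alg in (ns["enc"], ns["auth"]):
            if alg in WEAK_ALGS:
                warnings.append(f"{sp_dir} SA uses weak algorithm {alg}")
    for field in ("encryption-hex", "authentication-hex"):
        if secpath["inbound"].get(field) == secpath["outbound"].get(field):
            warnings.append(f"same {field} key reused for both directions")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_pair(parse_secpath(SECPATH_CFG), parse_netscreen(NETSCREEN_GET_SA))
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1]}: {msg}")
```

Run against the page's own values the check reports no errors (the SPIs 12345/0x3039 and 54321/0xd431 line up across the two directions and the 8-byte DES and 16-byte MD5 keys are the right length), but it does warn that DES and MD5 are weak and that the same key is reused in both directions; the manual keys also sit in cleartext in the SecPath configuration, which is one reason the next section moves to IKE negotiation.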
NetScreen-500 policy-based dynamic configuration, SecPath-1000 automatic negotiation with default parameters
4.4.1 Juniper NetScreen-500 Configuration
ns-500->