Juniper NetScreen-500 User Manual (Part 1) (7)

2019-09-02 17:37

Juniper NetScreen-500 User Manual (Part 1) Internal Public

Repeat count [5]:
Datagram size [100]:
Timeout in seconds[2]:
Source interface:e1/1
e1/1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 20.2.2.2, timeout is 2 seconds from ethernet1/1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/3 ms
ns-500->
ns-500-> get sa
get sa
total configured sa: 1
HEX ID    Gateway   Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000004< 12.1.1.2  -500  esp: des/md5  990675ab  3417      1799M  A/-  3    0
00000004> 12.1.1.2  -500  esp: des/md5  943be7ec  3417      1799M  A/-  2    0
ns-500->
ns-500-> get sa act
get sa act
Total active sa: 1
total configured sa: 1
HEX ID    Gateway   Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000004< 12.1.1.2  -500  esp: des/md5  990675ab  3413      1799M  A/-  3    0
00000004> 12.1.1.2  -500  esp: des/md5  943be7ec  3413      1799M  A/-  2    0

2004-11-01

Huawei-3Com Confidential. Do not distribute without permission.

Page 31 of 42


ns-500->
ns-500-> get sa stat
get sa stat
total configured sa: 1
HEX ID    Gateway   Fragment  Auth-Fail  Other  Totalbytes
00000004< 12.1.1.2  0         0          0      640
00000004> 12.1.1.2  0         0          0      920
ns-500->
ns-500->

4.4.4 Quidway SecPath-1000 Display

ping -a 20.2.2.2 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=64 time=30 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=64 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=64 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=64 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=64 time=10 ms

  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/8/30 ms

dis ike sa
connection-id peer flag phase doi


----------------------------------------------------------
14 12.1.1.1 RD|ST 2 IPSEC
13 12.1.1.1 RD|ST 1 IPSEC

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

dis ipsec sa
===============================
Interface: GigabitEthernet0/0
    path MTU: 1-500
===============================

  -----------------------------
  IPsec policy name: \
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 14
    encapsulation mode: tunnel
    tunnel local : 12.1.1.2    tunnel remote: 12.1.1.1

    [inbound ESP SAs]
      spi: 1883473128 (0x704384e8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 4294966684/3559
      max received sequence-number: 9
      udp encapsulation used for nat traversal: N


[outbound ESP SAs]

dis ipsec stat
  the security packet statistics:
    input/output security packets: 5/5
    input/output security bytes: 680/420
    input/output dropped security packets: 0/0
    dropped security packet detail:
      no enough memory: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      wrong SA: 0

4.5 NetScreen-500: policy-based, auto-negotiation; SecPath-1000: dynamic configuration, default parameters

4.5.1 Juniper NetScreen-500 Configuration

ns-500-> get config
get config
Total Config size 2974:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter \
set auth-server \


set auth-server \
set auth default auth server \
set admin name \
set admin password \
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server \
set admin format dos
set zone \
set zone \
set zone \
set zone \
set zone \
set zone %
unset zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
set zone \
