Juniper NetScreen-500 User Manual (Part 1)    Internal release
set interface \
set interface \
set interface \
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
set interface tunnel.1 ip unnumbered interface ethernet3/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address \
set address \
set ike gateway \\
set ike respond-bad-spi 1
set vpn \compatible
set vpn \
set pki authority default scep mode \
set pki x509 default cert-path partial
set policy id 3 name \ \
2004-11-01
Huawei-3Com confidential; do not distribute without permission
Page 36 of 42
\
set policy id 2 name \ \\
set policy id 1 from \ \
set vpn \
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter \
exit
set vrouter %
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit
4.5.2 Quidway SecPath-1000 configuration
sysname SecPath-1000
#
ike local-name SecPath-1000
#
ike peer peer
 pre-shared-key vpn
#
ipsec proposal vpn
#
ipsec policy-template temp 10
 ike-peer peer
 proposal vpn
#
ipsec policy vpnmap 10 isakmp template temp
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 speed 100
 duplex full
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 speed 100
 duplex full
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
4.5.3 Juniper NetScreen-500 display output
ns-500-> get sa
total configured sa: 1
HEX ID    Gateway   Port Algorithm    SPI      Life:sec kb    Sta PID vsys
00000004< 12.1.1.2  -500 esp: des/md5 9fd739f5 3571     1799M A/- 3   0
00000004> 12.1.1.2  -500 esp: des/md5 fe1ddd65 3571     1799M A/- 2   0
ns-500->
ns-500-> get sa act
Total active sa: 1
total configured sa: 1
HEX ID    Gateway   Port Algorithm    SPI      Life:sec kb    Sta PID vsys
00000004< 12.1.1.2  -500 esp: des/md5 9fd739f5 3567     1799M A/- 3   0
00000004> 12.1.1.2  -500 esp: des/md5 fe1ddd65 3567     1799M A/- 2   0
ns-500->
ns-500-> get sa stat
total configured sa: 1
HEX ID    Gateway   Fragment Auth-Fail Other Totalbytes
00000004< 12.1.1.2  0        0         0     512
00000004> 12.1.1.2  0        0         0     736
ns-500->
ns-500->
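An operator checking the tunnel above usually wants the `get sa` and `get sa stat` tables turned into something that can be alerted on: is each SA active, how close is it to rekey, does the negotiated algorithm still meet policy, and is the Auth-Fail counter moving. The following parser is an added example written for this manual page; it is not ScreenOS code or anything from Juniper or Huawei-3Com. The sample output is constructed to match the columns shown in section 4.5.3, the column regexes are this example's own reading of that layout, and treating a `Sta` value whose first character is `A` as "active" is an assumption based on the `A/-` rows on the page.

```python
"""Parse ScreenOS `get sa` / `get sa stat` output and report SA health findings."""
import re

# Constructed sample output, laid out like the `get sa` table in section 4.5.3.
GET_SA_OUTPUT = """\
total configured sa: 1
HEX ID    Gateway   Port Algorithm    SPI      Life:sec kb    Sta PID vsys
00000004< 12.1.1.2  -500 esp: des/md5 9fd739f5 3571     1799M A/- 3   0
00000004> 12.1.1.2  -500 esp: des/md5 fe1ddd65 3571     1799M A/- 2   0
"""

# Constructed sample output, laid out like the `get sa stat` table in section 4.5.3.
GET_SA_STAT_OUTPUT = """\
total configured sa: 1
HEX ID    Gateway   Fragment Auth-Fail Other Totalbytes
00000004< 12.1.1.2  0        0         0     512
00000004> 12.1.1.2  0        0         0     736
"""

# One SA row: hex id, direction marker (< inbound, > outbound), gateway, port,
# "proto: alg", SPI, lifetime in seconds, kb budget, status, PID, vsys.
SA_ROW = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>-?\d+)\s+"
    r"(?P<proto>\w+):\s*(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+(?P<life>\d+)\s+"
    r"(?P<kb>\S+)\s+(?P<sta>\S+)\s+(?P<pid>\d+)\s+(?P<vsys>\d+)"
)
# One statistics row: hex id, direction, gateway, then four counters.
STAT_ROW = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<frag>\d+)\s+"
    r"(?P<authfail>\d+)\s+(?P<other>\d+)\s+(?P<bytes>\d+)"
)

# Algorithms that no longer meet a reasonable policy; the page's tunnel uses des/md5.
WEAK_ALGS = {"des", "md5", "null"}


def _ints(row, *keys):
    """Convert the named fields of a regex match dict to int, in place."""
    for k in keys:
        row[k] = int(row[k])
    return row


def parse_get_sa(text):
    """Return one dict per SA row of `get sa` output; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = _ints(m.groupdict(), "life", "pid", "vsys")
            row["inbound"] = row["dir"] == "<"
            rows.append(row)
    return rows


def parse_get_sa_stat(text):
    """Return one dict per row of `get sa stat` output with integer counters."""
    rows = []
    for line in text.splitlines():
        m = STAT_ROW.match(line.strip())
        if m:
            rows.append(_ints(m.groupdict(), "frag", "authfail", "other", "bytes"))
    return rows


def check_sa_health(sa_rows, stat_rows, min_life_sec=60):
    """Join the two tables on (id, direction) and return a list of finding strings."""
    findings = []
    stats = {(r["id"], r["dir"]): r for r in stat_rows}
    for r in sa_rows:
        label = f"SA {r['id']}{r['dir']} to {r['gw']}"
        weak = [a for a in r["alg"].split("/") if a in WEAK_ALGS]
        if weak:
            findings.append(f"{label}: weak algorithm(s) {','.join(weak)} ({r['proto']}: {r['alg']})")
        # Assumption: a Sta value starting with 'A' (e.g. A/-) means the SA is active.
        if not r["sta"].startswith("A"):
            findings.append(f"{label}: not active (Sta={r['sta']})")
        if r["life"] < min_life_sec:
            findings.append(f"{label}: lifetime {r['life']}s below {min_life_sec}s, rekey expected")
        st = stats.get((r["id"], r["dir"]))
        if st is None:
            findings.append(f"{label}: no matching row in `get sa stat`")
            continue
        if st["authfail"] > 0:
            findings.append(f"{label}: {st['authfail']} authentication failures")
        if st["other"] > 0:
            findings.append(f"{label}: {st['other']} other errors")
    return findings


if __name__ == "__main__":
    for f in check_sa_health(parse_get_sa(GET_SA_OUTPUT), parse_get_sa_stat(GET_SA_STAT_OUTPUT)):
        print(f)
```

On the page's own output the only findings are the two weak-algorithm warnings for `des/md5`; a non-zero Auth-Fail counter on either direction, or a missing `A` status, would produce an additional finding for that SA.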
4.5.4 Quidway SecPath-1000 display output
connection-id  peer      flag  phase  doi
----------------------------------------------------------
3              12.1.1.1  RD    2      IPSEC
2              12.1.1.1  RD    1      IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

-----------------------------
IPsec policy name: \
sequence number: 10
mode: template
-----------------------------
connection id: 3
encapsulation mode: tunnel
tunnel local : 12.1.1.2
tunnel remote: 12.1.1.1
flow source: 20.2.2.2/255.255.255.255 0/0
flow destination: 10.1.1.1/255.255.255.255 0/0