set system services ssh protocol-version v2
set system services telnet
set system services xnm-clear-text
set system services web-management http port 8080
set system services web-management http interface vlan.0
set system services web-management https port 9443
set system services web-management https interface all
Allow ping, http, telnet, ssh and similar access on the external interface:
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services ssh
Configure a policy allowing traffic within the trust zone:
set security policies from-zone trust to-zone trust policy t-t match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy t-t then permit
Configure a security policy allowing the trust zone to access the untrust zone:
set security policies from-zone trust to-zone untrust policy t-u match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy t-u then permit
Create the virtual interface st0.9 and place it in the trust zone:
set interfaces st0 unit 9 family inet
set security zones security-zone trust interfaces st0.9
Configure the internal route to the central site:
set routing-options static route 10.0.0.0/24 next-hop st0.9
Permit VPN (IKE) negotiation on the external interface:
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services ike
Create the address book entries:
set security zones security-zone trust address-book address Local_172.16.1.0/24 172.16.1.0/24
set security zones security-zone trust address-book address Remote_10.0.0.0/24 10.0.0.0/24
Unlike the SSG, the SRX has no predefined IKE or IPsec proposals; out of habit you can create your own:
Create an IKE proposal named pre-g2-3des-sha:
set security ike proposal pre-g2-3des-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-3des-sha encryption-algorithm 3des-cbc
set security ike proposal pre-g2-3des-sha authentication-algorithm sha1
set security ike proposal pre-g2-3des-sha dh-group group2
set security ike proposal pre-g2-3des-sha lifetime-seconds 28800
set security ike policy ike-policy-hmc proposals pre-g2-3des-sha
Create an IPsec proposal named nopfs-esp-3des-sha:
set security ipsec proposal nopfs-esp-3des-sha protocol esp
set security ipsec policy ipsec-policy-hmc proposals nopfs-esp-3des-sha
set security ipsec proposal nopfs-esp-3des-sha encryption-algorithm 3des-cbc
set security ipsec proposal nopfs-esp-3des-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal nopfs-esp-3des-sha lifetime-seconds 3600
Configure VPN phase 1: create an IKE policy named ike-policy-2center, set the mode to aggressive and the pre-shared key to testvpnkey:
set security ike policy ike-policy-2center mode aggressive (ike-policy-2center is only a local identifier with no other significance; the same applies below)
set security ike policy ike-policy-2center pre-shared-key ascii-text testvpnkey
set security ike policy ike-policy-2center proposals pre-g2-3des-sha
Configure the phase-1 IKE gateway:
set security ike gateway 2center ike-policy ike-policy-2center (2center is only a local identifier with no other significance; the same applies below)
set security ike gateway 2center address 1.1.1.2
set security ike gateway 2center external-interface vlan.1
set security ike gateway 2center local-identity hostname 2center (the hostname used to authenticate with the central site, equivalent to local-id on the SSG)
set security ike gateway 2center general-ikeid
set security ike gateway 2center version v1-only
########
All of the above corresponds to the SSG command set ike gateway \ outgoing-interface \
############
Configure VPN phase 2:
set security ipsec policy ipsec-policy-2center proposals nopfs-esp-3des-sha (ipsec-policy-2center is a local identifier with no other significance)
set security ipsec vpn 2center ike gateway 2center (the phase-1 gateway defined above)
set security ipsec vpn 2center ike ipsec-policy ipsec-policy-2center (the policy defined above)
########
All of the above corresponds to the SSG5 command set vpn \ gateway \ no-replay tunnel idletime 0 proposal \
#########
Bind the VPN to the virtual interface st0.9:
set security ipsec vpn 2center bind-interface st0.9
Equivalent to the SSG5 command set vpn \
Configure the interesting traffic (proxy identity):
set security ipsec vpn 2center ike proxy-identity local 172.16.1.0/24 remote 10.0.0.0/24
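An added example (not part of the original notes): a small Python audit script that tokenises Junos set-style lines like the ones above and reports the settings a reviewer would question in this configuration, namely cleartext management services, cleartext services admitted through a zone's host-inbound-traffic, and legacy IKE parameters (3DES, DH group 2, aggressive mode). The embedded sample is a constructed subset of this page's commands.

```python
from __future__ import annotations

# Constructed sample: a subset of the set commands from the notes above,
# not the full configuration.
SAMPLE_CONFIG = """\
set system services telnet
set system services xnm-clear-text
set system services web-management http port 8080
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces vlan.1 host-inbound-traffic system-services ssh
set security ike proposal pre-g2-3des-sha encryption-algorithm 3des-cbc
set security ike proposal pre-g2-3des-sha dh-group group2
set security ike policy ike-policy-2center mode aggressive
"""

# Services that carry credentials or configuration in the clear.
CLEARTEXT_SERVICES = {"telnet", "http", "xnm-clear-text", "ftp"}
# Legacy IKE parameter values a reviewer would ask to replace.
WEAK_IKE_VALUES = {"des-cbc", "3des-cbc", "group1", "group2", "md5"}


def parse_set_lines(text: str) -> list[list[str]]:
    """Tokenise each 'set ...' line, dropping the leading 'set' keyword."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]


def audit(text: str) -> list[str]:
    """Return human-readable findings for risky settings in a set-style config."""
    findings = []
    for t in parse_set_lines(text):
        # set system services <svc> ...   (web-management http counts as http)
        if t[:2] == ["system", "services"] and len(t) > 2:
            svc = "http" if t[2:4] == ["web-management", "http"] else t[2]
            if svc in CLEARTEXT_SERVICES:
                findings.append(f"cleartext service enabled: {svc}")
        # set security zones security-zone <zone> [interfaces <if>] host-inbound-traffic system-services <svc>
        if "system-services" in t and t[:3] == ["security", "zones", "security-zone"]:
            zone, svc = t[3], t[t.index("system-services") + 1]
            iface = t[t.index("interfaces") + 1] if "interfaces" in t else "(zone-wide)"
            if svc in CLEARTEXT_SERVICES:
                findings.append(f"cleartext service {svc} admitted on {zone} zone {iface}")
        # set security ike proposal <name> <knob> <value>
        if t[:3] == ["security", "ike", "proposal"] and t[-1] in WEAK_IKE_VALUES:
            findings.append(f"ike proposal {t[3]} uses legacy {t[4]} {t[-1]}")
        # set security ike policy <name> mode aggressive
        if t[:3] == ["security", "ike", "policy"] and t[4:6] == ["mode", "aggressive"]:
            findings.append(f"ike policy {t[3]} uses aggressive mode (peer identity sent unencrypted)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```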

