
Experience summary

Basic data configuration

set interfaces st0 unit 0 family inet address 172.16.1.1/30 // enable the secure tunnel interface; the IP address is optional

set routing-options static route 10.142.0.0/16 next-hop st0.0 // define the traffic to be encrypted

set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ping // enable ping on the interface

set security zones security-zone Internet interfaces st0.0 host-inbound-traffic protocols all // assign the interface to the security zone and configure the permitted services

set security zones security-zone Internet host-inbound-traffic system-services ping // enable ping for the security zone

Make the interface IP pingable within the security zone

set security zones security-zone Internet host-inbound-traffic system-services ping // enable ping for the security zone

set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ping // enable ping on the interface within the security zone

Configure the IKE-phase authentication policy

set security ike policy IKE-shahe mode aggressive // set the IKE mode

set security ike policy IKE-shahe description IKE-shahe // create the IKE policy template

set security ike policy IKE-shahe proposal-set standard // set the IKE authentication rules

set security ike policy IKE-shahe pre-shared-key ascii-text "$9$lojKLx-VwgaZLXjHqmTQyle" // set the IKE authentication method and configure the shared key

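Configure the IKE-phase gateway and reference the IKE policy

set security ike gateway GW-shahe ike-policy IKE-shahe // create the gateway and reference the authentication policy

set security ike gateway GW-shahe address 118.26.13.129 // use an IP address as the handshake ID and configure the peer IP

set security ike gateway GW-shahe no-nat-traversal // disable NAT traversal (optional)

set security ike gateway GW-shahe local-identity inet 118.26.23.109 // set the local ID (optional)

set security ike gateway GW-shahe external-interface reth2.0 // set the outgoing interface for the data

set security ike gateway GW-shahe version v1-only // set the IKE version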

Configure the IPsec-phase encryption method (optional)

set security ipsec proposal IPSEC description IPSEC // create the IPSEC authentication template

set security ipsec proposal IPSEC protocol esp // configure the IPsec authentication method

set security ipsec proposal IPSEC authentication-algorithm hmac-md5-96

set security ipsec proposal IPSEC encryption-algorithm 3des-cbc

set security ipsec proposal IPSEC lifetime-seconds 28800 // set the tunnel lifetime

Configure the IPsec-phase authentication policy

set security ipsec policy IPSec-shahe description IPSec-shahe // create the IPsec authentication policy template

set security ipsec policy IPSec-shahe perfect-forward-secrecy keys group2 // set the DH group

set security ipsec policy IPSec-shahe proposals IPSEC // apply the IPsec encryption template

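Bind the IPsec secure interface and gateway, and reference the IPsec policy

set security ipsec vpn VPNshahe bind-interface st0.0 // create the VPN template and bind the data-encryption interface

set security ipsec vpn VPNshahe ike gateway GW-shahe // bind the encryption gateway

set security ipsec vpn VPNshahe ike no-anti-replay

set security ipsec vpn VPNshahe ike ipsec-policy IPSec-shahe // bind the IPsec authentication template

set security ipsec vpn VPNshahe establish-tunnels immediately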
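
As an added example (not part of the original page), the following Python script audits `set` commands like the ones above for settings that weaken the tunnel: aggressive mode with a pre-shared key, IKEv1 only, MD5 and 3DES, DH group 2, disabled anti-replay, and `protocols all` on the tunnel interface. The rule list and the function name `audit` are assumptions made for this example, and the sample replaces the pre-shared key with a constructed placeholder.

```python
import re

# (regex over one normalized "set" command, why the setting is weak)
RULES = [
    (r"^set security ike policy \S+ mode aggressive$",
     "aggressive mode sends a PSK-derived hash that can be guessed offline"),
    (r'^set security ike policy \S+ pre-shared-key ascii-text "\$9\$',
     "$9$ strings are obfuscated, not hashed; keep them out of shared configs"),
    (r"^set security ike gateway \S+ version v1-only$",
     "IKEv1 is deprecated; use IKEv2 where the peer supports it"),
    (r" authentication-algorithm hmac-md5-96$", "MD5-based integrity is obsolete"),
    (r" encryption-algorithm 3des-cbc$", "3DES is obsolete (64-bit block cipher)"),
    (r" perfect-forward-secrecy keys group[125]$", "DH group smaller than 2048 bits"),
    (r"^set security ipsec vpn \S+ ike no-anti-replay$",
     "ESP anti-replay protection is switched off"),
    (r" host-inbound-traffic protocols all$",
     "all protocols are accepted inbound on this interface"),
]

def audit(config_text):
    """Return (line_no, command, reason) for every weak setting found."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        # Drop the page's trailing "// note" annotations and collapse whitespace.
        cmd = " ".join(re.sub(r'//[^"]*$', "", raw).split())
        for pattern, reason in RULES:
            if re.search(pattern, cmd):
                findings.append((line_no, cmd, reason))
    return findings

# Lines 1-9 are taken from the configuration above (PSK replaced by a
# constructed placeholder); line 10 is a constructed stronger setting.
SAMPLE = r'''set security ike policy IKE-shahe mode aggressive // set the IKE mode
set security ike policy IKE-shahe pre-shared-key ascii-text "$9$PLACEHOLDER"
set security ike gateway GW-shahe version v1-only
set security ipsec proposal IPSEC authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC lifetime-seconds 28800
set security ipsec policy IPSec-shahe perfect-forward-secrecy keys group2
set security ipsec vpn VPNshahe ike no-anti-replay
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic protocols all
set security ipsec policy IPSec-shahe perfect-forward-secrecy keys group14'''

if __name__ == "__main__":
    for line_no, cmd, reason in audit(SAMPLE):
        print(f"line {line_no}: {cmd}\n    -> {reason}")
```

Any change to the flagged algorithms, IKE version or mode has to be made on both peers, since the proposals must match for the tunnel to come up.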
