第七部分第二十章：虚拟专用网互联网协议安全性：基于路由的×××-白红宇

第七部分第二十章：虚拟专用网互联网协议安全性：基于路由的×××

阅读量：6425 次

发布时间：2019-06-23

本文共 2676 字，大约阅读时间需要 8 分钟。

一、基于路由的×××拓扑

二、基于路由的×××

-------------------------------------------------------------------------------------------

interfaces {

em0 {

unit 0 {

family inet {

address 202.0.0.2/24;

}

em1 {

unit 0 {

family inet {

address 192.168.0.1/24;

}

st0 {

unit 0 {

family inet {

address 172.16.0.2/24;

}

-------------------------------------------------------------------------------------------

routing-options {

static {

route 0.0.0.0/0 next-hop 202.0.0.1;

route 10.0.0.0/24 next-hop st0.0;

}

-------------------------------------------------------------------------------------------

security {

-------------------------------------------------------------------------------------------

ike {

proposal ike-phase1-proposal {

authentication-method pre-shared-keys;

dh-group group2;

authentication-algorithm sha1;

encryption-algorithm aes-128-cbc;

}

policy ike-phase-policy {

mode main;

proposals ike-phase1-proposal;

pre-shared-key ascii-text "$9$n9t19t0EclLxdBIxdbsJZn/C"; ## SECRET-DATA

}

gateway gw-sunnyvale {

ike-policy ike-phase-policy;

address 202.0.0.1;

external-interface em0.0;

}

-------------------------------------------------------------------------------------------

ipsec {

proposal ipse-phase2-proposal {

protocol esp;

authentication-algorithm hmac-sha1-96;

encryption-algorithm aes-128-cbc;

}

policy ipsec-phase2-policy {

perfect-forward-secrecy {

keys group2;

}

proposals ipse-phase2-proposal;

}

*** ike-***-sunnyvale {

bind-interface st0.0;

ike {

gateway gw-sunnyvale;

ipsec-policy ipsec-phase2-policy;

}

-------------------------------------------------------------------------------------------

address-book {

book1 {

address chicago 192.168.0.0/24;

address sunnyvale 10.0.0.0/24;

attach {

zone trunst;

zone untrunst;

}

-------------------------------------------------------------------------------------------

flow {

tcp-mss {

ipsec-*** {

mss 1350;

}

-------------------------------------------------------------------------------------------

policies {

from-zone trunst to-zone ***-sunnyvale {

policy ***-tr-sun {

match {

source-address chicago;

destination-address sun;

application any;

}

then {

permit;

}

from-zone ***-sunnyvale to-zone trunst {

policy ***-sun-tr {

match {

source-address sunnyvale;

destination-address chicago;

application any;

}

then {

permit;

}

-------------------------------------------------------------------------------------------

zones {

security-zone untrunst {

host-inbound-traffic {

system-services {

ike;

}

security-zone trunst {

host-inbound-traffic {

system-services {

all;

}

security-zone ***-sunnyvale {

interfaces {

st0.0;

}

转载于:https://blog.51cto.com/theelephant/1544205

你可能感兴趣的文章

10个大坑，当你产品上架AppStore会遇到

关于ASP.NET MVC4 Web API简单总结

查看>>

BGP最新的AS号：4-byte-as 转换为十进制及AS号兼容性

查看>>

Windows2008server R2 组策略批量更改本地管理员密码

查看>>

ubutnu安装geany

查看>>

webservice 之 Java CXF实战效果 RS WS（一）

IBM x3850 RAID5数据恢复方案及过程

查看>>

移动计算领域五大机遇：交通运输优势待挖掘

查看>>

如何把win7 旗舰版升级到sp1最新版本

查看>>