Netscreen policy-based AutoKey IKE site-to-site VPN configuration example
[ 2010-06-11 18:09:32 | Author: Admin ]
Configuration requirements:
1. Interface IPs (the local and remote inner and outer interfaces)
2. Internal subnets (local and remote)
Configuration steps:
1. Define the security zone interface IPs
2. Create address book entries for the local and remote entities
3. Define the remote gateway and the key exchange mode, and specify a preshared key or a certificate
4. Create the AutoKey IKE VPN
5. Set the default route to the external router
6. Configure the policies
WebUI (Headquarters - Tokyo)
1. Interfaces
Set the interface IPs
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when it appears)
IP Address/Netmask: 10.1.1.1/24
Select the following, then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when it appears)
IP Address/Netmask: 1.1.1.1/24
2. Addresses
Objects > Addresses > List > New: Enter the following, then click OK:
Address Name: Trust_LAN
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, then click OK:
Address Name: Paris_Office
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.0/24
Zone: Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: To_Paris
Security Level: Custom
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 2.2.2.2
Preshared Key
Preshared Key: 123456789
Outgoing Interface: ethernet3
> Advanced: Enter the following advanced settings, then click Return to go back to the basic Gateway configuration page:
Security Level: Custom
Phase 1 Proposal (for Custom Security Level): pre-g2-3des-sha
Mode (Initiator): Main (ID Protection)
(or)
Certificates
Outgoing Interface: ethernet3
> Advanced: Enter the following advanced settings, then click Return to go back to the basic Gateway configuration page:
Security Level: Custom
Phase 1 Proposal (for Custom Security Level): rsa-g2-3des-sha
Preferred certificate (optional)
Peer CA: Entrust
Peer Type: X509-SIG
VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: Tokyo_Paris
Security Level: Compatible
Remote Gateway:
Predefined: (select), To_Paris
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Name: To/From Paris
Source Address: Trust_LAN
Destination Address: Paris_Office
Service: ANY
Action: Tunnel
Tunnel VPN: Tokyo_Paris
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)
WebUI (Branch office - Paris)
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when it appears)
IP Address/Netmask: 10.2.2.1/24
Select the following, then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when it appears)
IP Address/Netmask: 2.2.2.2/24
2. Addresses
Objects > Addresses > List > New: Enter the following, then click OK:
Address Name: Trust_LAN
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.0/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, then click OK:
Address Name: Tokyo_Office
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: To_Tokyo
Security Level: Custom
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 1.1.1.1
Preshared Key
Preshared Key: 123456789
Outgoing Interface: ethernet3
> Advanced: Enter the following advanced settings, then click Return to go back to the basic Gateway configuration page:
Security Level: Custom
Phase 1 Proposal (for Custom Security Level): pre-g2-3des-sha
Mode (Initiator): Main (ID Protection)
(or)
Certificates
Outgoing Interface: ethernet3
> Advanced: Enter the following advanced settings, then click Return to go back to the basic Gateway configuration page:
Security Level: Custom
Phase 1 Proposal (for Custom Security Level): rsa-g2-3des-sha
Preferred certificate (optional)
Peer CA: Entrust
Peer Type: X509-SIG
VPNs > AutoKey IKE > New: Enter the following, then click OK:
Name: Paris_Tokyo
Security Level: Compatible
Remote Gateway:
Predefined: (select), To_Tokyo
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 2.2.2.250
5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Name: To/From Tokyo
Source Address:
Address Book Entry: (select), Trust_LAN
Destination Address:
Address Book Entry: (select), Tokyo_Office
Service: ANY
Action: Tunnel
Tunnel VPN: Paris_Tokyo
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)
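Most failures in a setup like this come from the two sides not mirroring each other (wrong peer address, remote subnet that is not the other side's local subnet, mismatched preshared key or Phase 1 proposal, default route pointing off the Untrust subnet). The following is an added example, not part of the original post: it models both sites from the walkthrough above as plain dictionaries (the key names and the check functions are my own, not ScreenOS objects) and reports every mismatch before you commit the configuration.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Site definitions constructed from the values in the walkthrough above.
TOKYO = {
    "untrust_if": "1.1.1.1/24", "default_gw": "1.1.1.250",
    "local_lan": "10.1.1.0/24", "remote_lan": "10.2.2.0/24",
    "peer": "2.2.2.2", "psk": "123456789",
    "p1_proposal": "pre-g2-3des-sha", "p2_level": "Compatible",
}
PARIS = {
    "untrust_if": "2.2.2.2/24", "default_gw": "2.2.2.250",
    "local_lan": "10.2.2.0/24", "remote_lan": "10.1.1.0/24",
    "peer": "1.1.1.1", "psk": "123456789",
    "p1_proposal": "pre-g2-3des-sha", "p2_level": "Compatible",
}


def check_site(site, name):
    """Checks involving a single gateway; returns a list of findings."""
    findings = []
    untrust = ip_interface(site["untrust_if"])
    # The default route's next hop must sit on the Untrust subnet.
    if ip_address(site["default_gw"]) not in untrust.network:
        findings.append(f"{name}: default gateway {site['default_gw']} is not on the Untrust subnet")
    # Local and remote LANs must not overlap, or the tunnel policy cannot match cleanly.
    if ip_network(site["local_lan"]).overlaps(ip_network(site["remote_lan"])):
        findings.append(f"{name}: local and remote LANs overlap")
    return findings


def check_pair(a, b, names=("Tokyo", "Paris")):
    """Cross-site checks: each side's remote settings must mirror the other's local ones."""
    findings = check_site(a, names[0]) + check_site(b, names[1])
    for x, y, nx, ny in ((a, b, names[0], names[1]), (b, a, names[1], names[0])):
        # The IKE peer address must be the other gateway's Untrust interface IP.
        if ip_address(x["peer"]) != ip_interface(y["untrust_if"]).ip:
            findings.append(f"{nx}: peer {x['peer']} is not {ny}'s Untrust interface")
        # The remote address book entry must be exactly the other side's Trust_LAN.
        if ip_network(x["remote_lan"]) != ip_network(y["local_lan"]):
            findings.append(f"{nx}: remote LAN {x['remote_lan']} is not {ny}'s local LAN")
    # Preshared key, Phase 1 proposal and Phase 2 security level must be identical.
    for key in ("psk", "p1_proposal", "p2_level"):
        if a[key] != b[key]:
            findings.append(f"{key} differs between {names[0]} and {names[1]}")
    return findings


if __name__ == "__main__":
    for line in check_pair(TOKYO, PARIS) or ["OK: both sites mirror each other"]:
        print(line)
```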