
第七部分第二十章:虛擬專用網網際網路協議安全性:基於路由的VPN


一、基於路由的VPN拓撲

wKioL1P57bnjO-03AAGQJ1ts1Ec157.jpg


二、基於路由的VPN

-------------------------------------------------------------------------------------------


/* Interface addressing for the Chicago side of the route-based IPsec VPN. */
interfaces {
/* em0: outside interface. 202.0.0.2/24 sits on the same subnet as the IKE peer 202.0.0.1, which is reached through em0.0 (see the ike gateway stanza). */
em0 {
unit 0 {
family inet {
address 202.0.0.2/24;
}
}
}
/* em1: inside (LAN) interface; 192.168.0.0/24 is the "chicago" prefix in the address book. */
em1 {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
/* st0.0: tunnel interface the IPsec VPN is bound to (ipsec vpn bind-interface). A static route whose next-hop is st0.0 is what steers traffic into the tunnel. */
st0 {
unit 0 {
family inet {
address 172.16.0.2/24;

}
}
}
}

-------------------------------------------------------------------------------------------


/* Route-based VPN: tunnel selection is done by routing, not by a policy-based proxy-ID. */
routing-options {
static {
/* Default route out the untrusted side; 202.0.0.1 is also the remote IKE gateway address. */
route 0.0.0.0/0 next-hop 202.0.0.1;
/* The Sunnyvale subnet (address-book entry "sunnyvale") is reached through the tunnel interface st0.0. */
route 10.0.0.0/24 next-hop st0.0;
}
}

-------------------------------------------------------------------------------------------


security {

-------------------------------------------------------------------------------------------


/* IKE (phase 1) settings for the tunnel to Sunnyvale. */
ike {
/* Phase 1 proposal: pre-shared-key authentication, DH group2 (1024-bit MODP), SHA-1 integrity, AES-128-CBC. group2 and SHA-1 are legacy-strength choices kept here to match the lab peer; where both ends support it, a larger DH group and a SHA-2 integrity algorithm are the usual recommendation. */
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
/* Main mode is used: the peer has a fixed address (see the gateway below). */
policy ike-phase-policy {
mode main;
proposals ike-phase1-proposal;
/* The $9$ format is Junos reversible obfuscation, not encryption: anyone who can read this configuration (backups, "show configuration" output, pasted snippets) can recover the pre-shared key. Treat configuration copies as secrets and rotate the key if such a copy is exposed. */
pre-shared-key ascii-text "$9$n9t19t0EclLxdBIxdbsJZn/C"; ## SECRET-DATA

}
/* Remote gateway: 202.0.0.1, reached via the outside interface em0.0. */
gateway gw-sunnyvale {
ike-policy ike-phase-policy;
address 202.0.0.1;
external-interface em0.0;
}
}

-------------------------------------------------------------------------------------------


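/* IPsec (phase 2) settings. The "vpn" keyword and the vpn name were masked as "***" in the published page and are restored here. */
ipsec {
/* Phase 2 proposal: ESP with HMAC-SHA1-96 integrity and AES-128-CBC. SHA-1 based integrity is legacy-strength; pair it with a SHA-2 HMAC when the peer allows. (The proposal name "ipse-..." is a typo but is referenced consistently below, so it is kept.) */
proposal ipse-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
/* PFS with DH group2 -- same legacy-strength caveat as the phase 1 dh-group. */
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipse-phase2-proposal;
}
/* Route-based VPN object: binding it to st0.0 is what makes routes via st0.0 enter this tunnel. */
vpn ike-vpn-sunnyvale {
bind-interface st0.0;
ike {
gateway gw-sunnyvale;
ipsec-policy ipsec-phase2-policy;
}
}
}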

-------------------------------------------------------------------------------------------


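/* Address objects used by the security policies. Zone names "trunst"/"untrunst" read as typos of trust/untrust but are used consistently throughout this configuration, so they are kept. */
address-book {
book1 {
/* chicago = local LAN behind em1; sunnyvale = remote subnet routed via st0.0. */
address chicago 192.168.0.0/24;
address sunnyvale 10.0.0.0/24;
/* A zone-attached book is only visible to policies in which that zone is the from- or to-zone. The policies below reference "sunnyvale" and "chicago" from/to zone vpn-sunnyvale, so the book must be attached to that zone as well or the policy references fail to resolve -- verify on commit. */
attach {
zone trunst;
zone untrunst;
zone vpn-sunnyvale;
}
}
}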

-------------------------------------------------------------------------------------------


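/* Clamp TCP MSS on traffic entering the VPN so that packets plus ESP/tunnel overhead stay below the path MTU and are not fragmented. The "ipsec-vpn" keyword was masked as "ipsec-***" in the published page and is restored here. */
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}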

-------------------------------------------------------------------------------------------


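/* Security policies between the inside zone and the tunnel zone. Zone/policy names containing "vpn" were masked as "***" in the published page and are restored here. */
policies {
/* Chicago LAN -> Sunnyvale. The original listing had "destination-address sun", which is not defined in the address book (the entry is "sunnyvale") and would fail to resolve; corrected. */
from-zone trunst to-zone vpn-sunnyvale {
policy vpn-tr-sun {
match {
source-address chicago;
destination-address sunnyvale;
/* "application any" in both directions is fine for a lab; in production restrict to the applications actually required. */
application any;
}
then {
permit;
}
}
}
/* Sunnyvale -> Chicago LAN. */
from-zone vpn-sunnyvale to-zone trunst {
policy vpn-sun-tr {
match {
source-address sunnyvale;
destination-address chicago;
application any;
}
then {
permit;
}
}
}
}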

-------------------------------------------------------------------------------------------


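/* Security zones. The original listing assigned no interfaces to the trust and untrust zones; an interface that belongs to no zone passes no transit traffic and accepts no host-inbound services, so em0.0 and em1.0 are added here. The assignment follows the addressing and the IKE external-interface setting -- confirm against the intended topology. The zone name masked as "***-sunnyvale" in the published page is restored as vpn-sunnyvale. */
zones {
/* Outside zone: only IKE is accepted toward the device itself, which is the minimum the tunnel needs. em0.0 is the IKE external-interface. */
security-zone untrunst {
interfaces {
em0.0;
}
host-inbound-traffic {
system-services {
ike;
}
}
}
/* Inside zone (em1.0, the chicago prefix). "all" host-inbound services is convenient for a lab but broad; narrow it to the services actually needed in production. */
security-zone trunst {
interfaces {
em1.0;
}
host-inbound-traffic {
system-services {
all;
}
}
}
/* Tunnel zone: holds st0.0 so traffic routed via st0.0 is evaluated by the trunst <-> vpn-sunnyvale policies. */
security-zone vpn-sunnyvale {
interfaces {
st0.0;
}
}
}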
}