Juniper NetScreen-500 User Manual (I)



Juniper NetScreen-500 User Manual (I)    Internal

Huawei-3Com Technologies Co., Ltd.
Document ID:
Document Status:        Draft 1.00
Confidentiality level:  Internal
Total pages:            42

Juniper NetScreen-500 User Manual (I)

Prepared by:   刘永忠    Date: 2004-11-01
Reviewed by:             Date:
Approved by:             Date:

Huawei-3Com Technologies Co., Ltd.

All rights reserved

2004-11-01
Huawei-3Com Confidential. Not to be distributed without permission.    Page 1 of 42


Revision Record

Date         Revision Version   Sec No.   Change Description         Author
2004-11-01   1.00               initial   Initial draft completed    刘永忠


Contents

1 The NetScreen-500 product ..... 5
  1.1 Introduction ..... 5
  1.2 Main product features ..... 5
2 Some concepts ..... 6
  2.1 Security zones ..... 6
  2.2 Virtual routers ..... 6
  2.3 Interface modes ..... 6
3 Basic configuration ..... 7
  3.1 Emergency procedure for a lost admin password ..... 7
  3.2 Common management commands ..... 8
  3.3 Routing protocols ..... 8
    3.3.1 OSPF ..... 8
    3.3.2 RIP ..... 8
    3.3.3 BGP ..... 9
  3.4 Web management ..... 9
4 Juniper NetScreen-500 and Quidway SecPath-1000 interoperation examples ..... 10
  4.1 Network topology ..... 11
  4.2 NetScreen-500 policy-based, IKE auto-negotiation; SecPath-1000 IKE auto-negotiation; default parameters ..... 11
    4.2.1 Juniper NetScreen-500 configuration ..... 11
    4.2.2 Quidway SecPath-1000 configuration ..... 14
    4.2.3 Juniper NetScreen-500 output ..... 15
    4.2.4 Quidway SecPath-1000 output ..... 16
  4.3 NetScreen-500 policy-based, manual key; SecPath-1000 manual key; default parameters ..... 18
    4.3.1 Juniper NetScreen-500 configuration ..... 18
    4.3.2 Quidway SecPath-1000 configuration ..... 21
    4.3.3 Juniper NetScreen-500 output ..... 22
    4.3.4 Quidway SecPath-1000 output ..... 24
  4.4 NetScreen-500 policy-based, dynamic configuration; SecPath-1000 IKE auto-negotiation; default parameters ..... 25
    4.4.1 Juniper NetScreen-500 configuration ..... 25
    4.4.2 Quidway SecPath-1000 configuration ..... 28
    4.4.3 Juniper NetScreen-500 output ..... 30
    4.4.4 Quidway SecPath-1000 output ..... 32
  4.5 NetScreen-500 policy-based, IKE auto-negotiation; SecPath-1000 dynamic configuration; default parameters ..... 34
    4.5.1 Juniper NetScreen-500 configuration ..... 34
    4.5.2 Quidway SecPath-1000 configuration ..... 37
    4.5.3 Juniper NetScreen-500 output ..... 39
    4.5.4 Quidway SecPath-1000 output ..... 40

Only sections 1 and 4 are present in this copy; sections 2 and 3 listed above are missing from it.


1 The NetScreen-500 product

1.1 Introduction

The NetScreen-500 is Juniper's stateful-inspection integrated security appliance. It combines firewall, VPN and traffic-management functions in 2U of rack space, is a high-performance product with redundancy, is easy to manage, and supports multiple security domains. It is a distinct platform that combines the strengths of the NetScreen-1000 and the NetScreen-100, built on a modular design with a number of notable capabilities. For redundancy it also provides a high-availability port, a management interface and four traffic modules, together with a programmable LCD that lets an administrator perform initial setup without a console session.

1.2 Main product features

- 700 Mbps firewall and NAT throughput
- 250 Mbps 3DES VPN throughput
- 250,000 concurrent sessions
- 22,000 new sessions per second
- 10,000 VPN tunnels
- 25 virtual systems, 100 VLANs
- NAT, route and transparent modes of operation
- Policy-based NAT
- Hub-and-spoke VPN support
- Compatible with the Websense content-filtering solution
- 10/100 dual switched-port or GBIC (SX or LX transceiver) module cards


4.1 Network topology

(The topology figure is not reproduced in this copy. The addressing used throughout section 4, taken from the configurations that follow, is: NetScreen-500 ethernet1/1 10.1.1.1/24 in NAT mode on the inside and ethernet3/1 12.1.1.1/24 in route mode on the outside; SecPath-1000 GigabitEthernet0/0 12.1.1.2/24 facing the NetScreen-500 and GigabitEthernet0/1 20.2.2.2/24 behind it. In every example the protected traffic is the host pair 20.2.2.2 <-> 10.1.1.1, carried in ESP across the 12.1.1.0/24 link.)

4.2 NetScreen-500 policy-based, IKE auto-negotiation; SecPath-1000 IKE auto-negotiation; default parameters

4.2.1 Juniper NetScreen-500 configuration

Quoted arguments (the names of zones, interfaces, address objects, IKE gateways, VPNs and policies) were lost when this copy was extracted; they are shown as "…" below. Only the lines that carry addresses and options survived intact.

ns-500-> get config
Total Config size 2831:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "…" …
set auth-server "…" …
set auth-server "…" …
set auth default auth server "…"
set admin name "…"
set admin password "…"
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server "…"
set admin format dos
set zone "…" …                          (19 zone lines)
unset zone "…" …
set interface "…" …                     (2 lines)
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address "…" …
set address "…" …
set ike gateway "…" …
set ike respond-bad-spi 1
set vpn "…" …
set pki authority default scep mode "…"
set pki x509 default cert-path partial
set policy id 3 name "…" …
set policy id 2 name "…" …
set policy id 1 from "…" …
set vpn "…" …
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "…"
exit
set vrouter "…"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit

4.2.2 Quidway SecPath-1000 configuration

dis cur
#
 sysname SecPath-1000
#
ike peer peer
 pre-shared-key vpn
 remote-address 12.1.1.1
#
ipsec proposal vpn
#
ipsec policy vpnmap 10 isakmp
 security acl 3000
 ike-peer peer
 proposal vpn
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

4.2.3 Juniper NetScreen-500 output

ns-500-> get sa act
Total active sa: 1
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000002<  12.1.1.2   -500  esp: des/md5  743a4ae1  3574      1799M  A/-  3    0
00000002>  12.1.1.2   -500  esp: des/md5  3d9d264f  3574      1799M  A/-  2    0

ns-500-> get sa stat
total configured sa: 1
HEX ID     Gateway    Fragment  Auth-Fail  Other  Totalbytes
00000002<  12.1.1.2   0         0          0      1604
00000002>  12.1.1.2   0         0          0      2504

4.2.4 Quidway SecPath-1000 output

dis ipsec stat
  the security packet statistics:
    input/output security packets: 5/5
    input/output security bytes: 680/420
    input/output dropped security packets: 0/0
    dropped security packet detail:
      no enough memory: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      wrong SA: 0

dis ike sa
  connection-id  peer      flag   phase  doi
  ----------------------------------------------------------
    26           12.1.1.1  RD|ST  2      IPSEC
    25           12.1.1.1  RD|ST  1      IPSEC
  flag meaning
  RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

dis ipsec sa
===============================
Interface: GigabitEthernet0/0
  path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "…"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 26
    encapsulation mode: tunnel
    tunnel local : 12.1.1.2    tunnel remote: 12.1.1.1
    [inbound ESP SAs]
      spi: 1809669894 (0x6bdd5f06)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 4294966684/3489
      max received sequence-number: 9
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 1949977312 (0x743a4ae0)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 4294966540/3489
      max sent sequence-number: 10
      udp encapsulation used for nat traversal: N

Two things to read from these outputs. First, with both sides on default parameters the negotiated transform is ESP with DES and HMAC-MD5 (the SecPath's `ipsec proposal vpn` carries no explicit transform); that is adequate for proving interoperation but not for production, where 3DES or AES and SHA-1 should be configured explicitly on both ends. Second, the SPIs shown on the two boxes do not pair up (NetScreen inbound 743a4ae1 against SecPath outbound 0x743a4ae0), which is what you see when the two listings come from different SA generations: IKE-negotiated SAs get new SPIs at every rekey. When verifying a live tunnel, take both listings together and compare the NetScreen inbound SPI (the `<` row) with the SecPath outbound SPI, and the NetScreen outbound SPI (the `>` row) with the SecPath inbound SPI.

4.3 NetScreen-500 policy-based, manual key; SecPath-1000 manual key; default parameters

4.3.1 Juniper NetScreen-500 configuration

Quoted arguments lost in extraction are shown as "…". Compared with 4.2.1 there is no IKE gateway; the VPN is a manual-key SA with its ESP and authentication keys typed in, and a tunnel.1 interface has been added.

ns-500-> get config
Total Config size 2776:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "…" …
set auth-server "…" …
set auth-server "…" …
set auth default auth server "…"
set admin name "…"
set admin password "…"
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server "…"
set admin format dos
set zone "…" …                          (19 zone lines)
unset zone "…" …
set interface "…" …                     (3 lines)
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
set interface tunnel.1 ip unnumbered interface ethernet3/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address "…" …
set address "…" …
set ike respond-bad-spi 1
set vpn "…" … esp des key 1234567890123456 auth md5 key 1234567890123456,7890123456789012
set vpn "…" …
set pki authority default scep mode "…"
set pki x509 default cert-path partial
set policy id 3 name "…" …
set policy id 2 name "…" …
set policy id 1 from "…" …
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "…"
exit
set vrouter "…"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit


4.3.2 Quidway SecPath-1000 configuration

dis cur
#
 sysname SecPath-1000
#
ipsec proposal vpn
#
ipsec policy vpnmap 10 manual
 security acl 3000
 proposal vpn
 tunnel local 12.1.1.2
 tunnel remote 12.1.1.1
 sa spi inbound esp 12345
 sa encryption-hex inbound esp 1234567890123456
 sa authentication-hex inbound esp 12345678901234567890123456789012
 sa spi outbound esp 54321
 sa encryption-hex outbound esp 1234567890123456
 sa authentication-hex outbound esp 12345678901234567890123456789012
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 speed 100
 duplex full
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 speed 100
 duplex full
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
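The manual-key setup in 4.3.1 and 4.3.2 types the same placeholder keys (1234567890123456 for DES, 12345678901234567890123456789012 for MD5) into both boxes, and neither CLI will object. The script below is an added example, not part of the original manual or of either vendor's software: it checks what the CLI does not, namely that each hex key has exactly the length its algorithm needs, that the key the NetScreen decrypts with (its inbound SA) is the one the SecPath encrypts with (its outbound SA) and vice versa, and that no key is an obvious typed placeholder, and it mints fresh random material from the operating system's CSPRNG for a stronger algorithm pair. The key sizes are the standard ones for each algorithm; the algorithm names, the sample values and the dictionary layout are the example's own assumptions, and the sample values are constructed from the page's listings.

```python
"""Check and generate key material for a manual-key ESP SA (added example)."""
import secrets

# Key length in bytes per algorithm: DES 64-bit key (8 bytes), 3DES 3x64,
# AES-128 16, HMAC-MD5 takes a 16-byte key, HMAC-SHA-1 a 20-byte key.
KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "md5": 16, "sha1": 20}


def check_hex_key(alg, hexkey):
    """Return a list of problems with hexkey for alg (empty list = acceptable)."""
    try:
        raw = bytes.fromhex(hexkey)
    except ValueError:
        return [f"{alg}: key is not valid hex"]
    problems = []
    if len(raw) != KEY_BYTES[alg]:
        problems.append(f"{alg}: key is {len(raw)} bytes, needs {KEY_BYTES[alg]}")
    # A key made only of decimal digits, or with almost no distinct nibbles,
    # was typed by a person rather than drawn from a CSPRNG.
    if hexkey.isdigit() or len(set(hexkey.lower())) < 4:
        problems.append(f"{alg}: key looks like a placeholder, not random")
    return problems


def check_manual_keys(ns, sp):
    """ns and sp are {'in': sa, 'out': sa}; sa is
    {'enc': alg, 'enc_key': hex, 'auth': alg, 'auth_key': hex}.
    Packets the NetScreen receives on its inbound SA were built by the SecPath's
    outbound SA, so NetScreen 'in' must match SecPath 'out', and vice versa."""
    findings = set()
    for ns_dir, sp_dir in (("in", "out"), ("out", "in")):
        a, b = ns[ns_dir], sp[sp_dir]
        for what in ("enc", "auth"):
            if a[what] != b[what]:
                findings.add(f"{what} algorithm differs: NetScreen {a[what]} vs SecPath {b[what]}")
            if a[what + "_key"].lower() != b[what + "_key"].lower():
                findings.add(f"{what} key differs between NetScreen {ns_dir} and SecPath {sp_dir}")
            findings.update(check_hex_key(a[what], a[what + "_key"]))
    return sorted(findings)


def mint_manual_keys(enc="3des", auth="sha1"):
    """Fresh CSPRNG key material for one direction; call once per direction."""
    return {"enc": enc, "enc_key": secrets.token_hex(KEY_BYTES[enc]),
            "auth": auth, "auth_key": secrets.token_hex(KEY_BYTES[auth])}


# Constructed from the values configured in 4.3.1 / 4.3.2: both boxes use the
# same DES and MD5 keys in both directions.
PAGE_SA = {"enc": "des", "enc_key": "1234567890123456",
           "auth": "md5", "auth_key": "12345678901234567890123456789012"}
PAGE_NS = {"in": PAGE_SA, "out": PAGE_SA}
PAGE_SP = {"in": PAGE_SA, "out": PAGE_SA}

if __name__ == "__main__":
    for finding in check_manual_keys(PAGE_NS, PAGE_SP):
        print("finding:", finding)
    # Replacement material: one set per direction, never reused.
    print("NetScreen in / SecPath out:", mint_manual_keys())
    print("NetScreen out / SecPath in:", mint_manual_keys())
```

Run against the page's values the only findings are the two placeholder warnings; the lengths and the cross-device pairing are correct, which is why the tunnel in 4.3.3 passes traffic. A manual-key SA never rekeys, so the minted keys should be rotated by hand and the SPIs chosen above 255 (lower values are reserved by the ESP specification).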

4.3.3 Juniper NetScreen-500 output

ns-500-> get sa
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb   Sta  PID  vsys
00000001<  12.1.1.2   -500  esp: des/md5  0000d431  n/a       n/a  M/-  3    0
00000001>  12.1.1.2   -500  esp: des/md5  00003039  n/a       n/a  M/-  2    0

ns-500-> get sa act
Total active sa: 1
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb   Sta  PID  vsys
00000001<  12.1.1.2   -500  esp: des/md5  0000d431  n/a       n/a  M/-  3    0
00000001>  12.1.1.2   -500  esp: des/md5  00003039  n/a       n/a  M/-  2    0

ns-500-> ping
Target IP address: 20.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Source interface: e1/1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 20.2.2.2, timeout is 2 seconds from ethernet1/1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/3 ms

ns-500-> get sa stat
total configured sa: 1
HEX ID     Gateway    Fragment  Auth-Fail  Other  Totalbytes
00000001<  12.1.1.2   0         0          0      640
00000001>  12.1.1.2   0         0          0      920

`M/-` in the Sta column marks a manual-key SA, and the lifetimes read n/a because a manual SA is never rekeyed. The SPIs are the ones typed into the SecPath in 4.3.2: the NetScreen inbound SPI 0000d431 is the SecPath outbound SPI 54321, and the NetScreen outbound SPI 00003039 is the SecPath inbound SPI 12345.

4.3.4 Quidway SecPath-1000 output

dis ike sa
  connection-id  peer  flag  phase  doi
  ----------------------------------------------------------

The IKE SA table is empty, as expected: manual-key SAs are installed directly and involve no IKE negotiation.

dis ipsec sa
===============================
Interface: GigabitEthernet0/0
  path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "…"
  sequence number: 10
  mode: manual
  -----------------------------
    encapsulation mode: tunnel
    tunnel local : 12.1.1.2    tunnel remote: 12.1.1.1
    [inbound ESP SAs]
      spi: 12345 (0x3039)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      No duration limit for this sa
    [outbound ESP SAs]
      spi: 54321 (0xd431)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      No duration limit for this sa

dis ipsec stat
  the security packet statistics:
    input/output security packets: 5/5
    input/output security bytes: 920/640
    input/output dropped security packets: 0/0
    dropped security packet detail:
      no enough memory: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      wrong SA: 0
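The check an engineer does by eye across the two listings in 4.2.3/4.2.4 and 4.3.3/4.3.4 is the same each time: the NetScreen's inbound SA (the `<` row of `get sa`) must carry the SPI and algorithms of the SecPath's outbound SA in `dis ipsec sa`, and the `>` row must match the SecPath's inbound SA. The script below is an added example, not part of the original manual or of either vendor's tooling; it parses both listings and performs that comparison, and flags DES or MD5 when that is what was negotiated. The parsers are written for the output shapes shown on this page; the sample listings are constructed from the page's figures with approximate column spacing, and the four SAs they name (manual and IKE cases) are the ones shown in sections 4.2 and 4.3.

```python
"""Cross-check IPsec SA state between ScreenOS `get sa` and Comware `dis ipsec sa` (added example)."""
import re

# One ScreenOS `get sa` row: HEX ID<dir> Gateway Port Algorithm SPI Life:sec kb Sta ...
# The port may appear with a leading '-' in captured output, so that is tolerated.
NS_ROW = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>[\d.]+)\s+-?(?P<port>\d+)\s+"
    r"(?P<proto>esp|ah):\s*(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+(?P<spi>[0-9a-f]{8})\s+"
    r"(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+(?P<sta>\S+)",
    re.IGNORECASE,
)
WEAK = {"des": "56-bit DES", "md5": "HMAC-MD5"}


def _alg(name):
    """Normalise algorithm names so 'DES' == 'des' and 'sha' == 'sha1'."""
    n = name.lower()
    return {"sha": "sha1", "sha-1": "sha1"}.get(n, n)


def parse_screenos_get_sa(text):
    """Return {'in': sa, 'out': sa} from a `get sa` or `get sa act` listing.
    '<' rows are SAs the NetScreen receives on, '>' rows are SAs it sends on."""
    sas = {}
    for line in text.splitlines():
        m = NS_ROW.match(line.strip())
        if m:
            sas["in" if m["dir"] == "<" else "out"] = {
                "spi": int(m["spi"], 16),
                "enc": _alg(m["enc"]),
                "auth": _alg(m["auth"]),
                "manual": m["sta"].upper().startswith("M"),  # M/- manual key, A/- active IKE SA
            }
    return sas


def parse_comware_dis_ipsec_sa(text):
    """Return {'in': sa, 'out': sa} from a `dis ipsec sa` listing."""
    sas, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[inbound"):
            cur = "in"
        elif s.startswith("[outbound"):
            cur = "out"
        elif cur and s.startswith("spi:"):
            sas.setdefault(cur, {})["spi"] = int(re.match(r"spi:\s*(\d+)", s).group(1))
        elif cur and s.startswith("proposal:"):
            m = re.search(r"ESP-ENCRYPT-(\S+)\s+ESP-AUTH-(\S+)", s)
            sas.setdefault(cur, {}).update(enc=_alg(m.group(1)), auth=_alg(m.group(2)))
    return sas


def cross_check(ns_text, sp_text):
    """Compare the two listings; return a list of findings (empty = consistent and strong)."""
    ns, sp = parse_screenos_get_sa(ns_text), parse_comware_dis_ipsec_sa(sp_text)
    findings = []
    for ns_dir, sp_dir in (("in", "out"), ("out", "in")):
        a, b = ns.get(ns_dir), sp.get(sp_dir)
        if not a or not b or "spi" not in b:
            findings.append(f"missing SA: NetScreen {ns_dir} / SecPath {sp_dir}")
            continue
        if a["spi"] != b["spi"]:
            findings.append(f"SPI mismatch: NetScreen {ns_dir} 0x{a['spi']:08x} vs SecPath {sp_dir} 0x{b['spi']:08x}")
        for k in ("enc", "auth"):
            if a[k] != b.get(k):
                findings.append(f"{k} mismatch: NetScreen {a[k]} vs SecPath {b.get(k)}")
    for alg in sorted({sa[k] for sa in ns.values() for k in ("enc", "auth")} & WEAK.keys()):
        findings.append(f"weak algorithm negotiated: {WEAK[alg]}")
    return findings


# Constructed from 4.3.3 / 4.3.4 (manual key): the SPIs mirror exactly.
MANUAL_NS = """\
ns-500-> get sa
total configured sa: 1
HEX ID    Gateway    Port Algorithm    SPI      Life:sec kb  Sta PID vsys
00000001< 12.1.1.2   500  esp: des/md5 0000d431 n/a      n/a M/-  3   0
00000001> 12.1.1.2   500  esp: des/md5 00003039 n/a      n/a M/-  2   0
"""
MANUAL_SP = """\
  [inbound ESP SAs]
    spi: 12345 (0x3039)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  [outbound ESP SAs]
    spi: 54321 (0xd431)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
"""
# Constructed from 4.2.3 / 4.2.4 (IKE): the listings come from different SA
# generations, so the SPIs do not pair up and the check reports it.
IKE_NS = """\
00000002< 12.1.1.2   500  esp: des/md5 743a4ae1 3574 1799M A/-  3   0
00000002> 12.1.1.2   500  esp: des/md5 3d9d264f 3574 1799M A/-  2   0
"""
IKE_SP = """\
  [inbound ESP SAs]
    spi: 1809669894 (0x6bdd5f06)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  [outbound ESP SAs]
    spi: 1949977312 (0x743a4ae0)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
"""

if __name__ == "__main__":
    for name, ns, sp in (("manual", MANUAL_NS, MANUAL_SP), ("ike", IKE_NS, IKE_SP)):
        print(name, cross_check(ns, sp) or ["consistent"])
```

For the manual-key pair the only findings are the two weak-algorithm warnings; for the IKE pair it additionally reports both SPI mismatches, which is the cue to re-capture the two listings at the same moment before concluding anything about the tunnel.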

4.4 NetScreen-500 policy-based, dynamic configuration; SecPath-1000 IKE auto-negotiation; default parameters

4.4.1 Juniper NetScreen-500 configuration

Quoted arguments lost in extraction are shown as "…". Compared with 4.2.1 the IKE gateway is set and then partly unset, the VPN uses the `compatible` security level, and a tunnel.1 interface has been added.

ns-500-> get config
Total Config size 3060:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "…" …
set auth-server "…" …
set auth-server "…" …
set auth default auth server "…"
set admin name "…"
set admin password "…"
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server "…"
set admin format dos
set zone "…" …                          (19 zone lines)
unset zone "…" …
set interface "…" …                     (3 lines)
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
set interface tunnel.1 ip unnumbered interface ethernet3/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address "…" …
set address "…" …
set ike gateway "…" …
unset ike gateway "…" …
set ike respond-bad-spi 1
set vpn "…" … compatible
set vpn "…" …
set pki authority default scep mode "…"
set pki x509 default cert-path partial
set policy id 3 name "…" …
set policy id 2 name "…" …
set policy id 1 from "…" …
set vpn "…" …
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "…"
exit
set vrouter "…"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit

4.4.2 Quidway SecPath-1000 configuration

dis cur
#
 sysname SecPath-1000
#
 ike local-name SecPath-1000
#
ike peer peer
 exchange-mode aggressive
 pre-shared-key vpn
 id-type name
 remote-name NetScreen-500
 remote-address 12.1.1.1
#
ipsec proposal vpn
#
ipsec policy vpnmap 10 isakmp
 security acl 3000
 ike-peer peer
 proposal vpn
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 speed 100
 duplex full
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 speed 100
 duplex full
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

What changes on the SecPath in this case is the IKE peer: aggressive mode with a pre-shared key and name-based identities (`ike local-name SecPath-1000`, `id-type name`, `remote-name NetScreen-500`), which is what allows a peer to be identified by name rather than by address. Aggressive mode sends the identities in the clear and the PSK-based authentication hash before the exchange is encrypted, so anyone who captures the three IKE messages can run an offline dictionary attack on the pre-shared key; a key as short as the `vpn` used in this lab would fall immediately. Use main mode wherever the peer address is fixed, and a long random PSK or certificates where aggressive mode cannot be avoided.

4.4.3 Juniper NetScreen-500 output

ns-500-> ping
Target IP address: 20.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Source interface: e1/1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 20.2.2.2, timeout is 2 seconds from ethernet1/1
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/3 ms

ns-500-> get sa
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000004<  12.1.1.2   -500  esp: des/md5  990675ab  3417      1799M  A/-  3    0
00000004>  12.1.1.2   -500  esp: des/md5  943be7ec  3417      1799M  A/-  2    0

ns-500-> get sa act
Total active sa: 1
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000004<  12.1.1.2   -500  esp: des/md5  990675ab  3413      1799M  A/-  3    0
00000004>  12.1.1.2   -500  esp: des/md5  943be7ec  3413      1799M  A/-  2    0

ns-500-> get sa stat
total configured sa: 1
HEX ID     Gateway    Fragment  Auth-Fail  Other  Totalbytes
00000004<  12.1.1.2   0         0          0      640
00000004>  12.1.1.2   0         0          0      920

4.4.4 Quidway SecPath-1000 output

ping -a 20.2.2.2 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=64 time=30 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=64 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=64 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=64 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=64 time=10 ms

  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/8/30 ms

dis ike sa
  connection-id  peer      flag   phase  doi
  ----------------------------------------------------------
    14           12.1.1.1  RD|ST  2      IPSEC
    13           12.1.1.1  RD|ST  1      IPSEC
  flag meaning
  RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

dis ipsec sa
===============================
Interface: GigabitEthernet0/0
  path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "…"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 14
    encapsulation mode: tunnel
    tunnel local : 12.1.1.2    tunnel remote: 12.1.1.1
    [inbound ESP SAs]
      spi: 1883473128 (0x704384e8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 4294966684/3559
      max received sequence-number: 9
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]

dis ipsec stat
  the security packet statistics:
    input/output security packets: 5/5
    input/output security bytes: 680/420
    input/output dropped security packets: 0/0
    dropped security packet detail:
      no enough memory: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      wrong SA: 0

4.5 NetScreen-500 policy-based, IKE auto-negotiation; SecPath-1000 dynamic configuration; default parameters

4.5.1 Juniper NetScreen-500 configuration

Quoted arguments lost in extraction are shown as "…". This is the 4.4.1 configuration with the IKE gateway left in place (no `unset ike gateway`).

ns-500-> get config
Total Config size 2974:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "…" …
set auth-server "…" …
set auth-server "…" …
set auth default auth server "…"
set admin name "…"
set admin password "…"
set admin scs password disable username cisco
set admin auth timeout 10
set admin auth server "…"
set admin format dos
set zone "…" …                          (19 zone lines)
unset zone "…" …
set interface "…" …                     (3 lines)
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet3/1 ip 12.1.1.1/24
set interface ethernet3/1 route
unset interface vlan1 ip
set interface mgt ip 10.153.102.187/23
set interface tunnel.1 ip unnumbered interface ethernet3/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/1 ip manageable
set interface ethernet3/1 manage ping
set console timeout 0
set hostname ns-500
set address "…" …
set address "…" …
set ike gateway "…" …
set ike respond-bad-spi 1
set vpn "…" … compatible
set vpn "…" …
set pki authority default scep mode "…"
set pki x509 default cert-path partial
set policy id 3 name "…" …
set policy id 2 name "…" …
set policy id 1 from "…" …
set vpn "…" …
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "…"
exit
set vrouter "…"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3/1
exit

4.5.2 Quidway SecPath-1000 configuration

dis cur
#
 sysname SecPath-1000
#
 ike local-name SecPath-1000
#
ike peer peer
 pre-shared-key vpn
#
ipsec proposal vpn
#
ipsec policy-template temp 10
 ike-peer peer
 proposal vpn
#
ipsec policy vpnmap 10 isakmp template temp
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 speed 100
 duplex full
 ip address 12.1.1.2 255.255.255.0
 ipsec policy vpnmap
#
interface GigabitEthernet0/1
 speed 100
 duplex full
 ip address 20.2.2.2 255.255.255.0
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 20.2.2.2 0 destination 10.1.1.1 0
 rule 1 deny ip
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

Here the SecPath is the dynamic side: `ipsec policy vpnmap 10 isakmp template temp` binds a policy template that names neither a remote address nor a security ACL (acl 3000 is still defined but is not referenced by the template). A template policy can only respond, so the tunnel has to be initiated from the NetScreen, and the selectors it protects are whatever the initiator proposes; the `flow source` / `flow destination` lines in 4.5.4 show the pair it accepted. That is convenient for peers whose address is not known in advance, but with a single pre-shared key and no ACL on the template, any peer holding that key can negotiate any selectors, so restrict the template or use per-peer credentials outside a lab.

4.5.3 Juniper NetScreen-500 output

ns-500-> get sa
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000004<  12.1.1.2   -500  esp: des/md5  9fd739f5  3571      1799M  A/-  3    0
00000004>  12.1.1.2   -500  esp: des/md5  fe1ddd65  3571      1799M  A/-  2    0

ns-500-> get sa act
Total active sa: 1
total configured sa: 1
HEX ID     Gateway    Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
00000004<  12.1.1.2   -500  esp: des/md5  9fd739f5  3567      1799M  A/-  3    0
00000004>  12.1.1.2   -500  esp: des/md5  fe1ddd65  3567      1799M  A/-  2    0

ns-500-> get sa stat
total configured sa: 1
HEX ID     Gateway    Fragment  Auth-Fail  Other  Totalbytes
00000004<  12.1.1.2   0         0          0      512
00000004>  12.1.1.2   0         0          0      736

4.5.4 Quidway SecPath-1000 output

dis ike sa
  connection-id  peer      flag  phase  doi
  ----------------------------------------------------------
    3            12.1.1.1  RD    2      IPSEC
    2            12.1.1.1  RD    1      IPSEC
  flag meaning
  RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

dis ipsec sa
  -----------------------------
  IPsec policy name: "…"
  sequence number: 10
  mode: template
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    tunnel local : 12.1.1.2    tunnel remote: 12.1.1.1
    flow source: 20.2.2.2/255.255.255.255 0/0
    flow destination: 10.1.1.1/255.255.255.255 0/0
    [inbound ESP SAs]
      spi: 2789510093 (0xa6448bcd)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435756/3223
      max received sequence-number: 9
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2681682419 (0x9fd739f3)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435648/3223
      max sent sequence-number: 10
      udp encapsulation used for nat traversal: N

dis ipsec stat
  the security packet statistics:
    input/output security packets: 5/5
    input/output security bytes: 920/640
    input/output dropped security packets: 0/0
    dropped security packet detail:
      no enough memory: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      wrong SA: 0
