第七部分第二十章:虚拟专用网互联网协议安全性:基于策略的 VPN
一、基于策略的 VPN 拓扑
二、基于策略的 VPN
-------------------------------------------------------------------------------------------
/* Local (inside) interface: the 10.0.0.0/24 "sunnyval" subnet that the tunnel policies below protect. */
interfaces {
em0 {
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
/* Internet-facing interface; also the IKE external-interface of gateway gw-chicago (peer 202.0.0.2 is on this /24). */
em1 {
unit 0 {
family inet {
address 202.0.0.1/24;
}
}
}
}
-------------------------------------------------------------------------------------------
/* Default route out of em1. The next hop is the same 202.0.0.2 that gw-chicago peers with, so IKE/ESP
   leave via em1. No route for the remote 192.168.0.0/24 is configured: in a policy-based VPN that
   traffic also follows this default route and is diverted into the tunnel by the security policy. */
routing-options {
static {
route 0.0.0.0/0 next-hop 202.0.0.2;
}
}
-------------------------------------------------------------------------------------------
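security {
    ike {
        /* Phase 1 (IKE SA) parameters. group2 is 1024-bit MODP and sha1 is a legacy hash; they are
           kept because the Chicago peer must offer the same values, but both ends should move to
           group14 (or stronger) and sha-256 together. */
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            /* "$9$" is Junos' reversible obfuscation, not a hash: anyone who can read this configuration
               can recover the pre-shared key, so the file itself must be handled as a secret. */
            pre-shared-key ascii-text "$9$m5zntu1ylM/ClM8XbwmfT"; ## SECRET-DATA
        }
        /* Remote peer (Chicago site), reached through em1.0. */
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 202.0.0.2;
            external-interface em1.0;
        }
    }
    ipsec {
        /* Phase 2 (IPsec SA) parameters; same legacy-algorithm remark as Phase 1 applies to hmac-sha1-96. */
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-phase2-policy {
            /* PFS re-keys Phase 2 with a fresh DH exchange (again group2, see above). */
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        /* Policy-based VPN: no bind-interface (st0) is used, so traffic enters this tunnel only when a
           security policy below names it. The token "vpn" had been replaced by "***" in the original
           listing; it is restored here so the stanza parses. */
        vpn ike-vpn-chicago {
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
        }
    }
    address-book {
        /* Local protected subnet. The zone is named "trunst" everywhere in this listing (a likely typo
           for "trust"); the name is kept unchanged because every reference agrees and interface
           bindings outside this listing may use it. */
        book1 {
            address sunnyval 10.0.0.0/24;
            attach {
                zone trunst;
            }
        }
        /* Remote subnet behind the Chicago peer. */
        book2 {
            address chicago 192.168.0.0/24;
            attach {
                zone untrust;
            }
        }
    }
    flow {
        tcp-mss {
            /* Clamp the TCP MSS of tunnelled flows so ESP/IP overhead does not push packets past the path
               MTU and force fragmentation. */
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    policies {
        /* Policies are evaluated top-down, first match wins: the tunnel policy must stay ahead of
           permit-any, otherwise VPN-bound traffic would leave in the clear via the default route. */
        from-zone trunst to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address sunnyval;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                            pair-policy vpn-untr-tr;
                        }
                    }
                }
            }
            /* Catch-all outbound permit: any source, any destination, any application. Narrow it if
               unrestricted egress from the inside network is not intended. */
            policy permit-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Return direction of the same tunnel; pair-policy links the two tunnel policies that reference
           the same VPN, one per direction. */
        from-zone untrust to-zone trunst {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyval;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                            pair-policy vpn-tr-untr;
                        }
                    }
                }
            }
        }
    }
    zones {
        /* Only IKE is accepted by the device itself on the Internet side; management services stay
           closed toward untrust. */
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
        }
        /* "all" opens every system service of the device to hosts in this zone; prefer listing only the
           services actually needed. NOTE(review): neither zone carries an interfaces stanza in this
           listing - confirm em0.0 / em1.0 are bound to trunst / untrust elsewhere, since an unbound
           interface does not pass traffic. */
        security-zone trunst {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}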
转载于:https://blog.51cto.com/theelephant/1544192