SSG140-SB点对点基于策略VPN自动密钥IKE

JuniperSSG140-SB点对点基于策略VPN.自动密钥IKE2009-12-2322:28:24实验环境:公司游戏上线，需要搭建一条VPN通道供认证与计费系统对不同地区内部通信，还有日常维护服务器也是通过VPN连接.从此达到一个安全加密的环境解决方案：采用JunipernetscreenSSG140-SB自动VPN功能来解决这个问题，由于要架设很多点，设置几乎都一样，就以上海机房与长春机房做个范例步骤如下:1.定义Trust与Untrust接口IP地址。2.为本地及远程端生成通讯ip地址段。3.定义远程网关4.创建“自动密钥IKEVPN”。5.设置到外部路由器的缺省路由。6.配置策略。实验图WebUI(上海IDC)1.接口NetworkInterfacesethernet0/0Edit输入以下内容后单击OK:ZoneName:TrustStaticIP:（选择）Address/Netmask:10.1.1.1/24InterfaceMode:NATNetworkInterfacesethernet0/1EditZoneName:UntrustStaticIP:IPAddress/Netmask:1.1.1.1/24InterfaceMode:Route2.地址PolicyPolicyElementsAddressesListNew输入以下内容后单击OK:AddressName:SH-IDCIPAddress/DomainName:IP/Netmask:(选择)10.1.1.0/24Zone:TrustPolicyPolicyElementsAddressesListNew:输入以下内容后单击OK:AddressName:CC-IDCIPAddress/DomainName:IP/Netmask:(选择),10.2.2.0/24Zone:Untrust3.VPNVPNsAutoKeyAdvancedGatewayNew:输入以下内容后单击OK:GatewayName:CC-IDCVersion：（选择）IKEv1RemoteGatewayType:StaticIPAddress:(选择),IPAddress/Hostname:2.2.2.254点Advanced—PresharedKey：shanghai_vpn_changchun(必须要8位及以上，因为netscreenremoteclient要求必须8位以上)SecurityLevelPredefinedStandardMode(Initiator)Main(IDProtection)AggressivePeerStatusDetection（设置VPN自动连接）HeartbeatHello30Seconds(1~3600,0:disable)Reconnect60Seconds(60~9999,0:default)Threshold5(2-9999)ReturnVPNsAutoKeyIKENew:输入以下内容，然后单击OK:VPNName:SH-IDC_TO_CC-IDCRemoteGateway:Predefined:(选择),CC-IDC点Advanced—SecurityLevelPredefinedStandardCompatibleBasicReturn4.路由NetworkRoutingRoutingEntriestrust-vrNew:输入以下内容，然后单击OK:NetworkAddress/Netmask:0.0.0.0/0Gateway:(选择)Interface:ethernet0/1GatewayIPAddress:1.1.1.2545.策略Policies(From:Trust,To:Untrust)New:输入以下内容，然后单击OK:Name:SourceAddress:AddressBookEntry:(选择),SH-IDCDestinationAddress:AddressBookEntry:(选择),CC-IDCService:ANYAction:TunnelTunnelVPN:SH-IDC_TO_CC-IDCModifymatchingbidirectionalVPNpolicy:(选择打勾)PositionatTop:(选择)WebUI(长春IDC)1.接口NetworkInterfacesethernet0/0Edit输入以下内容后单击OK:ZoneName:TrustStaticIP:（选择）Address/Netmask:10.2.2.2/24InterfaceMode:NATNetworkInterfacesethernet0/1EditZoneName:UntrustStaticIP:IPAddress/Netmask:2.2.2.2/24InterfaceMode:Route2.地址PolicyPolicyElementsAddressesListNew输入以下内容后单击OK:AddressName:CC-IDCIPAddress/DomainName:IP/Netmask:(选择)10.2.2.0/24Zone:TrustPolicyPolicyElementsAddressesListNew:输入以下内容后单击OK:AddressName:SH-IDCIPAddress/DomainName:IP/Netmask:(选择),10.1.1.0/24Zone:Untrust3.VPNVPNsAutoKeyAdvancedGatewayNew:输入以下内容后单击OK:GatewayName:SH-IDCVersion：（选择）IKEv1RemoteGatewayType:StaticIPAddress:(选择),IPAddress/Hostname:1.1.1.254点Advanced—PresharedKey：shanghai_vpn_changchun(必须要8位及以上，因为netscreenremoteclient要求必须8位以上)SecurityLevelPredefinedStandardMode(Initiator)Main(IDProtection)AggressivePeerStatusDetection（设置VPN自动连接）HeartbeatHello30Seconds(1~3600,0:disable)Reconnect60Seconds(60~9999,0:default)Threshold5(2-9999)ReturnVPNsAutoKeyIKENew:输入以下内容，然后单击OK:VPNName:SH-IDC_TO_CC-IDCRemoteGateway:Predefined:(选择),SH-IDC点Advanced—SecurityLevelPredefinedStandardCompatibleBasicReturn4.路由NetworkRoutingRoutingEntriestrust-vrNew:输入以下内容，然后单击OK:NetworkAddress/Netmask:0.0.0.0/0Gateway:(选择)Interface:ethernet0/1GatewayIPAddress:2.2.2.2545.策略Policies(From:Trust,To:Untrust)New:输入以下内容，然后单击OK:Name:SourceAddress:AddressBookEntry:(选择),CC-IDCDestinationAddress:AddressBookEntry:(选择),SH-IDCService:ANYAction:TunnelTunnelVPN:SH-IDC_TO_CC-IDCModifymatchingbidirectionalVPNpolicy:(选择打勾)PositionatTop:(选择)本文出自“技术在于折腾”博客，请务必保留此出处