Lab environment:
The company is launching a game and needs a VPN tunnel so that the authentication and billing systems in different regions can talk to each other over an internal network; day-to-day server maintenance is also done through the VPN. The goal is an encrypted, authenticated path between sites.
Solution: use the AutoKey IKE VPN feature of the Juniper NetScreen SSG140-SB. Many sites have to be connected and the configuration is almost identical everywhere, so the Shanghai and Changchun data centres (IDCs) are used as the worked example.
Steps:
1. Define the IP addresses of the Trust and Untrust interfaces.
2. Create address book entries for the local and remote subnets.
3. Define the remote gateway.
4. Create the AutoKey IKE VPN.
5. Set the default route to the external router.
6. Configure the policies.
Lab topology diagram

WebUI (Shanghai IDC)
1. Interfaces
Network > Interfaces > ethernet0/0 > Edit: enter the following, then click OK:
Zone Name: Trust
Static IP: (select) IP Address/Netmask: 10.1.1.1/24
Interface Mode: NAT
Network > Interfaces > ethernet0/1 > Edit: enter the following, then click OK:
Zone Name: Untrust
Static IP: (select) IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
2. Addresses
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: SH-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.1.1.0/24
Zone: Trust
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: CC-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.2.2.0/24
Zone: Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: enter the following, then click OK:
Gateway Name: CC-IDC
Version: (select) IKEv1
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 2.2.2.2 (the Untrust interface address of the Changchun firewall itself, not the 2.2.2.254 ISP router in front of it)
Click Advanced > Preshared Key: shanghai_***_changchun (the key must be 8 characters or longer, because NetScreen-Remote clients require at least 8). The pre-shared key is the only thing that authenticates the peer, so in production use a long random string rather than a guessable phrase built from the site names, and load the identical key on both firewalls.
Security Level > Predefined > Standard
Mode (Initiator): Main (ID Protection). Aggressive mode is only needed when the remote peer has a dynamic address; both peers here have static addresses.
Return
VPNs > AutoKey IKE > New: enter the following, then click OK:
VPN Name: SH-IDC_TO_CC-IDC
Remote Gateway: Predefined: (select), CC-IDC
Click Advanced > Security Level: Predefined: Standard (the other choices offered are Compatible and Basic; Standard must match what was chosen on the gateway)
Return
4. Routing
Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet0/1
Gateway IP Address: 1.1.1.254
5. Policies
Policies > (From: Trust, To: Untrust) New: enter the following, then click OK:
Name:
Source Address:
Address Book Entry: (select), SH-IDC
Destination Address:
Address Book Entry: (select), CC-IDC
Service: ANY
Action: Tunnel
Tunnel VPN: SH-IDC_TO_CC-IDC
Modify matching bidirectional VPN policy: (check)
Position at Top: (select)
WebUI (Changchun IDC)
1. Interfaces
Network > Interfaces > ethernet0/0 > Edit: enter the following, then click OK:
Zone Name: Trust
Static IP: (select) IP Address/Netmask: 10.2.2.2/24
Interface Mode: NAT
Network > Interfaces > ethernet0/1 > Edit: enter the following, then click OK:
Zone Name: Untrust
Static IP: (select) IP Address/Netmask: 2.2.2.2/24
Interface Mode: Route
2. Addresses
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: CC-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.2.2.0/24
Zone: Trust
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: SH-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.1.1.0/24
Zone: Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: enter the following, then click OK:
Gateway Name: SH-IDC
Version: (select) IKEv1
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 1.1.1.1 (the Untrust interface address of the Shanghai firewall itself, not the 1.1.1.254 ISP router in front of it)
Click Advanced > Preshared Key: shanghai_***_changchun (must be identical to the key entered on the Shanghai side, and 8 characters or longer because NetScreen-Remote clients require at least 8)
Security Level > Predefined > Standard
Mode (Initiator): Main (ID Protection), matching the Shanghai side
Return
VPNs > AutoKey IKE > New: enter the following, then click OK:
VPN Name: SH-IDC_TO_CC-IDC
Remote Gateway: Predefined: (select), SH-IDC
Click Advanced > Security Level: Predefined: Standard (the other choices offered are Compatible and Basic; both ends must use the same level)
Return
4. Routing
Network > Routing > Routing Entries > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet0/1
Gateway IP Address: 2.2.2.254
5. Policies
Policies > (From: Trust, To: Untrust) New: enter the following, then click OK:
Name:
Source Address:
Address Book Entry: (select), CC-IDC
Destination Address:
Address Book Entry: (select), SH-IDC
Service: ANY
Action: Tunnel
Tunnel VPN: SH-IDC_TO_CC-IDC
Modify matching bidirectional VPN policy: (check)
Position at Top: (select)
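The same two procedures expressed as ScreenOS CLI, generated for both sites from one description so the halves cannot drift apart. This is an added example, not code from the original post or from Juniper: the Site dataclass, its field names, the check_peer() rules and the random key generator are this example's own, and the constructed site values are the ones used on the page. The command strings follow the ScreenOS syntax of set interface, set address, set ike gateway, set vpn, set route and set policy ... pair-policy (the CLI form of the WebUI's "modify matching bidirectional VPN policy" checkbox). check_peer() flags the mistake of dialling the ISP router's address instead of the peer firewall's Untrust address.

```python
"""ScreenOS site-to-site AutoKey IKE VPN: generate both halves and cross-check them.

Added example; Site, check_peer() and make_psk() are this example's own names.
Site data below is constructed from the values used on the page.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str         # address-book name both peers use for this site's LAN
    trust_if: str     # inside interface (Trust zone)
    trust_ip: str     # inside interface address, e.g. 10.1.1.1/24
    lan: str          # inside subnet carried through the tunnel
    untrust_if: str   # outside interface (Untrust zone)
    untrust_ip: str   # outside interface address, e.g. 1.1.1.1/24
    isp_gateway: str  # next hop of the 0.0.0.0/0 route


SH_IDC = Site("SH-IDC", "ethernet0/0", "10.1.1.1/24", "10.1.1.0/24",
              "ethernet0/1", "1.1.1.1/24", "1.1.1.254")
CC_IDC = Site("CC-IDC", "ethernet0/0", "10.2.2.2/24", "10.2.2.0/24",
              "ethernet0/1", "2.2.2.2/24", "2.2.2.254")
VPN_NAME = "SH-IDC_TO_CC-IDC"


def host_of(prefix: str) -> str:
    """'2.2.2.2/24' -> '2.2.2.2': the address the other peer must dial."""
    return prefix.split("/", 1)[0]


def make_psk(nbytes: int = 32) -> str:
    """Random pre-shared key; the PSK is the only peer authentication here."""
    return secrets.token_urlsafe(nbytes)


def check_psk(psk: str) -> None:
    """ScreenOS / NetScreen-Remote reject keys shorter than 8 characters."""
    if len(psk) < 8:
        raise ValueError("pre-shared key must be at least 8 characters")


def check_peer(local: Site, remote: Site, dialled: str) -> list[str]:
    """Sanity checks on one side's remote-gateway entry; [] means clean."""
    problems = []
    if dialled != host_of(remote.untrust_ip):
        problems.append(f"{local.name} dials {dialled}, but {remote.name}'s "
                        f"Untrust address is {host_of(remote.untrust_ip)}")
    if dialled == remote.isp_gateway:
        problems.append(f"{dialled} is {remote.name}'s ISP router, not its firewall")
    if local.lan == remote.lan:
        problems.append("both LANs use the same prefix; proxy-IDs would overlap")
    return problems


def screenos_config(local: Site, remote: Site, psk: str,
                    vpn_name: str = VPN_NAME) -> list[str]:
    """One firewall's configuration, in the order of the WebUI steps."""
    check_psk(psk)
    peer = host_of(remote.untrust_ip)
    bad = check_peer(local, remote, peer)
    if bad:
        raise ValueError("; ".join(bad))
    return [
        # 1. interfaces
        f"set interface {local.trust_if} zone trust",
        f"set interface {local.trust_if} ip {local.trust_ip}",
        f"set interface {local.trust_if} nat",
        f"set interface {local.untrust_if} zone untrust",
        f"set interface {local.untrust_if} ip {local.untrust_ip}",
        f"set interface {local.untrust_if} route",
        # 2. address book
        f"set address trust {local.name} {local.lan}",
        f"set address untrust {remote.name} {remote.lan}",
        # 3. IKE gateway (static peer, so Main mode) and AutoKey IKE VPN
        f'set ike gateway {remote.name} address {peer} main '
        f'outgoing-interface {local.untrust_if} preshare "{psk}" sec-level standard',
        f"set vpn {vpn_name} gateway {remote.name} sec-level standard",
        # 4. default route
        f"set route 0.0.0.0/0 interface {local.untrust_if} gateway {local.isp_gateway}",
        # 5. paired policies = WebUI "modify matching bidirectional VPN policy"
        f"set policy id 1 from trust to untrust {local.name} {remote.name} any "
        f"tunnel vpn {vpn_name} pair-policy 2",
        f"set policy id 2 from untrust to trust {remote.name} {local.name} any "
        f"tunnel vpn {vpn_name} pair-policy 1",
        "save",
    ]


if __name__ == "__main__":
    psk = make_psk()  # the same key goes on both firewalls
    for local, remote in ((SH_IDC, CC_IDC), (CC_IDC, SH_IDC)):
        print(f"# ---- {local.name} ----")
        print("\n".join(screenos_config(local, remote, psk)))
    # What the page's original remote-gateway value would have produced:
    print(check_peer(SH_IDC, CC_IDC, "2.2.2.254"))
```

Run it and paste each block into the matching firewall's console. Everything outside the pre-shared key is derived from the Site records, so the proxy-IDs (the address-book pair), the VPN name and the security level are mirrored by construction; check_peer() is what catches a remote gateway pointed at the upstream router.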
Reposted from: https://blog.51cto.com/xiaoqu/533417