Juniper SRX NHTB (Next-Hop Tunnel Binding) VPN Configuration






NHTB lets a single network device use only one VPN tunnel interface to establish VPN connections with several other network devices.

The difference between Multi-proxy and NHTB: with Multi-proxy, two devices establishing a VPN connection each have several subnets behind them, and those subnets communicate with one another through a single VPN tunnel.
 
Benefits of using NHTB on the Juniper SRX:
It reduces system overhead and lowers configuration and maintenance cost. On large networks, a VPN design that combines NHTB with OSPF shows an even clearer benefit.
Take the case introduced next: four firewalls must build VPN connections, each has three subnets, and every subnet must be reachable from every other, as shown in the VPN topology diagram below. Without NHTB, each firewall would have to create 27 tunnels and 27 VPN definitions; with NHTB, each firewall needs only 1 tunnel interface and 3 VPN definitions. That removes a great deal of tedious, repetitive configuration and makes maintenance noticeably simpler.
PS: how the tunnel count above is derived: one firewall has 3 subnets, so a VPN between two firewalls needs 3*3 = 9 tunnels, and connecting to the other three firewalls needs 9*3 = 27 VPN tunnels in total.

You can also refer to the related links:

For configuration cases, see the following Juniper links:



Normally you must bind each VPN connection to its own tunnel interface; that is, with 5 VPN connections you would have to create 5 tunnel interfaces for them. You can, however, bind multiple IPsec VPN tunnels to a single tunnel interface. To do this, the security device uses two tables: the routing table and the Next-Hop Tunnel Binding (NHTB) table. The purpose is to map the next-hop gateway IP address given in a routing-table entry on the security device to the specific VPN tunnel named in the NHTB table. With this technique a single tunnel interface can carry many VPN tunnels.
For example, the routing-table entry 192.168.2.0/24 might specify 1.1.100.2 as its next-hop gateway, where 1.1.100.2 is the tunnel-interface IP address of the remote IKE peer. The CLI commands are:
set vrouter trust-vr route 192.168.2.0/24 interface tunnel.1 gateway 1.1.100.2  ==> SSG5 command
set route 192.168.2.0/24 interface tunnel.1 gateway 1.1.100.2  ==> SSG5 command
set routing-options static route 192.168.2.0/24 next-hop st0.0        ==> SRX command

When the security device receives traffic for 192.168.2.0/24, the routing table points at the tunnel interface tunnel.1, but by itself it does not say which VPN tunnel to use. If only one VPN tunnel is bound to tunnel.1, naming the tunnel interface is enough. If several VPN tunnels are bound to that interface, a link between the route and one specific tunnel is needed, and the NHTB table provides that link. The NHTB CLI commands for this example are:
set interface tunnel.1 nhtb 1.1.100.2 vpn "Site4-Site2"                      ==> SSG5 command
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2   ==> SRX command
Here "vpn1" (named "Site4-Site2" in the commands above) is the name of the VPN tunnel to the remote IKE peer whose internal subnet is 192.168.2.0/24 and which uses the unique IP address 1.1.100.2. The routing-table entry and the NHTB entry share that address, so the security device can forward traffic destined for 192.168.2.0/24 to tunnel.1 and explicitly select the VPN tunnel "Site4-Site2".
The VPN topology diagram is shown below:


The related environment configuration:
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.13/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.10.1/24
set interfaces fe-0/0/6 unit 0 family inet address 192.168.11.1/24
set interfaces fe-0/0/7 unit 0 family inet address 192.168.12.1/24
set interfaces st0 unit 0 family inet address 1.1.100.4/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.188.178


Site4-to-Site2 VPN configuration (shows the Site2 IP 192.168.188.11 that the NHTB entry refers to):
set security ike proposal srx-ike-proposal authentication-method pre-shared-keys
set security ike proposal srx-ike-proposal dh-group group2
set security ike proposal srx-ike-proposal authentication-algorithm md5
set security ike proposal srx-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal srx-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_srx-to-srx mode main
set security ike policy ike_pol_srx-to-srx proposals srx-ike-proposal
set security ike policy ike_pol_srx-to-srx pre-shared-key ascii-text "netscreen"
set security ike gateway Site2_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site2_GW address 192.168.188.11
set security ike gateway Site2_GW dead-peer-detection
set security ike gateway Site2_GW no-nat-traversal
set security ike gateway Site2_GW external-interface fe-0/0/0.0
set security ike gateway Site2_GW version v1-only
set security ipsec proposal srx-ipsec-proposal protocol esp
set security ipsec proposal srx-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal srx-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal srx-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_srx-to-srx proposals srx-ipsec-proposal
set security ipsec vpn Site4-to-Site2 bind-interface st0.0
set security ipsec vpn Site4-to-Site2 vpn-monitor optimized
set security ipsec vpn Site4-to-Site2 ike gateway Site2_GW
set security ipsec vpn Site4-to-Site2 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site4-to-Site2 establish-tunnels immediately



The SRX NHTB configuration follows.
-------- SRX NHTB configuration, Site 4 ---------
## This SRX is Site4. WAN IP: 192.168.188.13, st0.0 IP: 1.1.100.4/32
set interfaces st0 unit 0 multipoint     ## bind multiple IPsec VPN tunnels to the single tunnel interface
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.1 ipsec-vpn Site4-to-Site1  ## (Site1 WAN IP 192.168.188.10) map the next-hop IP to the VPN tunnel
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2  ## (Site2 WAN IP 192.168.188.11; that IP lives in the VPN gateway configuration, so it does not appear here)
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.3 ipsec-vpn Site4-to-Site3  ## (Site3 WAN IP 192.168.188.12)
set routing-options static route 192.168.1.0/24 next-hop st0.0  ## remote subnets are sent out through tunnel st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.5.0/24 next-hop st0.0
set routing-options static route 192.168.2.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set routing-options static route 192.168.6.0/24 next-hop st0.0
set routing-options static route 192.168.7.0/24 next-hop st0.0
set routing-options static route 192.168.8.0/24 next-hop st0.0
set routing-options static route 192.168.9.0/24 next-hop st0.0

The following command is not required, but it is recommended. The SRX st0.0 tunnel interface defaults to MTU 9192, while the SSG5 tunnel.1 interface defaults to MTU 1500. So once the VPN tunnel between the two comes up, you will find that SRX to SSG5 works while SSG5 to SRX does not. The reason: when the peer's MTU is less than or equal to yours you can accept its traffic, but when the peer's MTU is larger than yours you cannot. So when an SRX builds a VPN tunnel with a non-Junos device, adding this command is recommended, and it is best if you know the peer device's MTU value exactly.
set interfaces st0 unit 0 family inet mtu 1500
-------- SRX NHTB configuration, Site 4 END ---------

-------- SSG5 NHTB configuration, Site 2 --------
## This SSG is Site2. WAN IP: 192.168.188.11, tunnel.1 IP: 1.1.100.2/32
set interface tunnel.1 nhtb 1.1.100.1 vpn "Site2-Site1"  ## (Site1 WAN IP 192.168.188.10) map the next-hop IP toward Site1 to the VPN name
set interface tunnel.1 nhtb 1.1.100.3 vpn "Site2-Site3"  ## (Site3 WAN IP 192.168.188.12; that IP lives in the VPN gateway configuration, so it does not appear here)
set interface tunnel.1 nhtb 1.1.100.4 vpn "Site2-Site4"  ## (Site4 WAN IP 192.168.188.13)
set route 192.168.1.0/24 interface tunnel.1 gateway 1.1.100.1  ## remote subnets go out tunnel.1 toward Site1's tunnel.1 IP
set route 192.168.3.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.4.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.7.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.8.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.9.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.10.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.11.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.12.0/24 interface tunnel.1 gateway 1.1.100.4

The following command is not required and is shown only for illustration: the SSG5 tunnel.1 interface already defaults to MTU 1500, whereas the SRX st0.0 interface defaults to MTU 9192, so it is the SRX side that needs lowering when the two build a VPN tunnel (the same MTU note as in the SRX section above applies: SRX to SSG5 works, SSG5 to SRX does not, until the MTUs match). The output of set interface tunnel.1 mtu ? below shows the accepted range.
set interface tunnel.1 mtu 1500
ssg5-serial-> set interface tunnel.1 mtu ?
<number>             mtu size, <1280-1500>
ssg5-serial->
-------- SSG5 NHTB configuration, Site 2 END --------
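As an added example (not from the original post, and not Juniper's code), the Python below models the two-table lookup described earlier and applied in the Site 4 / Site 2 snippets: it parses SSG5 and SRX NHTB and route lines into a routing table and an NHTB table, resolves a destination to a VPN name by longest-prefix match followed by a gateway lookup, and flags routes that reach a shared tunnel interface without a usable NHTB entry. The sample configurations are constructed from the post's snippets (with one deliberately broken route added), and the parsing is a minimal approximation of the two CLIs, not a full parser.

```python
import ipaddress
import re

# The two CLI dialects the post shows: ScreenOS (SSG5) and Junos (SRX).
SSG_NHTB = re.compile(r'^set interface (\S+) nhtb (\S+) vpn "?([^"]+)"?$')
SSG_ROUTE = re.compile(r'^set route (\S+) interface (\S+) gateway (\S+)$')
SRX_NHTB = re.compile(
    r'^set interfaces (\S+) unit (\d+) family inet next-hop-tunnel (\S+) ipsec-vpn (\S+)$')
SRX_ROUTE = re.compile(r'^set routing-options static route (\S+) next-hop (\S+)$')

# Constructed sample mirroring the post's SSG5 "Site 2" snippet, plus one deliberately
# broken route (gateway 1.1.100.9 has no NHTB entry) to show the failure mode.
SSG5_SAMPLE = """
set interface tunnel.1 nhtb 1.1.100.1 vpn "Site2-Site1"
set interface tunnel.1 nhtb 1.1.100.3 vpn "Site2-Site3"
set interface tunnel.1 nhtb 1.1.100.4 vpn "Site2-Site4"
set route 192.168.1.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.3.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.7.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.10.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.20.0/24 interface tunnel.1 gateway 1.1.100.9
"""

# Constructed sample mirroring the post's SRX "Site 4" next-hop-tunnel lines. The /24
# routes use the gateway-IP form of next-hop (the remote st0 address), which is what the
# NHTB lookup keys on; the /16 route names only the interface, so it cannot pick a tunnel.
SRX_SAMPLE = """
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.1 ipsec-vpn Site4-to-Site1
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.3 ipsec-vpn Site4-to-Site3
set routing-options static route 192.168.2.0/24 next-hop 1.1.100.2
set routing-options static route 192.168.7.0/24 next-hop 1.1.100.3
set routing-options static route 192.168.0.0/16 next-hop st0.0
"""


def parse_tables(config_text):
    """Build the routing table and the NHTB table from 'set' lines.

    routes: list of (network, interface or None, gateway IP or None)
    nhtb:   dict {(interface, gateway IP): VPN name}
    """
    routes, nhtb = [], {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := SSG_NHTB.match(line):
            nhtb[(m[1], m[2])] = m[3]
        elif m := SRX_NHTB.match(line):
            nhtb[(f"{m[1]}.{m[2]}", m[3])] = m[4]
        elif m := SSG_ROUTE.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[2], m[3]))
        elif m := SRX_ROUTE.match(line):
            net, nh = ipaddress.ip_network(m[1]), m[2]
            try:  # Junos next-hop may be a gateway IP or a bare interface name
                ipaddress.ip_address(nh)
                routes.append((net, None, nh))
            except ValueError:
                routes.append((net, nh, None))
    return routes, nhtb


def resolve(config_text, dst):
    """Longest-prefix match dst in the routing table, then map the route's gateway
    to a VPN through the NHTB table (the two-table lookup the post describes).

    Returns (prefix, interface, gateway, vpn) or None when no route matches; vpn is
    None when the route carries no gateway that the NHTB table knows.
    """
    routes, nhtb = parse_tables(config_text)
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    net, iface, gw = max(matches, key=lambda r: r[0].prefixlen)
    for (nh_iface, nh_gw), vpn in nhtb.items():
        if nh_gw == gw and iface in (None, nh_iface):
            return (str(net), nh_iface, gw, vpn)
    return (str(net), iface, gw, None)


def audit(config_text):
    """Report routes that reach a shared tunnel interface but cannot select a tunnel."""
    routes, nhtb = parse_tables(config_text)
    gateways = {gw for _, gw in nhtb}
    vpns_per_iface = {}
    for iface, _ in nhtb:
        vpns_per_iface[iface] = vpns_per_iface.get(iface, 0) + 1
    problems = []
    for net, iface, gw in routes:
        if gw is None and vpns_per_iface.get(iface, 0) > 1:
            problems.append(f"{net}: next-hop names only {iface}, which carries "
                            f"{vpns_per_iface[iface]} VPNs; add a gateway with an NHTB entry")
        elif gw is not None and gw not in gateways:
            problems.append(f"{net}: gateway {gw} has no NHTB entry on any interface")
    return problems


if __name__ == "__main__":
    for sample, dst in ((SSG5_SAMPLE, "192.168.7.25"), (SRX_SAMPLE, "192.168.2.10")):
        print(dst, "->", resolve(sample, dst))
    for sample in (SSG5_SAMPLE, SRX_SAMPLE):
        for problem in audit(sample):
            print("PROBLEM:", problem)
```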





The following two ready-made files are used for illustration:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Below is the VPN configuration example for 4 SRX devices. Because it uses NHTB and OSPF, you will notice that the configuration is actually much shorter than the 3-SRX VPN configuration, and the gap grows as more members are added.
Related links for reference:

vpn-route_based- multi_lan_to_multi_lan - ospf  - SRX - 4_router_of_router_a -  ok - lan_1_3_5--good - vlan.conf
## account root, password srx100, IP 192.168.1.1
## fe-0/0/0.0 WAN, fe-0/0/1--fe-0/0/4 Lan1, fe-0/0/6 Lan2, fe-0/0/7 Lan3, fe-0/0/5.0 Sub-VLAN 66, fe-0/0/5.1 Sub-VLAN 67, fe-0/0/5.2 Sub-VLAN 68
## fe-0/0/1--fe-0/0/4 Lan1 is a Layer 2 VLAN configuration.
## fe-0/0/5 is a Layer 3 VLAN configuration and must connect to a switch configured with three VLANs (VLAN IDs 66, 67 and 68) and the matching VLAN tag / PVID settings
## local networks: 192.168.1.0 192.168.3.0 192.168.5.0; remote network 1: 192.168.2.0 192.168.4.0 192.168.6.0; remote network 2: 192.168.7.0 192.168.8.0 192.168.9.0; remote network 3: 192.168.10.0 192.168.11.0 192.168.12.0
## the 3 local subnets, the 3 subnets of remote network 1 and the 3 subnets of remote network 2 can all reach one another
## this configuration opens PING and web services on the WAN side (for convenient testing); for security they can be closed, see SRX防火牆常規操作與維護.txt for the settings
## when applying this configuration, adjust these IPs yourself: WAN 192.168.188.10, static-route 192.168.188.178, VPN remote IPs 192.168.188.11, 192.168.188.12 and 192.168.188.13
## in large networks, using OSPF for the VPN configuration reduces maintenance cost, configuration difficulty and firewall resource usage
## this configuration uses OSPF so that the remote and local sides can communicate; it can be used for VPN links to other vendors' routers, but default interface MTUs differ between vendors and must be set consistently before the two sides can communicate
## SSG tunnel.1 defaults to MTU=1500 and SRX st0.0 defaults to MTU=9192, so this example sets MTU=1500 on st0.0 in order to communicate with SSG devices
## in the OSPF 4-router series on this CD, routers a, b, c and d can be any mix of SRX and SSG
## VPN phase 1 IKE proposal pre-g2-3des-md5, phase 2 IPsec proposal nopfs-esp-3des-md5
## pre-shared-key "netscreen"

set system host-name srx100
set system time-zone Asia/Taipei
set system root-authentication encrypted-password "$1$Fg/DP18.$xeq4lIWwyYkVqaKa4d63F1"
set system name-server 168.95.192.1
set system name-server 168.95.1.1
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$dYTGDNPV$0GUdFo.gWl4RzhZSH72O91"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management http interface fe-0/0/6.0
set system services web-management http interface fe-0/0/7.0
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/6.0
set system services web-management https interface fe-0/0/7.0
set system services dhcp name-server 168.95.1.1
set system services dhcp name-server 168.95.192.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.11
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.111
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.0
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.11
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.111
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.3.0/24 propagate-settings fe-0/0/6.0
set system services dhcp pool 192.168.5.0/24 address-range low 192.168.5.11
set system services dhcp pool 192.168.5.0/24 address-range high 192.168.5.111
set system services dhcp pool 192.168.5.0/24 router 192.168.5.1
set system services dhcp pool 192.168.5.0/24 propagate-settings fe-0/0/7.0
set system services dhcp pool 192.168.66.0/24 address-range low 192.168.66.11
set system services dhcp pool 192.168.66.0/24 address-range high 192.168.66.111
set system services dhcp pool 192.168.66.0/24 router 192.168.66.1
set system services dhcp pool 192.168.66.0/24 propagate-settings fe-0/0/5.0
set system services dhcp pool 192.168.67.0/24 address-range low 192.168.67.11
set system services dhcp pool 192.168.67.0/24 address-range high 192.168.67.111
set system services dhcp pool 192.168.67.0/24 router 192.168.67.1
set system services dhcp pool 192.168.67.0/24 propagate-settings fe-0/0/5.1
set system services dhcp pool 192.168.68.0/24 address-range low 192.168.68.11
set system services dhcp pool 192.168.68.0/24 address-range high 192.168.68.111
set system services dhcp pool 192.168.68.0/24 router 192.168.68.1
set system services dhcp pool 192.168.68.0/24 propagate-settings fe-0/0/5.2
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 192.168.1.11 any any
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 15
set system max-configuration-rollbacks 15
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 118.163.81.61
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 vlan-tagging
set interfaces fe-0/0/5 unit 0 vlan-id 66
set interfaces fe-0/0/5 unit 0 family inet address 192.168.66.1/24
set interfaces fe-0/0/5 unit 1 vlan-id 67
set interfaces fe-0/0/5 unit 1 family inet address 192.168.67.1/24
set interfaces fe-0/0/5 unit 2 vlan-id 68
set interfaces fe-0/0/5 unit 2 family inet address 192.168.68.1/24
set interfaces fe-0/0/6 unit 0 family inet address 192.168.3.1/24
set interfaces fe-0/0/7 unit 0 family inet address 192.168.5.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site1-to-Site2
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.3 ipsec-vpn Site1-to-Site3
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.4 ipsec-vpn Site1-to-Site4
set interfaces st0 unit 0 family inet address 1.1.100.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.188.178
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.5.0/24 next-hop st0.0
set routing-options static route 192.168.2.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set routing-options static route 192.168.6.0/24 next-hop st0.0
set routing-options static route 192.168.7.0/24 next-hop st0.0
set routing-options static route 192.168.8.0/24 next-hop st0.0
set routing-options static route 192.168.9.0/24 next-hop st0.0
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 10
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 40
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface vlan.0 metric 1
set protocols ospf area 0.0.0.0 interface vlan.0 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/5.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/5.0 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/5.0 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/5.1 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/5.1 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/5.1 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/5.2 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/5.2 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/5.2 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/6.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/6.0 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/6.0 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/7.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/7.0 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/7.0 priority 10
set protocols stp
set security ike proposal srx-ike-proposal authentication-method pre-shared-keys
set security ike proposal srx-ike-proposal dh-group group2
set security ike proposal srx-ike-proposal authentication-algorithm md5
set security ike proposal srx-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal srx-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_srx-to-srx mode main
set security ike policy ike_pol_srx-to-srx proposals srx-ike-proposal
set security ike policy ike_pol_srx-to-srx pre-shared-key ascii-text "$9$U9i.5n6AOIcCtORcSW8-VwYgJTQn"
set security ike gateway Site2_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site2_GW address 192.168.188.11
set security ike gateway Site2_GW dead-peer-detection
set security ike gateway Site2_GW no-nat-traversal
set security ike gateway Site2_GW external-interface fe-0/0/0.0
set security ike gateway Site2_GW version v1-only
set security ike gateway Site3_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site3_GW address 192.168.188.12
set security ike gateway Site3_GW dead-peer-detection
set security ike gateway Site3_GW no-nat-traversal
set security ike gateway Site3_GW external-interface fe-0/0/0.0
set security ike gateway Site3_GW version v1-only
set security ike gateway Site4_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site4_GW address 192.168.188.13
set security ike gateway Site4_GW dead-peer-detection
set security ike gateway Site4_GW no-nat-traversal
set security ike gateway Site4_GW external-interface fe-0/0/0.0
set security ike gateway Site4_GW version v1-only
set security ipsec proposal srx-ipsec-proposal protocol esp
set security ipsec proposal srx-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal srx-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal srx-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_srx-to-srx proposals srx-ipsec-proposal
set security ipsec vpn Site1-to-Site2 bind-interface st0.0
set security ipsec vpn Site1-to-Site2 vpn-monitor optimized
set security ipsec vpn Site1-to-Site2 ike gateway Site2_GW
set security ipsec vpn Site1-to-Site2 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site1-to-Site2 establish-tunnels immediately
set security ipsec vpn Site1-to-Site3 bind-interface st0.0
set security ipsec vpn Site1-to-Site3 vpn-monitor optimized
set security ipsec vpn Site1-to-Site3 ike gateway Site3_GW
set security ipsec vpn Site1-to-Site3 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site1-to-Site3 establish-tunnels immediately
set security ipsec vpn Site1-to-Site4 bind-interface st0.0
set security ipsec vpn Site1-to-Site4 vpn-monitor optimized
set security ipsec vpn Site1-to-Site4 ike gateway Site4_GW
set security ipsec vpn Site1-to-Site4 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site1-to-Site4 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone VPN to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone VPN to-zone trust policy vpn-to-trust match application any
set security policies from-zone VPN to-zone trust policy vpn-to-trust then permit
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn match source-address any
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn match destination-address any
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn match application any
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone trust address-book address addr_192_168_1_0_24 192.168.1.0/24
set security zones security-zone trust address-book address addr_192_168_3_0_24 192.168.3.0/24
set security zones security-zone trust address-book address addr_192_168_5_0_24 192.168.5.0/24
set security zones security-zone trust address-book address-set Local_Lans address addr_192_168_1_0_24
set security zones security-zone trust address-book address-set Local_Lans address addr_192_168_3_0_24
set security zones security-zone trust address-book address-set Local_Lans address addr_192_168_5_0_24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces fe-0/0/5.0
set security zones security-zone trust interfaces fe-0/0/5.1
set security zones security-zone trust interfaces fe-0/0/5.2
set security zones security-zone trust interfaces fe-0/0/6.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces fe-0/0/7.0 host-inbound-traffic protocols ospf
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone VPN address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone VPN address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone VPN address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone VPN address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone VPN address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone VPN address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone VPN address-book address addr_192_168_10_0_24 192.168.10.0/24
set security zones security-zone VPN address-book address addr_192_168_11_0_24 192.168.11.0/24
set security zones security-zone VPN address-book address addr_192_168_12_0_24 192.168.12.0/24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_2_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_4_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_6_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_7_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_8_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_9_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_10_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_11_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_12_0_24
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0


+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++

Below is the 3-device VPN configuration example. This case does not use NHTB or OSPF, so you will notice that the configuration is extremely long.


For the same case, the SSG5 configuration is much shorter, because ScreenOS supports Multi-proxy: the SSG5 only needs to create two tunnels and two VPNs, whereas the SRX needs 18 tunnels and 18 VPNs.
 
vpn-route_based- multi_lan_to_multi_lan - 3_router_of_router_a - SRX - OK - lan_1_3_5 - firewall_filter-good.conf
## account root, password srx210, IP 192.168.1.1
## fe-0/0/0.0 WAN, fe-0/0/1--fe-0/0/5 Lan1, fe-0/0/6 Lan2, fe-0/0/7 Lan3
## local networks: 192.168.1.0 192.168.3.0 192.168.5.0; SSG remote network 1: 192.168.2.0 192.168.4.0 192.168.6.0; NetScreen remote network 2: 192.168.7.0 192.168.8.0 192.168.9.0
## the 3 local subnets, the 3 subnets of remote network 1 and the 3 subnets of remote network 2 all reach one another through the VPN
## this configuration uses firewall filters to steer traffic to the matching VPN on st0.1 through st0.19, so the remote VPN sides and the local side can communicate; it can be used for VPN links to other vendors' routers
## this configuration opens PING and web services on the WAN side (for convenient testing); for security they can be closed, see SRX防火牆常規操作與維護.txt for the settings
## when applying this configuration, adjust these IPs yourself: WAN 192.168.188.10, static-route 192.168.188.178, VPN remote IPs 192.168.188.11 and 192.168.188.12
## only basic encryption settings are used for testing; change them to high-security settings yourself
## pre-shared-key "netscreen"
## before reading the configuration below, see the following link for the firewall filter and routing-instance parts:
Configuring site-to-site VPNs between SRX and Cisco ASA, with multiple networks behind the SRX and ASA, and full mesh traffic between networks


root@srx100# show | display set | no-more
set version 12.1X46-D55.3
set system host-name srx100
set system time-zone Asia/Taipei
set system root-authentication encrypted-password "$1$Fg/DP18.$xeq4lIWwyYkVqaKa4d63F1"
set system name-server 168.95.192.1
set system name-server 168.95.1.1
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$dYTGDNPV$0GUdFo.gWl4RzhZSH72O91"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management http interface fe-0/0/6.0
set system services web-management http interface fe-0/0/7.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/6.0
set system services web-management https interface fe-0/0/7.0
set system services dhcp name-server 168.95.1.1
set system services dhcp name-server 168.95.192.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.11
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.111
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.11
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.111
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.5.0/24 address-range low 192.168.5.11
set system services dhcp pool 192.168.5.0/24 address-range high 192.168.5.111
set system services dhcp pool 192.168.5.0/24 router 192.168.5.1
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 15
set system max-configuration-rollbacks 15
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 118.163.81.61
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family inet filter input SSG_vpn
set interfaces fe-0/0/6 unit 0 family inet address 192.168.3.1/24
set interfaces fe-0/0/7 unit 0 family inet filter input SSG_vpn
set interfaces fe-0/0/7 unit 0 family inet address 192.168.5.1/24
set interfaces st0 unit 1 family inet mtu 1500
set interfaces st0 unit 2 family inet mtu 1500
set interfaces st0 unit 3 family inet mtu 1500
set interfaces st0 unit 4 family inet mtu 1500
set interfaces st0 unit 5 family inet mtu 1500
set interfaces st0 unit 6 family inet mtu 1500
set interfaces st0 unit 7 family inet mtu 1500
set interfaces st0 unit 8 family inet mtu 1500
set interfaces st0 unit 9 family inet mtu 1500
set interfaces st0 unit 11 family inet mtu 1500
set interfaces st0 unit 12 family inet mtu 1500
set interfaces st0 unit 13 family inet mtu 1500
set interfaces st0 unit 14 family inet mtu 1500
set interfaces st0 unit 15 family inet mtu 1500
set interfaces st0 unit 16 family inet mtu 1500
set interfaces st0 unit 17 family inet mtu 1500
set interfaces st0 unit 18 family inet mtu 1500
set interfaces st0 unit 19 family inet mtu 1500
set interfaces vlan unit 0 family inet filter input SSG_vpn
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options interface-routes rib-group inet group1
set routing-options static route 0.0.0.0/0 next-hop 192.168.188.178
set routing-options rib-groups group1 import-rib inet.0
set routing-options rib-groups group1 import-rib SSG-1.inet.0
set routing-options rib-groups group1 import-rib SSG-2.inet.0
set routing-options rib-groups group1 import-rib SSG-3.inet.0
set protocols stp
set security ike proposal ssg-ike-proposal authentication-method pre-shared-keys
set security ike proposal ssg-ike-proposal dh-group group2
set security ike proposal ssg-ike-proposal authentication-algorithm md5
set security ike proposal ssg-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal ssg-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_srx210-to-ssg5 mode main
set security ike policy ike_pol_srx210-to-ssg5 proposals ssg-ike-proposal
set security ike policy ike_pol_srx210-to-ssg5 pre-shared-key ascii-text "$9$U9i.5n6AOIcCtORcSW8-VwYgJTQn"
set security ike gateway gw_srx210-to-ssg5 ike-policy ike_pol_srx210-to-ssg5
set security ike gateway gw_srx210-to-ssg5 address 192.168.188.11
set security ike gateway gw_srx210-to-ssg5 dead-peer-detection
set security ike gateway gw_srx210-to-ssg5 no-nat-traversal
set security ike gateway gw_srx210-to-ssg5 external-interface fe-0/0/0.0
set security ike gateway gw_srx210-to-ssg5 version v1-only
set security ike gateway gw_srx210-to-netscreen ike-policy ike_pol_srx210-to-ssg5
set security ike gateway gw_srx210-to-netscreen address 192.168.188.12
set security ike gateway gw_srx210-to-netscreen dead-peer-detection
set security ike gateway gw_srx210-to-netscreen no-nat-traversal
set security ike gateway gw_srx210-to-netscreen external-interface fe-0/0/0.0
set security ike gateway gw_srx210-to-netscreen version v1-only
set security ipsec proposal ssg-ipsec-proposal protocol esp
set security ipsec proposal ssg-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ssg-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ssg-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_srx210-to-ssg5 proposals ssg-ipsec-proposal
set security ipsec vpn srx1-to-ssg2 bind-interface st0.1
set security ipsec vpn srx1-to-ssg2 vpn-monitor optimized
set security ipsec vpn srx1-to-ssg2 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg2 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx1-to-ssg2 ike proxy-identity service any
set security ipsec vpn srx1-to-ssg2 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg2 establish-tunnels immediately
set security ipsec vpn srx1-to-ssg4 bind-interface st0.2
set security ipsec vpn srx1-to-ssg4 vpn-monitor optimized
set security ipsec vpn srx1-to-ssg4 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg4 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security ipsec vpn srx1-to-ssg4 ike proxy-identity service any
set security ipsec vpn srx1-to-ssg4 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg4 establish-tunnels immediately
set security ipsec vpn srx1-to-ssg6 bind-interface st0.3
set security ipsec vpn srx1-to-ssg6 vpn-monitor optimized
set security ipsec vpn srx1-to-ssg6 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg6 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-ssg6 ike proxy-identity remote 192.168.6.0/24
set security ipsec vpn srx1-to-ssg6 ike proxy-identity service any
set security ipsec vpn srx1-to-ssg6 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg6 establish-tunnels immediately
set security ipsec vpn srx3-to-ssg2 bind-interface st0.4
set security ipsec vpn srx3-to-ssg2 vpn-monitor optimized
set security ipsec vpn srx3-to-ssg2 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg2 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx3-to-ssg2 ike proxy-identity service any
set security ipsec vpn srx3-to-ssg2 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg2 establish-tunnels immediately
set security ipsec vpn srx3-to-ssg4 bind-interface st0.5
set security ipsec vpn srx3-to-ssg4 vpn-monitor optimized
set security ipsec vpn srx3-to-ssg4 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg4 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security ipsec vpn srx3-to-ssg4 ike proxy-identity service any
set security ipsec vpn srx3-to-ssg4 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg4 establish-tunnels immediately
set security ipsec vpn srx3-to-ssg6 bind-interface st0.6
set security ipsec vpn srx3-to-ssg6 vpn-monitor optimized
set security ipsec vpn srx3-to-ssg6 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg6 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-ssg6 ike proxy-identity remote 192.168.6.0/24
set security ipsec vpn srx3-to-ssg6 ike proxy-identity service any
set security ipsec vpn srx3-to-ssg6 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg6 establish-tunnels immediately
set security ipsec vpn srx5-to-ssg2 bind-interface st0.7
set security ipsec vpn srx5-to-ssg2 vpn-monitor optimized
set security ipsec vpn srx5-to-ssg2 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg2 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx5-to-ssg2 ike proxy-identity service any
set security ipsec vpn srx5-to-ssg2 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg2 establish-tunnels immediately
set security ipsec vpn srx5-to-ssg4 bind-interface st0.8
set security ipsec vpn srx5-to-ssg4 vpn-monitor optimized
set security ipsec vpn srx5-to-ssg4 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg4 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security ipsec vpn srx5-to-ssg4 ike proxy-identity service any
set security ipsec vpn srx5-to-ssg4 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg4 establish-tunnels immediately
set security ipsec vpn srx5-to-ssg6 bind-interface st0.9
set security ipsec vpn srx5-to-ssg6 vpn-monitor optimized
set security ipsec vpn srx5-to-ssg6 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg6 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-ssg6 ike proxy-identity remote 192.168.6.0/24
set security ipsec vpn srx5-to-ssg6 ike proxy-identity service any
set security ipsec vpn srx5-to-ssg6 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg6 establish-tunnels immediately
set security ipsec vpn srx1-to-netscreen7 bind-interface st0.11
set security ipsec vpn srx1-to-netscreen7 vpn-monitor optimized
set security ipsec vpn srx1-to-netscreen7 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx1-to-netscreen7 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-netscreen7 ike proxy-identity remote 192.168.7.0/24
set security ipsec vpn srx1-to-netscreen7 ike proxy-identity service any
set security ipsec vpn srx1-to-netscreen7 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-netscreen7 establish-tunnels immediately
set security ipsec vpn srx1-to-netscreen8 bind-interface st0.12
set security ipsec vpn srx1-to-netscreen8 vpn-monitor optimized
set security ipsec vpn srx1-to-netscreen8 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx1-to-netscreen8 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-netscreen8 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn srx1-to-netscreen8 ike proxy-identity service any
set security ipsec vpn srx1-to-netscreen8 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-netscreen8 establish-tunnels immediately
set security ipsec vpn srx1-to-netscreen9 bind-interface st0.13
set security ipsec vpn srx1-to-netscreen9 vpn-monitor optimized
set security ipsec vpn srx1-to-netscreen9 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx1-to-netscreen9 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-netscreen9 ike proxy-identity remote 192.168.9.0/24
set security ipsec vpn srx1-to-netscreen9 ike proxy-identity service any
set security ipsec vpn srx1-to-netscreen9 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-netscreen9 establish-tunnels immediately
set security ipsec vpn srx3-to-netscreen7 bind-interface st0.14
set security ipsec vpn srx3-to-netscreen7 vpn-monitor optimized
set security ipsec vpn srx3-to-netscreen7 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx3-to-netscreen7 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-netscreen7 ike proxy-identity remote 192.168.7.0/24
set security ipsec vpn srx3-to-netscreen7 ike proxy-identity service any
set security ipsec vpn srx3-to-netscreen7 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-netscreen7 establish-tunnels immediately
set security ipsec vpn srx3-to-netscreen8 bind-interface st0.15
set security ipsec vpn srx3-to-netscreen8 vpn-monitor optimized
set security ipsec vpn srx3-to-netscreen8 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx3-to-netscreen8 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-netscreen8 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn srx3-to-netscreen8 ike proxy-identity service any
set security ipsec vpn srx3-to-netscreen8 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-netscreen8 establish-tunnels immediately
set security ipsec vpn srx3-to-netscreen9 bind-interface st0.16
set security ipsec vpn srx3-to-netscreen9 vpn-monitor optimized
set security ipsec vpn srx3-to-netscreen9 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx3-to-netscreen9 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-netscreen9 ike proxy-identity remote 192.168.9.0/24
set security ipsec vpn srx3-to-netscreen9 ike proxy-identity service any
set security ipsec vpn srx3-to-netscreen9 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-netscreen9 establish-tunnels immediately
set security ipsec vpn srx5-to-netscreen7 bind-interface st0.17
set security ipsec vpn srx5-to-netscreen7 vpn-monitor optimized
set security ipsec vpn srx5-to-netscreen7 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx5-to-netscreen7 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-netscreen7 ike proxy-identity remote 192.168.7.0/24
set security ipsec vpn srx5-to-netscreen7 ike proxy-identity service any
set security ipsec vpn srx5-to-netscreen7 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-netscreen7 establish-tunnels immediately
set security ipsec vpn srx5-to-netscreen8 bind-interface st0.18
set security ipsec vpn srx5-to-netscreen8 vpn-monitor optimized
set security ipsec vpn srx5-to-netscreen8 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx5-to-netscreen8 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-netscreen8 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn srx5-to-netscreen8 ike proxy-identity service any
set security ipsec vpn srx5-to-netscreen8 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-netscreen8 establish-tunnels immediately
set security ipsec vpn srx5-to-netscreen9 bind-interface st0.19
set security ipsec vpn srx5-to-netscreen9 vpn-monitor optimized
set security ipsec vpn srx5-to-netscreen9 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx5-to-netscreen9 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-netscreen9 ike proxy-identity remote 192.168.9.0/24
set security ipsec vpn srx5-to-netscreen9 ike proxy-identity service any
set security ipsec vpn srx5-to-netscreen9 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-netscreen9 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match source-address addr_192_168_1_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_2_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_4_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_6_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_7_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_8_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match application any
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG then permit
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match source-address addr_192_168_3_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_2_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_4_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_6_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_7_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_8_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match application any
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG then permit
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match source-address addr_192_168_5_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_2_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_4_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_6_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_7_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_8_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match application any
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG then permit
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_2_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_4_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_6_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_7_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_8_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_9_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match destination-address addr_192_168_1_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match application any
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 then permit
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_2_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_4_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_6_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_7_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_8_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_9_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match destination-address addr_192_168_3_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match application any
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 then permit
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_2_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_4_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_6_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_7_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_8_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_9_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match destination-address addr_192_168_5_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match application any
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 then permit
set security zones security-zone trust address-book address addr_192_168_1_0_24 192.168.1.0/24
set security zones security-zone trust address-book address addr_192_168_3_0_24 192.168.3.0/24
set security zones security-zone trust address-book address addr_192_168_5_0_24 192.168.5.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/6.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone untrust_vpn_1 interfaces st0.1
set security zones security-zone untrust_vpn_1 interfaces st0.2
set security zones security-zone untrust_vpn_1 interfaces st0.3
set security zones security-zone untrust_vpn_1 interfaces st0.11
set security zones security-zone untrust_vpn_1 interfaces st0.12
set security zones security-zone untrust_vpn_1 interfaces st0.13
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone untrust_vpn_2 interfaces st0.4
set security zones security-zone untrust_vpn_2 interfaces st0.5
set security zones security-zone untrust_vpn_2 interfaces st0.6
set security zones security-zone untrust_vpn_2 interfaces st0.14
set security zones security-zone untrust_vpn_2 interfaces st0.15
set security zones security-zone untrust_vpn_2 interfaces st0.16
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone untrust_vpn_3 interfaces st0.7
set security zones security-zone untrust_vpn_3 interfaces st0.8
set security zones security-zone untrust_vpn_3 interfaces st0.9
set security zones security-zone untrust_vpn_3 interfaces st0.17
set security zones security-zone untrust_vpn_3 interfaces st0.18
set security zones security-zone untrust_vpn_3 interfaces st0.19
set firewall family inet filter SSG_vpn term 1 from source-address 192.168.1.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.2.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.4.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.6.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.7.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.8.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.9.0/24
set firewall family inet filter SSG_vpn term 1 then routing-instance SSG-1
set firewall family inet filter SSG_vpn term 2 from source-address 192.168.3.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.2.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.4.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.6.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.7.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.8.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.9.0/24
set firewall family inet filter SSG_vpn term 2 then routing-instance SSG-2
set firewall family inet filter SSG_vpn term 3 from source-address 192.168.5.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.2.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.4.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.6.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.7.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.8.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.9.0/24
set firewall family inet filter SSG_vpn term 3 then routing-instance SSG-3
set firewall family inet filter SSG_vpn term 4 then accept
set routing-instances SSG-1 instance-type virtual-router
set routing-instances SSG-1 interface st0.1
set routing-instances SSG-1 interface st0.2
set routing-instances SSG-1 interface st0.3
set routing-instances SSG-1 interface st0.11
set routing-instances SSG-1 interface st0.12
set routing-instances SSG-1 interface st0.13
set routing-instances SSG-1 routing-options static route 192.168.2.0/24 next-hop st0.1
set routing-instances SSG-1 routing-options static route 192.168.4.0/24 next-hop st0.2
set routing-instances SSG-1 routing-options static route 192.168.6.0/24 next-hop st0.3
set routing-instances SSG-1 routing-options static route 192.168.7.0/24 next-hop st0.11
set routing-instances SSG-1 routing-options static route 192.168.8.0/24 next-hop st0.12
set routing-instances SSG-1 routing-options static route 192.168.9.0/24 next-hop st0.13
set routing-instances SSG-2 instance-type virtual-router
set routing-instances SSG-2 interface st0.4
set routing-instances SSG-2 interface st0.5
set routing-instances SSG-2 interface st0.6
set routing-instances SSG-2 interface st0.14
set routing-instances SSG-2 interface st0.15
set routing-instances SSG-2 interface st0.16
set routing-instances SSG-2 routing-options static route 192.168.2.0/24 next-hop st0.4
set routing-instances SSG-2 routing-options static route 192.168.4.0/24 next-hop st0.5
set routing-instances SSG-2 routing-options static route 192.168.6.0/24 next-hop st0.6
set routing-instances SSG-2 routing-options static route 192.168.7.0/24 next-hop st0.14
set routing-instances SSG-2 routing-options static route 192.168.8.0/24 next-hop st0.15
set routing-instances SSG-2 routing-options static route 192.168.9.0/24 next-hop st0.16
set routing-instances SSG-3 instance-type virtual-router
set routing-instances SSG-3 interface st0.7
set routing-instances SSG-3 interface st0.8
set routing-instances SSG-3 interface st0.9
set routing-instances SSG-3 interface st0.17
set routing-instances SSG-3 interface st0.18
set routing-instances SSG-3 interface st0.19
set routing-instances SSG-3 routing-options static route 192.168.2.0/24 next-hop st0.7
set routing-instances SSG-3 routing-options static route 192.168.4.0/24 next-hop st0.8
set routing-instances SSG-3 routing-options static route 192.168.6.0/24 next-hop st0.9
set routing-instances SSG-3 routing-options static route 192.168.7.0/24 next-hop st0.17
set routing-instances SSG-3 routing-options static route 192.168.8.0/24 next-hop st0.18
set routing-instances SSG-3 routing-options static route 192.168.9.0/24 next-hop st0.19
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
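The configuration above wires each IPsec VPN together through several separately declared objects: the `bind-interface` st0 unit, the security zone that holds that unit, the virtual-router routing-instance it belongs to, and the static route inside that instance whose next-hop must be the same unit as the VPN's remote proxy-identity prefix. A single mismatch (a route pointing at the wrong st0 unit, a unit left out of its zone) silently breaks one site pair. The following script is an added example, not code from the original post or from Juniper: it parses Junos `set`-style lines and audits those cross-references, and it also flags the `md5`, `hmac-md5-96`, `3des-cbc` and `group2` choices the page's proposals use, since those are deprecated IKE/IPsec algorithms. `SAMPLE_CONFIG` is a constructed excerpt of the page's configuration with one deliberate routing error; the list of weak algorithms is the author's own judgment, not something the page states.

```python
"""Consistency audit for an SRX NHTB / virtual-router configuration.

Added example (not from the original blog post). It parses Junos 'set'
lines, then checks that every IPsec VPN's st0 unit sits in exactly one
security zone and one routing-instance, that the VPN's remote
proxy-identity prefix has a static route in that routing-instance whose
next-hop is the same st0 unit, and that no IKE/IPsec proposal relies on
deprecated algorithms. SAMPLE_CONFIG is a constructed excerpt of the
page's config with one deliberate error (the 192.168.4.0/24 route).
"""
import re
from collections import defaultdict

# Algorithms a reviewer would flag today (author's list, not from the page).
WEAK_ALGOS = {"md5", "hmac-md5-96", "3des-cbc", "des-cbc", "group1", "group2"}

SAMPLE_CONFIG = """
set security ike proposal ssg-ike-proposal dh-group group2
set security ike proposal ssg-ike-proposal authentication-algorithm md5
set security ike proposal ssg-ike-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ssg-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ssg-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec vpn srx1-to-ssg2 bind-interface st0.1
set security ipsec vpn srx1-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx1-to-ssg4 bind-interface st0.2
set security ipsec vpn srx1-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security zones security-zone untrust_vpn_1 interfaces st0.1
set security zones security-zone untrust_vpn_1 interfaces st0.2
set routing-instances SSG-1 instance-type virtual-router
set routing-instances SSG-1 interface st0.1
set routing-instances SSG-1 interface st0.2
set routing-options static route 192.168.4.0/24 next-hop st0.3
set routing-instances SSG-1 routing-options static route 192.168.2.0/24 next-hop st0.1
set routing-instances SSG-1 routing-options static route 192.168.4.0/24 next-hop st0.3
"""


def parse_set_config(text):
    """Collect the facts the audit needs from 'set ...' lines."""
    facts = {
        "vpn_iface": {},                     # vpn name -> bound st0 unit
        "vpn_remote": {},                    # vpn name -> remote proxy-identity prefix
        "iface_zone": defaultdict(set),      # st0 unit -> zones that list it
        "iface_ri": defaultdict(set),        # st0 unit -> routing-instances that list it
        "ri_routes": defaultdict(dict),      # routing-instance -> {prefix: next-hop}
        "proposal_algos": defaultdict(set),  # proposal name -> algorithms it uses
    }
    patterns = [
        (r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$",
         lambda m: facts["vpn_iface"].__setitem__(m[1], m[2])),
        (r"^set security ipsec vpn (\S+) ike proxy-identity remote (\S+)$",
         lambda m: facts["vpn_remote"].__setitem__(m[1], m[2])),
        (r"^set security zones security-zone (\S+) interfaces (st0\.\d+)$",
         lambda m: facts["iface_zone"][m[2]].add(m[1])),
        (r"^set routing-instances (\S+) interface (st0\.\d+)$",
         lambda m: facts["iface_ri"][m[2]].add(m[1])),
        (r"^set routing-instances (\S+) routing-options static route (\S+) next-hop (\S+)$",
         lambda m: facts["ri_routes"][m[1]].__setitem__(m[2], m[3])),
        (r"^set security (?:ike|ipsec) proposal (\S+) "
         r"(?:dh-group|authentication-algorithm|encryption-algorithm) (\S+)$",
         lambda m: facts["proposal_algos"][m[1]].add(m[2])),
    ]
    for line in text.splitlines():
        line = line.strip()
        for pat, record in patterns:
            m = re.match(pat, line)
            if m:
                record(m)
                break
    return facts


def audit(text):
    """Return a sorted list of findings; an empty list means no problems found."""
    f = parse_set_config(text)
    findings = []
    for vpn, iface in f["vpn_iface"].items():
        zones = f["iface_zone"].get(iface, set())
        if len(zones) != 1:
            findings.append(f"{vpn}: {iface} is in {len(zones)} security zones, expected 1")
        ris = f["iface_ri"].get(iface, set())
        if len(ris) != 1:
            findings.append(f"{vpn}: {iface} is in {len(ris)} routing-instances, expected 1")
            continue
        ri = next(iter(ris))
        remote = f["vpn_remote"].get(vpn)
        if remote is None:
            findings.append(f"{vpn}: no remote proxy-identity configured")
            continue
        # The NHTB-style binding: the peer prefix must be routed into the
        # same st0 unit the VPN is bound to, inside that unit's virtual router.
        nh = f["ri_routes"][ri].get(remote)
        if nh != iface:
            findings.append(f"{vpn}: route for {remote} in {ri} points at {nh}, expected {iface}")
    for prop, algos in f["proposal_algos"].items():
        for weak in sorted(algos & WEAK_ALGOS):
            findings.append(f"proposal {prop}: uses weak algorithm {weak}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

To audit a real device, paste the output of `show configuration | display set` into a file and call `audit(open(path).read())`; the checks are per-VPN, so on the full configuration above each of the eighteen `srx*-to-*` VPNs is verified against its zone, its SSG-n routing-instance and its static route. The global `routing-options static route` line in the sample is intentionally ignored by the parser: under this design only routes inside the virtual router count, which is exactly why the firewall filter `SSG_vpn` has to steer traffic into the right instance first.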
