Juniper SRX NHTB(Next-Hop Tunnel Binding) VPN設定

-

Juniper SRX NHTB(Next-Hop Tunnel Binding) VPN設定




NHTB是一台網路設備僅使用一個VPN通道要來跟數台網路設備彼此之間建立起VPN連線。

Multi-proxyNHTB的差異在於:Multi-proxy是兩台建立VPN連線的設備其下各有數個子網段要透過一個VPN通道來相互溝通。
 
Juniper SRX使用HNTB的好處:
能減少系統開銷,降低設定及維護成本。在大型網路上,設定vpn若能搭配NHTB設定加上OSPF設定的方案,則會有更明顯的效果。
就拿我們接下來要介紹的案例來說,四個防火牆要建立VPN連線,而其各自有三個子網段,並且彼此之間各網段都要能互通,其拓墣如下圖VPN設定拓墣圖所示,若不使用NHTB設定,則每個防火牆都要為其建立27條通道,27VPN設定才行,而若使用了NHTB設定,則每個防火牆只要為其建立1條通道,3VPN設定即可,這能讓設定少掉許多煩瑣重複的程序,而在維護上也明顯更輕鬆簡單的多。
ps:上述VPN通道計算方式:1台防火牆內含3個子網段,兩台防火牆之間要建立VPN連線則需要3*3=9條通道,若要跟另外三台防火牆建立連線總共就要9*3=27VPN通道。

您也可以參考相關連結:
JuniperSSG5 NHTB(Next-Hop Tunnel Binding) VPN設定

設定案例請參考以下JUNIPER原廠相關連結:

Hub-and-SpokeVPNs Using Next-Hop Tunnel Binding Overview
Example:Configuring Hub-and-Spoke VPNs using Next-Hop Tunnel Binding
nce-hub-spoke-vpn-nhtb.pdf

Next-HopTunnel Binding Table

通常您必須為每一個VPN連線綁定到個別的隧道介面,也就是說您若有5VPN連線,就必須建立5個隧道介面來給VPN連線使用。但您也可以將多個 IPSec VPN 隧道綁定到單個隧道介面。為了將多個 IPSec VPN 隧道綁定到單個隧道介面,安全設備要使用兩個表: 路由表下一躍點隧道綁定表(NHTB)。其目的是要將安全設備(Security Devices)路由表項中指定的下一躍點閘道 IP 位址映射到 NHTB 表中指定的特定VPN隧道。而通過這種技術,單通道介面就可以支援許多 VPN 隧道。
例如:路由表條目 192.168.2.0/24 可能指定1.1.100.2 作為下一躍點閘道Next-Hop,其中1.1.100.2 是遠端 IKE 對等方的隧道介面的IP位址,其CLI命令設定如下:
set vrouter trust-vr route 192.168.2.0/24 interface tunnel.1 gateway 1.1.100.2  ==> SSG5命令
set route 192.168.2.0/24 interface tunnel.1 gateway 1.1.100.2  ==> SSG5命令
set routing-options static route 192.168.2.0/24 next-hop st0.0        ==> SRX命令

當安全設備接收到的通信量為 192.168.2.0/24,路由表指定隧道介面-tunnel.1,但在這種情況下它並沒有指定要使用哪個 VPN 隧道。如果只有一個 VPN 隧道綁定到tunnel.1,則指定隧道介面就足夠了。如果有多個 VPN 隧道綁定到該介面,則需要在路由和特定隧道之間有一個連結。而NHTB表就提供了該連結。此示例的 NHTB CLI命令設定如下:
set interface tunnel.1 nhtb 1.1.100.2 vpn "Site4-Site2"                      ==> SSG5命令
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2   ==> SRX命令
其中 "vpn1" 是連線到遠端IKE對等方的vpn隧道的名稱,其內部子網為192.168.2.0/24,使用唯一的 IP 位址1.1.100.2,即路由表條目和NHTB表條目有共同之處,因此安全設備就可以將目的地為192.168.2.0/24的通信轉發到tunnel.1,並且明確指定要使用VPN通道" Site4-Site2"
以下為VPN設定拓墣圖:


以下為相關環境設定:
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.13/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.10.1/24
set interfaces fe-0/0/6 unit 0 family inet address 192.168.11.1/24
set interfaces fe-0/0/7 unit 0 family inet address 192.168.12.1/24
set interfaces st0 unit 0 family inet address 1.1.100.4/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.188.178


以下為Site4-to-Site2 vpn設定(展示Site2 ip 192.168.188.11,可供NHTB參考)
set security ike proposal srx-ike-proposal authentication-method pre-shared-keys
set security ike proposal srx-ike-proposal dh-group group2
set security ike proposal srx-ike-proposal authentication-algorithm md5
set security ike proposal srx-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal srx-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_srx-to-srx mode main
set security ike policy ike_pol_srx-to-srx proposals srx-ike-proposal
set security ike policy ike_pol_srx-to-srx pre-shared-key ascii-text "netscreen"
set security ike gateway Site2_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site2_GW address 192.168.188.11
set security ike gateway Site2_GW dead-peer-detection
set security ike gateway Site2_GW no-nat-traversal
set security ike gateway Site2_GW external-interface fe-0/0/0.0
set security ike gateway Site2_GW version v1-only
set security ipsec proposal srx-ipsec-proposal protocol esp
set security ipsec proposal srx-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal srx-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal srx-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_srx-to-srx proposals srx-ipsec-proposal
set security ipsec vpn Site4-to-Site2 bind-interface st0.0
set security ipsec vpn Site4-to-Site2 vpn-monitor optimized
set security ipsec vpn Site4-to-Site2 ike gateway Site1_GW
set security ipsec vpn Site4-to-Site2 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site4-to-Site2 establish-tunnels immediately



以下為SRXHNTB設定。
-------- SRX HNTB設定 Site 4 ---------
## SRX本身為Site4WAN IP: 192.168.188.13st0.0 IP: 1.1.100.4/32
set interfaces st0 unit 0 multipoint     ##將多個 IPSec VPN 隧道綁定到單個隧道介面
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.1 ipsec-vpn Site4-to-Site1  ##(Site1 wan ip 192.168.188.10)指定next-hop ipvpn tunnel
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site4-to-Site2  ## (Site2 wan ip 192.168.188.11,此IP隱藏在VPNgateway設定之中,所以此處看不到)
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.3 ipsec-vpn Site4-to-Site3  ## (Site3 wan ip 192.168.188.12)
set routing-options static route 192.168.1.0/24 next-hop st0.0  ##遠端的網段指定要從通道st0.0傳送
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.5.0/24 next-hop st0.0
set routing-options static route 192.168.2.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set routing-options static route 192.168.6.0/24 next-hop st0.0
set routing-options static route 192.168.7.0/24 next-hop st0.0
set routing-options static route 192.168.8.0/24 next-hop st0.0
set routing-options static route 192.168.9.0/24 next-hop st0.0

以下這條命令非必要,但是建議要加。SRX st0.0通道預設mtu 9192,而SSG5 tunnel.1通道預設mtu 1500,所以當兩者互相建立vpn通道成功時,您會發現SRXSSG5是正常的,而SSG5SRX則不通,原因是當對方的mtu小於等於你時,你能接受,但是當對方的mtu大於你時,你就無法接受了。所以當SRX設備與非JunOS設備建立vpn通道時,建議要加上這條命令,而若能清楚知道對端設備的mtu值則就完美了。
set interfaces st0 unit 0 family inet mtu 1500
-------- SRX HNTB設定 Site 4 END ---------

-------- SSG5 HNTB設定 Site 2 --------
## SSG本身為Site2WAN IP: 192.168.188.11tunnel.1 IP: 1.1.100.2/32
set interface tunnel.1 nhtb 1.1.100.1 vpn "Site2-Site1"  ## (Site1 wan ip 192.168.188.10)指定要往Site1的目標ipvpn name
set interface tunnel.1 nhtb 1.1.100.3 vpn "Site2-Site3"  ## (Site3 wan ip 192.168.188.12ip隱藏在vpngateway設定中,所以此處看不到)
set interface tunnel.1 nhtb 1.1.100.4 vpn "Site2-Site4"  ## (Site4 wan ip 192.168.188.13)
set route 192.168.1.0/24 interface tunnel.1 gateway 1.1.100.1  ## 遠端的網段指定要走tunnel.1並送往Site1tunnel.1 IP
set route 192.168.3.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.4.0/24 interface tunnel.1 gateway 1.1.100.1
set route 192.168.7.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.8.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.9.0/24 interface tunnel.1 gateway 1.1.100.3
set route 192.168.10.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.11.0/24 interface tunnel.1 gateway 1.1.100.4
set route 192.168.12.0/24 interface tunnel.1 gateway 1.1.100.4

以下這條命令非必要,只是說明而已。SRX st0.0通道預設mtu 9192,而SSG5 tunnel.1通道預設mtu 1500,所以當兩者互相建立vpn通道成功時,您會發現SRXSSG5是正常的,而SSG5SRX則不通,原因是當對方的mtu小於等於你時,你能接受,但是當對方的mtu大於你時,你就無法接受了。所以當SRX設備與非JunOS設備建立vpn通道時,建議要加上這條命令,而若能清楚知道對端設備的mtu值則就完美了。
set interface tunnel.1 mtu 1500
ssg5-serial-> set interface tunnel.1 mtu ?
<number>             mtu size, <1280-1500>
ssg5-serial->
-------- SSG5 HNTB設定 Site 2 END --------



使用HNTB的好處:
能減少系統開銷,降低設定及維護成本。在大型網路上,設定vpn若能搭配NHTB設定加上OSPF設定的方案,則會有更明顯的效果。
設定案例請參考以下JUNIPER原廠相關連結:
Hub-and-SpokeVPNs Using Next-Hop Tunnel Binding Overview
Example:Configuring Hub-and-Spoke VPNs using Next-Hop Tunnel Binding
nce-hub-spoke-vpn-nhtb.pdf


以下用兩個現成的檔案來作說明:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

下面為4SRXVPN設定範例,因為使用了NHTBOSPF之設定,所以您可發現在設定上反而比3SRXVPN設定要簡短很多,而且當成員越多顆時差距反而更明顯。
在這裡我們可以參考相關的連結:
JuniperSRX OSPF設定

vpn-route_based- multi_lan_to_multi_lan - ospf  - SRX - 4_router_of_router_a -  ok - lan_1_3_5--good - vlan.conf
## 帳號root   密碼srx100   IP192.168.1.1
## fe-0/0/0.0 WAN ,  fe-0/0/0/1--fe-0/0/4 Lan1  ,  fe-0/0/6 Lan2  ,  fe-0/0/7 Lan3  ,  fe-0/0/5.0 Sub-VLan66 ,  fe-0/0/5.1 Sub-VLan66 ,  fe-0/0/5.2 Sub-VLan66
## fe-0/0/0/1--fe-0/0/4 Lan1  乃是L2(layer 2) vlan之設定。
##  fe-0/0/5 乃是L3(layer 3) vlan之設定且須下接switches(設定3VLANvlan ID分別為666768以及vlan tagPVID相關之設定)
## 本地端網路-192.168.1.0 192.168.3.0 192.168.5.0  遠端網路1-192.168.2.0 192.168.4.0 192.168.6.0 遠端網路2-192.168.7.0 192.168.8.0 192.168.9.0 遠端網路2-192.168.10.0 192.168.11.0 192.168.12.0
## 本地端網路3個子網路與遠端網路1的3個子網路及遠端網路2的3個子網路,彼此皆可互通
## 本設定檔開放wan端PING及web服務(方便測試),為了資安考量可將其關閉,設定請參考SRX防火牆常規操作與維護.txt
## 套用本設定檔時請自行調整以下IP:WAN-192.168.188.10   static-route-192.168.188.178   VPN遠端IP-192.168.188.11 VPN遠端IP-192.168.188.12 VPN遠端IP-192.168.188.13
## 在大型網路中,vpn設定採用OSPF方法,可減少維護成本及設定之困難度,以及防火牆資源之占用
## 本設定使用OSPF設定,讓與遠端能與本地端溝通,可用於跟他廠牌router做vpn連結,而不同廠牌間之端口MTU預設值會不同,要設定一致才能互相溝通
## SSG tunnel.1端口預設MTU=1500,SRX ST0.0端口預設MTU=9192,故本例在ST0.0端口設定MTU=1500才能與SSG設備溝通
## 本CD中之OSPF 4 ROUTER系列,router a b c d之間,SRX與SSG router皆可互為替換
## VPN phase1 ike proposol pre-g2-3des-md5    phase2 ipsec proposol nopfs-esp-3des-md5 
## pre-shared-key  "netscreen"

set system host-name srx100
set system time-zone Asia/Taipei
set system root-authentication encrypted-password "$1$Fg/DP18.$xeq4lIWwyYkVqaKa4d63F1"
set system name-server 168.95.192.1
set system name-server 168.95.1.1
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$dYTGDNPV$0GUdFo.gWl4RzhZSH72O91"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management http interface fe-0/0/6.0
set system services web-management http interface fe-0/0/7.0
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/6.0
set system services web-management https interface fe-0/0/7.0
set system services dhcp name-server 168.95.1.1
set system services dhcp name-server 168.95.192.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.11
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.111
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.0
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.11
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.111
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.3.0/24 propagate-settings fe-0/0/6.0
set system services dhcp pool 192.168.5.0/24 address-range low 192.168.5.11
set system services dhcp pool 192.168.5.0/24 address-range high 192.168.5.111
set system services dhcp pool 192.168.5.0/24 router 192.168.5.1
set system services dhcp pool 192.168.5.0/24 propagate-settings fe-0/0/7.0
set system services dhcp pool 192.168.66.0/24 address-range low 192.168.66.11
set system services dhcp pool 192.168.66.0/24 address-range high 192.168.66.111
set system services dhcp pool 192.168.66.0/24 router 192.168.66.1
set system services dhcp pool 192.168.66.0/24 propagate-settings fe-0/0/5.0
set system services dhcp pool 192.168.67.0/24 address-range low 192.168.67.11
set system services dhcp pool 192.168.67.0/24 address-range high 192.168.67.111
set system services dhcp pool 192.168.67.0/24 router 192.168.67.1
set system services dhcp pool 192.168.67.0/24 propagate-settings fe-0/0/5.1
set system services dhcp pool 192.168.68.0/24 address-range low 192.168.68.11
set system services dhcp pool 192.168.68.0/24 address-range high 192.168.68.111
set system services dhcp pool 192.168.68.0/24 router 192.168.68.1
set system services dhcp pool 192.168.68.0/24 propagate-settings fe-0/0/5.2
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 192.168.1.11 any any
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 15
set system max-configuration-rollbacks 15
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 118.163.81.61
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 vlan-tagging
set interfaces fe-0/0/5 unit 0 vlan-id 66
set interfaces fe-0/0/5 unit 0 family inet address 192.168.66.1/24
set interfaces fe-0/0/5 unit 1 vlan-id 67
set interfaces fe-0/0/5 unit 1 family inet address 192.168.67.1/24
set interfaces fe-0/0/5 unit 2 vlan-id 68
set interfaces fe-0/0/5 unit 2 family inet address 192.168.68.1/24
set interfaces fe-0/0/6 unit 0 family inet address 192.168.3.1/24
set interfaces fe-0/0/7 unit 0 family inet address 192.168.5.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.2 ipsec-vpn Site1-to-Site2
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.3 ipsec-vpn Site1-to-Site3
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.100.4 ipsec-vpn Site1-to-Site4
set interfaces st0 unit 0 family inet address 1.1.100.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.188.178
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.5.0/24 next-hop st0.0
set routing-options static route 192.168.2.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set routing-options static route 192.168.6.0/24 next-hop st0.0
set routing-options static route 192.168.7.0/24 next-hop st0.0
set routing-options static route 192.168.8.0/24 next-hop st0.0
set routing-options static route 192.168.9.0/24 next-hop st0.0
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 10
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 40
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface vlan.0 metric 1
set protocols ospf area 0.0.0.0 interface vlan.0 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/5.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/5.0 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/5.0 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/5.1 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/5.1 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/5.1 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/5.2 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/5.2 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/5.2 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/6.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/6.0 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/6.0 priority 10
set protocols ospf area 0.0.0.0 interface fe-0/0/7.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/7.0 metric 1
set protocols ospf area 0.0.0.0 interface fe-0/0/7.0 priority 10
set protocols stp
set security ike proposal srx-ike-proposal authentication-method pre-shared-keys
set security ike proposal srx-ike-proposal dh-group group2
set security ike proposal srx-ike-proposal authentication-algorithm md5
set security ike proposal srx-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal srx-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_srx-to-srx mode main
set security ike policy ike_pol_srx-to-srx proposals srx-ike-proposal
set security ike policy ike_pol_srx-to-srx pre-shared-key ascii-text "$9$U9i.5n6AOIcCtORcSW8-VwYgJTQn"
set security ike gateway Site2_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site2_GW address 192.168.188.11
set security ike gateway Site2_GW dead-peer-detection
set security ike gateway Site2_GW no-nat-traversal
set security ike gateway Site2_GW external-interface fe-0/0/0.0
set security ike gateway Site2_GW version v1-only
set security ike gateway Site3_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site3_GW address 192.168.188.12
set security ike gateway Site3_GW dead-peer-detection
set security ike gateway Site3_GW no-nat-traversal
set security ike gateway Site3_GW external-interface fe-0/0/0.0
set security ike gateway Site3_GW version v1-only
set security ike gateway Site4_GW ike-policy ike_pol_srx-to-srx
set security ike gateway Site4_GW address 192.168.188.13
set security ike gateway Site4_GW dead-peer-detection
set security ike gateway Site4_GW no-nat-traversal
set security ike gateway Site4_GW external-interface fe-0/0/0.0
set security ike gateway Site4_GW version v1-only
set security ipsec proposal srx-ipsec-proposal protocol esp
set security ipsec proposal srx-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal srx-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal srx-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_srx-to-srx proposals srx-ipsec-proposal
set security ipsec vpn Site1-to-Site2 bind-interface st0.0
set security ipsec vpn Site1-to-Site2 vpn-monitor optimized
set security ipsec vpn Site1-to-Site2 ike gateway Site2_GW
set security ipsec vpn Site1-to-Site2 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site1-to-Site2 establish-tunnels immediately
set security ipsec vpn Site1-to-Site3 bind-interface st0.0
set security ipsec vpn Site1-to-Site3 vpn-monitor optimized
set security ipsec vpn Site1-to-Site3 ike gateway Site3_GW
set security ipsec vpn Site1-to-Site3 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site1-to-Site3 establish-tunnels immediately
set security ipsec vpn Site1-to-Site4 bind-interface st0.0
set security ipsec vpn Site1-to-Site4 vpn-monitor optimized
set security ipsec vpn Site1-to-Site4 ike gateway Site4_GW
set security ipsec vpn Site1-to-Site4 ike ipsec-policy ipsec_pol_srx-to-srx
set security ipsec vpn Site1-to-Site4 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone VPN to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone VPN to-zone trust policy vpn-to-trust match application any
set security policies from-zone VPN to-zone trust policy vpn-to-trust then permit
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn match source-address any
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn match destination-address any
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn match application any
set security policies from-zone VPN to-zone VPN policy vpn-to-vpn then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone trust address-book address addr_192_168_1_0_24 192.168.1.0/24
set security zones security-zone trust address-book address addr_192_168_3_0_24 192.168.3.0/24
set security zones security-zone trust address-book address addr_192_168_5_0_24 192.168.5.0/24
set security zones security-zone trust address-book address-set Local_Lans address addr_192_168_1_0_24
set security zones security-zone trust address-book address-set Local_Lans address addr_192_168_3_0_24
set security zones security-zone trust address-book address-set Local_Lans address addr_192_168_5_0_24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces fe-0/0/5.0
set security zones security-zone trust interfaces fe-0/0/5.1
set security zones security-zone trust interfaces fe-0/0/5.2
set security zones security-zone trust interfaces fe-0/0/6.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces fe-0/0/7.0 host-inbound-traffic protocols ospf
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone VPN address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone VPN address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone VPN address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone VPN address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone VPN address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone VPN address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone VPN address-book address addr_192_168_10_0_24 192.168.10.0/24
set security zones security-zone VPN address-book address addr_192_168_11_0_24 192.168.11.0/24
set security zones security-zone VPN address-book address addr_192_168_12_0_24 192.168.12.0/24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_2_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_4_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_6_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_7_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_8_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_9_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_10_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_11_0_24
set security zones security-zone VPN address-book address-set Remote_Lans address addr_192_168_12_0_24
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0


+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++

下面為3顆的VPN設定範例,此案例並未使用NHTBOSPF之設定,所以您可以發現其設定非常之冗長。


而同一個案例,在SSG5的設定上長度就簡短很多,原因是因為ScreenOS支援Multi-proxy的功能,ssg5只要建立兩條通道,兩個vpn就好,而在SRX則需要建立18條通道,18VPN才行。
 
vpn-route_based- multi_lan_to_multi_lan - 3_router_of_router_a - SRX - OK - lan_1_3_5 - firewall_filter-good.conf
## 帳號root   密碼srx210   IP192.168.1.1
## fe-0/0/0.0 WAN ,  fe-0/0/0/1--fe-0/0/5 Lan1  ,  fe-0/0/6 Lan2  ,  fe-0/0/7 Lan3 
## 本地端網路-192.168.1.0 192.168.3.0 192.168.5.0   ssg遠端網路1-192.168.2.0 192.168.4.0 192.168.6.0   netscreen遠端網路2-192.168.7.0 192.168.8.0 192.168.9.0
## 本地端網路3個子網路與遠端網路1的3個子網路及遠端網路2的3個子網路,皆透過VPN,讓彼此都能互通
## 本設定使用filter將vpn從st0.1-st0.19作相對應的分流,讓與遠端VPN能與本地端VPN溝通, 可用於跟他廠牌router做vpn連結
## 本設定檔開放wan端PING及web服務(方便測試),為了資安考量可將其關閉,設定請參考 SRX防火牆常規操作與維護.txt
## 套用本設定檔時請自行調整以下IP:WAN-192.168.188.10   static-route-192.168.188.178   VPN遠端IP-192.168.188.11 VPN遠端IP-192.168.188.12
## 為測試只採用基本加密設定,請自行更改成高安全性設定
## pre-shared-key  "netscreen"
## 閱讀下列設定之前,關於firewall filter和routing-instance的部分可先參考以下連結:
Configuringsite-to-site VPNs between SRX and Cisco ASA, with multiple networks behind theSRX and ASA, and full mesh traffic between networks


root@srx100# show | display set | no-more
set version 12.1X46-D55.3
set system host-name srx100
set system time-zone Asia/Taipei
set system root-authentication encrypted-password "$1$Fg/DP18.$xeq4lIWwyYkVqaKa4d63F1"
set system name-server 168.95.192.1
set system name-server 168.95.1.1
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$dYTGDNPV$0GUdFo.gWl4RzhZSH72O91"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management http interface fe-0/0/6.0
set system services web-management http interface fe-0/0/7.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface fe-0/0/6.0
set system services web-management https interface fe-0/0/7.0
set system services dhcp name-server 168.95.1.1
set system services dhcp name-server 168.95.192.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.11
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.111
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.11
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.111
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.5.0/24 address-range low 192.168.5.11
set system services dhcp pool 192.168.5.0/24 address-range high 192.168.5.111
set system services dhcp pool 192.168.5.0/24 router 192.168.5.1
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 15
set system max-configuration-rollbacks 15
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 118.163.81.61
set interfaces fe-0/0/0 unit 0 family inet address 192.168.188.10/24
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family inet filter input SSG_vpn
set interfaces fe-0/0/6 unit 0 family inet address 192.168.3.1/24
set interfaces fe-0/0/7 unit 0 family inet filter input SSG_vpn
set interfaces fe-0/0/7 unit 0 family inet address 192.168.5.1/24
set interfaces st0 unit 1 family inet mtu 1500
set interfaces st0 unit 2 family inet mtu 1500
set interfaces st0 unit 3 family inet mtu 1500
set interfaces st0 unit 4 family inet mtu 1500
set interfaces st0 unit 5 family inet mtu 1500
set interfaces st0 unit 6 family inet mtu 1500
set interfaces st0 unit 7 family inet mtu 1500
set interfaces st0 unit 8 family inet mtu 1500
set interfaces st0 unit 9 family inet mtu 1500
set interfaces st0 unit 11 family inet mtu 1500
set interfaces st0 unit 12 family inet mtu 1500
set interfaces st0 unit 13 family inet mtu 1500
set interfaces st0 unit 14 family inet mtu 1500
set interfaces st0 unit 15 family inet mtu 1500
set interfaces st0 unit 16 family inet mtu 1500
set interfaces st0 unit 17 family inet mtu 1500
set interfaces st0 unit 18 family inet mtu 1500
set interfaces st0 unit 19 family inet mtu 1500
set interfaces vlan unit 0 family inet filter input SSG_vpn
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options interface-routes rib-group inet group1
set routing-options static route 0.0.0.0/0 next-hop 192.168.188.178
set routing-options rib-groups group1 import-rib inet.0
set routing-options rib-groups group1 import-rib SSG-1.inet.0
set routing-options rib-groups group1 import-rib SSG-2.inet.0
set routing-options rib-groups group1 import-rib SSG-3.inet.0
set protocols stp
set security ike proposal ssg-ike-proposal authentication-method pre-shared-keys
set security ike proposal ssg-ike-proposal dh-group group2
set security ike proposal ssg-ike-proposal authentication-algorithm md5
set security ike proposal ssg-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal ssg-ike-proposal lifetime-seconds 28800
set security ike policy ike_pol_srx210-to-ssg5 mode main
set security ike policy ike_pol_srx210-to-ssg5 proposals ssg-ike-proposal
set security ike policy ike_pol_srx210-to-ssg5 pre-shared-key ascii-text "$9$U9i.5n6AOIcCtORcSW8-VwYgJTQn"
set security ike gateway gw_srx210-to-ssg5 ike-policy ike_pol_srx210-to-ssg5
set security ike gateway gw_srx210-to-ssg5 address 192.168.188.11
set security ike gateway gw_srx210-to-ssg5 dead-peer-detection
set security ike gateway gw_srx210-to-ssg5 no-nat-traversal
set security ike gateway gw_srx210-to-ssg5 external-interface fe-0/0/0.0
set security ike gateway gw_srx210-to-ssg5 version v1-only
set security ike gateway gw_srx210-to-netscreen ike-policy ike_pol_srx210-to-ssg5
set security ike gateway gw_srx210-to-netscreen address 192.168.188.12
set security ike gateway gw_srx210-to-netscreen dead-peer-detection
set security ike gateway gw_srx210-to-netscreen no-nat-traversal
set security ike gateway gw_srx210-to-netscreen external-interface fe-0/0/0.0
set security ike gateway gw_srx210-to-netscreen version v1-only
set security ipsec proposal ssg-ipsec-proposal protocol esp
set security ipsec proposal ssg-ipsec-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ssg-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ssg-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec_pol_srx210-to-ssg5 proposals ssg-ipsec-proposal
set security ipsec vpn srx1-to-ssg2 bind-interface st0.1
set security ipsec vpn srx1-to-ssg2 vpn-monitor optimized
set security ipsec vpn srx1-to-ssg2 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg2 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx1-to-ssg2 ike proxy-identity service any
set security ipsec vpn srx1-to-ssg2 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg2 establish-tunnels immediately
set security ipsec vpn srx1-to-ssg4 bind-interface st0.2
set security ipsec vpn srx1-to-ssg4 vpn-monitor optimized
set security ipsec vpn srx1-to-ssg4 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg4 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security ipsec vpn srx1-to-ssg4 ike proxy-identity service any
set security ipsec vpn srx1-to-ssg4 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg4 establish-tunnels immediately
set security ipsec vpn srx1-to-ssg6 bind-interface st0.3
set security ipsec vpn srx1-to-ssg6 vpn-monitor optimized
set security ipsec vpn srx1-to-ssg6 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg6 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-ssg6 ike proxy-identity remote 192.168.6.0/24
set security ipsec vpn srx1-to-ssg6 ike proxy-identity service any
set security ipsec vpn srx1-to-ssg6 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-ssg6 establish-tunnels immediately
set security ipsec vpn srx3-to-ssg2 bind-interface st0.4
set security ipsec vpn srx3-to-ssg2 vpn-monitor optimized
set security ipsec vpn srx3-to-ssg2 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg2 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx3-to-ssg2 ike proxy-identity service any
set security ipsec vpn srx3-to-ssg2 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg2 establish-tunnels immediately
set security ipsec vpn srx3-to-ssg4 bind-interface st0.5
set security ipsec vpn srx3-to-ssg4 vpn-monitor optimized
set security ipsec vpn srx3-to-ssg4 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg4 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security ipsec vpn srx3-to-ssg4 ike proxy-identity service any
set security ipsec vpn srx3-to-ssg4 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg4 establish-tunnels immediately
set security ipsec vpn srx3-to-ssg6 bind-interface st0.6
set security ipsec vpn srx3-to-ssg6 vpn-monitor optimized
set security ipsec vpn srx3-to-ssg6 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg6 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-ssg6 ike proxy-identity remote 192.168.6.0/24
set security ipsec vpn srx3-to-ssg6 ike proxy-identity service any
set security ipsec vpn srx3-to-ssg6 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-ssg6 establish-tunnels immediately
set security ipsec vpn srx5-to-ssg2 bind-interface st0.7
set security ipsec vpn srx5-to-ssg2 vpn-monitor optimized
set security ipsec vpn srx5-to-ssg2 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg2 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-ssg2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn srx5-to-ssg2 ike proxy-identity service any
set security ipsec vpn srx5-to-ssg2 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg2 establish-tunnels immediately
set security ipsec vpn srx5-to-ssg4 bind-interface st0.8
set security ipsec vpn srx5-to-ssg4 vpn-monitor optimized
set security ipsec vpn srx5-to-ssg4 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg4 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-ssg4 ike proxy-identity remote 192.168.4.0/24
set security ipsec vpn srx5-to-ssg4 ike proxy-identity service any
set security ipsec vpn srx5-to-ssg4 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg4 establish-tunnels immediately
set security ipsec vpn srx5-to-ssg6 bind-interface st0.9
set security ipsec vpn srx5-to-ssg6 vpn-monitor optimized
set security ipsec vpn srx5-to-ssg6 ike gateway gw_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg6 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-ssg6 ike proxy-identity remote 192.168.6.0/24
set security ipsec vpn srx5-to-ssg6 ike proxy-identity service any
set security ipsec vpn srx5-to-ssg6 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-ssg6 establish-tunnels immediately
set security ipsec vpn srx1-to-netscreen7 bind-interface st0.11
set security ipsec vpn srx1-to-netscreen7 vpn-monitor optimized
set security ipsec vpn srx1-to-netscreen7 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx1-to-netscreen7 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-netscreen7 ike proxy-identity remote 192.168.7.0/24
set security ipsec vpn srx1-to-netscreen7 ike proxy-identity service any
set security ipsec vpn srx1-to-netscreen7 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-netscreen7 establish-tunnels immediately
set security ipsec vpn srx1-to-netscreen8 bind-interface st0.12
set security ipsec vpn srx1-to-netscreen8 vpn-monitor optimized
set security ipsec vpn srx1-to-netscreen8 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx1-to-netscreen8 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-netscreen8 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn srx1-to-netscreen8 ike proxy-identity service any
set security ipsec vpn srx1-to-netscreen8 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-netscreen8 establish-tunnels immediately
set security ipsec vpn srx1-to-netscreen9 bind-interface st0.13
set security ipsec vpn srx1-to-netscreen9 vpn-monitor optimized
set security ipsec vpn srx1-to-netscreen9 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx1-to-netscreen9 ike proxy-identity local 192.168.1.0/24
set security ipsec vpn srx1-to-netscreen9 ike proxy-identity remote 192.168.9.0/24
set security ipsec vpn srx1-to-netscreen9 ike proxy-identity service any
set security ipsec vpn srx1-to-netscreen9 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx1-to-netscreen9 establish-tunnels immediately
set security ipsec vpn srx3-to-netscreen7 bind-interface st0.14
set security ipsec vpn srx3-to-netscreen7 vpn-monitor optimized
set security ipsec vpn srx3-to-netscreen7 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx3-to-netscreen7 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-netscreen7 ike proxy-identity remote 192.168.7.0/24
set security ipsec vpn srx3-to-netscreen7 ike proxy-identity service any
set security ipsec vpn srx3-to-netscreen7 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-netscreen7 establish-tunnels immediately
set security ipsec vpn srx3-to-netscreen8 bind-interface st0.15
set security ipsec vpn srx3-to-netscreen8 vpn-monitor optimized
set security ipsec vpn srx3-to-netscreen8 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx3-to-netscreen8 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-netscreen8 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn srx3-to-netscreen8 ike proxy-identity service any
set security ipsec vpn srx3-to-netscreen8 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-netscreen8 establish-tunnels immediately
set security ipsec vpn srx3-to-netscreen9 bind-interface st0.16
set security ipsec vpn srx3-to-netscreen9 vpn-monitor optimized
set security ipsec vpn srx3-to-netscreen9 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx3-to-netscreen9 ike proxy-identity local 192.168.3.0/24
set security ipsec vpn srx3-to-netscreen9 ike proxy-identity remote 192.168.9.0/24
set security ipsec vpn srx3-to-netscreen9 ike proxy-identity service any
set security ipsec vpn srx3-to-netscreen9 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx3-to-netscreen9 establish-tunnels immediately
set security ipsec vpn srx5-to-netscreen7 bind-interface st0.17
set security ipsec vpn srx5-to-netscreen7 vpn-monitor optimized
set security ipsec vpn srx5-to-netscreen7 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx5-to-netscreen7 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-netscreen7 ike proxy-identity remote 192.168.7.0/24
set security ipsec vpn srx5-to-netscreen7 ike proxy-identity service any
set security ipsec vpn srx5-to-netscreen7 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-netscreen7 establish-tunnels immediately
set security ipsec vpn srx5-to-netscreen8 bind-interface st0.18
set security ipsec vpn srx5-to-netscreen8 vpn-monitor optimized
set security ipsec vpn srx5-to-netscreen8 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx5-to-netscreen8 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-netscreen8 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn srx5-to-netscreen8 ike proxy-identity service any
set security ipsec vpn srx5-to-netscreen8 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-netscreen8 establish-tunnels immediately
set security ipsec vpn srx5-to-netscreen9 bind-interface st0.19
set security ipsec vpn srx5-to-netscreen9 vpn-monitor optimized
set security ipsec vpn srx5-to-netscreen9 ike gateway gw_srx210-to-netscreen
set security ipsec vpn srx5-to-netscreen9 ike proxy-identity local 192.168.5.0/24
set security ipsec vpn srx5-to-netscreen9 ike proxy-identity remote 192.168.9.0/24
set security ipsec vpn srx5-to-netscreen9 ike proxy-identity service any
set security ipsec vpn srx5-to-netscreen9 ike ipsec-policy ipsec_pol_srx210-to-ssg5
set security ipsec vpn srx5-to-netscreen9 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match source-address addr_192_168_1_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_2_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_4_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_6_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_7_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_8_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match destination-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG match application any
set security policies from-zone trust to-zone untrust_vpn_1 policy VPN-SRX1-TO-SSG then permit
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match source-address addr_192_168_3_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_2_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_4_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_6_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_7_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_8_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match destination-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG match application any
set security policies from-zone trust to-zone untrust_vpn_2 policy VPN-SRX3-TO-SSG then permit
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match source-address addr_192_168_5_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_2_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_4_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_6_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_7_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_8_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match destination-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG match application any
set security policies from-zone trust to-zone untrust_vpn_3 policy VPN-SRX5-TO-SSG then permit
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_2_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_4_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_6_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_7_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_8_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match source-address addr_192_168_9_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match destination-address addr_192_168_1_0_24
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 match application any
set security policies from-zone untrust_vpn_1 to-zone trust policy VPN-SSG-TO-SRX1 then permit
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_2_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_4_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_6_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_7_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_8_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match source-address addr_192_168_9_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match destination-address addr_192_168_3_0_24
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 match application any
set security policies from-zone untrust_vpn_2 to-zone trust policy VPN-SSG-TO-SRX3 then permit
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_2_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_4_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_6_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_7_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_8_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match source-address addr_192_168_9_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match destination-address addr_192_168_5_0_24
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 match application any
set security policies from-zone untrust_vpn_3 to-zone trust policy VPN-SSG-TO-SRX5 then permit
set security zones security-zone trust address-book address addr_192_168_1_0_24 192.168.1.0/24
set security zones security-zone trust address-book address addr_192_168_3_0_24 192.168.3.0/24
set security zones security-zone trust address-book address addr_192_168_5_0_24 192.168.5.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/6.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone untrust_vpn_1 address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone untrust_vpn_1 interfaces st0.1
set security zones security-zone untrust_vpn_1 interfaces st0.2
set security zones security-zone untrust_vpn_1 interfaces st0.3
set security zones security-zone untrust_vpn_1 interfaces st0.11
set security zones security-zone untrust_vpn_1 interfaces st0.12
set security zones security-zone untrust_vpn_1 interfaces st0.13
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone untrust_vpn_2 address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone untrust_vpn_2 interfaces st0.4
set security zones security-zone untrust_vpn_2 interfaces st0.5
set security zones security-zone untrust_vpn_2 interfaces st0.6
set security zones security-zone untrust_vpn_2 interfaces st0.14
set security zones security-zone untrust_vpn_2 interfaces st0.15
set security zones security-zone untrust_vpn_2 interfaces st0.16
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_2_0_24 192.168.2.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_4_0_24 192.168.4.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_6_0_24 192.168.6.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_7_0_24 192.168.7.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_8_0_24 192.168.8.0/24
set security zones security-zone untrust_vpn_3 address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone untrust_vpn_3 interfaces st0.7
set security zones security-zone untrust_vpn_3 interfaces st0.8
set security zones security-zone untrust_vpn_3 interfaces st0.9
set security zones security-zone untrust_vpn_3 interfaces st0.17
set security zones security-zone untrust_vpn_3 interfaces st0.18
set security zones security-zone untrust_vpn_3 interfaces st0.19
set firewall family inet filter SSG_vpn term 1 from source-address 192.168.1.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.2.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.4.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.6.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.7.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.8.0/24
set firewall family inet filter SSG_vpn term 1 from destination-address 192.168.9.0/24
set firewall family inet filter SSG_vpn term 1 then routing-instance SSG-1
set firewall family inet filter SSG_vpn term 2 from source-address 192.168.3.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.2.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.4.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.6.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.7.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.8.0/24
set firewall family inet filter SSG_vpn term 2 from destination-address 192.168.9.0/24
set firewall family inet filter SSG_vpn term 2 then routing-instance SSG-2
set firewall family inet filter SSG_vpn term 3 from source-address 192.168.5.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.2.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.4.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.6.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.7.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.8.0/24
set firewall family inet filter SSG_vpn term 3 from destination-address 192.168.9.0/24
set firewall family inet filter SSG_vpn term 3 then routing-instance SSG-3
set firewall family inet filter SSG_vpn term 4 then accept
set routing-instances SSG-1 instance-type virtual-router
set routing-instances SSG-1 interface st0.1
set routing-instances SSG-1 interface st0.2
set routing-instances SSG-1 interface st0.3
set routing-instances SSG-1 interface st0.11
set routing-instances SSG-1 interface st0.12
set routing-instances SSG-1 interface st0.13
set routing-instances SSG-1 routing-options static route 192.168.2.0/24 next-hop st0.1
set routing-instances SSG-1 routing-options static route 192.168.4.0/24 next-hop st0.2
set routing-instances SSG-1 routing-options static route 192.168.6.0/24 next-hop st0.3
set routing-instances SSG-1 routing-options static route 192.168.7.0/24 next-hop st0.11
set routing-instances SSG-1 routing-options static route 192.168.8.0/24 next-hop st0.12
set routing-instances SSG-1 routing-options static route 192.168.9.0/24 next-hop st0.13
set routing-instances SSG-2 instance-type virtual-router
set routing-instances SSG-2 interface st0.4
set routing-instances SSG-2 interface st0.5
set routing-instances SSG-2 interface st0.6
set routing-instances SSG-2 interface st0.14
set routing-instances SSG-2 interface st0.15
set routing-instances SSG-2 interface st0.16
set routing-instances SSG-2 routing-options static route 192.168.2.0/24 next-hop st0.4
set routing-instances SSG-2 routing-options static route 192.168.4.0/24 next-hop st0.5
set routing-instances SSG-2 routing-options static route 192.168.6.0/24 next-hop st0.6
set routing-instances SSG-2 routing-options static route 192.168.7.0/24 next-hop st0.14
set routing-instances SSG-2 routing-options static route 192.168.8.0/24 next-hop st0.15
set routing-instances SSG-2 routing-options static route 192.168.9.0/24 next-hop st0.16
set routing-instances SSG-3 instance-type virtual-router
set routing-instances SSG-3 interface st0.7
set routing-instances SSG-3 interface st0.8
set routing-instances SSG-3 interface st0.9
set routing-instances SSG-3 interface st0.17
set routing-instances SSG-3 interface st0.18
set routing-instances SSG-3 interface st0.19
set routing-instances SSG-3 routing-options static route 192.168.2.0/24 next-hop st0.7
set routing-instances SSG-3 routing-options static route 192.168.4.0/24 next-hop st0.8
set routing-instances SSG-3 routing-options static route 192.168.6.0/24 next-hop st0.9
set routing-instances SSG-3 routing-options static route 192.168.7.0/24 next-hop st0.17
set routing-instances SSG-3 routing-options static route 192.168.8.0/24 next-hop st0.18
set routing-instances SSG-3 routing-options static route 192.168.9.0/24 next-hop st0.19
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

這個網誌中的熱門文章

如何測試網路連線--網路斷線了怎麼辦?

-
圖片
如何測試網路連線--網路斷線了怎麼辦? 如何測試網路連線 -- 網路不通了 DIY 自行檢測網路連線 當我們打開電腦,卻發現無法上網了,這時候我們該怎麼辦呢 ? 如果在公司的話,我們可以請電腦人員來處理,而若是在家裡,我們就必須 DIY 先自行檢查一遍,如果檢查後仍然不能上網的話,我們也只能請朋友或是廠商來維修了。 而我們又要如何 DIY 先自行檢查呢 ? 請您依照下列步驟來進行: 第一步:進入 DOS 命令列模式。 按 " 視窗鍵 +R 鍵 " ,開啟執行視窗並輸入 " cmd " 後按 enter 鍵來進入 DOS 命令列模式。 第二步:檢查 ip 是否正常。 請輸入 " ipconfig " 來 檢查有無取得正常 IP 或是 IP 設定是否正確。 若電腦要上網,則每台電腦 一 定都要配有一個 IP 位址才行,本例的 IP 位址為 192.168.1.11 。 而 IP 位址分成 公共 IP 與 私有 IP 兩種, 只有公共 IP 才能上網 ( 網際網路 ) ,私有 IP 是無法直接上網的,私有 IP 只能在區域網路中使用 。而因為公共 IP 太少,所以要搭配私有 IP 來上網才行,這樣就可以達到以 100 台電腦,或是以 10000 台電腦,使用私有 IP 經過網路設備的轉換而達成只需使用 1 個公共 IP 就能讓大家一起上網的目的了。 私有 IP 無法直接連接網際網路,需要使用 網絡地址轉換( Network Address Translator , NAT ) 或者 代理伺服器   ( proxy server ) 來實現。與公網 IP 相比,私有 IP 是免費的,同時節省了 IP 位址資源,適合在區域網使用。私有 IP 常被用於家庭,學校和企業的區域網。 私有 IP 的範圍: 192.168.XX. XX 172.16. XX.XX – - 172.31. XX.XX 10. XX.XX.XX 我們只要看到 IP 位址開頭為上述範圍的 IP ,就表示您的 IP 為私有 IP 。 還有一種 ip 位址為 169.254. X.X , 這種
閱讀完整內容

筆記電腦刷BIOS失敗無法開機—用CH341A編程器重刷BIOS教學!

-
圖片
ASUS 筆記電腦更新 BIOS 失敗無法開機 —用 CH341A 編程 器重刷 BIOS 教學! 前一陣子買了一台新的筆記電腦 (∩_∩) ,因此讓跟了我多年的 ASUS A42JA 筆電因此就被束之高閣沒有再被使用了 ヽ (´ ー ` )┌ ,後來想說反正放著不用也是浪費,乾脆就整理一下拿到拍賣網站給便宜賣掉算了 (¬ ‿ ¬) ,於是便動手開始移除個人的資料, 把 WINDOWS 7 系統還原到出廠狀態,順便一起更新 BIOS 的版本 ,而更新的過程很順利,在寫入 100% 後便自行重開機,重開機後小弟發現電源燈與硬碟燈皆恆亮,且螢幕沒有畫面,但小弟當然得等著它繼續開機更新 BIOS ,可是 2 分鐘 .. , 5 分鐘過了 .. ,情況還是一樣,此時心中不禁起了疑惑   (• ิ _• ิ )? ,不會吧 ! 會不會更新失敗了 ? 難道這麼倒楣的事都讓小弟我給碰上了 ? 一直等到十分鐘過後,小弟我終於失去耐性了,便下定決心長按電源鍵來讓筆記電腦強行關機   ( ╯‵ □′) ╯ ︵ ╧═╧ ,然後再開機,結果依然還是沒有畫面,電源燈與硬碟燈都恆亮的情況,小弟仍不死心的又重試了幾次,問題最後終於明朗化了,他媽的 BIOS 真的更新失敗了,對小弟來說一直是傳說中的問題竟被我給遇上了 !!!   。゜゜ (´ O `) ゜゜。 因為這台 ASUS A42JA 筆電已購置多年,早就過保固了,因此小弟先上網 GOOGLE 下,發現這類問題 ASUS 原廠通常是換主機板(這是在論壇上討論的內容),且一片要價 $5000 元   ( ⊙ _ ⊙ ) ,所以送回原廠維修的方案小弟就不考慮了(超出了筆電的價值沒有維修的必要),小弟接著再努力的 GOOGLE 幾下,終於發現 BIOS 更新失敗後似乎可以自行使用燒錄器來重刷 BIOS  (¬_¬;) ,於是這便成為小弟唯一可行的解決方案了。 從網路上找到的刷 BIOS 案例中,發現大多是使用 ”CH341A 編程器 ( 燒錄器 ) ” 來進行燒錄作業,其基本作法是用烙鐵將主機板上的 BIOS 晶片( 芯片 ) 拆下,再用 CH341A 燒錄器將原廠下載的 BIOS 檔案燒入芯片中,最後再將 BIOS 芯片焊接回筆電主機板上。而因為小弟也是電子相關科系出身,也曾拿烙鐵來焊接電子零件,所以
閱讀完整內容

INTEL XTU使用教學以及對筆電應具備的XTU設定概念

-
圖片
INTEL XTU 使用教學以及對筆電應具備的 XTU 設定概念 這篇文章除了教您如何使用 Intel XTU 之外,還告訴您許多 XTU 設定上的觀念,以及如何使用 XTU 來優化您的筆電等,在文中還有新、舊版本的 Intel XTU 開機自啟動相關的設定方法提供給大家來參考看看。 本篇文章主要是從初學者的角度出發來撰寫的,所以內容較為初淺,且繁雜,尚請各位大大多多體諒 ! 內容多為網路上蒐集而來,由小弟加以整理並加入個人的看法,若有校稿不力或是觀念錯誤的地方,尚請各位大大不吝指正,小弟必盡速更正 ! 在此先萬分感謝各位大大的愛護與支持,感謝您 !   內文開始   Intel 原廠網站是這樣說明的: Intel® 極致調整公用程式( Intel ® Extreme Tuning Utility - Intel® XTU )是一種簡易的 Windows 效能調整應用程式,可讓新手和經驗豐富的愛好者超頻、監控和壓力系統。軟體介面有一系列強大的功能,在大部分玩家平臺中都很常見。這種介面在新的 Intel® 處理器和主機板上也有特殊功能。 PS:上面這段話的意思是 -- Intel XTU 是 Intel 所推出的 一種簡易的 Windows 效能調整應用程式,透過對 CPU 電壓與功耗限制等的調整,可讓新手和經驗豐富的愛好者來對 Intel CPU 進行 超頻 、 監控 和 做壓力測試 。以小弟的電腦來說, CPU 經過 XTU 適當的調教之後,可以憑空增加約 30% 左右的效能,這可是得多花好幾千塊錢買更好的電腦才辦的到的事哦 ! 適用於下列產品。     Intel® Core™ i3-7350K 處理器 ( 4M 快取記憶體, 4.20 GHz)     Intel® Core™ i3-8350K 處理器( 8M 快取記憶體, 4.00 GHz )     Intel® Core™ i3-9350K 處理器( 8M 快取記憶體,最高 4.60 GHz )     Intel® Core™ i3-9350KF 處理器( 8M 快取記憶體,最高 4.60 GHz )     Intel® Core™ i5-3570K 處理器 ( 6M 快取記憶體,最高 3.80 GHz)     I
閱讀完整內容