Establishing the tunnel

set security zones security-zone untrust interfaces st0.1

(st0.1 is the secure tunnel interface of this route-based VPN. Because it is placed in the untrust zone, the untrust-to-trust policy below is what governs traffic arriving through the tunnel.)

The two IPsec phases

Phase 1 (IKE SA):

set security ike proposal to_head authentication-method pre-shared-keys

set security ike proposal to_head dh-group group2

set security ike proposal to_head authentication-algorithm md5

set security ike proposal to_head encryption-algorithm 3des-cbc

set security ike policy to_head mode main

set security ike policy to_head proposals to_head

set security ike policy to_head pre-shared-key ascii-text "abc2010"

set security ike gateway to_head ike-policy to_head

set security ike gateway to_head address 10.100.100.100

set security ike gateway to_head external-interface fe-0/0/0.0

set security ike gateway to_head version v1-only

Note: this Phase 1 negotiates IKEv1 main mode with DH group2 (1024-bit MODP), MD5 and 3DES, authenticated by a short pre-shared key that sits in the configuration in plain text. All of these are legacy choices. For a new tunnel use version v2-only, dh-group group14 or stronger, authentication-algorithm sha-256, encryption-algorithm aes-256-cbc, and a long random pre-shared key (or certificates). The zone that contains fe-0/0/0.0 must also permit ike under host-inbound-traffic system-services, which this snippet does not show; without it the peer's IKE packets are dropped before negotiation starts.

Phase 2 (IPsec SA):

set security ipsec proposal to_head protocol esp

set security ipsec proposal to_head authentication-algorithm hmac-md5-96

set security ipsec proposal to_head encryption-algorithm 3des-cbc

set security ipsec policy to_head perfect-forward-secrecy keys group2

set security ipsec policy to_head proposals to_head

set security ipsec vpn to_head bind-interface st0.1

set security ipsec vpn to_head vpn-monitor source-interface vlan.1

set security ipsec vpn to_head vpn-monitor destination-ip 10.200.100.100

set security ipsec vpn to_head ike gateway to_head

set security ipsec vpn to_head ike ipsec-policy to_head

set security ipsec vpn to_head establish-tunnels on-traffic

set security ipsec vpn to_head establish-tunnels immediately

Note: establish-tunnels is a single-valued statement, so the second set replaces the first and only immediately takes effect (the SA is negotiated at commit time rather than on the first interesting packet). Keep whichever one you actually want. The Phase 2 proposal has the same legacy problems as Phase 1 (hmac-md5-96, 3des-cbc, PFS group2); prefer hmac-sha-256-128 with aes-256-cbc or aes-256-gcm, and perfect-forward-secrecy keys group14 or stronger. vpn-monitor sends ICMP probes sourced from vlan.1 to 10.200.100.100 through the tunnel, so the SA is torn down and renegotiated when the far side stops answering.

Policies:

set security policies from-zone trust to-zone untrust policy 1 match source-address any

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit

set security policies from-zone untrust to-zone trust policy 2 match source-address any

set security policies from-zone untrust to-zone trust policy 2 match destination-address any

set security policies from-zone untrust to-zone trust policy 2 match application any

set security policies from-zone untrust to-zone trust policy 2 then permit

Note: both policies are any/any/any permit. Policy 2 therefore admits into trust anything that reaches the untrust zone, whether it arrived through st0.1 or from any other interface in that zone. Scope it at least to the remote site's prefixes as source-address and the local prefixes as destination-address (address-book entries), and narrow application where possible. Policy 1 in the trust-to-untrust direction should likewise be limited to the hosts and services that need the tunnel.

Routes:

set routing-options static route 192.168.0.0/16 next-hop st0.1

set routing-options static route 10.0.0.0/8 next-hop st0.1
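As an added check that is not part of the original note, the following Python script audits a Junos set-format configuration for the weaknesses discussed above: DH and PFS groups below 2048-bit, MD5/SHA-1 and DES/3DES, an IKEv1-only gateway, a short pre-shared key, conflicting establish-tunnels statements, and any/any/any permit policies. Both configurations it inspects are constructed strings: the page's own settings, and a hardened variant that assumes address-book entries remote-lan and local-lan exist (they are not shown on the page). The 20-character pre-shared-key threshold is an assumption.

```python
"""Audit a Junos set-format IPsec configuration for weak or conflicting settings."""
import shlex
from collections import defaultdict

# Constructed sample: the security-relevant lines of the page's configuration,
# with the masked "vpn" keyword restored.
PAGE_CONFIG = """
set security ike proposal to_head dh-group group2
set security ike proposal to_head authentication-algorithm md5
set security ike proposal to_head encryption-algorithm 3des-cbc
set security ike policy to_head mode main
set security ike policy to_head pre-shared-key ascii-text "abc2010"
set security ike gateway to_head version v1-only
set security ipsec proposal to_head authentication-algorithm hmac-md5-96
set security ipsec proposal to_head encryption-algorithm 3des-cbc
set security ipsec policy to_head perfect-forward-secrecy keys group2
set security ipsec vpn to_head establish-tunnels on-traffic
set security ipsec vpn to_head establish-tunnels immediately
set security policies from-zone untrust to-zone trust policy 2 match source-address any
set security policies from-zone untrust to-zone trust policy 2 match destination-address any
set security policies from-zone untrust to-zone trust policy 2 match application any
set security policies from-zone untrust to-zone trust policy 2 then permit
"""

# Constructed sample: the same tunnel with IKEv2, AES-256, SHA-256, DH group14,
# a long random pre-shared key and an inbound policy scoped to address-book
# entries (remote-lan / local-lan are assumed to exist; they are not on the page).
HARDENED_CONFIG = """
set security ike proposal to_head dh-group group14
set security ike proposal to_head authentication-algorithm sha-256
set security ike proposal to_head encryption-algorithm aes-256-cbc
set security ike policy to_head pre-shared-key ascii-text "2p7Qx9vLkR4mW1sZ8bTfN6hJ"
set security ike gateway to_head version v2-only
set security ipsec proposal to_head authentication-algorithm hmac-sha-256-128
set security ipsec proposal to_head encryption-algorithm aes-256-cbc
set security ipsec policy to_head perfect-forward-secrecy keys group14
set security ipsec vpn to_head establish-tunnels immediately
set security policies from-zone untrust to-zone trust policy 2 match source-address remote-lan
set security policies from-zone untrust to-zone trust policy 2 match destination-address local-lan
set security policies from-zone untrust to-zone trust policy 2 match application any
set security policies from-zone untrust to-zone trust policy 2 then permit
"""

WEAK_DH = {"group1", "group2", "group5"}        # MODP groups below 2048-bit
WEAK_HASH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_CIPHER = {"des-cbc", "3des-cbc"}
MIN_PSK_LEN = 20  # assumption: shorter pre-shared keys are flagged


def parse_set_statements(config):
    """Yield the tokens that follow 'set security' for every such statement."""
    for raw in config.splitlines():
        tokens = shlex.split(raw.strip()) if raw.strip().startswith("set ") else []
        if tokens[:2] == ["set", "security"]:
            yield tokens[2:]


def audit(config):
    """Return a list of findings (an empty list means nothing was flagged)."""
    findings = []
    establish = defaultdict(list)   # vpn name -> establish-tunnels values, in set order
    policies = defaultdict(dict)    # (from-zone, to-zone, name) -> match/then fields
    for p in parse_set_statements(config):
        head, rest = p[:2], p[2:]
        if head in (["ike", "proposal"], ["ipsec", "proposal"]) and len(rest) >= 3:
            name, key, val = rest[:3]
            if key == "dh-group" and val in WEAK_DH:
                findings.append(f"{head[0]} proposal {name}: {val} is below 2048-bit, use group14 or stronger")
            elif key == "authentication-algorithm" and val in WEAK_HASH:
                findings.append(f"{head[0]} proposal {name}: {val} is weak, use a SHA-256 variant")
            elif key == "encryption-algorithm" and val in WEAK_CIPHER:
                findings.append(f"{head[0]} proposal {name}: {val} is weak, use aes-256-cbc or aes-256-gcm")
        elif head == ["ike", "policy"] and len(rest) >= 4 and rest[1:3] == ["pre-shared-key", "ascii-text"]:
            if len(rest[3]) < MIN_PSK_LEN:
                findings.append(f"ike policy {rest[0]}: pre-shared key is only {len(rest[3])} characters")
        elif head == ["ike", "gateway"] and rest[1:3] == ["version", "v1-only"]:
            findings.append(f"ike gateway {rest[0]}: IKEv1 only, prefer version v2-only")
        elif head == ["ipsec", "policy"] and len(rest) >= 4 and rest[1:3] == ["perfect-forward-secrecy", "keys"]:
            if rest[3] in WEAK_DH:
                findings.append(f"ipsec policy {rest[0]}: PFS {rest[3]} is below 2048-bit, use group14 or stronger")
        elif head == ["ipsec", "vpn"] and len(rest) >= 3 and rest[1] == "establish-tunnels":
            establish[rest[0]].append(rest[2])
        elif p[0] == "policies" and len(p) >= 9 and p[5] == "policy":
            entry = policies[(p[2], p[4], p[6])]
            if p[7] == "match" and len(p) >= 10:
                entry[p[8]] = p[9]
            elif p[7] == "then":
                entry["action"] = p[8]
    # establish-tunnels is a single-valued leaf: a later set silently replaces the earlier one.
    for name, vals in establish.items():
        if len(set(vals)) > 1:
            findings.append(f"ipsec vpn {name}: establish-tunnels set to {' then '.join(vals)}; only '{vals[-1]}' takes effect")
    for (src, dst, name), e in policies.items():
        if all(e.get(k) == "any" for k in ("source-address", "destination-address", "application")) and e.get("action") == "permit":
            findings.append(f"policy {name} {src}->{dst}: permits any source, destination and application")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against the output of `show configuration security | display set` from the SRX to check a live box; the page's configuration produces ten findings and the hardened variant none.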