Lab environment:
The company's game is going live, so we need to build a VPN tunnel so that the authentication and billing systems in different regions can communicate internally; routine server maintenance is also done over the VPN. The result is a secure, encrypted environment.

Solution: use the AutoKey VPN feature of the Juniper NetScreen SSG140-SB. Since many sites have to be set up and the settings are almost identical, the Shanghai and Changchun data centers (IDCs) serve as the example.

The steps are as follows:

1. Define the IP addresses of the Trust and Untrust interfaces.

2. Create address book entries for the local and remote LAN subnets.

3. Define the remote gateway.

4. Create the "AutoKey IKE VPN".

5. Set the default route to the external router.

6. Configure the policies.

Lab diagram (the image is not included in the page)
WebUI (Shanghai IDC)

1. Interfaces

Network > Interfaces > ethernet0/0 > Edit: enter the following, then click OK:

Zone Name: Trust

Static IP: (select) IP Address/Netmask: 10.1.1.1/24

Interface Mode: NAT

Network > Interfaces > ethernet0/1 > Edit:

Zone Name: Untrust

Static IP: (select) IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

2. Addresses

Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:

Address Name: SH-IDC

IP Address/Domain Name:

IP/Netmask: (select) 10.1.1.0/24

Zone: Trust

Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:

Address Name: CC-IDC

IP Address/Domain Name:

IP/Netmask: (select) 10.2.2.0/24

Zone: Untrust

3. VPN

VPNs > AutoKey Advanced > Gateway > New: enter the following, then click OK:

Gateway Name: CC-IDC

Version: (select) IKEv1

Remote Gateway Type:

Static IP Address: (select), IP Address/Hostname: 2.2.2.254

Advanced -> Preshared Key: shanghai_***_changchun (must be at least 8 characters, because the NetScreen-Remote client requires 8 or more)

Security Level: Predefined -> Standard

Mode (Initiator): Main (ID Protection) / Aggressive

Peer Status Detection (makes the VPN reconnect automatically):

Heartbeat:

Hello: ___ Seconds (1~3600, 0: disable)

Reconnect: ___ Seconds (60~9999, 0: default)

Threshold: ___ (2-9999)

Click Return.

VPNs > AutoKey IKE > New: enter the following, then click OK:

VPN Name: SH-IDC_TO_CC-IDC

Remote Gateway: Predefined: (select), CC-IDC

Advanced -> Security Level: Predefined: Standard / Compatible / Basic

Click Return.

4. Routing

Network > Routing > Routing Entries > trust-vr > New: enter the following, then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet0/1

Gateway IP Address: 1.1.1.254

5. Policies

Policies > (From: Trust, To: Untrust) > New: enter the following, then click OK:

Name: (not specified)

Source Address: Address Book Entry: (select), SH-IDC

Destination Address: Address Book Entry: (select), CC-IDC

Service: ANY

Action: Tunnel

Tunnel VPN: SH-IDC_TO_CC-IDC

Modify matching bidirectional VPN policy: (check)

Position at Top: (select)

WebUI (Changchun IDC)

1. Interfaces

Network > Interfaces > ethernet0/0 > Edit: enter the following, then click OK:

Zone Name: Trust

Static IP: (select) IP Address/Netmask: 10.2.2.2/24

Interface Mode: NAT

Network > Interfaces > ethernet0/1 > Edit:

Zone Name: Untrust

Static IP: (select) IP Address/Netmask: 2.2.2.2/24

Interface Mode: Route

2. Addresses

Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:

Address Name: CC-IDC

IP Address/Domain Name:

IP/Netmask: (select) 10.2.2.0/24

Zone: Trust

Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:

Address Name: SH-IDC

IP Address/Domain Name:

IP/Netmask: (select) 10.1.1.0/24

Zone: Untrust

3. VPN

VPNs > AutoKey Advanced > Gateway > New: enter the following, then click OK:

Gateway Name: SH-IDC

Version: (select) IKEv1

Remote Gateway Type:

Static IP Address: (select), IP Address/Hostname: 1.1.1.254

Advanced -> Preshared Key: shanghai_***_changchun (must be at least 8 characters, because the NetScreen-Remote client requires 8 or more)

Security Level: Predefined -> Standard

Mode (Initiator): Main (ID Protection) / Aggressive

Peer Status Detection (makes the VPN reconnect automatically):

Heartbeat:

Hello: ___ Seconds (1~3600, 0: disable)

Reconnect: ___ Seconds (60~9999, 0: default)

Threshold: ___ (2-9999)

Click Return.

VPNs > AutoKey IKE > New: enter the following, then click OK:

VPN Name: SH-IDC_TO_CC-IDC

Remote Gateway: Predefined: (select), SH-IDC

Advanced -> Security Level: Predefined: Standard / Compatible / Basic

Click Return.

4. Routing

Network > Routing > Routing Entries > trust-vr > New: enter the following, then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet0/1

Gateway IP Address: 2.2.2.254

5. Policies

Policies > (From: Trust, To: Untrust) > New: enter the following, then click OK:

Name: (not specified)

Source Address: Address Book Entry: (select), CC-IDC

Destination Address: Address Book Entry: (select), SH-IDC

Service: ANY

Action: Tunnel

Tunnel VPN: SH-IDC_TO_CC-IDC

Modify matching bidirectional VPN policy: (check)

Position at Top: (select)
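Because the same settings will be repeated across many site pairs, it pays to generate both ends from a single table and cross-check them before clicking through the WebUI. The following Python is an added example, my own code and not from the article or from Juniper: it emits the ScreenOS CLI equivalent of the WebUI steps above for each end and flags the mismatches that most often break a site-to-site AutoKey IKE tunnel (LAN entry not matching the Trust subnet, off-link default gateway, overlapping LANs, a short preshared key, and a remote gateway address that is not the peer's IKE endpoint). The CLI syntax is written from memory of the ScreenOS command reference and should be verified against your release; the `Site` dataclass, the `peer_ike` field, the preshared key and the function names are assumptions of this example. Note that in the sample the remote gateway on each side is set to the peer's Untrust interface address (2.2.2.2 and 1.1.1.1), because that is the address the peer firewall terminates IKE on; the article's gateway fields list 2.2.2.254 and 1.1.1.254, which are the upstream router addresses, so confirm that a device in front of the peer really forwards IKE/ESP before reusing those values.

```python
"""Generate and cross-check both ends of a ScreenOS site-to-site AutoKey IKE VPN.
Hypothetical helper code written for this page; not the article's or Juniper's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network


@dataclass(frozen=True)
class Site:
    name: str        # address-book / gateway name the peer uses for this site
    trust_ip: str    # Trust interface address, e.g. "10.1.1.1/24"
    untrust_ip: str  # Untrust interface address (the IKE endpoint), e.g. "1.1.1.1/24"
    default_gw: str  # upstream router on the Untrust side
    lan: str         # subnet offered to the peer, e.g. "10.1.1.0/24"
    peer_ike: str    # value typed into the remote gateway's "IP Address/Hostname"


def check_pair(a: Site, b: Site, psk: str) -> list[str]:
    """Return every inconsistency found; an empty list means the pair is consistent."""
    problems: list[str] = []
    for local, peer in ((a, b), (b, a)):
        if ip_interface(local.trust_ip).network != ip_network(local.lan):
            problems.append(f"{local.name}: LAN {local.lan} is not the Trust subnet")
        if ip_address(local.default_gw) not in ip_interface(local.untrust_ip).network:
            problems.append(f"{local.name}: default gateway {local.default_gw} is off-link")
        # IKE must be aimed at the address the peer firewall terminates IKE on,
        # i.e. its Untrust interface (unless a NAT device in front forwards IKE/ESP).
        peer_endpoint = ip_interface(peer.untrust_ip).ip
        if ip_address(local.peer_ike) != peer_endpoint:
            problems.append(f"{local.name}: remote gateway {local.peer_ike} is not "
                            f"{peer.name}'s Untrust address {peer_endpoint}")
    if ip_network(a.lan).overlaps(ip_network(b.lan)):
        problems.append("LAN subnets overlap; policies cannot steer traffic into the tunnel")
    if len(psk) < 8:
        problems.append("preshared key is shorter than 8 characters")
    return problems


def screenos_commands(local: Site, peer: Site, vpn_name: str, psk: str) -> list[str]:
    """ScreenOS CLI equivalent of the WebUI steps for one end (syntax from memory;
    verify against the command reference for your ScreenOS release)."""
    lan = ip_network(local.lan)
    peer_lan = ip_network(peer.lan)
    return [
        "set interface ethernet0/0 zone trust",
        f"set interface ethernet0/0 ip {local.trust_ip}",
        "set interface ethernet0/0 nat",
        "set interface ethernet0/1 zone untrust",
        f"set interface ethernet0/1 ip {local.untrust_ip}",
        "set interface ethernet0/1 route",
        f"set address trust {local.name} {lan.network_address} {lan.netmask}",
        f"set address untrust {peer.name} {peer_lan.network_address} {peer_lan.netmask}",
        f'set ike gateway {peer.name} address {local.peer_ike} main '
        f'outgoing-interface ethernet0/1 preshare "{psk}" sec-level standard',
        f"set vpn {vpn_name} gateway {peer.name} sec-level standard",
        f"set route 0.0.0.0/0 interface ethernet0/1 gateway {local.default_gw}",
        # The WebUI's "Modify matching bidirectional VPN policy" checkbox creates
        # the reverse policy for you; on the CLI both directions are explicit.
        f"set policy top from trust to untrust {local.name} {peer.name} any tunnel vpn {vpn_name}",
        f"set policy top from untrust to trust {peer.name} {local.name} any tunnel vpn {vpn_name}",
    ]


# Constructed sample: interface and LAN addresses as in the article, with each
# side's remote gateway set to the peer's Untrust address.
SHANGHAI = Site("SH-IDC", "10.1.1.1/24", "1.1.1.1/24", "1.1.1.254", "10.1.1.0/24", "2.2.2.2")
CHANGCHUN = Site("CC-IDC", "10.2.2.2/24", "2.2.2.2/24", "2.2.2.254", "10.2.2.0/24", "1.1.1.1")
VPN_NAME = "SH-IDC_TO_CC-IDC"
PSK = "example-psk-replace-me"  # placeholder only, not the article's key

if __name__ == "__main__":
    for problem in check_pair(SHANGHAI, CHANGCHUN, PSK):
        print("PROBLEM:", problem)
    for local, peer in ((SHANGHAI, CHANGCHUN), (CHANGCHUN, SHANGHAI)):
        print(f"\n# {local.name}")
        print("\n".join(screenos_commands(local, peer, VPN_NAME, PSK)))
```

Run it once per site pair and paste the printed commands into each SSG only when `check_pair` returns nothing. The Peer Status Detection (heartbeat) values are not emitted because the article leaves them blank; add them per site after you have chosen them.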