
Juniper ISG samples

Updated: July 13, 2015

The samples below are for devices in the Juniper ISG device family. Use the samples as a guideline. For VPN device support, please contact your device manufacturer.

For a list of all available device samples, see About VPN Devices and Gateways for Virtual Network Connectivity. For information about configuring a device sample for your environment, see About configuring VPN device samples.

# Microsoft Corporation
# Microsoft Azure Virtual Network

# This configuration sample applies to Juniper ISG 1000 Integrated Security Gateway running ScreenOS 6.3.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

# !!! 1. Policy-based VPN configuration is not supported.
# !!! 2. Only 1 subnet is allowed for your on-premise network.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike p1-proposal <RP_IkeProposal> preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set ike p2-proposal <RP_IPSecProposal> no-pfs esp aes256 sha-1 seconds 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 proposal <RP_IPSecProposal>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350

# Microsoft Corporation
# Microsoft Azure Virtual Network

# This configuration sample applies to Juniper ISG 1000 Integrated Security Gateway running ScreenOS 6.3.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike gateway ikev2 <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level compatible
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 sec-level compatible
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350
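As an added example (not part of the Microsoft samples), a small Python script that fills the <RP_...>/<SP_...> placeholders used by both samples above and enforces the constraints the page states before emitting any config: a single on-premises prefix, valid non-overlapping prefixes, a non-empty pre-shared key, and no placeholder left unfilled. The template excerpt, object names and addresses below are constructed.

```python
import ipaddress
import re

# Constructed excerpt of the route-based template above (IKEv1 variant); the IKEv2
# sample uses the same <RP_...>/<SP_...> placeholders and the same constraints.
TEMPLATE = """\
set interface <RP_Tunnel> zone untrust
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
"""
PLACEHOLDER = re.compile(r"<([A-Za-z_]+)>")

# Constructed sample values: hypothetical object names, documentation/RFC 1918 addresses.
SAMPLE_VALUES = {
    "RP_Tunnel": "tunnel.1", "NameOfYourOutsideInterface": "ethernet0/0",
    "RP_IkeGateway": "AzureGw", "RP_IkeProposal": "AzureP1", "RP_IPSecVpn": "AzureVpn",
    "RP_OnPremiseNetwork": "OnPremNet", "RP_AzureNetwork": "AzureNet",
    "SP_AzureGatewayIpAddress": "203.0.113.10", "SP_PresharedKey": "ExamplePskOnlyForDemo",
    "SP_OnPremiseNetworkCIDR": "192.168.10.0/24", "SP_AzureNetworkCIDR": "10.1.0.0/16",
}

def validate(values):
    """Return the page's constraints that `values` violate (empty list means OK)."""
    problems, nets = [], {}
    for key in ("SP_OnPremiseNetworkCIDR", "SP_AzureNetworkCIDR"):
        raw = values.get(key, "")
        if "," in raw:  # the sample carries exactly one on-premises subnet and one route
            problems.append(f"{key}: only a single prefix is allowed")
            continue
        try:
            nets[key] = ipaddress.ip_network(raw, strict=True)  # strict: no host bits set
        except ValueError:
            problems.append(f"{key}: {raw!r} is not a valid network prefix")
    if len(nets) == 2 and nets["SP_OnPremiseNetworkCIDR"].overlaps(nets["SP_AzureNetworkCIDR"]):
        problems.append("on-premises and Azure prefixes overlap; route and proxy-id become ambiguous")
    psk = values.get("SP_PresharedKey", "")
    if not psk or re.search(r"\s", psk):
        problems.append("SP_PresharedKey must be set and contain no whitespace (it is unquoted)")
    return problems

def render(values, template=TEMPLATE):
    # Fill every <placeholder> after validation; never emit a partially filled config.
    problems = validate(values)
    if problems:
        raise ValueError("; ".join(problems))
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise ValueError("unfilled placeholders: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
```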

See Also

Other Resources

VPN Gateway Documentation
