
Juniper ISG template

Updated: April 2015

The templates below apply to Juniper ISG series devices. For a list of all available device templates, see About VPN Devices for Virtual Network Connectivity. For information about configuring a device template for your environment, see About configuring VPN device templates.

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper ISG 1000 Integrated Security Gateway running ScreenOS 6.3.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

# !!! 1. Policy-based VPN configuration is not supported.
# !!! 2. Only 1 subnet is allowed for your on-premise network.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike p1-proposal <RP_IkeProposal> preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set ike p2-proposal <RP_IPSecProposal> no-pfs esp aes256 sha-1 seconds 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 proposal <RP_IPSecProposal>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper ISG 1000 Integrated Security Gateway running ScreenOS 6.3.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premise VPN device 
# (which is the Azure Gateway) here.
set ike gateway ikev2 <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level compatible
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premise
# traffic will be transmitted.
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 sec-level compatible
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premise network traffic.
# You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350
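Both templates above carry the same <RP_...> and <SP_...> placeholders, and the first one states two constraints (no policy-based VPN, exactly one on-premises subnet) that are easy to violate when the values are filled in by hand. The script below is an added example, not part of the Microsoft template: it fills the placeholders of the IKEv1 template (the same parameters apply to the IKEv2 variant), rejects a second subnet, a CIDR with host bits set, an overlap between the on-premises and Azure address spaces, and a pre-shared key containing whitespace (the template emits it unquoted, so a space would split the ScreenOS CLI token). The object names and the 203.0.113.10 / 192.0.2.0/24 / 10.1.0.0/16 values in SAMPLE are constructed for illustration.

```python
import ipaddress
import re

# Excerpt of the IKEv1 ScreenOS template above, with its placeholders unchanged.
TEMPLATE = """\
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>
set ike p1-proposal <RP_IkeProposal> preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set ike gateway <RP_IkeGateway> dpd-liveness interval 10
set ike p2-proposal <RP_IPSecProposal> no-pfs esp aes256 sha-1 seconds 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 proposal <RP_IPSecProposal>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit
set flow vpn-tcp-mss 1350
"""

PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")


def _single_network(value):
    """Parse exactly one CIDR. Lists are rejected because the template
    allows only one on-premises subnet; strict=True rejects host bits."""
    if "," in value or " " in value:
        raise ValueError("only one subnet is allowed: %r" % value)
    return ipaddress.ip_network(value, strict=True)


def validate_params(params):
    """Check the SP_/RP_ values against the constraints the template states.
    Returns a list of problem strings; an empty list means the values are usable."""
    problems = []
    for name in PLACEHOLDER.findall(TEMPLATE):
        if not params.get(name.strip("<>")):
            problems.append("missing value for %s" % name)
    if problems:
        return problems
    nets = {}
    for key in ("SP_OnPremiseNetworkCIDR", "SP_AzureNetworkCIDR"):
        try:
            nets[key] = _single_network(params[key])
        except ValueError as e:
            problems.append("%s: %s" % (key, e))
    if len(nets) == 2 and nets["SP_OnPremiseNetworkCIDR"].overlaps(nets["SP_AzureNetworkCIDR"]):
        problems.append("on-premises and Azure address spaces overlap")
    try:
        ipaddress.ip_address(params["SP_AzureGatewayIpAddress"])
    except ValueError:
        problems.append("SP_AzureGatewayIpAddress is not an IP address")
    # The template writes the key unquoted after 'preshare', so whitespace would split the token.
    if re.search(r"\s", params["SP_PresharedKey"]):
        problems.append("SP_PresharedKey must not contain whitespace")
    for key, value in params.items():
        if key.startswith("RP_") and re.search(r"[\s<>\"]", value):
            problems.append("%s: object names must not contain whitespace, quotes or angle brackets" % key)
    return problems


def render(params):
    """Fill the placeholders; raise ValueError if validation fails or one survives."""
    problems = validate_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    config = TEMPLATE
    for key, value in params.items():
        config = config.replace("<%s>" % key, value)
    leftover = PLACEHOLDER.findall(config)
    if leftover:
        raise ValueError("unfilled placeholders: %s" % ", ".join(sorted(set(leftover))))
    return config


# Constructed sample values (documentation address ranges, not a real deployment).
SAMPLE = {
    "NameOfYourOutsideInterface": "ethernet1/1",
    "RP_Tunnel": "tunnel.1",
    "RP_IkeProposal": "azure-p1",
    "RP_IkeGateway": "azure-gw",
    "RP_IPSecProposal": "azure-p2",
    "RP_IPSecVpn": "azure-vpn",
    "RP_OnPremiseNetwork": "onprem-net",
    "RP_AzureNetwork": "azure-net",
    "SP_AzureGatewayIpAddress": "203.0.113.10",
    "SP_AzureNetworkCIDR": "10.1.0.0/16",
    "SP_OnPremiseNetworkCIDR": "192.0.2.0/24",
    "SP_PresharedKey": "CONSTRUCTED-PSK-REPLACE-ME",
}

if __name__ == "__main__":
    print(render(SAMPLE))
```

Run the script with your own values in SAMPLE and paste the output into the ISG CLI; if validate_params reports a problem, the template's constraints are not met and the tunnel would either fail to negotiate or route incorrectly, so fix the parameters rather than the emitted lines.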

© 2015 Microsoft