转载请注明:本文出自
配置脚本
root@ITAA# show | no-more
## Last changed: 2002-01-09 05:10:52 UTC
version 12.1X46-D10.2;
system {
host-name ITAA;
root-authentication {
encrypted-password "$1$G5/tL57r$/.BmhuyouGi7l2DlQv.8X0"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
address 100.1.1.1/24;
}
}
}
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 100.1.1.254;
}
}
protocols {
stp;
}
security {
ike {
policy client-***-ike-pol {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "$9$LWxx-w4aUji.vW"; ## SECRET-DATA
}
gateway client-***-gw {
ike-policy client-***-ike-pol;
dynamic {
hostname itaadyn***;
connections-limit 2;
ike-user-type group-ike-id;
}
external-interface fe-0/0/0.0;
xauth access-profile client-***-access-profile;
}
}
ipsec {
policy client-***-ipsec-pol {
proposal-set standard;
}
*** client-*** {
ike {
gateway client-***-gw;
ipsec-policy client-***-ipsec-pol;
}
}
}
dynamic-*** {
access-profile client-***-access-profile;
clients {
all {
remote-protected-resources {
192.168.1.0/24;
}
remote-exceptions {
0.0.0.0/0;
}
ipsec-*** client-***;
user {
itaa;
}
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
proxy-arp {
interface vlan.0 {
address {
192.168.1.192/30;
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy client-***-access {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-*** client-***;
}
}
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
ike;
https;
ping;
}
}
}
}
}
}
}
access {
profile client-***-access-profile {
client itaa {
firewall-user {
password "$9$Y3gaUk.5Qz6Vw.PTQn6lKv"; ## SECRET-DATA
}
}
address-assignment {
pool client-***-pool;
}
}
address-assignment {
pool client-***-pool {
family inet {
network 192.168.1.192/30;
xauth-attributes {
primary-dns 8.8.8.8/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile client-***-access-profile;
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
[edit]
root@ITAA# run show security dynamic-*** client version
Junos Pulse 4.0.2.34169
[edit]
root@ITAA# run show system license usage
Licenses Licenses Licenses Expiry
Feature name used installed needed
dynamic-*** 1 2 0 permanent
ax411-wlan-ap 0 2 0 permanent
[edit]
root@ITAA# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5147891 UP 4562194f6fbb0890 8ed18385b01ec19a Aggressive 100.1.1.254
root@ITAA# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<268173313 ESP:aes-cbc-128/sha1 5dcb207b 2756/ 500000 - root 51757 100.1.1.254
>268173313 ESP:aes-cbc-128/sha1 6e86077d 2756/ 500000 - root 51757 100.1.1.254
[edit]
root@ITAA# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 1500
Decrypted bytes: 1500
Encrypted packets: 10
Decrypted packets: 10
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0