拓扑:
10年积累的网站制作、成都网站制作经验,可以快速应对客户对网站的新想法和需求。提供各种问题对应的解决方案。让选择我们的客户得到更好、更有力的网络服务。我虽然不认识你,你也不认识我。但先网站制作后付款的网站建设流程,更有拜城免费网站建设让你可以放心的选择与我们合作。
Netscreen Configuration:
set zone name y1
set interface "tunnel.1" zone "y1"
set interface "loopback.1" zone "Home"
set interface "loopback.2" zone "Home"
set interface "loopback.3" zone "Home"
set interface ethernet3 ip 200.1.1.2/24
set interface loopback.1 ip 192.168.1.1/24
set interface loopback.2 ip 192.168.2.1/24
set interface loopback.3 ip 192.168.3.1/24
set interface tunnel.1 ip 172.16.1.1/24
set interface ethernet3 manage
set interface loopback.1 manage
set interface loopback.2 manage
set interface loopback.3 manage
set address "Home" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "Home" "192.168.2.0" 192.168.2.0 255.255.255.0
set address "Home" "192.168.3.0" 192.168.3.0 255.255.255.0
set address "y1" "192.168.4.0" 192.168.4.0 255.255.255.0
set address "y1" "192.168.5.0" 192.168.5.0 255.255.255.0
set address "y1" "192.168.6.0" 192.168.6.0 255.255.255.0
set address "y1" "192.168.8.0" 192.168.8.0 255.255.255.0
set group address "Home" "zongbu"
set group address "Home" "zongbu" add "192.168.1.0"
set group address "Home" "zongbu" add "192.168.2.0"
set group address "Home" "zongbu" add "192.168.3.0"
set group address "y1" "y1-add"
set group address "y1" "y1-add" add "192.168.4.0"
set group address "y1" "y1-add" add "192.168.5.0"
set group address "y1" "y1-add" add "192.168.6.0"
set group address "y1" "y1-add" add "192.168.8.0"
set ike gateway "to-y1" address 200.1.2.2 Main outgoing-interface "ethernet3" preshare "Gxl2rRLGNckqmts4QACGowXnN2nJ8eFsew==" sec-level standard
set *** "y1" gateway "to-y1" no-replay tunnel idletime 0 sec-level standard
set *** "y1" id 0x1 bind interface tunnel.1
set *** "y1" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
set policy id 6 from "y1" to "Home" "y1-add" "zongbu" "ANY" permit
set policy id 5 from "Home" to "y1" "zongbu" "y1-add" "ANY" permit
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set vrouter trust-vr protocol ar 0
set router-id 1.1.1.1
set route 0.0.0.0/0 interface ethernet3 gateway 200.1.1.1
set interface loopback.1 protocol ospf area 0.0.0.0
set interface loopback.1 protocol ospf enable
set interface loopback.2 protocol ospf area 0.0.0.0
set interface loopback.2 protocol ospf enable
set interface loopback.3 protocol ospf area 0.0.0.0
set interface loopback.3 protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf ignore-mtu 本实验最重要的命令,不敲则ospf邻居卡在exstart状态
set interface tunnel.1 protocol ospf enable
ISP Configurationg:
int e0/0
ip add 200.1.1.1 255.255.255.0
no sh
int e0/1
ip add 200.1.2.1 255.255.255.0
no sh
Juniper SRX Configuration:
version 12.1X44.4;
system {
root-authentication {
encrypted-password "$1$Iq3z9EVf$2Qjh4Bi1SYKIqfaawy9QW/"; ## SECRET-DATA
}
login {
user juniper {
uid 2001;
class super-user;
}
}
services {
ssh;
web-management {
http {
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 200.1.2.2/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.8.1/24;
}
}
}
st0 {
unit 0 {
family inet {
address 172.16.1.2/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 200.1.2.1;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/1.0;
interface st0.0;
}
}
}
security {
ike {
policy l2l-p1-gateway {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$s24oGPfz6CuaZz6"; ## SECRET-DATA
}
gateway l2l-p1-gateway {
ike-policy l2l-p1-gateway;
address 200.1.1.2;
external-interface ge-0/0/0.0;
}
}
ipsec {
policy l2l-p2-policy {
proposal-set standard;
}
*** route-*** {
bind-interface st0.0;
ike {
gateway l2l-p1-gateway;
proxy-identity {
local 0.0.0.0/0;
remote 0.0.0.0/0;
service any;
}
ipsec-policy l2l-p2-policy;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
policies {
from-zone trust to-zone svti {
policy permit-trust-svti {
match {
source-address y1;
destination-address zongbu;
application any;
}
then {
permit;
}
}
}
from-zone svti to-zone trust {
policy permit-svti-trust {
match {
source-address zongbu;
destination-address y1;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
telnet;
ssh;
ike;
}
}
}
}
}
security-zone trust {
address-book {
address 192.168.8.0 192.168.8.0/24;
address 192.168.4.0 192.168.4.0/24;
address 192.168.5.0 192.168.5.0/24;
address 192.168.6.0 192.168.6.0/24;
address-set y1 {
address 192.168.8.0;
address 192.168.4.0;
address 192.168.5.0;
address 192.168.6.0;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
ospf;
}
}
}
}
}
security-zone svti {
address-book {
address 192.168.1.0 192.168.1.0/24;
address 192.168.2.0 192.168.2.0/24;
address 192.168.3.0 192.168.3.0/24;
address-set zongbu {
address 192.168.1.0;
address 192.168.2.0;
address 192.168.3.0;
}
}
host-inbound-traffic {
system-services {
ping;
}
protocols {
ospf;
}
}
interfaces {
st0.0;
}
}
security-zone UN;
}
}
[edit]
R2 configuration:
int e0/0
ip add 192.168.8.2 255.255.255.0
no sh
ip os 110 ar 0
int l0
ip add 192.168.4.1 255.255.255.0
ip os 110 ar 0
int l1
ip add 192.168.5.1 255.255.255.0
ip os 110 ar 0
int l2
ip add 192.168.6.1 255.255.255.0
ip os 110 ar 0
效果图:
注意一点就OK
