HILLSTONE&JUNIPER SRX FW IPSEC VPN 山石/ JUNIPER防火墙IPSEC VPN

山石防火墙配置：

hsfwa# show configuration
 
zone “untrust”
  type wan
exit
zone “ipsecvpn”
  vrouter “trust-vr”
exit
hostname “hsfwa”
 
isakmp proposal “psk-md5-3des-g2”
  hash md5
exit     
 
isakmp peer “srx5400”
  mode aggressive
  isakmp-proposal “psk-md5-3des-g2”
  pre-share 123456
  peer 20.5.5.1
  nat-traversal
  accept-all-peer-id
  interface ethernet0/1
exit
 
ipsec proposal “esp-md5-3des-g2”
  hash md5
  encryption 3des
  group 2
  lifetime 86400
exit     
 
tunnel ipsec “srx5400” auto
  isakmp-peer “srx5400”
  ipsec-proposal “esp-md5-3des-g2”
  auto-connect
  id local 10.1.1.0/24 remote 172.16.5.0/24 service “any”
exit
interface ethernet0/0
  zone  “trust”
  ip address 10.1.1.254 255.255.255.0
  manage ssh
  manage ping
exit
interface ethernet0/1
  zone  “untrust”
  ip address 20.0.0.1 255.255.255.0
  manage ping
exit
interface tunnel70
  zone  “ipsecvpn”
  manage ping
  tunnel ipsec “srx5400”
  reverse-route prefer
exit
ip vrouter “trust-vr”
  snatrule id 1 from “10.1.1.0/24” to “Any” service “Any” trans-to eif-ip mode dynamicport
  ip route 0.0.0.0/0 20.0.0.100
  ip route 172.16.5.0/24 “tunnel70”
exit
rule id 71
  action permit
  src-zone “trust”
  dst-zone “ipsecvpn”
  src-addr “Any”
  dst-addr “Any”
  service “Any”
exit
rule id 72
  action permit
  src-zone “ipsecvpn”
  dst-zone “trust”
  src-addr “Any”
  dst-ip 10.1.1.0/24
  service “Any”
exit
rule id 1
  action permit
  src-zone “trust”
  dst-zone “untrust”
  src-addr “Any”
  dst-addr “Any”
  service “Any”
exit
 
End

juniper srx 防火墙配置:

root@srx5400> show configuration

system {
    host-name srx5400;
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.5.254/24;
            }
        }
    }
    ge-0/0/1 {                         
        unit 0 {
            family inet {
                address 20.5.5.1/24;
            }
        }
    }
   
}
routing-options {                      
    static {
        route 0.0.0.0/0 next-hop 20.5.5.100;
    }
}
security {
    ike {
        proposal ikepro {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy poike {
            mode aggressive;
            proposals ikepro;
            pre-shared-key ascii-text “123456”; ## SECRET-DATA
        }
        gateway hs {
            ike-policy poike;           
            address 20.0.0.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        proposal ipsecpro {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ipsecpolicy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsecpro;
        }
        vpn ipsecvpn {
            ike {
                gateway hs;
                ipsec-policy ipsecpolicy;
            }
            establish-tunnels immediately;
        }
    }                                  
    nat {
        source {
            rule-set snat {
                from zone trust;
                to zone untrust;
                rule pat {
                    match {
                        source-address 172.16.5.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy t2u {
                match {
                    source-address localuser;
                    destination-address remotevpnuser;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ipsecvpn;
                            pair-policy u2t;
                        }
                    }
                }
            }
            policy trust-to-untrust {
                match {
                    source-address localuser;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }                              
        from-zone untrust to-zone trust {
            policy u2t {
                match {
                    source-address remotevpnuser;
                    destination-address localuser;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ipsecvpn;
                            pair-policy t2u;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address localuser 172.16.5.0/24;
            }                          
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }

        }
        security-zone untrust {
            address-book {
                address remotevpnuser 10.1.1.0/24;
            }
            screen untrust-screen;
            host-inbound-traffic {     
                system-services {
                    ping;
                    traceroute;
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}