ike {
proposal pre-g2-aes128-sha1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
policy RemoteIKE {
mode main;
proposals pre-g2-aes128-sha1;
pre-shared-key ascii-text "*****************"; ## SECRET-DATA
}
ike-policy RemoteIKE;
address 36.*.*.89;
version v1-only;
}
proposal esp-3des-sha1 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
perfect-forward-secrecy {
keys group2;
}
proposals esp-3des-sha1;
}
bind-interface st0.2;
vpn-monitor {
optimized;
}
ike {
gateway RemoteGW;
ipsec-policy g2-esp-3des-sha1;
}
establish-tunnels on-traffic;
}
static {
route 0.0.0.0/0 next-hop 122.*.*.185;
route 172.24.60.0/24 next-hop st0.2;
}
source {
pool ManCo {
routing-instance {
ManCo;
}
address {
172.18.12.0/24;
}
port no-translation;
}
rule-set ShangHai-ManCo {
from zone ManIN;
to zone ManCo×××;
rule ShangHai {
match {
source-address 172.16.0.0/24;
destination-address 172.24.60.0/24;
}
then {
source-nat {
pool {
ManCo;
}
}
}
} 172.16.0.0/24
}
}
static {
rule-set 5rt {
from zone ManIN;
rule 5rt-r {
match {
destination-address 172.18.60.0/24;
}
then {
static-nat {
prefix {
172.24.60.0/24;
}
} 172.16.0.0/24
}
}
}
}
}
静态NAT的变换是一一对应的：访问172.18.60.1就变为172.24.60.1，访问172.18.60.2就变为172.24.60.2。这是它和源地址NAT最大的不同：源地址为172.16.0.1的主机访问同一个172.24.60.1时，第一次session的源地址被变换为172.18.12.1，第二次session时就变成172.18.12.2了。