juniper srx 与cisco ASA ipsec vpn对接(策略模式)_juniper srx

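ike {
    /* Phase 1 (IKE) proposal. It must match the Cisco side, whose
       'crypto isakmp policy 10' uses encr 3des / hash md5 /
       authentication pre-share / group 2. */
    proposal ike-prop {
        authentication-method pre-shared-keys;
        /* NOTE(review): group2 (1024-bit MODP), md5 and 3des are legacy
           choices kept only for interop with this peer; prefer group14 or
           higher, sha-256 and aes-256-cbc once both ends can be changed. */
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
    }
    policy L2L {
        /* Main mode with a static peer address; the peer is matched by the
           'address' statement of gateway GW below. */
        mode main;
        proposals ike-prop;
        /* Terminating ';' was missing in the original line, so the stanza
           would not load. The same key is configured in the Cisco keyring
           L2L-keyring. Junos normally rewrites an ascii-text key as an
           obfuscated $9$ string at commit, but the value itself is a short
           dictionary word - NOTE(review): weak for an internet-facing peer. */
        pre-shared-key ascii-text freeit123;
    }
    gateway GW {
        ike-policy L2L;
        /* Remote peer: the Cisco FastEthernet0/0 address (202.100.1.1). */
        address 202.100.1.1;
        /* Local IKE endpoint. ge-0/0/1.0 belongs to zone untrust, whose
           host-inbound-traffic system-services list includes 'ike' -
           without that the negotiation would be dropped on ingress. */
        external-interface ge-0/0/1.0;
    }
}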

ipsec {

    /* Phase 2 (IPsec) proposal. Mirrors the Cisco transform-set
       L2L-IPSEC (esp-3des esp-md5-hmac). No perfect-forward-secrecy
       group is configured in policy L2L-IPSEC, and the Cisco crypto
       map sets no pfs either, so the two sides agree on that too. */
    proposal ipsec-prop {

        protocol esp;

        /* NOTE(review): hmac-md5-96 and 3des-cbc are legacy algorithms;
           prefer hmac-sha-256-128 / aes-256-cbc once the peer can follow. */
        authentication-algorithm hmac-md5-96;

        encryption-algorithm 3des-cbc;

    }

    policy L2L-IPSEC {

        proposals ipsec-prop;

    }

    /* Policy-based VPN object. It is referenced by the
       'tunnel { ipsec-vpn MAP; }' action of the untrust<->dmz security
       policies; no bind-interface (st0) is used, so the policy match
       addresses define what the tunnel carries. */
    vpn MAP {

        ike {

            gateway GW;

            ipsec-policy L2L-IPSEC;

        }

        /* The SA is negotiated when matching traffic first arrives,
           rather than immediately after commit. */
        establish-tunnels on-traffic;

    }

}

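address-book {
    /* Local (protected) side: the single DMZ host the tunnel carries
       traffic for. Mirrors 'host 172.16.2.22' in Cisco access-list 100. */
    dmz {
        address DMZ 172.16.2.22/32;
        attach {
            zone dmz;
        }
    }
    /* Remote side: the Cisco Loopback1 network 10.1.1.0/24. It is attached
       to zone untrust because the peer is reached through ge-0/0/1.0,
       which is in that zone. */
    untrust {
        address cisco 10.1.1.0/24;
        attach {
            zone untrust;
        }
    }
    /* Closing brace was missing in the original; without it the
       'policies' stanza ended up nested inside address-book and the
       configuration would not load. */
}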

policies {

    /* Intra-zone trust traffic: permit everything. */
    from-zone trust to-zone trust {

        policy default-permit {

            match {

                source-address any;

                destination-address any;

                application any;

            }

            then {

                permit;

            }

        }

    }

    /* Inbound from the internet-facing zone to trust: explicit deny
       (Junos also denies inter-zone traffic that matches no policy). */
    from-zone untrust to-zone trust {

        policy default-deny {

            match {

                source-address any;

                destination-address any;

                application any;

            }

            then {

                deny;

            }

        }

    }

    /* Outbound trust -> untrust: any source, any destination, any
       application. NOTE(review): this is broad; tighten if the trust
       zone should not have unrestricted egress. */
    from-zone trust to-zone untrust {

        policy trust-untrust-policy {

            match {

                source-address any;

                destination-address any;

                application any;

            }

            then {

                permit;

            }

        }

    }

    /* Policy-based VPN, inbound direction. The match (cisco -> DMZ)
       is what the SRX proposes as traffic selectors for vpn MAP, so it
       must be the mirror image of Cisco access-list 100
       (10.1.1.0/24 -> host 172.16.2.22). Policies in a context are
       evaluated in order, so this tunnel policy has to stay above
       default-deny. */
    from-zone untrust to-zone dmz {

        policy untrust-dmz-policy {

            match {

                source-address cisco;

                destination-address DMZ;

                application any;

            }

            then {

                permit {

                    tunnel {

                        ipsec-vpn MAP;

                        /* Links this policy with the reverse-direction
                           policy so both use the same SA pair. */
                        pair-policy dmz-untrust-policy;

                    }

                }

            }

        }

        /* Anything from untrust to dmz that is not the VPN traffic
           above is dropped. */
        policy default-deny {

            match {

                source-address any;

                destination-address any;

                application any;

            }

            then {

                deny;

            }

        }

    }

    /* Policy-based VPN, outbound direction (DMZ -> cisco); mirror of
       untrust-dmz-policy above and paired with it. Must precede
       default-deny for the same ordering reason. */
    from-zone dmz to-zone untrust {

        policy dmz-untrust-policy {

            match {

                source-address DMZ;

                destination-address cisco;

                application any;

            }

            then {

                permit {

                    tunnel {

                        ipsec-vpn MAP;

                        pair-policy untrust-dmz-policy;

                    }

                }

            }

        }

        /* The DMZ host gets no other path to untrust than the tunnel. */
        policy default-deny {

            match {

                source-address any;

                destination-address any;

                application any;

            }

            then {

                deny;

            }

        }

    }

}

zones {

    security-zone trust {

        /* Send a TCP RST for non-SYN segments that match no session. */
        tcp-rst;

        /* Zone-wide management services; applies to every interface in
           the zone unless the interface overrides it below. */
        host-inbound-traffic {

            system-services {

                ssh;

                ping;

                https;

            }

        }

        interfaces {

            ge-0/0/0.0 {

                /* Interface-level override - this list replaces the
                   zone-level one for ge-0/0/0.0. NOTE(review): http and
                   telnet are cleartext management protocols; remove
                   them unless a LAN-side workflow still depends on them.
                   dhcp presumably serves LAN clients - confirm. */
                host-inbound-traffic {

                    system-services {

                        http;

                        https;

                        ssh;

                        telnet;

                        dhcp;

                    }

                }

            }

        }

    }

    security-zone untrust {

        /* Screen (IDS option) profile; its definition is not part of
           this listing. */
        screen untrust-screen;

        /* 'ike' is required here so the VPN can negotiate on
           ge-0/0/1.0. NOTE(review): ssh/https/ping on the internet-facing
           zone expose device management to the peer network and beyond;
           restrict or drop them if not operationally needed. */
        host-inbound-traffic {

            system-services {

                ssh;

                https;

                ping;

                ike;

            }

        }

        interfaces {

            /* External IKE interface referenced by gateway GW. */
            ge-0/0/1.0;

        }

    }

    security-zone dmz {

        interfaces {

            /* Hosts the protected DMZ address 172.16.2.22/32. */
            ge-0/0/2.0 {

                host-inbound-traffic {

                    system-services {

                        ping;

                        ssh;

                    }

                }

            }

        }

    }

}

----------------------------------------

! Cisco side of the policy-based tunnel. Although the page title says
! "ASA", this listing uses IOS router syntax (crypto map bound under the
! interface, wildcard-mask ACL); ASA syntax would differ.
!
! PSK for the SRX peer. 192.168.114.190 is expected to be the address of
! SRX ge-0/0/1.0, which is not shown in the SRX listing - verify. The key
! is stored in clear text here; 'key config-key password-encrypt' with
! 'password encryption aes' would keep it as a type 6 secret instead.
crypto keyring L2L-keyring

  pre-shared-key address 192.168.114.190 key freeit123

!

! Phase 1: must match SRX proposal ike-prop (3des / md5 / PSK / group2).
! NOTE(review): all four are legacy settings kept for interop only.
crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 2

! Binds the keyring to the SRX peer identity.
crypto isakmp profile L2L

   keyring L2L-keyring

   match identity address 192.168.114.190 255.255.255.255

!

!

! Phase 2: matches SRX proposal ipsec-prop (esp, 3des-cbc, hmac-md5-96).
crypto ipsec transform-set L2L-IPSEC esp-3des esp-md5-hmac

!

! Crypto map entry: peer, transform-set, ISAKMP profile, and the crypto
! ACL that defines interesting traffic (mirror of the SRX pair policies).
! No 'set pfs' here, consistent with the SRX ipsec policy.
crypto map MAP 10 ipsec-isakmp

 set peer 192.168.114.190

 set transform-set L2L-IPSEC

 set isakmp-profile L2L

 match address 100

!

!

!

!

! Simulated LAN behind the router; the SRX address object 'cisco'
! (10.1.1.0/24) refers to this network.
interface Loopback1

 ip address 10.1.1.1 255.255.255.0

!

! Outside interface; 202.100.1.1 is the address SRX gateway GW points
! at. The crypto map is applied here.
interface FastEthernet0/0

 ip address 202.100.1.1 255.255.255.0

 duplex auto

 speed auto

 crypto map MAP

!

interface FastEthernet0/1

 no ip address

 shutdown

 duplex auto

 speed auto

!

ip classless

! Default route; 202.100.1.2 is presumably the next hop toward the SRX
! peer - not shown elsewhere on this page.
ip route 0.0.0.0 0.0.0.0 202.100.1.2

!

!

! Web management disabled on the router.
no ip http server

no ip http secure-server

!

! Crypto ACL: 10.1.1.0/24 -> host 172.16.2.22, the mirror image of the
! SRX dmz-untrust-policy match (DMZ -> cisco). Both sides must agree or
! Phase 2 proxy-ID negotiation fails.
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 172.16.2.22

---------------------------------------------------