ISG 2000

1. Create a tunnel interface and bind it to the Untrust zone. The tunnel interface does not need a unique IP address of its own, so you define it as "unnumbered" and borrow the IP address of ethernet1/1.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet1/1
2. Create addresses for the local and remote networks for later use in policies.
set address trust local 10.1.1.0/24
set address untrust peer1 10.2.2.0/24
3. Define the following settings for the dynamic IKE gateway "peer1":
Define the peer's IKE ID. This is a string that the peer sends during Phase 1 negotiations to identify itself. Because the peer's address is dynamic, the ISG 2000 must select the preshared key from this ID rather than from a source address, which is why the gateway uses aggressive mode.
Define the preshared key that both IKE peers use when generating keying material. Aggressive mode exchanges the identity and the key-derived hash before the channel is encrypted, so choose a long, random key rather than a dictionary word.
Specify the outgoing interface from which the ISG 2000 sends IKE traffic when performing Phase 1 and 2 negotiations.
Define the security level for Phase 1 proposals as "Compatible". This set includes the following four Phase 1 proposals, each of which has a lifetime of 28,800 seconds (8 hours). When the lifetime expires, the ISG 2000 renegotiates Phase 1 with its peer. Two of the four proposals use single DES and two use MD5, both of which are weak by current standards, so accept the Compatible set only where the peer cannot negotiate anything stronger.
pre-g2-3des-sha
pre-g2-3des-md5
pre-g2-des-sha
pre-g2-des-md5
set ike gateway peer1 dynamic peer1@jnpr.net aggressive outgoing-interface ethernet1/1 preshare Iwb715iSF sec-level compatible
4. Define the following settings for IPSec VPN tunnel "vpn1":
Attach the VPN to IKE gateway "peer1" and define the security level for Phase 2 negotiations as "Compatible". This set includes the following four Phase 2 proposals, each of which has a lifetime of 3600 seconds (1 hour). When the lifetime expires, the ISG 2000 renegotiates Phase 2, and possibly Phase 1 also, with its peer. None of these proposals use Perfect Forward Secrecy (the "nopfs" prefix), so every Phase 2 key is derived from the Phase 1 secret and falls with it.
nopfs-esp-3des-sha
nopfs-esp-3des-md5
nopfs-esp-des-sha
nopfs-esp-des-md5
set vpn vpn1 gateway peer1 tunnel sec-level compatible
Bind the VPN tunnel to tunnel interface tunnel.1. This makes the VPN route-based: traffic that the routing table sends out tunnel.1 is encrypted to the peer.
set vpn vpn1 bind interface tunnel.1
Set the proxy ID, which specifies the local and remote IP addresses and the service that you want to pass through the tunnel. Setting the proxy ID as 0.0.0.0-0.0.0.0-ANY imposes no restrictions, allowing you to control the traffic flow at the policy level.
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
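The following Python script is an added example, not part of the Juniper document and not ScreenOS code. It parses "set" commands in the forms used by the four steps above and checks them the way a reviewer would before committing the configuration: every VPN must reference an IKE gateway and a tunnel interface that were actually defined, and aggressive mode, single-DES or MD5 proposals, proposals without PFS, and a wildcard proxy ID are reported. The command grammar it accepts is limited to the commands shown on this page; the sample input is constructed from those commands, and the second sample deliberately names an undefined gateway "gw1" to show the cross-reference check firing.

```python
"""Cross-reference and crypto-hygiene checks for ScreenOS-style IPSec VPN
commands. Added example, not Juniper code; it understands only the command
forms used in the ISG 2000 procedure above."""
import re
from dataclasses import dataclass, field

# Documented expansion of "sec-level compatible" for Phase 1 and Phase 2.
COMPATIBLE_P1 = ["pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-des-sha", "pre-g2-des-md5"]
COMPATIBLE_P2 = ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5", "nopfs-esp-des-sha", "nopfs-esp-des-md5"]
WEAK_ALGO = re.compile(r"(^|-)des-|-md5$")   # single DES (not 3des) or MD5 integrity


@dataclass
class Config:
    interfaces: dict = field(default_factory=dict)  # interface name -> zone
    gateways: dict = field(default_factory=dict)    # gateway name -> {"mode", "proposals"}
    vpns: dict = field(default_factory=dict)        # vpn name -> {"gateway", "bind", "proposals", "proxy"}


def _proposals(line, compatible):
    """Expand 'sec-level compatible' to its proposal list; otherwise take the
    explicit 'proposal ...' names, if any."""
    m = re.search(r"sec-level (\S+)$", line)
    if m:
        return list(compatible) if m[1] == "compatible" else [f"sec-level:{m[1]}"]
    m = re.search(r"proposal (.+)$", line)
    return m[1].split() if m else []


def parse(lines):
    """Build a Config from 'set ...' lines; lines of other forms are ignored."""
    cfg = Config()
    for raw in lines:
        line = " ".join(raw.split())          # collapse wrapped or indented text
        if m := re.match(r"set interface (\S+) zone (\S+)", line):
            cfg.interfaces[m[1]] = m[2]
        elif m := re.match(r"set ike gateway (\S+) (?:dynamic|address) \S+ (aggressive|main)", line):
            cfg.gateways[m[1]] = {"mode": m[2], "proposals": _proposals(line, COMPATIBLE_P1)}
        elif m := re.match(r"set vpn (\S+) gateway (\S+) tunnel", line):
            cfg.vpns.setdefault(m[1], {}).update(gateway=m[2], proposals=_proposals(line, COMPATIBLE_P2))
        elif m := re.match(r"set vpn (\S+) bind interface (\S+)", line):
            cfg.vpns.setdefault(m[1], {})["bind"] = m[2]
        elif m := re.match(r"set vpn (\S+) proxy-id local-ip (\S+) remote-ip (\S+) (\S+)", line):
            cfg.vpns.setdefault(m[1], {})["proxy"] = (m[2], m[3], m[4])
    return cfg


def lint(cfg):
    """Return (severity, message) findings: 'error' for dangling references,
    'warn' for weak cryptographic choices, 'info' for policy-dependent settings."""
    out = []
    for name, gw in cfg.gateways.items():
        if gw["mode"] == "aggressive":
            out.append(("warn", f"gateway {name}: aggressive mode sends the PSK-derived hash "
                                "unencrypted, so the preshared key must resist offline guessing"))
        out += [("warn", f"gateway {name}: weak Phase 1 proposal {p}")
                for p in gw["proposals"] if WEAK_ALGO.search(p)]
    for name, v in cfg.vpns.items():
        if v.get("gateway") not in cfg.gateways:
            out.append(("error", f"vpn {name}: IKE gateway {v.get('gateway')!r} is not defined"))
        if "bind" not in v:
            out.append(("error", f"vpn {name}: not bound to a tunnel interface"))
        elif v["bind"] not in cfg.interfaces:
            out.append(("error", f"vpn {name}: tunnel interface {v['bind']!r} is not defined"))
        for p in v.get("proposals", []):
            if p.startswith("nopfs"):
                out.append(("warn", f"vpn {name}: {p} has no Perfect Forward Secrecy"))
            if WEAK_ALGO.search(p):
                out.append(("warn", f"vpn {name}: weak Phase 2 proposal {p}"))
        if v.get("proxy", ("",))[:2] == ("0.0.0.0/0", "0.0.0.0/0"):
            out.append(("info", f"vpn {name}: wildcard proxy-id; traffic selection is left to policy"))
    return out


# Constructed sample: the commands from the ISG 2000 procedure above.
PAGE_CONFIG = [
    "set interface tunnel.1 zone untrust",
    "set interface tunnel.1 ip unnumbered interface ethernet1/1",
    "set address trust local 10.1.1.0/24",
    "set address untrust peer1 10.2.2.0/24",
    "set ike gateway peer1 dynamic peer1@jnpr.net aggressive outgoing-interface ethernet1/1 "
    "preshare Iwb715iSF sec-level compatible",
    "set vpn vpn1 gateway peer1 tunnel sec-level compatible",
    "set vpn vpn1 bind interface tunnel.1",
    "set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any",
]
# Constructed variant: the VPN names a gateway "gw1" that was never defined.
BROKEN_CONFIG = [l.replace("gateway peer1 tunnel", "gateway gw1 tunnel") for l in PAGE_CONFIG]


def errors(lines):
    """Messages of severity 'error' only; empty means the config is internally consistent."""
    return [msg for sev, msg in lint(parse(lines)) if sev == "error"]


if __name__ == "__main__":
    for sev, msg in lint(parse(PAGE_CONFIG)):
        print(f"[{sev}] {msg}")
    print("broken:", errors(BROKEN_CONFIG))
```

Run against the page's own commands the script reports no errors but eleven warnings (aggressive mode, the three DES/MD5 Phase 1 proposals, the four no-PFS Phase 2 proposals and the three DES/MD5 ones among them) plus the wildcard proxy-ID note; against the "gw1" variant it reports the dangling gateway reference that would otherwise only surface when Phase 2 fails to come up.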
Chapter 1: Configuring IPSec VPN