Created
June 25, 2011 14:05
Generated Configuration (Route-based):
## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24
## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"
## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0
## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized
## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
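A route-based SRX tunnel only works when four independently written sections agree: the static routes pointing into st0.0, the zone that st0.0 belongs to, that zone's address book, and the security policies that reference those address names. The following Python check, added here as a review aid and not part of the gist, parses the set statements above and reports where they disagree: a policy address that is not defined in the zone the policy reads it from, a vpn/gateway/policy reference that does not resolve, a prefix routed into the tunnel without an address-book entry in the tunnel zone (or the reverse), and a short pre-shared key. The embedded configuration is a copy of the statements above; the 16-character key threshold and the wording of the findings are this example's own assumptions, not Junos rules.

```python
# Constructed copy of the gist's own Junos "set" statements, embedded so the checker runs offline.
CONFIG = """\
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
"""


def check_vpn(config, min_psk_len=16):
    """Return (findings, notes). min_psk_len is an assumed review threshold, not a Junos rule."""
    findings, notes = [], []
    routes, addrs, zone_if = {}, {}, {}
    ike_pol, ike_gw, ipsec_pol, vpn, refs, psk = set(), {}, set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("#"):                          # statement left disabled in the gist
            notes.append("disabled statement: " + line.lstrip("#").strip())
        if not line.startswith("set "):
            continue
        t = line.split()[1:]
        if t[:3] == ["routing-options", "static", "route"]:
            routes[t[3]] = t[5]                           # prefix -> next-hop
        elif t[:3] == ["security", "zones", "security-zone"]:
            if t[4] == "interfaces":
                zone_if.setdefault(t[5], set()).add(t[3])  # interface -> zones
            elif t[4:6] == ["address-book", "address"]:
                addrs[t[6]] = (t[3], t[7])                # name -> (zone, prefix)
        elif t[:3] == ["security", "ike", "policy"]:
            ike_pol.add(t[3])
            if t[4] == "pre-shared-key":
                psk = t[6].strip('"')
        elif t[:3] == ["security", "ike", "gateway"]:
            ike_gw.setdefault(t[3], {})[t[4]] = t[5]
        elif t[:3] == ["security", "ipsec", "policy"]:
            ipsec_pol.add(t[3])
        elif t[:3] == ["security", "ipsec", "vpn"]:
            vpn[" ".join(t[4:-1])] = t[-1]                # e.g. "ike gateway" -> gateway name
        elif t[:2] == ["security", "policies"] and t[8] == "match" and t[9].endswith("-address"):
            refs.append((t[3], t[5], t[7], t[9], t[10]))  # from, to, policy, kind, address name
    # Source addresses must live in the from-zone book, destinations in the to-zone book.
    for frm, to, pol, kind, name in refs:
        zone = frm if kind == "source-address" else to
        if addrs.get(name, (None, None))[0] != zone:
            findings.append(f"policy {pol}: {kind} {name} not in {zone} address book")
    # vpn -> gateway -> ike policy, and vpn -> ipsec policy, must all resolve to defined objects.
    chain = {"ike gateway": vpn.get("ike gateway") in ike_gw,
             "ike policy": ike_gw.get(vpn.get("ike gateway"), {}).get("ike-policy") in ike_pol,
             "ipsec policy": vpn.get("ike ipsec-policy") in ipsec_pol}
    findings += [f"ipsec vpn chain references an undefined {k}" for k, ok in chain.items() if not ok]
    # Prefixes routed into the bound st0 unit must match that zone's address book; otherwise
    # traffic is routed into the tunnel with no policy able to match it, or booked but unroutable.
    st0 = vpn.get("bind-interface")
    tunnel_zones = zone_if.get(st0, set())
    if not tunnel_zones:
        findings.append(f"bind-interface {st0} is not assigned to a security zone")
    routed = {p for p, nh in routes.items() if nh == st0}
    booked = {p for zone, p in addrs.values() if zone in tunnel_zones}
    for p in sorted(routed ^ booked):
        findings.append(f"{p}: static route via {st0} and tunnel-zone address-book entry do not agree")
    # A short pre-shared key undermines main-mode IKE; the threshold is this example's assumption.
    if psk is not None and len(psk) < min_psk_len:
        findings.append(f"pre-shared key is {len(psk)} characters, below {min_psk_len}")
    return findings, notes
```

Run against the gist as written, the structural checks all pass and the only finding is the 8-character pre-shared key; the two notes list the host-inbound-traffic and vpn-monitor statements that were left commented out. Deleting one of the st0.0 static routes before running it produces a second finding for that prefix, which is the class of mistake this kind of check is meant to catch before the tunnel is brought up.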