Netscreen and Juniper SRX run OSPF

2025-01-19 Update From: SLTechnology News&Howtos (shulou)

Shulou (Shulou.com) 06/01 Report

Topology: (diagram image not preserved in this copy)

Netscreen configuration:

set zone name y1
set interface "tunnel.1" zone "Y1"
set interface "loopback.1" zone "Home"
set interface "loopback.2" zone "Home"
set interface "loopback.3" zone "Home"
set interface ethernet3 ip 200.1.1.2/24
set interface loopback.1 ip 192.168.1.1/24
set interface loopback.2 ip 192.168.2.1/24
set interface loopback.3 ip 192.168.3.1/24
set interface tunnel.1 ip 172.16.1.1/24
set interface ethernet3 manage
set interface loopback.1 manage
set interface loopback.2 manage
set interface loopback.3 manage
set address "Home" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "Home" "192.168.2.0" 192.168.2.0 255.255.255.0
set address "Home" "192.168.3.0" 192.168.3.0 255.255.255.0
set address "Y1" "192.168.4.0" 192.168.4.0 255.255.255.0
set address "Y1" "192.168.5.0" 192.168.5.0 255.255.255.0
set address "Y1" "192.168.6.0" 192.168.6.0 255.255.255.0
set address "Y1" "192.168.8.0" 192.168.8.0 255.255.255.0
set group address "Home" "zongbu"
set group address "Home" "zongbu" add "192.168.1.0"
set group address "Home" "zongbu" add "192.168.2.0"
set group address "Home" "zongbu" add "192.168.3.0"
set group address "Y1" "y1-add"
set group address "Y1" "y1-add" add "192.168.4.0"
set group address "Y1" "y1-add" add "192.168.5.0"
set group address "Y1" "y1-add" add "192.168.6.0"
set group address "Y1" "y1-add" add "192.168.8.0"
set ike gateway "to-y1" address 200.1.2.2 Main outgoing-interface "ethernet3" preshare "Gxl2rRLGNckqmts4QACGowXnN2nJ8eFsew==" sec-level standard
set vpn "Y1" gateway "to-y1" no-replay tunnel idletime 0 sec-level standard
set vpn "Y1" id 0x1 bind interface tunnel.1
set vpn "Y1" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
set policy id 6 from "Y1" to "Home" "y1-add" "zongbu" "ANY" permit
set policy id 5 from "Home" to "y1" "zongbu" "y1-add" "ANY" permit
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set vrouter trust-vr protocol ospf area 0
set vrouter trust-vr router-id 1.1.1.1
set route 0.0.0.0/0 interface ethernet3 gateway 200.1.1.1
set interface loopback.1 protocol ospf area 0.0.0.0
set interface loopback.1 protocol ospf enable
set interface loopback.2 protocol ospf area 0.0.0.0
set interface loopback.2 protocol ospf enable
set interface loopback.3 protocol ospf area 0.0.0.0
set interface loopback.3 protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf ignore-mtu
set interface tunnel.1 protocol ospf enable

The ignore-mtu line is the most important command in this lab: if you do not enter it, the OSPF neighbor stays stuck in the ExStart state.

ISP configuration:

interface Ethernet0/0
 ip address 200.1.1.1 255.255.255.0
 no shutdown
interface Ethernet0/1
 ip address 200.1.2.1 255.255.255.0
 no shutdown

Juniper SRX configuration:

version 12.1X44.4;
system {
    root-authentication {
        encrypted-password "$1$Iq3z9EVf$2Qjh4Bi1SYKIqfaawy9QW/"; ## SECRET-DATA
    }
    login {
        user juniper {
            uid 2001;
            class super-user;
        }
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 200.1.2.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.8.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 172.16.1.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 200.1.2.1;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface st0.0;
        }
    }
}
security {
    ike {
        policy l2l-p1-gateway {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$s24oGPfz6CuaZz6"; ## SECRET-DATA
        }
        gateway l2l-p1-gateway {
            ike-policy l2l-p1-gateway;
            address 200.1.1.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy l2l-p2-policy {
            proposal-set standard;
        }
        vpn <vpn-name> { /* the VPN name is garbled in the source copy */
            bind-interface st0.0;
            ike {
                gateway l2l-p1-gateway;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy l2l-p2-policy;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone svti {
            policy permit-trust-svti {
                match {
                    source-address y1;
                    destination-address zongbu;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone svti to-zone trust {
            policy permit-svti-trust {
                match {
                    source-address zongbu;
                    destination-address y1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            telnet;
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address 192.168.8.0 192.168.8.0/24;
                address 192.168.4.0 192.168.4.0/24;
                address 192.168.5.0 192.168.5.0/24;
                address 192.168.6.0 192.168.6.0/24;
                address-set y1 {
                    address 192.168.8.0;
                    address 192.168.4.0;
                    address 192.168.5.0;
                    address 192.168.6.0;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone svti {
            address-book {
                address 192.168.1.0 192.168.1.0/24;
                address 192.168.2.0 192.168.2.0/24;
                address 192.168.3.0 192.168.3.0/24;
                address-set zongbu {
                    address 192.168.1.0;
                    address 192.168.2.0;
                    address 192.168.3.0;
                }
            }
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                st0.0;
            }
        }
        security-zone UN /* this line is truncated in the source copy */
    }
}

R2 configuration:

interface Ethernet0/0
 ip address 192.168.8.2 255.255.255.0
 no shutdown
 ip ospf 110 area 0
interface Loopback0
 ip address 192.168.4.1 255.255.255.0
 ip ospf 110 area 0
interface Loopback1
 ip address 192.168.5.1 255.255.255.0
 ip ospf 110 area 0
interface Loopback2
 ip address 192.168.6.1 255.255.255.0
 ip ospf 110 area 0

Result: (screenshot image not preserved in this copy)

One thing to watch out for: the tunnel.1 interface on the NetScreen must have OSPF MTU checking disabled with ns5gt-> set int tun.1 protocol ospf ignore-mtu; otherwise the OSPF neighbor stays stuck in the ExStart state.
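To show why ignore-mtu unblocks the adjacency, here is an added example (mine, not code from the original post) that builds and parses OSPFv2 Database Description packets and applies the RFC 2328 MTU rule that governs ExStart. The MTU values and the SRX router-id 2.2.2.2 are constructed for the demonstration, not taken from the lab; 9192 is the MTU a Junos st0 interface reports by default.

```python
import struct

# OSPFv2 constants (RFC 2328, Appendix A)
OSPF_VERSION = 2
DBD_TYPE = 2        # Database Description packet
OSPF_HDR_LEN = 24

def build_dbd(router_id, mtu, options=0x02, flags=0x07, dd_seq=0x1000):
    """Build a minimal OSPFv2 Database Description packet (RFC 2328 A.3.3).
    Checksum and authentication fields stay zero; no LSA headers are attached."""
    rid = bytes(int(o) for o in router_id.split("."))
    body = struct.pack("!HBBI", mtu, options, flags, dd_seq)   # Interface MTU, Options, I/M/MS, DD seq
    hdr = struct.pack("!BBH4s4sHHQ", OSPF_VERSION, DBD_TYPE, OSPF_HDR_LEN + len(body),
                      rid, b"\x00" * 4, 0, 0, 0)               # area 0.0.0.0, csum 0, AuType 0, auth 0
    return hdr + body

def parse_dbd(pkt):
    """Return the fields of a DBD packet; raise ValueError for anything else."""
    ver, ptype, length = struct.unpack("!BBH", pkt[:4])
    if ver != OSPF_VERSION or ptype != DBD_TYPE or length > len(pkt):
        raise ValueError("not an OSPFv2 Database Description packet")
    mtu, options, flags, dd_seq = struct.unpack("!HBBI", pkt[OSPF_HDR_LEN:OSPF_HDR_LEN + 8])
    return {"router_id": ".".join(str(b) for b in pkt[4:8]),
            "mtu": mtu, "options": options, "flags": flags, "dd_seq": dd_seq}

def exstart_accepts(local_mtu, pkt, ignore_mtu=False):
    """RFC 2328 section 10.6: a DBD whose Interface MTU field exceeds the receiving
    interface's MTU is rejected, so the neighbor never leaves ExStart.
    ScreenOS 'set interface X protocol ospf ignore-mtu' skips this comparison."""
    dbd = parse_dbd(pkt)
    return ignore_mtu or dbd["mtu"] <= local_mtu

def exstart_outcome(ns_mtu, srx_mtu, ns_ignore=False, srx_ignore=False):
    """Model the two DBD exchanges of ExStart between the NetScreen (tunnel.1,
    router-id 1.1.1.1) and the SRX (st0.0, router-id 2.2.2.2 is an assumed value).
    The adjacency only moves on to Exchange if each side accepts the other's DBD."""
    ns_dbd = build_dbd("1.1.1.1", ns_mtu)
    srx_dbd = build_dbd("2.2.2.2", srx_mtu, dd_seq=0x2000)
    ns_ok = exstart_accepts(ns_mtu, srx_dbd, ns_ignore)
    srx_ok = exstart_accepts(srx_mtu, ns_dbd, srx_ignore)
    return "Exchange" if ns_ok and srx_ok else "ExStart"

if __name__ == "__main__":
    # Constructed values: tunnel.1 at 1500 against the 9192 a Junos st0 interface defaults to.
    print("no ignore-mtu:          ", exstart_outcome(1500, 9192))                    # ExStart
    print("ignore-mtu on NetScreen:", exstart_outcome(1500, 9192, ns_ignore=True))    # Exchange
    print("ignore-mtu on SRX only: ", exstart_outcome(1500, 9192, srx_ignore=True))   # ExStart
```

Note that the flag has to be set on the side with the smaller MTU (here the NetScreen), because that is the side rejecting its peer's DBD.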
