本页内容
最低安全关联配置
以下部分显示了为 IPsec 服务设置安全关联 (SA) 所需的最低配置:
最低手动 SA 配置
要定义手动 SA 配置,您必须在 [edit services ipsec-vpn rule rule-name term term-name then manual] 层次结构级别至少包含以下语句:
[edit services ipsec-vpn rule rule-name term term-name then manual] direction (inbound | outbound | bidirectional) { authentication { algorithm (hmac-md5-96 | hmac-sha1-96); key (ascii-text key | hexadecimal key); } encryption { algorithm algorithm; key (ascii-text key | hexadecimal key); } protocol (ah | esp | bundle); spi spi-value; }
最低动态 SA 配置
要定义动态 SA 配置,您必须在 [edit services ipsec-vpn] 层次结构级别至少包含以下语句:
[edit services ipsec-vpn] ike { proposal proposal-name { authentication-algorithm (md5 | sha1 | sha-256); authentication-method pre-shared-keys; dh-group (group1 | group2 | group5 |group14 | group15 | group16 | group19 | group20 | group24); encryption-algorithm algorithm; } policy policy-name { proposals [ ike-proposal-names ]; pre-shared-key (ascii-text key | hexadecimal key); version (1 | 2); mode (aggressive | main); } } ipsec { policy policy-name { proposals [ ipsec-proposal-names ]; } proposal proposal-name { authentication-algorithm (hmac-md5-96 | hmac-sha1-96); encryption-algorithm algorithm; protocol (ah | esp | bundle); } }
注意:
从 Junos OS 11.4 版开始,所有 M Series、MX 系列和 T Series 路由器默认支持 IKEv1 和 IKEv2。
version层次结构级别的语句[edit services ipsec-vpn ike policy name]允许您配置要支持的特定 IKE 版本。mode仅当version选项设置为 1时,才需要层次结构级别的语句[edit services ipsec-vpn ike policy name]。
还必须在[edit services ipsec-vpn rule rule-name term term-name then dynamic]层次结构级别包含ipsec-policy语句。