ipsec-netscreen的比较

ConfiguringanIPsecLAN−to−LANTunnelBetweentheCiscoPIXFirewallandaNetScreenFirewallDocumentID:45423IntroductionPrerequisitesRequirementsComponentsUsedConventionsConfigureNetworkDiagramConfigurationsVerifyVerificationCommandsVerificationOutputTroubleshootTroubleshootingCommandsSampleDebugOutputNetProDiscussionForums−FeaturedConversationsRelatedInformationIntroductionThisdocumentdescribesthenecessaryprocedureusedtocreateanIPsecLAN−to−LANtunnelbetweenaCiscoPIXFirewallandaNetScreenFirewallwiththelatestsoftware.ThereisaprivatenetworkbehindeachdevicethatcommunicatestotheotherfirewallthroughtheIPsectunnel.PrerequisitesRequirementsEnsurethatyoumeettheserequirementsbeforeyouattemptthisconfiguration:TheNetScreenFirewallisconfiguredwiththeIPaddressesonthetrust/untrustinterfaces.•ConnectivityisestablishedtotheInternet.•ComponentsUsedTheinformationinthisdocumentisbasedonthesesoftwareandhardwareversions:PIXFirewallSoftwareVersion6.3(1)•NetScreenLatestRevision•Theinformationinthisdocumentwascreatedfromthedevicesinaspecificlabenvironment.Allofthedevicesusedinthisdocumentstartedwithacleared(default)configuration.Ifyournetworkislive,makesurethatyouunderstandthepotentialimpactofanycommand.Cisco−ConfiguringanIPsecLAN−to−LANTunnelBetweentheCiscoPIXFirewallandaNetScreenFirewallConventionsRefertotheCiscoTechnicalTipsConventionsformoreinformationondocumentconventions.ConfigureInthissection,youarepresentedwiththeinformationtoconfigurethefeaturesdescribedinthisdocument.Note:UsetheCommandLookupTool(registeredcustomersonly)toobtainmoreinformationonthecommandsusedinthissection.NetworkDiagramThisdocumentusesthisnetworksetup:ConfigurationsThisdocumentusestheseconfigurations:PIXFirewall•NetScreenFirewall•ConfigurethePIXFirewallPIXFirewallPIXVersion6.3(1)interfaceethernet010basetinterfaceethernet1100fullnameifethernet0outsidesecurity0nameifethernet1insidesecurity100enablepassword8Ry2YjIyt7RRXU24encryptedpasswd2KFQnbNIdI.2KYOUencryptedhostnamepixfirewalldomain−namecisco.comfixupprotocolftp21fixupprotocolh323h2251720fixupprotocolh323ras1718−1719fixupprotocolhttp80fixupprotocolils389fixupprotocolrsh514fixupprotocolrtsp554fixupprotocolsip5060fixupprotocolsipudp5060fixupprotocolskinny2000fixupprotocolsmtp25fixupprotocolsqlnet1521Cisco−ConfiguringanIPsecLAN−to−LANTunnelBetweentheCiscoPIXFirewallandaNetScreenFirewallnames!−−−Accesscontrollist(ACL)forinterestingtraffictobeencryptedand!−−−tobypasstheNetworkAddressTranslation(NAT)process.access−listnonatpermitip10.0.25.0255.255.255.010.0.3.0255.255.255.0pagerlines24loggingonloggingtimestamploggingbuffereddebuggingicmppermitanyinsidemtuoutside1500mtuinside1500!−−−IPaddressesontheinterfaces.ipaddressoutside172.18.124.96255.255.255.0ipaddressinside10.0.25.254255.255.255.0ipauditinfoactionalarmipauditattackactionalarmpdmlogginginformational100pdmhistoryenablearptimeout14400global(outside)1interface!−−−BypassofNATforIPsecinterestinginsidenetworktraffic.nat(inside)0access−listnonatnat(inside)10.0.0.00.0.0.000!−−−DefaultgatewaytotheInternet.routeoutside0.0.0.00.0.0.0172.18.124.11timeoutxlate0:05:00timeoutconn1:00:00half−closed0:10:00udp0:02:00rpc0:10:00h2251:00:00timeouth3230:05:00mgcp0:05:00sip0:30:00sip_media0:02:00timeoutuauth0:05:00absoluteaaa−serverTACACS+protocoltacacs+aaa−serverRADIUSprotocolradiusaaa−serverLOCALprotocollocalhttp10.0.0.0255.0.0.0insidenosnmp−serverlocationnosnmp−servercontactsnmp−servercommunitypublicnosnmp−serverenabletrapsfloodguardenable!−−−ThiscommandavoidsappliedACLsorconduitsonencryptedpackets.sysoptconnectionpermit−ipsec!−−−ConfigurationofIPsecPhase2.cryptoipsectransform−setmytransesp−3desesp−sha−hmaccryptomapmymap10ipsec−isakmpcryptomapmymap10matchaddressnonatcryptomapmymap10setpfsgroup2cryptomapmymap10setpeer172.18.173.85cryptomapmymap10settransform−setmytranscryptomapmymapinterfaceoutside!−−−ConfigurationofIPsecPhase1.isakmpenableoutsideCisco−ConfiguringanIPsecLAN−to−LANTunnelBetweentheCiscoPIXFirewallandaNetScreenFirewall!−−−InternetKeyExchange(IKE)pre−sharedkey!−−−thatthepeersusetoauthenticate.isakmpkeytestmeaddress172.18.173.85netmask255.255.255.255isakmpidentityaddressisakmppolicy10authenticationpre−shareisakmppolicy10encryption3desisakmppolicy10hashshaisakmppolicy10group2isakmppolicy10lifetime86400telnettimeout5sshtimeout5consoletimeout0dhcpdlease3600dhcpdping_timeout750terminalwidth80ConfiguretheNetScreenFirewallCompletethesestepsinordertoconfiguretheNetScreenFirewall.SelectListsAddress,gototheTrustedtab,andclickNewAddress.1.AddtheNetScreeninternalnetworkthatisencryptedonthetunnelandclickOK.Note:EnsurethattheTrustoptionisselected.Thisexampleusesnetwork10.0.3.0withamaskof255.255.255.0.2.SelectListsAddress,gototheUntrustedtab,andclickNewAddress.3.AddtheremotenetworkthatNetScreenFirewalluseswhenitencryptspacketsandclickOK.4.Cisco−ConfiguringanIPsecLAN−to−LANTunnelBetweentheCiscoPIXFirewallandaNetScreenFirewallNote:DonotuseaddressgroupswhenyouconfigureaVPNtoanonNetScreengateway.VPNinteroperabilityfailsifyouuseaddressgroups.ThenonNetScreensecuritygatewaydoesnotknowhowtoin