[j-nsp] Anyone know how to run IPSec on an M40?

Thanh_Mai at 3com.com Thanh_Mai at 3com.com
Fri Oct 1 17:31:09 EDT 2004





Many Thanks to Harry Reynolds and Daniel Verlouw for the assistance in
getting this to work:

LAN1(10.101.175.0/24)---Juniper----212.0.12.0/30----Cisco---LAN2(10.6.0.0/27)

    /* LAN1-facing interface (10.101.175.246/24). */
    fe-3/1/0 {
        unit 0 {
            family inet {
                /*
                 * Encrypt-Policy (under "firewall") decides which packets
                 * arriving from the LAN are handed to IPsec SA "Current".
                 * Its final term accepts everything else, so traffic that
                 * misses the match is forwarded without IPsec protection.
                 */
                filter {
                    input Encrypt-Policy;
                }
                address 10.101.175.246/24;
            }
        }
    }
  /*
   * Link towards the Cisco peer (212.0.12.0/30). The local address
   * 212.0.12.1 is also the tunnel source configured on es-4/2/0.
   * NOTE(review): no input filter is applied here in this excerpt, so
   * nothing shown restricts what the far side may send to this address.
   */
  t1-4/0/0:11 {
        unit 0 {
            family inet {
                address 212.0.12.1/30;
            }
        }
    }
/* es- (encryption services) interface that terminates the IPsec tunnel. */
es-4/2/0 {
        unit 0 {
            /* Tunnel endpoints: local 212.0.12.1, remote peer 212.0.12.2. */
            tunnel {
                source 212.0.12.1;
                destination 212.0.12.2;
            }
            family inet {
                /* Binds this unit to security-association "Current". */
                ipsec-sa Current;
                /*
                 * Decrypt-Policy is applied on input of this unit, i.e. to
                 * packets coming out of the tunnel. It accepts only
                 * LAN2 -> LAN1 traffic; it has no other term.
                 */
                filter {
                    input Decrypt-Policy;
                }
            }
        }
    }

security {
    ipsec {
        /*
         * NOTE(review): "protocol ah" gives integrity and origin
         * authentication only. AH does not encrypt, so LAN1 <-> LAN2
         * payloads cross the 212.0.12.0/30 link in cleartext despite the
         * "Encrypt-Policy"/"Decrypt-Policy" filter names. If
         * confidentiality is required, use "protocol esp" with an
         * encryption-algorithm that both peers support.
         * hmac-md5-96 is a legacy MAC; prefer a SHA-based one where the
         * peer allows it.
         */
        proposal Current {
            protocol ah;
            authentication-algorithm hmac-md5-96;
        }
        /* IPsec policy "all" offers only the proposal above. */
        policy all {
            proposals Current;
        }
        /* Tunnel-mode SA whose keys are negotiated dynamically (via IKE). */
        security-association Current {
            mode tunnel;
            dynamic {
                ipsec-policy all;
            }
        }
    }
    ike {
        /*
         * NOTE(review): weak phase-1 parameters. group1 is a 768-bit
         * MODP group and des-cbc uses a 56-bit key; both are far below
         * current minimums and together bound the strength of every key
         * derived from this exchange. Raise the DH group and cipher to
         * the strongest values both the ES PIC and the peer support.
         * The lifetime is 86400 s (24 h).
         */
        proposal default {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        /* IKE policy named after the peer address (tunnel destination). */
        policy 212.0.12.2 {
            proposals default;
            /*
             * NOTE(review): the "$9$" form is a reversible obfuscation of
             * the key, not a one-way hash. A value that has appeared in a
             * shared or published configuration should be treated as
             * disclosed and replaced on both peers; redact it before
             * pasting configs.
             */
            pre-shared-key ascii-text "$9$wosaUq.5F6AfT";
        }
    }
}

firewall {
    /*
     * Applied as the input filter on fe-3/1/0. Selects LAN1 -> LAN2
     * traffic for IPsec SA "Current". The SA's proposal uses AH, so
     * "Encrypt" here means authenticated, not encrypted.
     */
    filter Encrypt-Policy {
        term Direct {
            from {
                source-address {
                    10.101.175.0/24;
                }
                /*
                 * NOTE(review): the topology line in the post gives LAN2
                 * as 10.6.0.0/27, but this matches 10.6.0.0/24. Confirm
                 * the wider prefix is intended and that the peer's
                 * traffic selector mirrors it.
                 */
                destination-address {
                    10.6.0.0/24;
                }
            }
            then ipsec-sa Current;
        }
        /*
         * Everything not matched above is forwarded normally, outside the
         * tunnel. A packet that should have been protected but misses
         * term Direct therefore leaves unprotected rather than being
         * dropped.
         */
        term Default {
            then accept;
        }
    }
    /*
     * Applied as the input filter on es-4/2/0 (traffic leaving the
     * tunnel). Only LAN2 -> LAN1 packets are accepted. There is no
     * further term, so anything else hits the filter's implicit discard.
     */
    filter Decrypt-Policy {
        term Direct {
            from {
                source-address {
                    10.6.0.0/24;
                }
                destination-address {
                    10.101.175.0/24;
                }
            }
            then accept;
        }
    }
}



