Define an IKE User:
WebUI:
CLI:
set user "ikeuser" ike-id u-fqdn "wzknet@hotmail.com" share-limit 1
set user "ikeuser" type ike
set user "ikeuser" "enable"
Define a user group:
WebUI:
CLI:
set user-group "ikegroup" user "ikeuser"
Define an address book entry:
WebUI:
CLI:
set address "Trust" "ftpserver" 10.245.33.10 255.255.255.255
Define the Gateway:
Click "Advanced":
CLI:
set ike gateway "ikegateway" dialup "ikegroup" Aggr outgoing-interface "ethernet1/1" preshare "ikegateway" proposal "pre-g1-des-md5"
unset ike gateway "ikegateway" nat-traversal udp-checksum
set ike gateway "ikegateway" nat-traversal keepalive-frequency 5
For the "IKE only" user type, testing showed that the VPN connection is established successfully whether or not the NetScreen-Remote client PC reaches the Internet through NAT, and whether or not NAT-Traversal is enabled.
Define AutoKey IKE:
Click "Advanced":
CLI:
set vpn "ikevpn" gateway "ikegateway" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
Define the Policy:
Only the FTP and ping services are permitted.
Configure the NetScreen-Remote client:

The ID type is E-mail Address; enter the IKE identity given when defining the IKE User: wzknet@hotmail.com. Click Pre-Shared Key and enter the Preshared Key entered when defining the Gateway: ikegateway.
Select "Aggressive Mode".
Match the values used when defining Phase 1 of the ISG-1000 Gateway above.
Match the values used when defining Phase 2 of the ISG-1000 AutoKey IKE above.
VPN connection:
On the NetScreen-Remote client, enter the following command to trigger the VPN connection:
ping 10.245.33.10 -t
Once the VPN is established, a small yellow key appears on the NetScreen-Remote tray icon at the lower right of the PC screen:
The following is the log shown in the NetScreen-Remote Log Viewer:
10:13:32.562 My Connections\ikeuser - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
10:13:32.593 My Connections\ikeuser - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
10:13:32.718 My Connections\ikeuser - RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH)
10:13:32.734 My Connections\ikeuser - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
10:13:32.734 My Connections\ikeuser - Established IKE SA
10:13:32.734 MY COOKIE 2a 3 75 71 c0 dd fb 2b
10:13:32.734 HIS COOKIE 9a f f8 3a ec 18 9 70
10:13:32.734 My Connections\ikeuser - Initiating IKE Phase 2 with Client IDs (message id: D92F7F47)
10:13:32.734 Initiator = IP ADDR=10.200.51.202, prot = 0 port = 0
10:13:32.734 Responder = IP ADDR=10.245.33.10, prot = 0 port = 0
10:13:32.734 My Connections\ikeuser - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
10:13:32.828 My Connections\ikeuser - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
10:13:32.828 My Connections\ikeuser - SENDING>>>> ISAKMP OAK QM *(HASH)
10:13:32.828 My Connections\ikeuser - Loading IPSec SA (Message ID = D92F7F47 OUTBOUND SPI = 928861FF INBOUND SPI = E08B270C)
Test platform: Juniper ISG-1000 (5.3.0r10.0+FW+VPN) + NetScreen-Remote 8.0.0 (build 14)
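As an added example (not part of the original post), a small Python parser that reduces the Log Viewer output above to the facts worth checking after a dial-up test: the Phase 1 exchange type (OAK AG is aggressive mode), whether the IKE SA was established, both ISAKMP cookies, the Phase 2 selectors, and the loaded SPIs. The sample input is the log quoted above, embedded as a constructed string.

```python
import re

# Constructed sample: the NetScreen-Remote Log Viewer lines quoted in the post.
SAMPLE_LOG = """
10:13:32.562 My Connections\\ikeuser - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
10:13:32.593 My Connections\\ikeuser - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
10:13:32.718 My Connections\\ikeuser - RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH)
10:13:32.734 My Connections\\ikeuser - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
10:13:32.734 My Connections\\ikeuser - Established IKE SA
10:13:32.734 MY COOKIE 2a 3 75 71 c0 dd fb 2b
10:13:32.734 HIS COOKIE 9a f f8 3a ec 18 9 70
10:13:32.734 My Connections\\ikeuser - Initiating IKE Phase 2 with Client IDs (message id: D92F7F47)
10:13:32.734 Initiator = IP ADDR=10.200.51.202, prot = 0 port = 0
10:13:32.734 Responder = IP ADDR=10.245.33.10, prot = 0 port = 0
10:13:32.734 My Connections\\ikeuser - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
10:13:32.828 My Connections\\ikeuser - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
10:13:32.828 My Connections\\ikeuser - SENDING>>>> ISAKMP OAK QM *(HASH)
10:13:32.828 My Connections\\ikeuser - Loading IPSec SA (Message ID = D92F7F47 OUTBOUND SPI = 928861FF INBOUND SPI = E08B270C)
"""

PEER_RE = re.compile(r"Initiating IKE Phase 1 \(IP ADDR=([\d.]+)\)")
MODE_RE = re.compile(r"SENDING>>>> ISAKMP OAK (AG|MM) ")  # AG = aggressive, MM = main
COOKIE_RE = re.compile(r"(MY|HIS) COOKIE ((?:[0-9a-f]{1,2} ?){8})")
SEL_RE = re.compile(r"(Initiator|Responder) = IP ADDR=([\d.]+)")
SPI_RE = re.compile(r"OUTBOUND SPI = ([0-9A-F]+) INBOUND SPI = ([0-9A-F]+)")


def summarize_ike(log: str) -> dict:
    """Reduce a Log Viewer dump to the facts worth checking after a dial-up test."""
    s: dict = {"peer": None, "phase1_mode": None, "phase1_established": False,
               "cookies": {}, "initiator": None, "responder": None,
               "spi_out": None, "spi_in": None}
    for line in log.splitlines():
        if m := PEER_RE.search(line):
            s["peer"] = m.group(1)
        elif (m := MODE_RE.search(line)) and s["phase1_mode"] is None:
            s["phase1_mode"] = m.group(1)  # the first exchange fixes the Phase 1 mode
        elif "Established IKE SA" in line:
            s["phase1_established"] = True
        elif m := COOKIE_RE.search(line):
            # normalise "2a 3 75 ..." to zero-padded hex so cookies compare cleanly
            s["cookies"][m.group(1)] = "".join(b.zfill(2) for b in m.group(2).split())
        elif m := SEL_RE.search(line):
            s[m.group(1).lower()] = m.group(2)
        elif m := SPI_RE.search(line):
            s["spi_out"], s["spi_in"] = m.group(1), m.group(2)
    s["phase2_loaded"] = s["spi_in"] is not None  # an IPSec SA was actually installed
    return s
```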