# Juniper SRX Policy-Based IPSec VPN
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone untrust
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Host1
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Host1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2
# Juniper SRX Route-Based IPSec VPN
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone VPN
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set interfaces st0 unit 0 family inet address 10.100.200.2/24
set routing-options static route 10.100.11.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2
Configuration for SRX
root# show | no-more
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago {
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
VPN Configuration for Cisco ASA
(Only VPN-related config included)
Interface Configuration:
------------------------------------------------------------------------------------------------------------------
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
!
Policy Configuration :
------------------------------------------------------------------------------------------------------------------
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
IPSEC/IKE Configuration :
------------------------------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 100.1.1.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
Verification of VPN connection
SRX:
root> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
778322 UP 8858011cc0881359 e5ecd6302f0306b0 Main 100.1.1.1
root> show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:des/md5 fb0a0946 28765/unlim - root 500 100.1.1.1
>131073 ESP:des/md5 11f6197b 28765/unlim - root 500 100.1.1.1
root> show security ipsec sa detail
ID: 131073 Virtual-system: root, VPN Name: ike-vpn-chicago
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
Version: IKEv1
DF-bit: clear
Policy Name:vpn-tr-untr
Direction: inbound, SPI: 22abf60, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 28571 seconds
Lifesize Remaining: 4607999 kilobytes
Soft lifetime: Expires in 27982 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: ccb96ffb, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 28571 seconds
Lifesize Remaining: 4607999 kilobytes
Soft lifetime: Expires in 27982 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
root> show security ipsec statistics | no-more
ESP Statistics:
Encrypted bytes: 1842192
Decrypted bytes: 1210704
Encrypted packets: 12144
Decrypted packets: 12144
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
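The SRX and ASA configurations in this post negotiate with IKEv1 using 3DES/SHA-1/DH group 2 for phase 1 and DES/HMAC-MD5 for phase 2, which the verification output confirms ("ESP:des/md5", "Version: IKEv1"). As an added check that is not part of the original post, the script below flattens a Junos brace-format configuration into the same paths `show | display set` prints, then flags proposal values that fall under an assumed legacy-algorithm baseline (the `LEGACY` table is my assumption, not the post's) and lists gateways with no `version v2-only` statement, i.e. gateways still on IKEv1. The sample is the ike/ipsec stanza of the SRX config above.

```python
import re

LEGACY = {  # algorithms this audit treats as legacy (assumed baseline, not from the post)
    "des-cbc": "56-bit DES encryption",
    "3des-cbc": "3DES encryption (64-bit block, Sweet32)",
    "hmac-md5-96": "HMAC-MD5 integrity",
    "sha1": "SHA-1 integrity",
    "group2": "DH group 2 (1024-bit MODP)",
}

# Constructed sample: the ike/ipsec stanza of the SRX configuration in this post.
SAMPLE = """security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
    }
}"""

def flatten_junos(text):
    """Flatten brace format into the paths 'show | display set' prints (minus 'set'); '##' notes dropped."""
    stack, paths = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()  # IndexError here means a stray closing brace
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        else:
            paths.append(" ".join(stack + [line.rstrip(";")]))
    if stack:
        raise ValueError("unclosed blocks: " + " / ".join(stack))
    return paths

def audit_crypto(paths):
    """(path, reason) for every IKE/IPsec statement whose value is a legacy algorithm."""
    return [(p, LEGACY[p.split()[-1]]) for p in paths
            if p.startswith(("security ike ", "security ipsec ")) and p.split()[-1] in LEGACY]

def ikev1_gateways(paths):
    """Gateways without 'version v2-only' negotiate IKEv1 (cf. 'Version: IKEv1' in the output above)."""
    joined = "\n".join(paths)
    gws = re.findall(r"^security ike gateway (\S+) ", joined, re.M)
    v2 = re.findall(r"^security ike gateway (\S+) version v2-only$", joined, re.M)
    return sorted(set(gws) - set(v2))
```

Feed it the output of `show configuration security` from a real box; on the sample it reports six legacy values (both group2 uses, sha1, 3des-cbc, hmac-md5-96, des-cbc) and one IKEv1 gateway.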
[SSL VPN] Configuration
AxGate# show running-config
aos v2.1-x86(2.5-r28000)
!
hostname AxGate
!
username change password duration 60
username axroot privilege 15 password 5 8.ktW$kkQKSeYoc1JbA0nWqfQhiLhGIYulzXSPkjZ86cLUZ96
!
clock timezone KST 9
!
config sync manual
config sync group ip service time target
config sync signature
config sync parameters
config sync aip
config sync arp-sniff
config sync policy userauth security nat
config sync admin network
config sync l2-tunnel
!
config full-sync exclude ha
config full-sync exclude hostname
config full-sync exclude full-sync
config full-sync exclude sync
config full-sync exclude vrrp
!
healthcheck threshold 600
!
security zone dmz
security zone ssl
security zone trust
security zone untrust
security zone any
!
logging
console kernel off
memory system severity informational
memory audit
memory session
memory application
memory ipsec
memory anti-ddos
memory ips
memory anti-spam
memory anti-virus
memory sslvpn
memory userauth
file option size 50 alert 7 purge 5
file system audit session application ipsec anti-ddos ips anti-spam anti-virus sslvpn userauth
!
statistics log at 01:00:00
!
report
option top count 10
language html korean
!
arp max-entries 8192
!
ip domain-lookup timeout 1 retry 1
!
ip dhcp server lease-check icmp svpn0
!
ip dhcp pool ssl
network 50.0.0.0 255.255.255.0
range 50.0.0.10 50.0.0.50
classless-routes 7.7.1.10/32 50.0.0.1
lease 1 0 0
!
ipv6 neighbor max-entries 1024
!
ip igmp max-memberships 20
!
interface lo
ip address 127.0.0.1/8
!
interface eth0-0
ip address 10.10.11.116/24
security-zone untrust
no shutdown
!
interface eth0-1
ip address 7.7.2.1/24
security-zone trust
no shutdown
!
interface eth0-2
shutdown
!
interface eth0-3
shutdown
!
interface eth0-4
shutdown
!
interface eth0-5
shutdown
!
interface eth0-6
shutdown
!
interface eth0-7
shutdown
!
interface eth0-8
shutdown
!
interface eth0-9
shutdown
!
interface bond0
bonding mode balance-rr
bonding link-check miimon 1
shutdown
!
interface svpn0
mtu 1426
sslvpn heartbeat interval 500 threshold 10
sslvpn proto tcp port 7900 queue 16384
sslvpn key 1q2w3e
sslvpn algorithm aes128 aes128
sslvpn source eth0-0
ip address 50.0.0.1/24
security-zone ssl
no shutdown
!
ip route 0.0.0.0/0 10.10.11.1
ip route 7.7.1.0/24 10.10.11.118
!
security parameters
no offloading
control-no3way-timeout
session-timeout generic 1800
session-timeout icmp 10
session-timeout tcp 3600
session-timeout udp 60
state-timeout tcp syn-sent 120
state-timeout tcp syn-recv 60
state-timeout tcp no3way-est 60
state-timeout tcp fin-wait 120
state-timeout tcp close-wait 60
state-timeout tcp last-ack 30
state-timeout tcp time-wait 120
state-timeout tcp reset 3
session-limit 4500002
logging firewall
logging ha session-synced
logging security-policy expired
logging nat-policy expired
logging ipsec
logging ips
logging anti-ddos
logging anti-spam
logging anti-virus
logging application
logging sslvpn
logging userauth
accounting firewall
accounting ips
accounting anti-ddos
accounting anti-spam
accounting anti-virus
accounting ipsec
accounting application
top-statistics update-time 10
top-statistics topn-count 10
qos priority queue length 10
qos priority queue restore-time 10000
qos priority queue host-lifetime 60
nat entry-limit 5000
reference update-time 600
use-abbreviated-shell
!
security signature timeout connection 10 transaction 60
security signature retry connection 3
security signature code 20
!
ddns
update-period 600
!
service group acmsoda
proto tcp sport any dport eq 6969
!
service group ats
proto tcp sport any dport eq 2201
!
service group avt-profile
proto tcp sport any dport eq 5004
!
service group bgp
proto tcp sport any dport eq 179
!
service group blp2
proto tcp sport any dport eq 8195
!
service group bootpc
proto udp sport any dport eq 68
!
service group bootps
proto udp sport any dport eq 67
!
service group dcube(default)
proto esp
proto udp sport any dport eq 7900
!
service group dhcpv6-server
proto tcp sport any dport eq 547
!
service group dns
proto tcp sport any dport eq 53
proto udp sport any dport eq 53
!
service group fodms
proto udp sport any dport eq 7200
!
service group ftp
proto tcp sport any dport eq 21
!
service group ftps
proto tcp sport any dport eq 990
!
service group h263-video
proto tcp sport any dport eq 2979
!
service group h323gatedisc
proto tcp sport any dport eq 1718
!
service group h323gatestat
proto tcp sport any dport eq 1719
!
service group h323hostcall
proto tcp sport any dport eq 1720
!
service group h323hostcallsc
proto tcp sport any dport eq 1300
!
service group hostmon
proto udp sport any dport eq 5355
!
service group hpvipgrp
proto tcp sport any dport eq 5223
!
service group http
proto tcp sport any dport eq 80
!
service group https
proto tcp sport any dport eq 443
!
service group ike
proto udp sport any dport eq 500
!
service group imap
proto tcp sport any dport eq 143
proto tcp sport any dport eq 993
!
service group imaps
proto tcp sport any dport eq 993
!
service group kerberos
proto tcp sport any dport eq 88
!
service group kerberos_v5
proto tcp sport any dport eq 464
!
service group l2tp
proto udp sport any dport eq 1701
!
service group ldap
proto tcp sport any dport eq 389
!
service group ldaps
proto tcp sport any dport eq 636
!
service group mdns
proto udp sport any dport eq 5353
!
service group mevent
proto tcp sport any dport eq 7900
!
service group microsoft-ds
proto tcp sport any dport eq 445
!
service group mindprintf
proto tcp sport any dport eq 8033
!
service group mms
proto tcp sport any dport eq 1755
proto udp sport any dport eq 1755
!
service group ms-sql
proto udp sport any dport eq 1434
proto tcp sport any dport eq 1433
!
service group ms-sql-m
proto udp sport any dport eq 1434
!
service group ms-sql-s
proto tcp sport any dport eq 1433
!
service group mysql
proto tcp sport any dport eq 3306
!
service group netbios
proto udp sport any dport multi 137 138 139
!
service group netbios-dgm
proto udp sport any dport eq 138
!
service group netbios-ns
proto udp sport any dport eq 137
!
service group netbios-ssn
proto udp sport any dport eq 139
!
service group ntp
proto udp sport any dport eq 123
!
service group oracle
proto tcp sport any dport eq 1521
!
service group oracle-em2
proto tcp sport any dport eq 1754
!
service group oracle-vp1
proto tcp sport any dport eq 1809
!
service group oracle-vp2
proto tcp sport any dport eq 1808
!
service group pharos
proto tcp sport any dport eq 4443
!
service group pop3
proto tcp sport any dport eq 110
proto tcp sport any dport eq 995
!
service group pptp
proto udp sport any dport eq 1723
!
service group proshare-mc-2
proto tcp sport any dport eq 1674
!
service group radius-account
proto tcp sport any dport eq 1813
!
service group radius-auth
proto tcp sport any dport eq 1812
!
service group regacy_radius
proto tcp sport any dport multi 1645 1646
!
service group rsync
proto tcp sport any dport eq 873
!
service group rtsp
proto tcp sport any dport eq 554
!
service group sabams
proto tcp sport any dport eq 2760
!
service group sftp
proto tcp sport any dport eq 115
!
service group smtp
proto tcp sport any dport eq 25
!
service group smtps
proto tcp sport any dport eq 465
!
service group snapp
proto tcp sport any dport eq 2333
!
service group snmp
proto udp sport any dport eq 161
!
service group snmptrap
proto udp sport any dport eq 162
!
service group ssdp
proto udp sport any dport eq 1900
!
service group ssh
proto tcp sport any dport eq 22
!
service group stun
proto udp sport any dport eq 3478
!
service group syslog
proto udp sport any dport eq 514
!
service group tcslap
proto tcp sport any dport eq 2869
!
service group telnet
proto tcp sport any dport eq 23
!
service group teradataordbms
proto tcp sport any dport eq 8002
!
service group teredo
proto udp sport any dport eq 3544
!
service group tftp-mcast
proto tcp sport any dport eq 1758
!
service group unicall
proto tcp sport any dport eq 4343
!
service group vcom-tunnel
proto tcp sport any dport eq 8001
!
service group webcache
proto tcp sport any dport eq 8080
!
service group www
proto tcp sport any dport eq 80
proto tcp sport any dport eq 443
!
service group www-ldap-gw
proto tcp sport any dport eq 1760
!
service group x11-ssh-offset
proto tcp sport any dport eq 6010
!
service group xmpp-client
proto tcp sport any dport eq 5222
!
password policy admin
length 9 16
character-count upper 1 lower 1 digit 1 special 1
impossible sequential-count asc 3 same 3 qwerty-right 3
impossible contain-word id password 6
!
password policy user
length 9 16
character-count english 1 digit 1 special 1
!
userauth http port 10444 secure-port 10443
userauth http-install port 4443
userauth factor ip
userauth expire-timeout 24 expire-update delete-timeout 65535 connection-timeout 1
userauth max-connections 1000
userauth server priority local
userauth username mskang password 5 bJoq0$vdlEf8FVv1CqhdC3eFev.L0z0f/dAVUgCrhy3tyrFG7
userauth username test01 password 5 bJo35$EflVN/ufphqDzV8ZS498mrMv93yI9GSE2Vy6AjBJTd5
userauth username test02 password 5 4DmRC$d9M.Cb93m.JZWBFX6mcfuB9wEMJAbFCZiY/w0TzcD8C
userauth group special
userauth group special username mskang
userauth group special username test01
userauth group special username test02
!
application http option url-cache 10000
!
ip userauth policy from ssl to trust 1
source any
destination any
action authenticate
enable
!
ip userauth policy from ssl to untrust 1
source any
destination any
action authenticate
enable
!
security policy index 3
!
ip security policy from ssl to trust 10 id 1
source any
destination any
action pass log
enable
!
ip security policy from ssl to untrust 10 id 3
source any
destination any
tcp-mss 1300
action pass log
enable
!
vrrp vmac disable
!
line vty
exec-timeout 10 0
telnet port 2333
ssh port 2222
http secure-port 4433
login server request-condition auth-fail
login server priority local
login server privilege default monitor
!
end
AxGate#
# Setting up a Policy-Based VPN Tunnel
1. Bind interfaces to zones and assign them IP addresses:
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
2. Set the addresses for the end entities beyond the two ends of the VPN tunnel:
set address trust host1 10.1.1.5/32
set address untrust host2 10.2.2.5/32
3. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the default proposals, you do not need to define Phase 1 and Phase 2 proposals.
4. Define the remote gateway:
set ike gateway gw1 address 2.2.2.2 main outgoing-interface ethernet3 preshare netscreen proposal pre-g2-3des-sha
5. Define the VPN tunnel as AutoKey IKE:
set vpn vpn1 gateway gw1 proposal g2-esp-des-md5
6. Set a default route (both the Trust and Untrust zones are in the trust-vr routing domain):
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
7. Set outbound and inbound policies:
set policy from trust to untrust host1 host2 any tunnel vpn vpn1
set policy from untrust to trust host2 host1 any tunnel vpn vpn1
The procedure for setting up a VPN tunnel for a dialup user with IKE also consists of up to seven steps.
1. Bind interfaces to zones and assign them IP addresses.
2. Define the protected address that you want the dialup user to be able to access through the tunnel. (See the set address command.)
3. Define the user as an IKE user. (See the set user command.)
4. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (Note: If you use the default proposals, you do not need to define a Phase 1 or Phase 2 proposal.)
5. Define the VPN tunnel as AutoKey IKE. (See the set vpn command.)
6. Set a default route (both the Trust and Untrust zones are in the trust-vr routing domain).
7. Define an incoming policy, with Dial-Up VPN as the source address and the VPN tunnel you configured in step 5.
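Step 7 of the site-to-site procedure installs an outbound and an inbound tunnel policy as a pair, and the SRX policy-based configuration near the top of this page does the same with VPN-OUT and VPN-IN; if one side of the pair is missing, return traffic is simply not tunnelled. The following is an added example, not code from the ScreenOS manual or the blog: it parses ScreenOS `set policy` lines and Junos `set security policies` lines into one tuple shape and reports tunnel policies that have no mirror. The third ScreenOS policy (host3/host4, vpn2) is a constructed one-sided case so the check has something to report.

```python
import re

# Constructed sample 1: the two tunnel policies from step 7 above, plus a hypothetical
# third policy (vpn2) with no mirror.
SCREENOS = """
set policy from trust to untrust host1 host2 any tunnel vpn vpn1
set policy from untrust to trust host2 host1 any tunnel vpn vpn1
set policy from trust to untrust host3 host4 any tunnel vpn vpn2
"""

# Constructed sample 2: the VPN-OUT / VPN-IN pair from the SRX policy-based config on this page.
JUNOS = """
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Host1
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Host1
"""

SCREENOS_RE = re.compile(r"^set policy from (\S+) to (\S+) (\S+) (\S+) (\S+) tunnel vpn (\S+)$")
JUNOS_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")

# Both parsers return the same tuple: (from_zone, to_zone, src, dst, service, vpn)

def parse_screenos(text):
    """One ScreenOS tunnel policy per 'set policy ... tunnel vpn' line."""
    return [m.groups() for line in text.splitlines()
            for m in [SCREENOS_RE.match(line.strip())] if m]

def parse_junos(text):
    """Junos spreads one policy over several 'set' lines; regroup them by
    (from-zone, to-zone, name) and keep only those whose action is 'permit tunnel ipsec-vpn'."""
    pols = {}
    for line in text.splitlines():
        m = JUNOS_RE.match(line.strip())
        if not m:
            continue
        d = pols.setdefault(m.group(1, 2, 3), {})
        w = m.group(4).split()
        if w[:2] == ["match", "source-address"]:
            d["src"] = w[2]
        elif w[:2] == ["match", "destination-address"]:
            d["dst"] = w[2]
        elif w[:2] == ["match", "application"]:
            d["app"] = w[2]
        elif w[:4] == ["then", "permit", "tunnel", "ipsec-vpn"]:
            d["vpn"] = w[4]
    return [(f, t, d["src"], d["dst"], d["app"], d["vpn"])
            for (f, t, _), d in pols.items()
            if all(k in d for k in ("src", "dst", "app", "vpn"))]

def unpaired(policies):
    """A policy-based tunnel needs a mirror policy (zones and addresses swapped, same service
    and VPN); return the policies that lack one."""
    have = set(policies)
    return [p for p in policies if (p[1], p[0], p[3], p[2], p[4], p[5]) not in have]
```

Non-tunnel policies such as the SRX default-permit rule are ignored because they never receive a `then permit tunnel ipsec-vpn` line.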
This is the Juniper FW/VPN operator training manual.