SRX and SSG Aggressive-Mode IPsec VPN Configuration

Time: 2022-11-22 19:53:40 Author: 壹号 Word count: 6339 characters

The devices are an SSG5 and an SRX100; the SSG5 commands serve as the reference for the corresponding SRX commands.

The SSG5 acts as the hub and the SRX100 as the branch. Because the branch may not be able to connect from a fixed IP address, a route-based IPsec VPN in aggressive mode is set up, and the branch device is authenticated by its local-id.

On the SSG5, ports 0/0 and 0/1 are both assigned to the external (untrust) group as redundant uplinks.

On the SRX100, ports 0/0 and 0/1 are likewise both assigned to the external (untrust) group as redundant uplinks.

SSG5 configuration:

Configure the device admin username and password and the HTTP management port:
set admin name
set admin password admin
set admin port 8080

Set bgroup0 (the internal interface) as trusted: set interface

Set bgroup3 (the external interface) as untrusted: set interface

Set the virtual tunnel interface tunnel9 as trusted: set interface

Assign physical ports 0/0 and 0/1 to the bgroup3 group:
set interface bgroup3 port ethernet0/0
set interface bgroup3 port ethernet0/1

Assign physical ports 0/2 through 0/6 to the bgroup0 group:
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6

Configure the internal and external interface IP addresses, the default gateway, and NAT:
set interface bgroup0 ip 10.0.0.1/24
set interface bgroup0 nat
set interface bgroup3 ip 1.1.1.2/24
set interface bgroup3 route
set interface bgroup3 gateway 1.1.1.1

Configure the virtual interface tunnel9 to use the same address as the internal interface (unnumbered):
set interface tunnel.9 ip unnumbered interface bgroup0

Enable DNS forwarding (DNS proxy) on the internal interface:
set interface bgroup0 proxy dns
set dns proxy
set dns proxy enable

Make the internal and external interfaces manageable:
set interface bgroup0 ip manageable
set interface bgroup3 ip manageable
set interface bgroup3 manage ping
set interface bgroup3 manage telnet
set interface bgroup3 manage web

Enable DHCP on the internal interface:
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 10.0.0.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option center
set interface bgroup0 dhcp server option dns1 10.0.0.1
set interface bgroup0 dhcp server ip 10.0.0.21 to 10.0.0.181
unset interface bgroup0 dhcp server config next-server-ip

Configure the hostname:
set hostname 10

Configure DNS:
set dns host dns1 219.141.136.10
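As an added example (not part of the original post), here is a small Python checker for the SSG5 interface, management and DHCP commands above. It parses the plain-text "set interface" lines and flags what a reviewer would look for: a DHCP pool outside the bgroup0 subnet or covering its gateway, a tunnel interface unnumbered on an interface that has no address, and cleartext management services (telnet, web) enabled on the untrust group bgroup3. The command text is a constructed excerpt of this page's configuration, and the function name audit_screenos is an assumption.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the SSG5 'set' commands from this page.
SSG_CONFIG = """
set interface bgroup0 ip 10.0.0.1/24
set interface bgroup3 ip 1.1.1.2/24
set interface tunnel.9 ip unnumbered interface bgroup0
set interface bgroup3 manage ping
set interface bgroup3 manage telnet
set interface bgroup3 manage web
set interface bgroup0 dhcp server option gateway 10.0.0.1
set interface bgroup0 dhcp server ip 10.0.0.21 to 10.0.0.181
"""


def audit_screenos(text, untrust_ifaces=("bgroup3",)):
    """Parse ScreenOS 'set interface' lines and return a list of finding strings."""
    findings = []
    # Interface name -> configured address (only lines with an explicit CIDR).
    addr = {m.group(1): ipaddress.ip_interface(m.group(2)) for m in
            re.finditer(r"^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)", text, re.M)}

    # 1. A DHCP pool must sit inside the interface subnet and must not cover the gateway.
    for m in re.finditer(r"^set interface (\S+) dhcp server ip (\S+) to (\S+)", text, re.M):
        iface, lo, hi = m.groups()
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if iface not in addr:
            findings.append(f"{iface}: DHCP pool configured but interface has no IP")
            continue
        net = addr[iface].network
        if lo_a not in net or hi_a not in net:
            findings.append(f"{iface}: DHCP pool {lo}-{hi} lies outside {net}")
        gw = re.search(rf"^set interface {re.escape(iface)} dhcp server option gateway (\S+)", text, re.M)
        if gw and lo_a <= ipaddress.ip_address(gw.group(1)) <= hi_a:
            findings.append(f"{iface}: DHCP pool overlaps gateway {gw.group(1)}")

    # 2. An unnumbered tunnel must borrow from an interface that actually has an address.
    for m in re.finditer(r"^set interface (\S+) ip unnumbered interface (\S+)", text, re.M):
        tun, src = m.groups()
        if src not in addr:
            findings.append(f"{tun}: unnumbered on {src}, which has no IP address")

    # 3. Cleartext management (telnet, HTTP web UI) exposed on an untrust interface.
    for m in re.finditer(r"^set interface (\S+) manage (\S+)", text, re.M):
        iface, svc = m.groups()
        if iface in untrust_ifaces and svc in ("telnet", "web"):
            findings.append(f"{iface}: cleartext management service '{svc}' enabled on untrust interface")
    return findings


if __name__ == "__main__":
    for line in audit_screenos(SSG_CONFIG):
        print(line)
```

On the page's own commands the only findings are the two cleartext management services on bgroup3; the pool and tunnel checks pass.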

First configure phase 1: set the local identity name to "2SRX", restrict the branch that may connect to the name 2center, and

…… 2208 characters hidden here ……

set security policies from-zone trust to-zone trust policy t-t match source-address any destination-address any application any

set security policies from-zone trust to-zone trust policy t-t then permit

Configure a security policy allowing the trust zone to reach the untrust zone:

set security policies from-zone trust to-zone untrust policy t-u match source-address any destination-address any application any

set security policies from-zone trust to-zone untrust policy t-u then permit

Create the virtual interface st0.9 and place it in the trust zone:
set interfaces st0 unit 9 family inet

set security zones security-zone trust interfaces st0.9