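## Last changed: 2011-09-20 05:10:28 UTC
version 10.4R6.5;
# srx1: hub SRX terminating two route-based IPsec tunnels (srx2, linux) on st0.0.
# Change from the original: the plaintext "telnet" management service is removed;
# ssh remains the only remote management service. Everything else is unchanged,
# with review notes added as comments.
system {
    host-name srx1;
    root-authentication {
        # "$1$" prefix is MD5-crypt. Newer Junos releases can store new passwords
        # with a stronger hash (system login password format) -- confirm for this platform.
        encrypted-password "$1$p24Y23Yh/l$9Usadfsdvn8KzeryU6lTauRxlENGx."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        # telnet removed: it carries credentials in cleartext. ssh is reachable from
        # the trust zone only (see host-inbound-traffic below); untrust admits only ike/ping.
        ssh;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            # Only "error" severity is kept, so successful configuration changes are
            # not audited here -- consider a lower threshold if command history is needed.
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        # Untrust / IKE external interface (see security ike gateway external-interface).
        unit 0 {
            family inet {
                address 10.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        # Trust / local LAN; matches address-book entry vpn-local.
        unit 0 {
            family inet {
                address 172.16.100.1/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0;
    }
    fe-0/0/3 {
        unit 0;
    }
    fe-0/0/4 {
        unit 0;
    }
    fe-0/0/5 {
        unit 0;
    }
    fe-0/0/6 {
        unit 0;
    }
    fe-0/0/7 {
        unit 0;
    }
    st0 {
        unit 0 {
            # Multipoint tunnel interface shared by both VPNs; each remote
            # tunnel address is pinned to its ipsec-vpn name.
            multipoint;
            family inet {
                mtu 1490;
                next-hop-tunnel 10.11.11.2 ipsec-vpn vpn-srx2;
                next-hop-tunnel 10.11.11.3 ipsec-vpn vpn-linux;
                address 10.11.11.1/24;
            }
        }
    }
}
routing-options {
    static {
        # Peer public addresses (10.2.2.0/24, 10.3.3.0/24) go via the untrust next hop;
        # remote protected networks go through the tunnel next hops on st0.0.
        route 10.2.2.0/24 next-hop 10.1.1.1;
        route 172.16.200.0/24 next-hop 10.11.11.2;
        route 10.3.3.0/24 next-hop 10.1.1.1;
        route 192.168.200.0/24 next-hop 10.11.11.3;
    }
}
protocols {
    stp;
}
security {
    ike {
        proposal prop-basic {
            # Weak by current standards: 1024-bit MODP (group2), MD5 integrity and 3DES.
            # Both gateways share this proposal, so any upgrade must be coordinated
            # with the srx2 and linux peers at the same time.
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy pol-basic {
            mode main;
            proposals prop-basic;
            # "$9$" is Junos reversible obfuscation, not a hash: anyone with read access
            # to this file can recover the PSK. One PSK is shared by both peers.
            pre-shared-key ascii-text "$9$iqPQ/CuEclFnclKMN-HqmfFn9ApBRh"; ## SECRET-DATA
        }
        gateway srx2 {
            ike-policy pol-basic;
            address 10.2.2.2;
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0.0;
        }
        gateway linux {
            ike-policy pol-basic;
            address 10.3.3.2;
            # No dead-peer-detection here, unlike gateway srx2 -- a dead linux peer
            # will not be noticed until the SA lifetime expires. Confirm this is intended.
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal prop-basic {
            # Same remark as the IKE proposal: HMAC-MD5-96 and 3DES are legacy choices.
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy pol-basic {
            proposals prop-basic;
        }
        vpn vpn-srx2 {
            bind-interface st0.0;
            ike {
                gateway srx2;
                ipsec-policy pol-basic;
            }
            establish-tunnels immediately;
        }
        vpn vpn-linux {
            bind-interface st0.0;
            ike {
                gateway linux;
                # Explicit proxy-identity is given only for the linux peer;
                # vpn-srx2 relies on the defaults. Presumably the linux side is
                # policy-based and needs exact selectors -- verify against that peer.
                proxy-identity {
                    local 172.16.100.0/24;
                    remote 192.168.200.0/24;
                }
                ipsec-policy pol-basic;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            # Only what the tunnels need is exposed on the outside.
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address vpn-local 172.16.100.0/24;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            # "all" opens every management service to the LAN;
                            # narrowing this to ssh (plus ping/dhcp as required) limits
                            # what a compromised inside host can reach.
                            all;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            address-book {
                address vpn-remote 172.16.200.0/24;
                address linux-remote 192.168.200.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy local-permit-to-untrust {
                # Unrestricted outbound, no session logging -- fine for a lab,
                # but there is nothing here to feed detection.
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy local-to-vpn {
                match {
                    source-address vpn-local;
                    destination-address [ vpn-remote linux-remote ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-to-local {
                match {
                    source-address [ vpn-remote linux-remote ];
                    destination-address vpn-local;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy vpn-allow-all {
                # st0.0 is the only interface in zone vpn, so this permits the two
                # spoke networks to reach each other through this hub. Confirm that
                # spoke-to-spoke transit is intended; otherwise restrict or drop it.
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}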