## Last changed: 2011-09-20 06:28:39 UTC
## Junos 10.4 SRX configuration for "srx2": a route-based (st0.0) IPsec site-to-site
## tunnel to peer "srx1" at 10.1.1.2, with zone policies between the local trust
## subnet and the two remote subnets behind the tunnel.
version 10.4R6.5;
system {
    host-name srx2;
    no-redirects;
    root-authentication {
        ## NOTE(review): "$1$" is an MD5-crypt hash. This dump has been shared with
        ## the hash in it, so treat the root credential as exposed and rotate it.
        encrypted-password "$1$p24YsdYh/l$9Usdvn8KzysdU6lTauRxlENGx."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        ssh;
        ## NOTE(review): telnet sends credentials in cleartext. It is reachable on
        ## any zone interface whose host-inbound-traffic admits it (here: trust, via
        ## "all"). ssh is already enabled, so telnet could be removed once no
        ## operator depends on it.
        telnet;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        ## Only error-level interactive-command events are kept; commit/command
        ## auditing would need "interactive-commands info" (or any) here.
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ## ge-0/0/0: untrust side, IKE/ESP external interface (see security ike gateway).
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.2.2.2/24;
            }
        }
    }
    ## ge-0/0/1: trust side, default gateway for the 172.16.200.0/24 clients.
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.200.1/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0;
    }
    fe-0/0/3 {
        unit 0;
    }
    fe-0/0/4 {
        unit 0;
    }
    fe-0/0/5 {
        unit 0;
    }
    fe-0/0/6 {
        unit 0;
    }
    fe-0/0/7 {
        unit 0;
    }
    ## st0.0: secure tunnel interface bound to vpn p2p-srx1; the reduced MTU
    ## leaves room for the ESP/tunnel overhead on the outer 1500-byte path.
    st0 {
        unit 0 {
            family inet {
                mtu 1490;
                address 10.11.11.2/24;
            }
        }
    }
}
routing-options {
    static {
        ## Reach the IKE peer's network via the untrust next-hop; remote client
        ## subnets are routed into the tunnel (next-hop is the far end of st0).
        route 10.1.1.0/24 next-hop 10.2.2.1;
        route 172.16.100.0/24 next-hop 10.11.11.1;
        route 192.168.200.0/24 next-hop 10.11.11.1;
    }
}
protocols {
    stp;
}
security {
    ike {
        ## NOTE(review): md5, 3des-cbc and dh-group2 (1024-bit MODP) are legacy
        ## algorithms by current guidance. They must match the proposal on srx1,
        ## so any upgrade (e.g. sha-256 / aes-256-cbc / group14) has to be made
        ## on both peers together.
        proposal prop-basic {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy pol-basic {
            mode main;
            proposals prop-basic;
            ## NOTE(review): the "$9$" form is Junos reversible obfuscation, not a
            ## hash. Anyone holding this file can recover the pre-shared key, so
            ## rotate it on both peers after sharing the config.
            pre-shared-key ascii-text "$9$RGQcrvxNboJDWLJDikTQEcylWL7-VY4a"; ## SECRET-DATA
        }
        gateway srx1 {
            ike-policy pol-basic;
            address 10.1.1.2;
            ## Peer declared dead after 5 missed probes at 10 s intervals.
            dead-peer-detection {
                interval 10;
                threshold 5;
            }
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        ## NOTE(review): same legacy-algorithm caveat as the IKE proposal above
        ## (hmac-md5-96 / 3des-cbc); change together with the peer.
        proposal prop-basic {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy pol-basic {
            proposals prop-basic;
        }
        vpn p2p-srx1 {
            bind-interface st0.0;
            ike {
                gateway srx1;
                ipsec-policy pol-basic;
            }
            ## Tunnel is brought up at commit rather than on first matching traffic.
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    ## ike is required here for the tunnel to negotiate. ssh on the
                    ## untrust interface exposes management to the outside path;
                    ## confirm this is intended and, if kept, pair it with a
                    ## source-restricted firewall filter on ge-0/0/0.0 (not shown here).
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ike;
                            ssh;
                        }
                    }
                }
            }
        }
        ## vpn zone: no host-inbound-traffic is configured, so the device itself
        ## accepts no management or ICMP from the tunnel; only transit traffic
        ## governed by the policies below.
        security-zone vpn {
            address-book {
                address clients_100 172.16.100.0/24;
                address linux_remote 192.168.200.0/24;
            }
            interfaces {
                st0.0;
            }
        }
        security-zone trust {
            address-book {
                address clients_200 172.16.200.0/24;
            }
            interfaces {
                ge-0/0/1.0 {
                    ## NOTE(review): "all" admits every system service from the
                    ## trust LAN, including telnet (enabled above). Listing only the
                    ## services actually used (e.g. ping, ssh, dhcp) narrows the
                    ## management surface exposed to inside hosts.
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        ## Outbound: trust clients may initiate anything toward both remote subnets.
        from-zone trust to-zone vpn {
            policy vpn-permit {
                match {
                    source-address clients_200;
                    destination-address [ clients_100 linux_remote ];
                    ## "application any" permits every protocol/port; return traffic
                    ## for permitted sessions is handled by the stateful flow table,
                    ## so this is broad by choice rather than necessity.
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## Inbound: only clients_100 may initiate toward the trust LAN. linux_remote
        ## is intentionally absent here — it can answer sessions started from trust
        ## but cannot open new ones (presumably deliberate; confirm with the owner).
        from-zone vpn to-zone trust {
            policy vpn-permit-in {
                match {
                    source-address clients_100;
                    destination-address clients_200;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}