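/* Branch SRX: one LAN, two WAN uplinks, full-tunnel route-based VPNs over each
   uplink (st0.1 primary, st0.0 backup). Changes from the original: telnet and
   plain-http management removed, root SSH login denied, SSHv2 only. Everything
   else is annotated rather than changed because it affects peers or operators. */
version 10.4R4.5;
system {
    host-name **********;
    domain-name ********;
    ports {
        console log-out-on-disconnect;
    }
    /* "$1$" is MD5-crypt. Re-enter this password with plain-text-password so the
       device stores it with the strongest hash this release offers. */
    root-authentication {
        encrypted-password "$1$SX2L.tyD$/9NeTVZCs3HErxPQcwzsW."; ## SECRET-DATA
    }
    name-server {
        202.79.32.4;
    }
    login {
        message "This is My Branch";
        /* Per-session brute-force limit; it does not slow down repeated sessions. */
        retry-options {
            tries-before-disconnect 3;
            maximum-time 30;
        }
        /* Only named administrator; same MD5-crypt note as root-authentication. */
        user manisha {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$MJpU6BiQ$wVW5jhlWT16P9I9ksp6bL/"; ## SECRET-DATA
            }
        }
    }
    services {
        /* Root login over SSH was allowed; administration goes through the
           named super-user account instead, and only SSHv2 is accepted. */
        ssh {
            root-login deny;
            protocol-version v2;
        }
        /* telnet removed: it carried credentials in cleartext and was reachable
           from the WAN1 zone. SSH covers the same need. */
        web-management {
            /* plain http removed; only the TLS listener remains. */
            https {
                system-generated-certificate;
                /* J-Web listens on both WAN interfaces as well as the LAN.
                   Restrict to fe-0/0/1.0, or to known admin sources, unless
                   remote management from the internet is actually required. */
                interface [ fe-0/0/3.0 fe-0/0/1.0 fe-0/0/2.0 ];
            }
            /* Maximum J-Web debug verbosity; lower it outside troubleshooting. */
            limits {
                debug-level 9;
            }
            session {
                idle-timeout 10;
                session-limit 3;
            }
        }
    }
    syslog {
        /* Local archives only (3 x 100k) and no remote syslog host, so log
           evidence is lost on rollover or if the device is compromised. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        /* Only failed commands are recorded; "interactive-commands any" would
           give a full CLI audit trail. */
        file interactive-commands {
            interactive-commands error;
        }
        file traffic-log {
            user any;
            /* world-readable lets any local account read the traffic log. */
            archive world-readable;
            explicit-priority;
            structured-data {
                brief;
            }
        }
    }
    max-configurations-on-flash 10;
    max-configuration-rollbacks 10;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/1 {
        unit 0 {
            description ***LAN***;
            family inet {
                address 10.10.8.1/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description ***WAN2***;
            family inet {
                address ***.***.***.138/24;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            description ****WAN1*****;
            family inet {
                address 192.168.83.37/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    st0 {
        /* NOTE(review): description says WAN2, but vpn-vpn binds st0.0 to
           gateway MGN-GATEWAY, whose external-interface is fe-0/0/3 (WAN1).
           The two st0 descriptions look swapped; confirm before relying on them. */
        unit 0 {
            description ****Route-based-vpn-WAN2****;
            family inet {
                address 10.255.254.80/24;
            }
        }
        /* NOTE(review): vpn-vpn-Wlink binds st0.1 to MGN-GATEWAY-Wlink over
           fe-0/0/2 (WAN2); see the note on unit 0. */
        unit 1 {
            description ****Route-based-VPN-WAN1****;
            family inet {
                address 10.255.253.80/24;
            }
        }
    }
}
routing-options {
    static {
        /* Full-tunnel default: st0.1 (preference 5) first, st0.0 as backup.
           Failover depends on st0.1 going down; vpn-monitor on vpn-vpn is
           inactive, so confirm that DPD alone achieves that. */
        route 0.0.0.0/0 {
            next-hop st0.1;
            qualified-next-hop st0.0 {
                preference 10;
            }
        }
        /* Transport routes to the two IKE peers. */
        route ***.***.***.128/26 next-hop ***.***.***.129;
        route 192.168.83.32/30 next-hop 192.168.83.38;
    }
}
security {
    ike {
        /* 3DES, SHA-1 and DH group 5 are legacy by current standards. Move to
           AES (e.g. aes-256-cbc), a SHA-2 integrity algorithm and a larger DH
           group once the peer at 192.168.83.33 supports them; changing only
           this side breaks the tunnel. */
        proposal MGN-PROPOSAL-PH-I {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* "$9$" is reversible obfuscation, not a hash: anyone holding this file
           holds the PSK. Treat the file as a secret and rotate the key if the
           file has been shared. */
        policy MGN-POLICY {
            mode main;
            proposals MGN-PROPOSAL-PH-I;
            pre-shared-key ascii-text "$9$dJV24HqmPQFq.IEcyKvJGUHP5z369tuPf"; ## SECRET-DATA
        }
        /* proposal-set compatible negotiates weak legacy ciphers; prefer an
           explicit proposal as MGN-POLICY does. Same PSK note as above. */
        policy MGN-POLICY-Wlink {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$gcoUjk.PQ36q.1RcyKvUjiH5QtuOBRh6/"; ## SECRET-DATA
        }
        /* Peer on the private WAN1 link, reached via fe-0/0/3. */
        gateway MGN-GATEWAY {
            ike-policy MGN-POLICY;
            address 192.168.83.33;
            dead-peer-detection {
                interval 10;
                threshold 1;
            }
            nat-keepalive 10;
            external-interface fe-0/0/3;
        }
        /* Peer on the public WAN2 link, reached via fe-0/0/2. */
        gateway MGN-GATEWAY-Wlink {
            ike-policy MGN-POLICY-Wlink;
            address ***.***.***.150;
            dead-peer-detection {
                interval 10;
                threshold 1;
            }
            nat-keepalive 10;
            external-interface fe-0/0/2;
        }
    }
    ipsec {
        /* Same legacy-algorithm caveat as MGN-PROPOSAL-PH-I. */
        proposal MGN-PROPOSAL-PH-II {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy MGN-POLICY-PH-II {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals MGN-PROPOSAL-PH-II;
        }
        policy MGN-POLICY-Wlink {
            perfect-forward-secrecy {
                keys group5;
            }
            proposal-set compatible;
        }
        /* Backup tunnel (st0.0). No establish-tunnels immediately here, so it
           presumably comes up on demand; vpn-monitor is inactive. */
        vpn vpn-vpn {
            bind-interface st0.0;
            inactive: vpn-monitor {
                optimized;
                source-interface fe-0/0/3;
                destination-ip 0.0.0.0;
            }
            ike {
                gateway MGN-GATEWAY;
                /* remote 0.0.0.0/0: all LAN traffic is sent through the tunnel. */
                proxy-identity {
                    local 10.10.8.0/24;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy MGN-POLICY-PH-II;
            }
        }
        /* Primary tunnel (st0.1), kept up permanently. */
        vpn vpn-vpn-Wlink {
            bind-interface st0.1;
            ike {
                gateway MGN-GATEWAY-Wlink;
                proxy-identity {
                    local 10.10.8.0/24;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy MGN-POLICY-Wlink;
            }
            establish-tunnels immediately;
        }
    }
    /* Source NAT is deactivated; presumably intentional because LAN traffic
       leaves through the tunnels rather than directly via WAN1. Confirm. */
    nat {
        inactive: source {
            rule-set NAT {
                from zone LAN1;
                to zone WAN1;
                rule R1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    /* Flood and malformed-packet screen for the internet-facing zone. It does
       not limit login attempts against the services opened below. */
    screen {
        ids-option WAN1-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone LAN1 {
            address-book {
                address local-address 10.10.8.0/24;
            }
            interfaces {
                fe-0/0/1.0 {
                    /* Every management service is reachable from the LAN. */
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        /* Both uplinks sit in one zone. ssh, https and ping are open to any
           source on the internet; telnet was removed. Restrict ssh/https to
           known admin sources if remote management must stay enabled. */
        security-zone WAN1 {
            screen WAN1-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    ping;
                    https;
                }
            }
            interfaces {
                fe-0/0/3.0;
                fe-0/0/2.0;
            }
        }
        security-zone vpn {
            address-book {
                address remote-address 0.0.0.0/0;
            }
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
    /* No WAN1-to-LAN1 policy exists, so unsolicited inbound is dropped by the
       default policy (unless default-policy has been changed elsewhere).
       None of the permit rules log; "log { session-close; }" would give
       per-session evidence. */
    policies {
        from-zone LAN1 to-zone WAN1 {
            policy LAN1-to-WAN1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN1 to-zone vpn {
            policy LAN1-vpn {
                match {
                    source-address local-address;
                    destination-address remote-address;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Anything arriving through either tunnel may reach the whole LAN on
           any application; tighten if the hub side does not filter. */
        from-zone vpn to-zone LAN1 {
            policy vpn-LAN1 {
                match {
                    source-address remote-address;
                    destination-address local-address;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        /* Clamp MSS so tunnelled TCP avoids fragmentation after ESP overhead. */
        tcp-mss {
            all-tcp {
                mss 1350;
            }
        }
    }
}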