juniper@BR-SRX210> show configuration |no-more
## Last commit: 2013-12-02 20:20:44 UTC by juniper
##
## Spoke-side SRX210: fe-0/0/3.0 is the internal LAN (192.168.2.1/24),
## fe-0/0/7.0 is the ADSL/untrust uplink (10.10.9.44/29), and st0.0 is the
## IPsec tunnel interface (192.168.1.2/24) to the hub IKE gateway at
## 10.10.10.230, with OSPF p2mp to neighbor 192.168.1.1 across it.
## Reformatted one statement per line; tokens are unchanged from the dump.
version 12.1X45.5;
system {
    host-name BR-SRX210;
    root-authentication {
        ## NOTE(review): "$1$" is an MD5-crypt hash, and it is printed in this
        ## dump -- treat it as disclosed and rotate the root password.
        encrypted-password "$1$2ozVFyuQ$yRHhl2ZYciq8QvBuqnWt01"; ## SECRET-DATA
    }
    login {
        user juniper {
            uid 2000;
            class super-user;
            authentication {
                ## NOTE(review): same as root above -- MD5-crypt hash, disclosed
                ## by this dump; rotate.
                encrypted-password "$1$kMo3FrnE$1AsieNYSOqW6GLYj9BZhJ1"; ## SECRET-DATA
            }
        }
    }
    services {
        ## ftp, telnet and xnm-clear-text carry credentials in cleartext. Every
        ## zone below accepts all system-services inbound, so these are also
        ## reachable on fe-0/0/7.0 (untrust). ssh (and xnm-ssl) cover the same
        ## management use without the cleartext exposure.
        ftp;
        ssh;
        telnet;
        xnm-clear-text;
    }
    syslog {
        ## Local log files only in this stanza; no remote syslog host is
        ## configured here, so logs live and die with the box.
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
}
interfaces {
    fe-0/0/3 {
        unit 0 {
            ## NOTE(review): "description" has no value as printed (the string
            ## was probably stripped before the dump was shared); as shown this
            ## line would not parse.
            description family inet {
                address 192.168.2.1/24;## internal zone
            }
        }
    }
    fe-0/0/7 {
        ## NOTE(review): same as fe-0/0/3 -- "description" without a value.
        description unit 0 {
            family inet {
                address 10.10.9.44/29; ## ADSL LINK
            }
        }
    }
    st0 {
        unit 0 {
            ## NOTE(review): as printed, "multipoint" is the description text,
            ## not the "multipoint" statement a p2mp st0 unit normally carries.
            ## Possibly the real description string was stripped -- confirm.
            description multipoint;
            family inet {
                address 192.168.1.2/24; ## vpn tunnel
            }
        }
    }
}
routing-options {
    traceoptions {
        file routing-log;
    }
    static {
        ## The hub IKE gateway 10.10.10.230 (security ike gateway below) falls
        ## inside 10.10.10.224/29, so IKE/ESP leaves via 10.10.9.41 on the ADSL link.
        route 10.10.10.224/29 next-hop 10.10.9.41;
        ## NOTE(review): 192.168.2.1 is this device's own fe-0/0/3.0 address;
        ## a static route whose next-hop is a local address looks wrong -- confirm
        ## the intended next-hop.
        route 10.10.9.40/29 next-hop 192.168.2.1;
    }
    forwarding-table {
        export loadbalancing;
    }
}
protocols {
    ospf {
        traceoptions {
            file ospf-log;
        }
        area 0.0.0.0 {
            ## Hub-and-spoke over the tunnel: p2mp with the hub as a static
            ## neighbor. No OSPF authentication is configured on st0.0 in this
            ## dump; the adjacency is only as protected as the IPsec SA below.
            interface st0.0 {
                interface-type p2mp;
                neighbor 192.168.1.1;
            }
            ## LAN side advertised but no adjacencies formed there.
            interface fe-0/0/3.0 {
                passive;
            }
        }
    }
    stp;
}
policy-options {
    policy-statement loadbalancing {
        term 1 {
            then {
                load-balance per-packet;
            }
        }
    }
}
security {
    pki {
        ca-profile RootCA {
            ca-identity test;
            ## Revocation checking is disabled: a revoked peer certificate is
            ## still accepted for IKE authentication.
            revocation-check {
                disable;
            }
        }
    }
    ike {
        traceoptions {
            file ike-log;
            ## Very verbose; normally left on only during bring-up.
            flag all;
        }
        proposal ike-proposal {
            authentication-method rsa-signatures;
            ## group2 is 1024-bit MODP -- weak by current standards, and
            ## inconsistent with the group14 PFS chosen in vpn-policy below.
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-policy1 {
            mode main;
            proposals ike-proposal;
            certificate {
                local-certificate local1;
            }
        }
        gateway spoke-to-hub-gw {
            ## NOTE(review): references ike-policy2, which does not appear in this
            ## dump; the only policy shown is ike-policy1. Either the dump is
            ## incomplete or ike-policy1 is unused -- confirm.
            ike-policy ike-policy2;
            address 10.10.10.230;
            local-identity distinguished-name;
            remote-identity distinguished-name;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        proposal ipsec-proposal {
            protocol esp;
            ## hmac-md5-96 and single des-cbc are deprecated/weak choices for
            ## the data plane; they undercut the group14 PFS below.
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
        }
        policy vpn-policy {
            perfect-forward-secrecy {
                keys group14;
            }
        }
        vpn spoke-to-hub-vpn {
            bind-interface st0.0;
            ike {
                gateway spoke-to-hub-gw;
                ipsec-policy vpn-policy;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            ## Interface (hide) NAT for everything leaving internal toward untrust.
            rule-set internal-to-untrust {
                from zone internal;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone internal to-zone vpn {
            policy internal-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone internal {
            policy vpn-to-internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone internal to-zone untrust {
            ## NOTE(review): the policy name vpn-to-internal is reused for the
            ## internal->untrust context; legal in Junos but misleading when
            ## reading logs or "show security policies" output.
            policy vpn-to-internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## permit-all: any zone pair without an explicit policy above (there is
        ## none for untrust->internal or untrust->vpn) is permitted. Together
        ## with the all-services host-inbound settings below, the zone
        ## boundaries are effectively open.
        default-policy {
            permit-all;
        }
    }
    zones {
        ## All three zones accept every system-service and protocol inbound to
        ## the device itself, including on the untrust uplink.
        security-zone internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}