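version 10.4R6.5;
/* SRX branch configuration (Junos 10.4): dual-ISP edge with filter-based egress
   selection into two forwarding instances, one route-based IPsec VPN to a remote
   site, and a switched LAN behind LACP bundle ae0. XX.XX.XX.XX values are public
   addresses redacted in the original listing.
   Repairs against the listing: the two closing braces that end "nat" and "security"
   were missing (proxy-arp had fallen under "static", and zones/policies/flow under
   "nat", firewall/routing-instances/vlans under "security"), and the pre-shared-key
   statement lacked its terminating ";". Everything else is the original content. */
interfaces {
    /* Unaddressed (family inet only) yet placed in zone untrust with dhcp/tftp inbound
       allowed. No dhcp-client stanza is visible, so how this port gets an address is
       not shown here -- confirm whether it is actually in use. */
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        description "ISP1 link";
        unit 0 {
            description "ISP1 WAN";
            family inet {
                address 10.10.10.1/30;
            }
        }
    }
    ge-0/0/2 {
        description "ISP2 Link";
        unit 0 {
            description "ISP2 WAN ";
            family inet {
                address 20.20.20.2/29;
            }
        }
    }
    /* Access port with no vlan membership listed: it lands in the default VLAN,
       not in vlan-trust like ge-0/0/4 and ge-0/0/5. */
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* ge-0/0/6 and ge-0/0/7 are the members of LACP bundle ae0. */
    ge-0/0/6 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/7 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        description " Router to L3 switch ";
        aggregated-ether-options {
            minimum-links 1;
            link-speed 1g;
            lacp {
                active;
                periodic fast;
            }
        }
        /* Trunk carrying every VLAN. Only vlan-trust (id 3) is defined under "vlans"
           in this listing; the VLAN definitions behind vlan.10/20/30/70/100 are not
           visible here. */
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    /* Tunnel interfaces. st0.0 is bound by vpn ISP1-AA-VPN below. st0.1 is referenced
       by the 172.16.0.0/21 route and by zone VPN, but no VPN binds to it in this listing. */
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    vlan {
        /* l3-interface of vlan-trust, but it carries no address. */
        unit 0 {
            family inet;
        }
        unit 10 {
            family inet;
        }
        unit 20 {
            family inet {
                address 192.168.1.230/25;
            }
        }
        unit 30 {
            family inet {
                address 192.168.2.60/26;
            }
        }
        unit 70 {
            family inet {
                address 192.168.6.1/24;
            }
        }
        /* Ingress filter ISPRoute steers this segment into the per-ISP forwarding
           instances. NOTE: 172.16.0.0/16 here overlaps the VPN remote prefix
           172.16.0.0/21; the more specific st0 route wins, so hosts in
           172.16.0.0-172.16.7.255 on this VLAN would be unreachable from the SRX.
           Confirm the intended addressing. */
        unit 100 {
            family inet {
                filter {
                    input ISPRoute;
                }
                address 172.16.5.230/16;
            }
        }
    }
}
routing-options {
    /* Leak connected routes into both forwarding instances so the per-ISP tables can
       still reach the local LAN and WAN subnets. */
    interface-routes {
        rib-group inet RouteCLub;
    }
    static {
        /* Default route in inet.0. As listed, 20.20.20.2 and 10.10.10.1 are this
           device's own interface addresses (ge-0/0/2 and ge-0/0/1 above), not the
           ISP gateways; the addressing looks sanitised, so verify the real next hops
           on the live device rather than trusting this line. */
        route 0.0.0.0/0 next-hop [ 20.20.20.2 10.10.10.1 ];
        /* Remote site via the tunnel. st0.1 (preference 10) is used only when the
           st0.0 route (default static preference 5) is gone, but nothing binds a VPN
           to st0.1 in this listing, so the fallback path has no tunnel behind it. */
        route 172.16.0.0/21 {
            next-hop st0.0;
            qualified-next-hop st0.1 {
                preference 10;
            }
        }
    }
    rib-groups {
        RouteCLub {
            import-rib [ inet.0 ISP1_ISP.inet.0 ISP2_ISP.inet.0 ];
        }
    }
}
protocols {
    stp;
}
security {
    ike {
        /* Phase 1: PSK, DH group 5, SHA-1, AES-256-CBC. Group 5 and SHA-1 are below
           current guidance (group14 or stronger and sha-256 where the peer supports
           them); any change has to be coordinated with the remote end. */
        proposal Phase-one-AA {
            description "Phase one proposal for London Data";
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
        }
        policy AA-IKE-Policy {
            mode main;
            proposals Phase-one-AA;
            /* The key value is a redacted placeholder from the listing, not a real secret. */
            pre-shared-key ascii-text 'key'; ## SECRET-DATA
        }
        /* Peer is reached over the ISP2 link (ge-0/0/2). DPD declares the peer dead
           after 3 unanswered probes sent 10 s apart. */
        gateway ISP1-AA-GW {
            ike-policy AA-IKE-Policy;
            address XX.XX.XX.XX;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/2;
        }
    }
    ipsec {
        /* Phase 2: ESP with HMAC-SHA1-96 and AES-256-CBC, PFS on group 5 (same
           strength caveat as Phase 1). */
        proposal Phase-two-AA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy AA-Ipsec-Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Phase-two-AA;
        }
        /* Route-based VPN on st0.0. The proxy identities must be the mirror image of
           the peer's (192.168.0.0/22 local, 172.16.0.0/21 remote) or Phase 2 will not
           complete. */
        vpn ISP1-AA-VPN {
            bind-interface st0.0;
            ike {
                gateway ISP1-AA-GW;
                proxy-identity {
                    local 192.168.0.0/22;
                    remote 172.16.0.0/21;
                    service any;
                }
                ipsec-policy AA-Ipsec-Policy;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Tunnel traffic leaves through zone VPN, so this trust->untrust
                   rule-set never sees it. VPN_ISP2 only matches if the st0 route is
                   absent and 172.16.0.0/21 falls back to the default route; it then
                   sends untranslated RFC 1918 sources out to the ISP. Looks like a
                   leftover from an earlier design -- confirm it is still wanted. */
                rule VPN_ISP2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.0.0/21;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* One-to-one mapping of a public address to the VC unit at 192.168.2.62.
           As written the rule-set is "from zone trust", so it only rewrites packets
           arriving from the LAN side. The proxy-arp entries on ge-0/0/2.0 suggest
           inbound use from the ISP2 side was intended; that would need "from zone
           untrust" plus an untrust->trust policy, and no such policy is present in
           this listing. Confirm the intent before changing it. */
        static {
            rule-set VC {
                from zone trust;
                rule R1 {
                    match {
                        destination-address XX.XX.XX.XX/32;
                    }
                    then {
                        static-nat prefix 192.168.2.62/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/2.0 {
                address {
                    XX.XX.XX.XX/32;
                    XX.XX.XX.XX/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address proxy-VC-unit 192.168.2.62/32;
                address VC_Unit XX.XX.XX.XX/32;
                address Local_LAN 192.168.0.0/22;
            }
            /* Every system service and routing protocol is accepted on the LAN-facing
               RVIs; acceptable only if the LAN side is fully trusted. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.100;
                vlan.10;
                vlan.20;
                vlan.30;
            }
        }
        /* "untrust-screen" is referenced but no "security screen ids-option" stanza
           appears in this listing; it is presumably the factory-default screen. */
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                /* https on both ISP-facing interfaces exposes the web management
                   service to the Internet. Prefer reaching management over the VPN or
                   trust side only, or restrict the sources with a loopback firewall
                   filter. ike and ping are needed for the VPN and DPD. */
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ike;
                        }
                    }
                }
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ike;
                            https;
                        }
                    }
                }
            }
        }
        /* No host-inbound-traffic on the tunnel zone, so the SRX itself does not
           answer traffic arriving through the tunnel (transit is governed by policies). */
        security-zone VPN {
            address-book {
                address Remote-AA-LAN 172.16.0.0/21;
            }
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
    policies {
        /* Unrestricted outbound (any/any/any). Policies are evaluated in order, so
           Policy_VC_Exter below is shadowed and never matches. There is no
           untrust->trust policy, so inbound is denied by default. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Policy_VC_Exter {
                match {
                    source-address VC_Unit;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Site-to-site traffic in both directions, scoped to the two LAN prefixes
           but open to any application. */
        from-zone trust to-zone VPN {
            policy AA-Trust-VPN-Policy {
                match {
                    source-address Local_LAN;
                    destination-address Remote-AA-LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN to-zone trust {
            policy AA-VPN-Trust-Policy {
                match {
                    source-address Remote-AA-LAN;
                    destination-address Local_LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        /* Clamp TCP MSS for traffic entering the tunnel. No explicit mss value is
           given, so the platform default applies -- confirm it leaves enough room
           for the ESP overhead. */
        tcp-mss {
            ipsec-vpn;
        }
    }
}
firewall {
    /* Egress selection for vlan.100: the listed sources go to ISP1_ISP, everything
       else to ISP2_ISP. Neither term counts or logs, so there is no visibility into
       which path a flow took. */
    filter ISPRoute {
        term TERM1 {
            from {
                source-address {
                    192.168.1.0/25;
                    192.168.2.0/26;
                    192.168.2.128/26;
                }
            }
            then {
                routing-instance ISP1_ISP;
            }
        }
        term TERM2 {
            then {
                routing-instance ISP2_ISP;
            }
        }
    }
}
/* Per-ISP forwarding instances. ISP2_ISP prefers 10.10.10.2 (the ISP1 link subnet)
   and ISP1_ISP prefers 20.20.20.2 (the ISP2 link subnet), so the names and next hops
   look crossed; 20.20.20.2 and 10.10.10.1 are also this device's own addresses as
   listed. Verify against the live device before changing anything. */
routing-instances {
    ISP2_ISP {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.10.10.2;
                    qualified-next-hop 20.20.20.2 {
                        preference 100;
                    }
                }
            }
        }
    }
    ISP1_ISP {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 20.20.20.2;
                    qualified-next-hop 10.10.10.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}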