## Last changed: 2011-05-12 19:36:08 UTC
/*
 * SRX chassis-cluster configuration (two nodes, SRX1/SRX2) that terminates:
 *   - a dynamic (remote-access) VPN "DVPN-*" on reth0.0, authenticated via XAuth/RADIUS
 *   - a route-based site-to-site VPN "VPN-CIS-*" bound to st0.0, with static NAT
 *     translating between the 6.0.x.x and 5.0.20.x / 5.0.80.x prefixes
 * Node-specific host-name and fxp0 addresses live in the node0/node1 groups and are
 * selected through apply-groups "${node}".
 * Review note: every secret in this file is the literal placeholder "pwd" (root hash,
 * IKE pre-shared keys, local firewall user, RADIUS secret); it must be replaced before use.
 */
version 10.2R3.10;
groups {
    node0 {
        system {
            host-name SRX1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.1.100.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.1.100.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    host-name SRX1;
    root-authentication {
        /* placeholder hash, see header note */
        encrypted-password "pwd";
    }
    services {
        ssh {
            /* root login over SSH is permitted, and ssh is also a host-inbound service on
               the untrust-facing reth0.0 (security zones below); prefer root-login deny and
               limit SSH to the management path unless direct root access is required */
            root-login allow;
        }
        web-management {
            https {
                /* self-signed device certificate serving J-Web on the untrust-facing reth0.0;
                   https is additionally host-inbound at the untrust zone level below */
                system-generated-certificate;
                interface reth0.0;
            }
        }
    }
    processes {
        general-authentication-service {
            /* authentication tracing (RADIUS + local) - troubleshooting aid, not for steady state */
            traceoptions {
                file AUTH.log;
                flag radius;
                flag local-authentication;
            }
        }
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 3;
        /* node 0 is the preferred primary for both redundancy groups */
        redundancy-group 0 {
            node 0 priority 254;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 254;
            node 1 priority 1;
            preempt;
        }
    }
}
interfaces {
    /* reth0 (untrust) = fe-0/0/2 + fe-2/0/2, reth1 (trust) = fe-0/0/4 + fe-2/0/4 */
    fe-0/0/2 {
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-0/0/4 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fe-2/0/2 {
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-2/0/4 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    /* fabric links between the cluster nodes */
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                fe-2/0/5;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                /* shared management address that follows the primary node */
                address 10.1.100.3/24 {
                    master-only;
                }
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                /* output filter samples RADIUS-destined packets into the packet-capture file
                   (forwarding-options below); troubleshooting capture, remove when done */
                filter {
                    output Radius.log;
                }
                address 5.0.1.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 5.0.20.1/24;
            }
        }
    }
    /* tunnel interface for the route-based VPN-CIS-VPN */
    st0 {
        unit 0 {
            family inet {
                address 5.0.13.1/24;
            }
        }
    }
}
forwarding-options {
    /* destination file for packets sampled by the firewall filters */
    packet-capture {
        file filename STATIC-RETH1-log;
    }
}
routing-options {
    static {
        /* 10.1.100.0/24 and 10.1.101.0/24 (management and RADIUS server 10.1.101.3) are
           reached through 5.0.1.254 on the reth0 (untrust) segment; confirm that path is
           acceptable for RADIUS traffic */
        route 10.1.100.0/24 next-hop 5.0.1.254;
        route 5.0.30.0/24 next-hop st0.0;
        route 10.1.101.0/24 next-hop 5.0.1.254;
        route 5.0.60.0/24 next-hop 5.0.1.3;
        route 6.0.1.1/32 next-hop st0.0;
    }
}
security {
    ssh-known-hosts {
        host 10.1.101.1;
    }
    ike {
        /* "flag all" is full IKE debug tracing; trace output can include negotiation details,
           so keep this for troubleshooting only and review the file before sharing it */
        traceoptions {
            file I;
            flag ike;
            flag all;
        }
        /* remote-access IKE proposal: 3DES/SHA1/DH group2 are legacy choices for this 10.2 release */
        proposal DVPN-IKE-PRO {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        /* site-to-site IKE proposal: MD5 integrity and 3DES; upgrade when the peer allows */
        proposal VPN-CIS-IKE-PROP {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy DVPN-IKE-POL {
            /* aggressive mode is used for the dynamic (hostname-identified) peer; it sends
               the identity and PSK-derived hash unencrypted, so the PSK must be strong */
            mode aggressive;
            proposals DVPN-IKE-PRO;
            pre-shared-key ascii-text "pwd";
        }
        policy VPN-CIS-IKE-POL {
            mode main;
            proposals VPN-CIS-IKE-PROP;
            pre-shared-key ascii-text "pwd";
        }
        gateway DVPN-GW {
            ike-policy DVPN-IKE-POL;
            /* dynamic peer identified by hostname; users are XAuth-authenticated against RADIUS */
            dynamic hostname DVPN-HOST;
            external-interface reth0.0;
            xauth access-profile DVPN-RAD-PRO;
        }
        gateway VPN-CIS-GW {
            ike-policy VPN-CIS-IKE-POL;
            address 5.0.1.3;
            local-identity inet 5.0.13.1;
            external-interface st0.0;
        }
    }
    ipsec {
        traceoptions {
            flag packet-processing;
        }
        proposal DVPN-IPS-PRO {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        proposal VPN-CIS-IPS-PROP {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            /* 84400 s is an unusual value; verify whether 86400 (24 h) was intended */
            lifetime-seconds 84400;
        }
        policy DVPN-IPS-POL {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals DVPN-IPS-PRO;
        }
        /* no perfect-forward-secrecy on the site-to-site policy, unlike DVPN-IPS-POL */
        policy VPN-CIS-IPS-POL {
            proposals VPN-CIS-IPS-PROP;
        }
        /* policy-based VPN: referenced from DVPN-SEC-POL via permit tunnel */
        vpn DVPN-VPN {
            ike {
                gateway DVPN-GW;
                ipsec-policy DVPN-IPS-POL;
            }
        }
        /* route-based VPN on st0.0; proxy identities match the static-NAT prefixes below */
        vpn VPN-CIS-VPN {
            bind-interface st0.0;
            ike {
                gateway VPN-CIS-GW;
                proxy-identity {
                    local 6.0.2.1/32;
                    remote 6.0.1.1/32;
                }
                ipsec-policy VPN-CIS-IPS-POL;
            }
        }
    }
    nat {
        /* full NAT debug tracing - troubleshooting only */
        traceoptions {
            file N;
            flag all;
        }
        static {
            /* traffic arriving on the tunnel for 6.0.2.1 is delivered to the internal host 5.0.20.2 */
            rule-set STNAT-UNT-TR {
                from interface st0.0;
                rule STNAT-UNT-TR-RULE {
                    match {
                        destination-address 6.0.2.1/32;
                    }
                    then {
                        static-nat prefix 5.0.20.2/32;
                    }
                }
            }
            /* internal hosts reach the remote peer 6.0.1.1 by addressing 5.0.80.2 */
            rule-set STNAT-TR-UNT {
                from interface reth1.0;
                rule ST-TR-UNT-RULE {
                    match {
                        destination-address 5.0.80.2/32;
                    }
                    then {
                        static-nat prefix 6.0.1.1/32;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* address-book entries are named after their prefix */
            address-book {
                address 6.0.1.1/32 6.0.1.1/32;
                address 6.0.2.1/32 6.0.2.1/32;
                address 5.0.20.2/32 5.0.20.2/32;
            }
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address 6.0.1.1/32 6.0.1.1/32;
                address 6.0.2.1/32 6.0.2.1/32;
                address 5.0.20.2/32 5.0.20.2/32;
            }
            /* zone-wide https applies to every untrust interface, including st0.0 */
            host-inbound-traffic {
                system-services {
                    https;
                }
            }
            interfaces {
                reth0.0 {
                    /* ssh and https are reachable from the untrust side; ike and ping are
                       needed for the VPNs, the management services should be reconsidered */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            ike;
                            https;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy VPN-CIS-SEC-POL-U_T {
                match {
                    source-address 6.0.1.1/32;
                    destination-address 5.0.20.2/32;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* tunnel policy for the remote-access VPN: matches any/any/any, so every
               dynamic-VPN client can reach any trust address; narrowing destination-address
               to the protected resources (5.0.20.0/24 below) would tighten this */
            policy DVPN-SEC-POL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn DVPN-VPN;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone untrust {
            policy VPN-CIS-SEC-POL-T_U {
                match {
                    source-address 5.0.20.2/32;
                    destination-address 6.0.1.1/32;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    traceoptions {
        file IPSEC.log;
    }
    flow {
        /* "flag all" flow tracing logs every session event; high volume, troubleshooting only */
        traceoptions {
            file F;
            flag packet-drops;
            flag basic-datapath;
            flag all;
        }
    }
    dynamic-vpn {
        /* client configuration pushed to remote-access users; user DVPN-USER1 is defined
           locally in access profile DVPN-PROF */
        access-profile DVPN-PROF;
        clients {
            DVPN-CLIENT1 {
                remote-protected-resources {
                    5.0.20.0/24;
                }
                ipsec-vpn DVPN-VPN;
                user {
                    DVPN-USER1;
                }
            }
        }
    }
}
firewall {
    /* samples RADIUS packets (applied as output filter on reth0.0); all traffic is accepted */
    filter Radius.log {
        term capture {
            from {
                destination-port radius;
            }
            then {
                sample;
                accept;
            }
        }
        term all-else-accept {
            then accept;
        }
    }
    /* defined but not applied to any interface in this configuration */
    filter reth1.0-STNAT.log {
        term capture {
            from {
                interface reth1.0;
            }
            then {
                sample;
                accept;
            }
        }
        term all-else {
            then accept;
        }
    }
}
access {
    /* local dynamic-VPN user; placeholder password, see header note */
    profile DVPN-PROF {
        client DVPN-USER1 {
            firewall-user {
                password "pwd";
            }
        }
    }
    /* RADIUS profile used for XAuth (gateway DVPN-GW) and web authentication */
    profile DVPN-RAD-PRO {
        authentication-order radius;
        radius-server {
            10.1.101.3 {
                port 1812;
                secret "pwd";
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile DVPN-RAD-PRO;
        }
    }
}
/* ESP/AH application definitions; not referenced by any policy in this configuration */
applications {
    application esp1 protocol esp;
    application ah protocol ah;
    application-set esp {
        application ah;
        application esp1;
    }
}