/* Junos SRX configuration for host r2 (release 11.4R2.14).
 * Public/private addresses are anonymized in this listing (A.A.A.A, B.B.B.x,
 * Y.Y.Y.Y, Z.Z.Z.Z); the pre-shared key is masked.
 * Topology as shown: st0.0 is a multipoint hub interface with two
 * next-hop-tunnel entries, st0.1 is a point-to-point tunnel to a remote
 * peer at Y.Y.Y.Y, and the only traffic permitted across st0.1 is SSH
 * between B.B.B.B/24 and Z.Z.Z.Z/32. */
version 11.4R2.14;
system {
    host-name r2;
}
interfaces {
    /* Untrust/WAN side; used as the IKE external-interface below. */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address A.A.A.A/26;
            }
        }
    }
    /* LAN side; member of security-zone guest. */
    fe-0/0/7 {
        unit 0 {
            family inet {
                address B.B.B.1/24;
            }
        }
    }
    st0 {
        /* NOTE(review): the two VPNs referenced here (ipsec-vpn-1-cfgr,
         * ipsec-vpn-2-cfgr) are not defined under security ipsec in this
         * listing, and st0.0 is not assigned to any security zone. They may
         * simply have been trimmed from the excerpt; if not, the commit would
         * fail on the dangling references, and an unzoned st0.0 would not
         * pass transit traffic. Confirm against the full configuration. */
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 10.10.10.1 ipsec-vpn ipsec-vpn-1-cfgr;
                next-hop-tunnel 10.10.10.3 ipsec-vpn ipsec-vpn-2-cfgr;
                address 10.10.10.2/24;
            }
        }
        /* Bound to ipsec-vpn-remote-cfgr; member of security-zone remote. */
        unit 1 {
            point-to-point;
            family inet {
                next-hop-tunnel 10.10.10.4 ipsec-vpn ipsec-vpn-remote-cfgr;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop A.A.A.1;
        /* Spoke networks reached through the multipoint hub interface st0.0. */
        route B.B.1.0/24 next-hop 10.10.10.1;
        route B.B.3.0/24 next-hop 10.10.10.3;
        /* The single remote host behind the point-to-point tunnel. */
        route Z.Z.Z.Z/32 next-hop st0.1;
    }
}
security {
    ike {
        /* Debug tracing is left enabled: "flag all" already covers "ike" and
         * "next-hop-tunnels", so the two explicit flags are redundant. IKE
         * trace output at this level is verbose and may include negotiation
         * details that should not sit in a plain log file long-term; it is
         * normally removed once troubleshooting is finished. */
        traceoptions {
            file size 1m;
            flag ike;
            flag next-hop-tunnels;
            flag all;
        }
        /* Phase 1 proposal. 3DES-CBC, SHA-1 and DH group 2 (1024-bit MODP)
         * are legacy choices; if the peer and this release support them,
         * AES, SHA-2 and a larger DH group (group14 or above) are the usual
         * replacements. Must be changed on both ends at once. */
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ike-policy-remote-cfgr {
            /* Main mode (identity-protecting exchange), not aggressive mode. */
            mode main;
            proposals ike-proposal-cfgr;
            /* Key value masked in this listing. */
            pre-shared-key ascii-text "********";
        }
        gateway ike-gate-remote-cfgr {
            ike-policy ike-policy-remote-cfgr;
            address Y.Y.Y.Y;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        /* Same troubleshooting-level tracing as under ike; see note there. */
        traceoptions {
            flag all;
        }
        /* Phase 2 proposal: ESP with HMAC-SHA1-96 and 3DES-CBC (legacy, see
         * the Phase 1 note). lifetime-kilobytes 28800 is small relative to the
         * 86400-second time limit and will trigger volume-based rekeys early
         * under any sustained traffic; presumably intentional for a test
         * setup — confirm. */
        proposal ipsec-proposal-remote-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
            lifetime-kilobytes 28800;
        }
        policy ipsec-policy-remote-cfgr {
            proposals ipsec-proposal-remote-cfgr;
        }
        /* Route-based VPN on st0.1 to the remote gateway. */
        vpn ipsec-vpn-remote-cfgr {
            bind-interface st0.1;
            /* Dead-peer/liveness probing; "optimized" limits probes to idle
             * periods (verify exact probe behaviour for this release). */
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-remote-cfgr;
                /* Phase 2 traffic selector: only SSH between B.B.B.B/24 and
                 * Z.Z.Z.Z/32 is negotiated, matching the security policies
                 * below. The peer's selector must mirror this. */
                proxy-identity {
                    local B.B.B.B/24;
                    remote Z.Z.Z.Z/32;
                    service junos-ssh;
                }
                ipsec-policy ipsec-policy-remote-cfgr;
            }
            /* Tunnel is negotiated at commit time rather than on first packet. */
            establish-tunnels immediately;
        }
    }
    alg {
        traceoptions {
            file alg.log size 100000 files 2;
        }
        /* Several application-layer gateways disabled; the remaining ALGs
         * keep their defaults. */
        dns disable;
        msrpc disable;
        rsh disable;
        sql disable;
    }
    flow {
        /* MSS clamping to avoid fragmentation, with a lower value for
         * traffic entering the IPsec tunnels (ESP overhead). */
        tcp-mss {
            all-tcp {
                mss 1400;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
        /* NOTE(review): these three knobs turn off the flow module's TCP
         * SYN-first-packet and sequence-number validation for all sessions,
         * including tunnelled ones. That weakens the stateful inspection that
         * normally drops out-of-state and spoofed segments; it reads like an
         * asymmetric-routing or troubleshooting workaround and is worth
         * re-evaluating once the tunnels are stable. */
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    policies {
        /* Only SSH is permitted in either direction between the guest LAN
         * and the remote host; everything else falls to the default deny.
         * Address-book names appear to be generated (net-cfgr_* prefix). */
        from-zone guest to-zone remote {
            policy local-to-spokes {
                match {
                    source-address net-cfgr_B-B-B-B--24;
                    destination-address net-cfgr_Z-Z-Z-Z--32;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        from-zone remote to-zone guest {
            policy spokes-to-local {
                match {
                    source-address net-cfgr_Z-Z-Z-Z--32;
                    destination-address net-cfgr_B-B-B-B--24;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* Tunnel-facing zone. No host-inbound-traffic is configured, so the
         * device itself accepts nothing from the remote side. */
        security-zone remote {
            address-book {
                address net-cfgr_Z-Z-Z-Z--32 Z.Z.Z.Z/32;
            }
            interfaces {
                st0.1;
            }
        }
        /* LAN zone. "all" for both system-services and protocols exposes every
         * management and routing service on fe-0/0/7.0 to anything on
         * B.B.B.B/24; for a zone named "guest" this is broader than it
         * probably needs to be — restricting to the services actually used
         * (for example ssh, ping) is the usual hardening step. */
        security-zone guest {
            address-book {
                address net-cfgr_B-B-B-B--24 B.B.B.B/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}