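/* Junos SRX excerpt. The interface stanzas below sit under "interfaces { ... }", whose opening line is above this excerpt.
   Repairs relative to the pasted text: the stray "}" after ge-0/0/2 closed interfaces early (pushing ae0 and vlan to top
   level), the from-zone / policies / security blocks were never closed, and the source-NAT rules were in the wrong order. */
ge-0/0/1 {
    description "ISP1 link";
    unit 0 {
        description "ISP1";
        family inet {
            address 10.10.10.1/30;
        }
    }
}
ge-0/0/2 {
    description "ISP2 Link";
    unit 0 {
        description "ISP2 ";
        family inet {
            address 20.20.20.1/29;
        }
    }
}
/* LAG towards the L3 switch; trunks every VLAN. */
ae0 {
    description " Router to L3 switch ";
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            active;
            periodic fast;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
        }
    }
}
/* Only units 0, 10 and 20 exist here; the trust zone below also references vlan.100. */
vlan {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
    }
    unit 20 {
        family inet {
            address 192.168.1.230/25;
        }
    }
}
}
/* The "}" above closes interfaces. */
routing-options {
    interface-routes {
        rib-group inet RouteCLub;
    }
    static {
        /* ECMP default in inet.0; the per-ISP preference is expressed in the forwarding instances at the end. */
        route 0.0.0.0/0 next-hop [ 20.20.20.2 10.10.10.2 ];
        route 192.168.2.0/24 next-hop 172.16.5.253;
        route 192.168.1.0/24 next-hop 172.16.5.253;
    }
    rib-groups {
        RouteCLub {
            import-rib [ inet.0 ISP2.inet.0 ISP1.inet.0 ];
        }
    }
}
security {
    ike {
        /* Legacy phase-1 algorithms (3des-cbc, dh-group group2, sha1). They are peer-dependent, so they are
           left as configured; once the remote end allows it, move to aes-256-cbc, dh-group group14 or higher
           and sha-256 so phase 1 is not the weakest link next to the aes-256 / PFS group5 phase 2 below. */
        proposal Proposal-one-AAA {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy ike-policy-LD-AAA {
            mode main;
            /* References "Phase-one-LN", but the only IKE proposal on this page is "Proposal-one-AAA";
               unless Phase-one-LN is defined elsewhere the commit will fail on this line. */
            proposals Phase-one-LN;
            /* The literal "key" looks like a placeholder; use a long, random pre-shared key. */
            pre-shared-key ascii-text "key"; ## SECRET-DATA
        }
        gateway ike-gw-LN-AAA {
            ike-policy ike-policy-LD-AAA;
            address 3.3.3.3;
            external-interface ge-0/0/2;
        }
    }
    ipsec {
        proposal Phase-two-ZZZ {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy Ipsec-LN-DC-AAA {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Phase-two-ZZZ;
        }
        vpn To_ZZZ_DC_AAA {
            ike {
                gateway ike-gw-LN-AAA;
                ipsec-policy Ipsec-LN-DC-AAA;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Source-NAT rules are evaluated first-match in configured order. The VPN exemption must come
                   before the 0.0.0.0/0 catch-all; in the original order the catch-all matched first, VPN traffic
                   was interface-NATed and no longer reached the peer with a Local_LAN source. */
                rule VPN {
                    match {
                        source-address 192.168.0.0/22;
                        destination-address 10.0.16.0/21;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address Local_LAN 192.168.0.0/22;
            }
            /* Every system service and routing protocol is reachable from the trust zone. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* No unit 100 is defined under the vlan interface above; confirm it exists elsewhere. */
                vlan.100;
                vlan.10;
                vlan.20;
            }
        }
        security-zone untrust {
            address-book {
                address Remote_LAN 10.0.16.0/21;
            }
            /* The screen profile "untrust-screen" is not defined on this page. */
            screen untrust-screen;
            interfaces {
                /* ge-0/0/0 itself is not on this page. */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                /* https on an ISP-facing interface exposes the management UI to the Internet; keep only if needed. */
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ike;
                        }
                    }
                }
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ike;
                            https;
                            /* "all" opens every system service on the ISP2-facing interface and makes the three
                               entries above redundant. This interface terminates the IKE gateway, so it needs ike
                               (plus any management deliberately exposed), as on ge-0/0/1.0; "all" should be removed. */
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy Policy_LD_AAA_VPN {
                match {
                    source-address Local_LAN;
                    destination-address Remote_LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn To_ZZZ_DC_AAA;
                            pair-policy Policy_LD_AAA_Extenal_VPN;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* Unlogged any/any outbound permit. The VPN policy above logs sessions; adding
               "log { session-init; session-close; }" here gives the same visibility for plain Internet traffic. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Policy_LD_AAA_Extenal_VPN {
                match {
                    source-address Remote_LAN;
                    destination-address Local_LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn To_ZZZ_DC_AAA;
                            pair-policy Policy_LD_AAA_VPN;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
/* Policy-based routing filter. It is defined but, on this page, not applied to any interface; it only takes
   effect once attached, e.g. "filter input ISPRoute" under the relevant vlan units. */
firewall {
    filter ISPRoute {
        term TERM1 {
            from {
                source-address {
                    192.168.1.0/25;
                    192.168.2.0/26;
                    192.168.2.128/26;
                }
            }
            then {
                routing-instance ISP2;
            }
        }
        term TERM2 {
            then {
                routing-instance ISP1;
            }
        }
    }
}
/* Per-ISP forwarding instances: each prefers its own ISP and falls back to the other at preference 100. */
routing-instances {
    ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.10.10.2;
                    qualified-next-hop 20.20.20.2 {
                        preference 100;
                    }
                }
            }
        }
    }
    ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 20.20.20.2;
                    qualified-next-hop 10.10.10.2 {
                        preference 100;
                    }
                }
            }
        }
    }
}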