set version 10.4R4.5
set system host-name JUN-SRX240-1
set system time-zone Asia/Saigon
set system root-authentication encrypted-password "$1$DevAO8ml$043jvPVXbABbb9Sx/uaPB/"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface vlan.20
set system services web-management https interface vlan.30
set system services web-management https interface vlan.100
set system services web-management https interface pp0.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 172.16.20.0/24 address-range low 172.16.20.150
set system services dhcp pool 172.16.20.0/24 address-range high 172.16.20.200
set system services dhcp pool 172.16.20.0/24 name-server 8.8.8.8
set system services dhcp pool 172.16.20.0/24 router 172.16.20.1
set system services dhcp pool 172.16.20.0/24 propagate-settings vlan.20
set system services dhcp pool 172.16.30.0/24 address-range low 172.16.30.150
set system services dhcp pool 172.16.30.0/24 address-range high 172.16.30.200
set system services dhcp pool 172.16.30.0/24 name-server 8.8.8.8
set system services dhcp pool 172.16.30.0/24 router 172.16.30.1
set system services dhcp pool 172.16.30.0/24 propagate-settings vlan.30
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 49
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 67.18.187.111
set chassis aggregated-devices ethernet device-count 2
set interfaces traceoptions file interfaces.txt
set interfaces traceoptions file size 1m
set interfaces traceoptions file files 5
set interfaces traceoptions flag change-events
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members server
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members wireless
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 unit 0 family ethernet-switching
deactivate interfaces ge-0/0/2 unit 0
set interfaces ge-0/0/3 gigether-options 802.3ad ae0
set interfaces ge-0/0/3 unit 0 family ethernet-switching
deactivate interfaces ge-0/0/3 unit 0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members server
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members server
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members server
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members server
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members wireless
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members wireless
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members server
set interfaces ae0 unit 0 family ethernet-switching vlan members wireless
set interfaces ae0 unit 0 family ethernet-switching vlan members mgmt
set interfaces pp0 unit 0 ppp-options pap access-profile ppp
set interfaces pp0 unit 0 ppp-options pap local-name cty-avnet74
set interfaces pp0 unit 0 ppp-options pap local-password "$9$.PQntpByrvfTSeMXbwHqmfFn"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 30
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces vlan unit 0 family inet address 172.16.1.122/24
set interfaces vlan unit 20 family inet address 172.16.20.1/24
set interfaces vlan unit 30 family inet address 172.16.30.1/24
set interfaces vlan unit 100 family inet address 172.16.100.1/24
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.10.10.0/24 next-hop 172.16.20.1
set protocols stp
set security ike proposal ike-dyn-prop1 authentication-method pre-shared-keys
set security ike proposal ike-dyn-prop1 dh-group group2
set security ike proposal ike-dyn-prop1 authentication-algorithm md5
set security ike proposal ike-dyn-prop1 encryption-algorithm 3des-cbc
set security ike policy ike-dyn-pol1 mode aggressive
set security ike policy ike-dyn-pol1 proposals ike-dyn-prop1
set security ike policy ike-dyn-pol1 pre-shared-key ascii-text "$9$Hq.569pRhrfThrKM7NGUj"
set security ike gateway gw-dyn-1 ike-policy ike-dyn-pol1
set security ike gateway gw-dyn-1 dynamic hostname sic.local
set security ike gateway gw-dyn-1 dynamic connections-limit 2
set security ike gateway gw-dyn-1 external-interface pp0.0
set security ike gateway gw-dyn-1 xauth access-profile dyn-vpn-prof1
set security ipsec proposal dyn-prop-ph2 protocol esp
set security ipsec proposal dyn-prop-ph2 authentication-algorithm hmac-sha1-96
set security ipsec proposal dyn-prop-ph2 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-dyn-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-pol proposals dyn-prop-ph2
set security ipsec vpn vpn-dyn ike gateway gw-dyn-1
set security ipsec vpn vpn-dyn ike ipsec-policy ipsec-dyn-pol
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set wireless_to_internet from zone wireless
set security nat source rule-set wireless_to_internet to zone untrust
set security nat source rule-set wireless_to_internet rule to_internet match source-address 0.0.0.0/0
set security nat source rule-set wireless_to_internet rule to_internet match destination-address 0.0.0.0/0
set security nat source rule-set wireless_to_internet rule to_internet then source-nat interface
set security nat source rule-set mgmt-to-NTP-server from zone mgmt
set security nat source rule-set mgmt-to-NTP-server to zone untrust
set security nat source rule-set mgmt-to-NTP-server rule to-internet match source-address 0.0.0.0/0
set security nat source rule-set mgmt-to-NTP-server rule to-internet match destination-address 0.0.0.0/0
set security nat source rule-set mgmt-to-NTP-server rule to-internet then source-nat interface
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to interface pp0.0
set security nat source rule-set trust-untrust rule Egress-Int match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule Egress-Int match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule Egress-Int then source-nat interface
set security nat proxy-arp interface vlan.20 address 172.16.20.20/32 to 172.16.20.40/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces vlan.20
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone wireless host-inbound-traffic system-services all
set security zones security-zone wireless host-inbound-traffic protocols all
set security zones security-zone wireless interfaces vlan.30
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all
set security zones security-zone mgmt interfaces vlan.100 host-inbound-traffic system-services all
set security zones security-zone mgmt interfaces vlan.100 host-inbound-traffic protocols all
set security zones security-zone dyn-vpn
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy allow_all match source-address any
set security policies from-zone trust to-zone untrust policy allow_all match destination-address any
set security policies from-zone trust to-zone untrust policy allow_all match application any
set security policies from-zone trust to-zone untrust policy allow_all then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit tunnel ipsec-vpn vpn-dyn
set security policies from-zone wireless to-zone untrust policy wireless_to_internet match source-address any
set security policies from-zone wireless to-zone untrust policy wireless_to_internet match destination-address any
set security policies from-zone wireless to-zone untrust policy wireless_to_internet match application any
set security policies from-zone wireless to-zone untrust policy wireless_to_internet then permit
set security policies from-zone trust to-zone mgmt policy Allow_HTTP match source-address any
set security policies from-zone trust to-zone mgmt policy Allow_HTTP match destination-address any
set security policies from-zone trust to-zone mgmt policy Allow_HTTP match application any
set security policies from-zone trust to-zone mgmt policy Allow_HTTP then permit
set security policies from-zone mgmt to-zone trust policy Allow_HTTP match source-address any
set security policies from-zone mgmt to-zone trust policy Allow_HTTP match destination-address any
set security policies from-zone mgmt to-zone trust policy Allow_HTTP match application any
set security policies from-zone mgmt to-zone trust policy Allow_HTTP then permit
set security policies from-zone mgmt to-zone untrust policy mgmt-to-NTP-server match source-address any
set security policies from-zone mgmt to-zone untrust policy mgmt-to-NTP-server match destination-address any
set security policies from-zone mgmt to-zone untrust policy mgmt-to-NTP-server match application junos-ntp
set security policies from-zone mgmt to-zone untrust policy mgmt-to-NTP-server then permit
set security policies from-zone trust to-zone wireless policy trust_to_wireless match source-address any
set security policies from-zone trust to-zone wireless policy trust_to_wireless match destination-address any
set security policies from-zone trust to-zone wireless policy trust_to_wireless match application any
set security policies from-zone trust to-zone wireless policy trust_to_wireless then permit
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security dynamic-vpn access-profile dyn-vpn-prof1
set security dynamic-vpn clients client-config remote-protected-resources 172.16.20.0/24
set security dynamic-vpn clients client-config remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client-config ipsec-vpn vpn-dyn
set security dynamic-vpn clients client-config user vpn1
set access profile ppp authentication-order password
set access profile dyn-vpn-prof1 client vpn1 firewall-user password "$9$K7fWNbwYojHmg4aGjHTQBIEcyKLxd"
set access profile dyn-vpn-prof1 address-assignment pool pool1
set access address-assignment pool pool1 family inet network 172.16.20.0/24
set access address-assignment pool pool1 family inet range range1 low 172.16.20.20
set access address-assignment pool pool1 family inet range range1 high 172.16.20.40
set access address-assignment pool pool1 family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile dyn-vpn-prof1
set vlans mgmt vlan-id 100
set vlans mgmt interface ge-0/0/14.0
set vlans mgmt l3-interface vlan.100
set vlans server vlan-id 20
set vlans server interface ge-0/0/4.0
set vlans server interface ge-0/0/5.0
set vlans server interface ge-0/0/6.0
set vlans server interface ge-0/0/7.0
set vlans server l3-interface vlan.20
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set vlans wireless vlan-id 30
set vlans wireless interface ge-0/0/12.0
set vlans wireless interface ge-0/0/13.0
set vlans wireless l3-interface vlan.30