# Junos (SRX-style) configuration for host sml-c-r1: two ISP uplinks (PPPoE on
# fe-0/0/0, static addressing on fe-0/0/1), six GRE tunnels to the YAR/VJZ/ROS
# sites, five route-based IPsec VPNs sharing the multipoint st0.0 interface,
# and OSPF area 0 over all of them.
# Values such as sml_ISP1_addr / yar_ISP1.1_addr / ISP2_gw_addr look like
# placeholders substituted for real public addresses before publication.
#
# NOTE(review): the lines marked SECRET-DATA below are published together with
# the configuration. "$9$" strings are reversible obfuscation, not encryption,
# and "$1$" marks an MD5-crypt hash. Treat all three secrets as disclosed:
# rotate them on the device and redact them wherever this file is shared.
#
# NOTE(review): 12.1X44 is an old release train - confirm its support status
# and outstanding security advisories with the vendor.
version 12.1X44-D35.5;
system {
    host-name sml-c-r1;
    root-authentication {
        encrypted-password "$1$UkmfO.Kd$XLr555MP5Sg4.2LGHLeF"; ## SECRET-DATA
    }
    # NOTE(review): no `login` stanza is visible, so root appears to be the only
    # account, and `ssh` carries no root-login, protocol-version or rate-limit
    # restriction. Because the single security zone below accepts all system
    # services on the ISP-facing interfaces, SSH is presumably reachable from
    # the Internet. Prefer named per-admin accounts with key authentication,
    # then restrict root login over SSH.
    services {
        ssh;
    }
    # Logging is local only (no remote `host` target is configured), with a
    # small archive of 3 files of 100k each.
    # NOTE(review): interactive-commands are recorded at `error` only, so
    # successful operator commands presumably leave no audit trail; consider
    # logging them at `any` and forwarding logs to a remote collector.
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
}
interfaces {
    # ISP1 uplink; IP is carried by the PPPoE session on pp0.0 below.
    fe-0/0/0 {
        description ISP1;
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    # GRE tunnels: two per remote site (YAR, VJZ, ROS), one sourced from the
    # ISP1 address and one from the ISP2.1 address.
    # NOTE(review): GRE itself provides no encryption or authentication, and
    # nothing visible here wraps these tunnels in IPsec (the VPNs below bind to
    # st0.0 only). Unless they are protected elsewhere, the 172.16.x.x transit
    # traffic and the OSPF adjacencies on gr-0/0/0.* cross the provider
    # networks in clear text - confirm.
    gr-0/0/0 {
        unit 0 {
            description SML1-YAR1;
            tunnel {
                source sml_ISP1_addr;
                destination yar_ISP1.1_addr;
            }
            family inet {
                address 172.16.3.1/30;
            }
        }
        unit 1 {
            description SML2-YAR1;
            tunnel {
                source sml_ISP2.1_addr;
                destination yar_ISP1.2_addr;
            }
            family inet {
                address 172.16.3.5/30;
            }
        }
        unit 2 {
            description SML1-VJZ1;
            tunnel {
                source sml_ISP1_addr;
                destination vjz_ISP1.1_addr;
            }
            family inet {
                address 172.16.2.1/30;
            }
        }
        unit 3 {
            description SML2-VJZ1;
            tunnel {
                source sml_ISP2.1_addr;
                destination vjz_ISP1.2_addr;
            }
            family inet {
                address 172.16.2.5/30;
            }
        }
        unit 4 {
            description SML1-ROS1;
            tunnel {
                source sml_ISP1_addr;
                destination ros_ISP1.1_addr;
            }
            family inet {
                address 172.16.4.1/30;
            }
        }
        unit 5 {
            description SML2-ROS1;
            tunnel {
                source sml_ISP2.1_addr;
                destination ros_ISP1.2_addr;
            }
            family inet {
                address 172.16.4.5/30;
            }
        }
    }
    # ISP2 uplink with two addresses in the same /28: the first is the
    # primary/preferred address (GRE source), the second is the IKE
    # local-address used by every gateway below.
    fe-0/0/1 {
        description ISP2;
        unit 0 {
            family inet {
                address sml_ISP2.1_addr/28 {
                    primary;
                    preferred;
                }
                address sml_ISP2.2_addr/28;
            }
        }
    }
    fe-0/0/7 {
        description OPT_SNB;
        unit 0 {
            family inet {
                address 172.16.8.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.68.200.1/32;
            }
        }
    }
    # PPPoE client session for ISP1, running over fe-0/0/0.0.
    # NOTE(review): PAP hands the password to the access concentrator without
    # protecting it; use CHAP if the provider supports it.
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name pppoename;
                    no-rfc2486;
                    local-password "$9$cZblMXg4ZGjH8XgaUimP69Au"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/0.0;
                auto-reconnect 1;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    # Multipoint secure-tunnel interface shared by all five IPsec VPNs.
    st0 {
        unit 0 {
            multipoint;
            family inet {
                address 172.16.68.1/24;
            }
        }
    }
}
routing-options {
    static {
        # Default route via ISP2. The `inactive:` prefix deactivates the PPPoE
        # qualified-next-hop, so pp0.0 is not used as a backup default route.
        route 0.0.0.0/0 {
            next-hop ISP2_gw_addr;
            inactive: qualified-next-hop pp0.0 {
                metric 10;
            }
        }
        # Host routes that pin the ISP1-sourced GRE endpoints to the PPPoE link.
        route yar_ISP1.1_addr/32 next-hop pp0.0;
        route vjz_ISP1.1_addr/32 next-hop pp0.0;
        route ros_ISP1.1_addr/32 next-hop pp0.0;
    }
    router-id 172.16.68.1;
}
protocols {
    # OSPF area 0 over the IPsec multipoint interface, all GRE units, the
    # OPT_SNB link and (passively) lo0. Metrics prefer the ISP1-sourced GRE
    # units (5) over the ISP2-sourced ones (10) and over st0.0 (15).
    # NOTE(review): no `authentication` statement is set on any interface, so
    # adjacencies form with any speaker that reaches these links - including
    # the unencrypted GRE tunnels. Configure OSPF authentication on every
    # non-passive interface.
    ospf {
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2mp;
                metric 15;
                hello-interval 5;
                dead-interval 20;
                dynamic-neighbors;
            }
            interface gr-0/0/0.0 {
                metric 5;
                hello-interval 5;
                dead-interval 20;
            }
            interface gr-0/0/0.1 {
                metric 10;
                hello-interval 5;
                dead-interval 20;
            }
            interface lo0.0 {
                passive;
            }
            interface gr-0/0/0.2 {
                metric 5;
                hello-interval 5;
                dead-interval 20;
            }
            interface gr-0/0/0.3 {
                metric 10;
                hello-interval 5;
                dead-interval 20;
            }
            interface gr-0/0/0.4 {
                metric 5;
                hello-interval 5;
                dead-interval 20;
            }
            interface gr-0/0/0.5 {
                metric 10;
                hello-interval 5;
                dead-interval 20;
            }
            interface fe-0/0/7.0 {
                metric 5;
                priority 255;
                hello-interval 5;
                dead-interval 20;
            }
        }
    }
}
security {
    ike {
        # One IKE policy, and therefore one pre-shared key, serves all five
        # gateways: disclosure of the key at any single site exposes every
        # tunnel.
        # NOTE(review): aggressive mode with a pre-shared key exposes material
        # that permits offline guessing of the key, and the predefined `basic`
        # proposal set is the weakest one Junos offers (DES / DH group 1 per
        # vendor documentation - confirm for this release). Prefer a custom
        # proposal with current algorithms, per-peer keys or certificates, and
        # long random keys if PSKs must stay.
        policy ike_pol_1 {
            mode aggressive;
            proposal-set basic;
            pre-shared-key ascii-text "$9$5T6COBRSlvJG"; ## SECRET-DATA
        }
        # Peers are matched by IKE hostname identity rather than by address
        # (`dynamic hostname`); all gateways terminate on fe-0/0/1.0 using the
        # secondary ISP2 address.
        gateway SML-GUS-R1 {
            ike-policy ike_pol_1;
            dynamic hostname SML-GUS-R1;
            external-interface fe-0/0/1.0;
            local-address sml_ISP2.2_addr;
        }
        gateway SML-YAR-R1 {
            ike-policy ike_pol_1;
            dynamic hostname SML-YAR-R1;
            external-interface fe-0/0/1.0;
            local-address sml_ISP2.2_addr;
        }
        gateway SML-VJZ-R1 {
            ike-policy ike_pol_1;
            dynamic hostname SML-VJZ-R1;
            external-interface fe-0/0/1.0;
            local-address sml_ISP2.2_addr;
        }
        gateway SML-ROS-R1 {
            ike-policy ike_pol_1;
            dynamic hostname SML-ROS-R1;
            external-interface fe-0/0/1.0;
            local-address sml_ISP2.2_addr;
        }
        gateway SML-SNB-R1 {
            ike-policy ike_pol_1;
            dynamic hostname SML-SNB-R1;
            external-interface fe-0/0/1.0;
            local-address sml_ISP2.2_addr;
        }
    }
    ipsec {
        # NOTE(review): this proposal sets only an authentication algorithm.
        # No encryption-algorithm is configured; verify on the device what ESP
        # actually negotiates - if it is null encryption, the st0 tunnels give
        # integrity without confidentiality. No lifetime is set either.
        proposal ipsec_proposal_1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
        }
        # No perfect-forward-secrecy statement is present in this policy.
        policy ipsec_pol_1 {
            proposals ipsec_proposal_1;
        }
        # The five VPN stanzas below are identical apart from the gateway name.
        # NOTE(review): `no-anti-replay` turns off ESP replay protection on
        # every tunnel. If it was added to work around packet reordering,
        # document that reason; otherwise remove it.
        vpn SML2-GUS2 {
            bind-interface st0.0;
            ike {
                gateway SML-GUS-R1;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec_pol_1;
            }
            establish-tunnels immediately;
        }
        vpn SML2-YAR2 {
            bind-interface st0.0;
            ike {
                gateway SML-YAR-R1;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec_pol_1;
            }
            establish-tunnels immediately;
        }
        vpn SML2-VJZ2 {
            bind-interface st0.0;
            ike {
                gateway SML-VJZ-R1;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec_pol_1;
            }
            establish-tunnels immediately;
        }
        vpn SML2-ROS2 {
            bind-interface st0.0;
            ike {
                gateway SML-ROS-R1;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec_pol_1;
            }
            establish-tunnels immediately;
        }
        vpn SML2-SNB2 {
            bind-interface st0.0;
            ike {
                gateway SML-SNB-R1;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy ipsec_pol_1;
            }
            establish-tunnels immediately;
        }
    }
    # MSS clamp for all TCP sessions; presumably sized for GRE/IPsec overhead.
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
        }
    }
    # NOTE(review): this is the only policy and the zone below is the only
    # zone, so the firewall permits any traffic between any two interfaces.
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    # NOTE(review): the ISP-facing interfaces (fe-0/0/0.0, pp0.0, fe-0/0/1.0)
    # share the `trust` zone with the tunnel and internal interfaces, and the
    # zone accepts all system services and all protocols destined to the
    # device. Combined with the permit-any policy above, there is no filtering
    # between the Internet and the internal side, and the management plane is
    # exposed on the uplinks. Move the uplinks into a separate untrust zone
    # whose host-inbound-traffic allows only what the tunnels need (e.g. ike),
    # and write explicit inter-zone policies. No screen options are visible.
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
                pp0.0;
                fe-0/0/1.0;
                st0.0;
                gr-0/0/0.0;
                gr-0/0/0.1;
                lo0.0;
                gr-0/0/0.2;
                gr-0/0/0.3;
                gr-0/0/0.4;
                gr-0/0/0.5;
                fe-0/0/7.0;
            }
        }
    }
}