=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.12.19 11:57:19 =~=~=~=~=~=~=~=~=~=~=~=
# Junos configuration in "set" format, captured in a terminal session log.
# It configures a two-interface firewall (trust = ge-0/0/0, untrust = ge-0/0/1)
# that terminates a dynamic (dial-up) IPsec VPN with XAuth user authentication.
# NOTE(review): the platform is presumably an SRX/J-series device; the log does not say.
# NOTE(review): every password hash and obfuscated secret below is exposed by this
# log. Treat them as disclosed and rotate them on any device that used them.

# --- System: accounts and management services ---
set version 10.0R1.8
# "$1$" marks an MD5-crypt password hash; prefer a stronger hash format where the release offers one.
set system root-authentication encrypted-password "$1$f6Bb4s6z$IwNOQNgqOVsE4sTEqXQPd/"
set system name-server 4.2.2.2
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$zIZ..Tt5$KTn2Ku2Q5cKg7QAZEfs7H0"
# SSH is enabled with no interface restriction here; reachability is then decided
# by the per-zone host-inbound-traffic statements further down.
set system services ssh
# Web management runs over cleartext HTTP, bound to the trust-side interface only.
# Admin credentials cross that segment unencrypted; HTTPS web management avoids this.
set system services web-management http interface ge-0/0/0.0

# --- Logging ---
# All logging in the visible config is to local files; no remote syslog host is set.
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
# Only error-level interactive-command events are recorded, not every command entered.
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

# --- Interfaces and routing ---
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
# NOTE(review): 1.1.1.2/24 with next-hop 1.1.1.1 looks like lab addressing; confirm before reuse.
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.2/24
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

# --- IKE (phase 1) ---
# Proposal: pre-shared key, DH group 2, SHA-1, 3DES-CBC, 28800 s lifetime.
# These are legacy parameters; move to stronger groups and ciphers where clients allow.
set security ike proposal pre-g2-3des-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-3des-sha dh-group group2
set security ike proposal pre-g2-3des-sha authentication-algorithm sha1
set security ike proposal pre-g2-3des-sha encryption-algorithm 3des-cbc
set security ike proposal pre-g2-3des-sha lifetime-seconds 28800
# Aggressive mode with a pre-shared key does not protect peer identities, and the
# exchange gives an observer material for offline guessing of the key. The PSK
# therefore has to be long and random, or certificate authentication used instead.
set security ike policy dialup-policy1 mode aggressive
set security ike policy dialup-policy1 proposals pre-g2-3des-sha
# "$9$" is Junos's reversible obfuscation format, not a hash: this value discloses the PSK.
set security ike policy dialup-policy1 pre-shared-key ascii-text "$9$Tz/Cp0BESru07-bs4o/CAtIEM8X"
set security ike gateway dialup-ike ike-policy dialup-policy1
# shared-ike-id: all dial-up users present the same IKE ID and the same PSK (up to
# 10 concurrent connections). Per-user identity comes only from the XAuth profile.
set security ike gateway dialup-ike dynamic user-at-hostname "test2@abc.com"
set security ike gateway dialup-ike dynamic connections-limit 10
set security ike gateway dialup-ike dynamic ike-user-type shared-ike-id
set security ike gateway dialup-ike external-interface ge-0/0/1.0
set security ike gateway dialup-ike xauth access-profile xuth-users

# --- IPsec (phase 2) ---
# ESP with DES-CBC and HMAC-MD5-96: single DES is obsolete and gives no meaningful
# confidentiality against a capable adversary. PFS (group 2) does not compensate.
set security ipsec proposal g2-esp-des-md5 authentication-algorithm hmac-md5-96
set security ipsec proposal g2-esp-des-md5 encryption-algorithm des-cbc
set security ipsec proposal g2-esp-des-md5 lifetime-seconds 3600
set security ipsec policy dialup-policy2 perfect-forward-secrecy keys group2
set security ipsec policy dialup-policy2 proposals g2-esp-des-md5
set security ipsec vpn dialup-vpn ike gateway dialup-ike
set security ipsec vpn dialup-vpn ike ipsec-policy dialup-policy2

# --- Source NAT: trust subnet is translated to the egress interface address ---
set security nat source rule-set internat from zone trust
set security nat source rule-set internat to zone untrust
set security nat source rule-set internat rule r1 match source-address 192.168.1.0/24
set security nat source rule-set internat rule r1 then source-nat interface

# --- Screen (IDS) options, applied to the untrust zone below ---
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

# --- Zone: trust ---
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address local-net 192.168.1.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
# The per-service entries below (http, https, ssh, telnet, dhcp) are redundant
# because "all" is also set on the same interface. Telnet is permitted inbound here,
# although no "system services telnet" statement appears in the visible config.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

# --- Zone: untrust ---
# Every system service and protocol is accepted on the Internet-facing zone and
# interface. Any service enabled on the device (SSH is enabled above with no interface
# restriction) is then reachable from untrust. Terminating the VPN should need only
# the "ike" system service; narrow both the zone-level and interface-level entries.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all

# --- Security policies ---
# No policy in the visible config has a "then log" action, so neither the permitted
# tunnel sessions nor the denied sessions are logged by policy.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
# VPN users get every application to the whole local-net (192.168.1.0/24). Restrict
# the destination and application match if remote users need only specific services.
set security policies from-zone untrust to-zone trust policy dialup-unt-tr match source-address any
set security policies from-zone untrust to-zone trust policy dialup-unt-tr match destination-address local-net
set security policies from-zone untrust to-zone trust policy dialup-unt-tr match application any
set security policies from-zone untrust to-zone trust policy dialup-unt-tr then permit tunnel ipsec-vpn dialup-vpn
# Explicit catch-all deny for untrust-to-trust traffic that is not matched by the tunnel policy.
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
# Sets the TCP MSS to 1350 for IPsec VPN traffic.
set security flow tcp-mss ipsec-vpn mss 1350

# --- XAuth user database (local password authentication) ---
# The "$9$" values are reversible obfuscation, so this log discloses the users'
# passwords. The profile name "xuth-users" matches the gateway's xauth reference above.
set access profile xuth-users authentication-order password
set access profile xuth-users client "test1@abc.com" firewall-user password "$9$1h9ISevMX-b28Xx-Vb2gTzF/p0"
set access profile xuth-users client "test2@abc.com" firewall-user password "$9$wgsoGDjqfQnHq.fTQn6reK8Nd"
set access profile xuth-users client "test3@abc.com" firewall-user password "$9$30S/nA0B1hrK8RhcreK8LGDjq5Q"