## Last changed: 2014-09-17 10:25:38 GMT+5
/* Junos SRX configuration (12.1X44.3) for a branch firewall ("Stepnex") with one
   site-to-site IPsec VPN to a Telenor peer. Reformatted one statement per line;
   every statement, name and value is unchanged from the original single-line dump.
   Review notes are given as block comments next to the statement they concern. */
version 12.1X44.3;
system {
    host-name Stepnex;
    time-zone GMT+5;
    /* NOTE(review): "$1$" is an MD5-crypt hash; weak against offline guessing if this file leaks.
       Rotating the password on a current release produces a stronger hash format. */
    root-authentication {
        encrypted-password "$1$54sRlLqr$Gt854diNOJXSsaNesnAim1";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        /* Single super-user account with password-only authentication; it is reachable
           over ssh/https on the untrust (Internet-facing) interface, see the untrust zone below. */
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$zO8PGVoR$t91HhopFkjGyk.I6hAeR40";
            }
        }
    }
    services {
        ssh;
        /* NOTE(review): telnet carries credentials in cleartext; it is also admitted on the
           trust interfaces (host-inbound-traffic below). ssh already covers the same use. */
        telnet;
        web-management {
            management-url https://203.215.166.85;
            /* Cleartext http management is limited to the two trust-side interfaces. */
            http {
                interface [ fe-0/0/1.0 fe-0/0/7.0 ];
            }
            /* https is also bound to fe-0/0/0.0, the public /29 interface, with a
               self-signed certificate; no source restriction is visible in this file. */
            https {
                system-generated-certificate;
                interface [ fe-0/0/0.0 fe-0/0/1.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    ntp {
        /* NOTE(review): the public pool is pool.ntp.org (e.g. us.pool.ntp.org); "us.ntp.pool.org"
           looks like a transposed name -- confirm it resolves, otherwise the clock is unsynchronised. */
        server us.ntp.pool.org;
    }
}
interfaces {
    /* fe-0/0/0: public /29 toward the ISP (untrust zone, IKE external interface). */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 203.215.166.85/29;
            }
        }
    }
    /* fe-0/0/1 and fe-0/0/7: internal LANs (trust zone). */
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.10.2/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.68.254/24;
            }
        }
    }
    /* st0.2: route-based VPN tunnel interface bound by ipsec-vpn-telenor. */
    st0 {
        unit 2 {
            family inet;
        }
    }
}
routing-options {
    static {
        /* Only the single remote host is steered into the tunnel; everything else uses the ISP gateway. */
        route 202.69.15.161/32 next-hop st0.2;
        route 0.0.0.0/0 next-hop 203.215.166.81;
    }
}
protocols {
    stp;
}
security {
    ike {
        /* NOTE(review): main mode with a pre-shared key, DH group2 (1024-bit MODP) and SHA-1
           are the weakest options still in common use; move to a larger DH group and SHA-2
           when the Telenor peer supports them (peer capabilities are not visible here). */
        proposal ike-proposal-telenor {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy-telenor {
            mode main;
            proposals ike-proposal-telenor;
            /* NOTE(review): "$9$" is reversible obfuscation, not a hash -- anyone holding this
               file holds the VPN secret. Treat the configuration text itself as sensitive. */
            pre-shared-key ascii-text "$9$aYJi.5QFCAulKv87N2gzFnC0B1RSMXNFnCt";
        }
        gateway ike-gate-telenor {
            ike-policy ike-policy-telenor;
            address 202.69.12.201;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        proposal ipsec-proposal-telenor {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy-telenor {
            proposals ipsec-proposal-telenor;
        }
        vpn ipsec-vpn-telenor {
            bind-interface st0.2;
            /* Tunnel liveness is probed toward the same remote host the static route points at. */
            vpn-monitor {
                optimized;
                source-interface fe-0/0/0;
                destination-ip 202.69.15.161;
            }
            ike {
                gateway ike-gate-telenor;
                /* Proxy IDs are host-to-host: only 172.16.10.8 <-> 202.69.15.161 is negotiated,
                   matching the no-nat rule below. */
                proxy-identity {
                    local 172.16.10.8/32;
                    remote 202.69.15.161/32;
                    service any;
                }
                ipsec-policy ipsec-policy-telenor;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-session {
            /* NOTE(review): disables TCP SYN checking for tunnelled flows, so the firewall no
               longer enforces proper three-way-handshake setup on VPN traffic. Keep only if the
               peer is known to send asymmetric/mid-stream TCP over the tunnel. */
            no-syn-check-in-tunnel;
        }
    }
    nat {
        source {
            /* Exempt the VPN host pair from source NAT so the proxy IDs above are matched. */
            rule-set telenor-no-nat {
                from zone trust;
                to zone TelenorVPN;
                rule no-nat {
                    match {
                        source-address 172.16.10.8/32;
                        destination-address 202.69.15.161/32;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
            /* Interface PAT for all trust -> Internet traffic. No destination NAT is configured,
               so inbound connections from untrust have nothing published to reach. */
            rule-set srcnat {
                from zone trust;
                to zone untrust;
                rule src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Both VPN directions are any/any permit; the proxy IDs are the only effective
           narrowing. Consider restricting to the 172.16.10.8 <-> 202.69.15.161 pair here too. */
        from-zone trust to-zone TelenorVPN {
            policy trust-TelenorVPN-telenor {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone TelenorVPN to-zone trust {
            policy TelenorVPN-trust-telenor {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): this trust -> untrust policy carries the same name as the
           untrust -> trust one below; a distinct name (e.g. AllowAll_trust_untrust)
           avoids confusion in logs and "show security policies" output. */
        from-zone trust to-zone untrust {
            policy AllowAll_untrust_trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): any/any permit from the Internet-facing zone into trust removes the
           firewall's default-deny for inbound traffic. Only the RFC 1918 LANs sit behind it and
           no destination NAT exists, which limits practical exposure, but anything routable to
           the LANs (e.g. from the /29 neighbours or the ISP side) is admitted without inspection
           by policy. Replace with explicit rules, or delete so the implicit deny applies. */
        from-zone untrust to-zone trust {
            policy AllowAll_untrust_trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                /* http and telnet are accepted on both LAN interfaces (see system services). */
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            /* ike is allowed at zone level only. NOTE(review): an interface-level
               host-inbound-traffic list is normally applied in place of the zone-level one for
               that interface, so fe-0/0/0.0 below may not accept peer-initiated IKE at all;
               adding "ike" to the interface list makes the intent explicit either way. */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                /* Management (https, ssh) is reachable from the Internet on the public interface
                   with password-only admin login; no source-address restriction is visible here. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone TelenorVPN {
            interfaces {
                st0.2;
            }
        }
    }
}