=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.04.06 14:15:17 =~=~=~=~=~=~=~=~=~=~=~= show configuration | no-more ## Last commit: 2012-04-06 11:21:20 UTC by root version 10.4R3.4; system { host-name Branch-1; root-authentication { encrypted-password "$1$FwC65bkt$NSyODjrw7ZISa8UVyybMg/"; ## SECRET-DATA } } interfaces { fe-0/0/0 { unit 0 { family inet { address 100.1.1.1/30; } } } fe-0/0/1 { unit 0 { family inet { address 192.168.1.1/24; } } } st0 { unit 0 { family inet { address 172.16.1.3/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 100.1.1.2; route 10.20.30.0/24 reject; } } protocols { ospf { export adv-direct; area 0.0.0.100 { interface st0.0; } } } policy-options { policy-statement adv-direct { from { protocol static; route-filter 10.20.30.0/24 exact; } then accept; } } security { ike { policy phase-1 { proposal-set standard; pre-shared-key ascii-text "$9$bjY4JikP36AGD6Ap0hcbs2"; ## SECRET-DATA } gateway to-HO { ike-policy phase-1; address 200.1.1.1; external-interface fe-0/0/0.0; } } ipsec { policy phase-2 { proposal-set standard; } vpn to-HO { bind-interface st0.0; ike { gateway to-HO; ipsec-policy phase-2; } } } nat { static { rule-set 1 { from zone untrust; rule 1 { match { destination-address 10.20.30.0/24; } then { static-nat prefix 192.168.1.0/24; } } } } } zones { security-zone trust { address-book { address b1 192.168.1.0/24; } interfaces { fe-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone untrust { address-book { address ho 10.10.10.0/24; address b2 192.168.2.0/24; } host-inbound-traffic { system-services { ike; ping; } } interfaces { fe-0/0/0.0; st0.0 { host-inbound-traffic { protocols { ospf; } } } } } } policies { from-zone trust to-zone untrust { policy t2u { match { source-address b1; destination-address [ ho b2 ]; application any; } then { permit; } } } from-zone untrust to-zone trust { policy u2t { match { source-address [ ho b2 ]; destination-address b1; application any; } then { permit; } } } } flow { traceoptions { file test; flag basic-datapath; packet-filter 1 { source-prefix 192.168.1.2/32; destination-prefix 10.10.10.2/32; } packet-filter 2 { source-prefix 10.10.10.2/32; destination-prefix 192.168.1.2/32; } packet-filter 3 { source-prefix 192.168.1.2/32; destination-prefix 192.168.2.2/32; } packet-filter 4 { source-prefix 192.168.2.2/32; destination-prefix 192.168.1.2/32; } packet-filter 5 { source-prefix 192.168.2.0/24; destination-prefix 10.20.30.0/24; } packet-filter 6 { source-prefix 10.20.30.0/24; destination-prefix 192.168.2.0/24; } } } } root@Branch-1> root@Branch-1> show configuration | no-more display set | no-more set version 10.4R3.4 set system host-name Branch-1 set system root-authentication encrypted-password "$1$FwC65bkt$NSyODjrw7ZISa8UVyybMg/" set interfaces fe-0/0/0 unit 0 family inet address 100.1.1.1/30 set interfaces fe-0/0/1 unit 0 family inet address 192.168.1.1/24 set interfaces st0 unit 0 family inet address 172.16.1.3/24 set routing-options static route 0.0.0.0/0 next-hop 100.1.1.2 set routing-options static route 10.20.30.0/24 reject set protocols ospf export adv-direct set protocols ospf area 0.0.0.100 interface st0.0 set policy-options policy-statement adv-direct from protocol static set policy-options policy-statement adv-direct from route-filter 10.20.30.0/24 exact set policy-options policy-statement adv-direct then accept set security ike policy phase-1 proposal-set standard set security ike policy phase-1 pre-shared-key ascii-text "$9$bjY4JikP36AGD6Ap0hcbs2" set security ike gateway to-HO ike-policy phase-1 set security ike gateway to-HO address 200.1.1.1 set security ike gateway to-HO external-interface fe-0/0/0.0 set security ipsec policy phase-2 proposal-set standard set security ipsec vpn to-HO bind-interface st0.0 set security ipsec vpn to-HO ike gateway to-HO set security ipsec vpn to-HO ike ipsec-policy phase-2 set security nat static rule-set 1 from zone untrust set security nat static rule-set 1 rule 1 match destination-address 10.20.30.0/24 set security nat static rule-set 1 rule 1 then static-nat prefix 192.168.1.0/24 set security zones security-zone trust address-book address b1 192.168.1.0/24 set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone untrust address-book address ho 10.10.10.0/24 set security zones security-zone untrust address-book address b2 192.168.2.0/24 set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust host-inbound-traffic system-services ping set security zones security-zone untrust interfaces fe-0/0/0.0 set security zones security-zone untrust interfaces st0.0 host-inbound-traffic protocols ospf set security policies from-zone trust to-zone untrust policy t2u match source-address b1 set security policies from-zone trust to-zone untrust policy t2u match destination-address ho set security policies from-zone trust to-zone untrust policy t2u match destination-address b2 set security policies from-zone trust to-zone untrust policy t2u match application any set security policies from-zone trust to-zone untrust policy t2u then permit set security policies from-zone untrust to-zone trust policy u2t match source-address ho set security policies from-zone untrust to-zone trust policy u2t match source-address b2 set security policies from-zone untrust to-zone trust policy u2t match destination-address b1 set security policies from-zone untrust to-zone trust policy u2t match application any set security policies from-zone untrust to-zone trust policy u2t then permit set security flow traceoptions file test set security flow traceoptions flag basic-datapath set security flow traceoptions packet-filter 1 source-prefix 192.168.1.2/32 set security flow traceoptions packet-filter 1 destination-prefix 10.10.10.2/32 set security flow traceoptions packet-filter 2 source-prefix 10.10.10.2/32 set security flow traceoptions packet-filter 2 destination-prefix 192.168.1.2/32 set security flow traceoptions packet-filter 3 source-prefix 192.168.1.2/32 set security flow traceoptions packet-filter 3 destination-prefix 192.168.2.2/32 set security flow traceoptions packet-filter 4 source-prefix 192.168.2.2/32 set security flow traceoptions packet-filter 4 destination-prefix 192.168.1.2/32 set security flow traceoptions packet-filter 5 source-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 5 destination-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 6 source-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 6 destination-prefix 192.168.2.0/24 root@Branch-1> show route | no-more inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:02:51 > to 100.1.1.2 via fe-0/0/0.0 10.10.10.0/24 *[OSPF/150] 00:02:18, metric 0, tag 0 > via st0.0 10.20.30.0/24 *[Static/5] 00:03:29 Reject 100.1.1.0/30 *[Direct/0] 00:02:51 > via fe-0/0/0.0 100.1.1.1/32 *[Local/0] 00:02:55 Local via fe-0/0/0.0 172.16.1.0/24 *[Direct/0] 00:03:11 > via st0.0 [OSPF/10] 00:03:06, metric 1 > via st0.0 172.16.1.3/32 *[Local/0] 00:03:11 Local via st0.0 192.168.1.0/24 *[Direct/0] 00:02:51 > via fe-0/0/1.0 192.168.1.1/32 *[Local/0] 00:02:55 Local via fe-0/0/1.0 192.168.2.0/24 *[OSPF/150] 00:02:18, metric 0, tag 0 > via st0.0 224.0.0.5/32 *[OSPF/10] 00:03:29, metric 1 MultiRecv root@Branch-1> [edit] root@Branch-2# run show configuration | n display set | no-more set version 11.2R1.10 set system host-name Branch-2 set system root-authentication encrypted-password "$1$LOTv554v$0Lknh21S5CApxQdQWCSDs/" set system services ssh set interfaces ge-0/0/0 unit 0 family inet address 150.1.1.1/30 set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24 set interfaces st0 unit 0 family inet address 172.16.1.4/24 set routing-options static route 0.0.0.0/0 next-hop 150.1.1.2 set protocols ospf export adv-direct set protocols ospf area 0.0.0.100 interface st0.0 set policy-options policy-statement adv-direct from protocol direct set policy-options policy-statement adv-direct from interface ge-0/0/1.0 set policy-options policy-statement adv-direct then accept set security ike policy phase-1 proposal-set standard set security ike policy phase-1 pre-shared-key ascii-text "$9$WPNXNVgoGqmTwYmTz3tpWLx" set security ike gateway to-Ho ike-policy phase-1 set security ike gateway to-Ho address 200.1.1.1 set security ike gateway to-Ho external-interface ge-0/0/0.0 set security ipsec policy phase-2 proposal-set standard set security ipsec vpn to-Ho bind-interface st0.0 set security ipsec vpn to-Ho ike gateway to-Ho set security ipsec vpn to-Ho ike ipsec-policy phase-2 set security flow traceoptions file test set security flow traceoptions flag basic-datapath set security flow traceoptions packet-filter 1 source-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 1 destination-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 2 source-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 2 destination-prefix 10.20.30.0/24 set security policies from-zone trust to-zone untrust policy t2u match source-address b2 set security policies from-zone trust to-zone untrust policy t2u match destination-address b1 set security policies from-zone trust to-zone untrust policy t2u match destination-address ho set security policies from-zone trust to-zone untrust policy t2u match application any set security policies from-zone trust to-zone untrust policy t2u then permit set security policies from-zone untrust to-zone trust policy u2t match source-address ho set security policies from-zone untrust to-zone trust policy u2t match source-address b1 set security policies from-zone untrust to-zone trust policy u2t match destination-address b2 set security policies from-zone untrust to-zone trust policy u2t match application any set security policies from-zone untrust to-zone trust policy u2t then permit set security zones security-zone trust address-book address b2 192.168.2.0/24 set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone untrust address-book address b1 10.20.30.0/24 set security zones security-zone untrust address-book address ho 192.168.1.0/24 set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces st0.0 host-inbound-traffic protocols ospf [edit] root@Branch-2# run show configuration | no-more ## Last commit: 2012-04-06 07:55:29 UTC by root version 11.2R1.10; system { host-name Branch-2; root-authentication { encrypted-password "$1$LOTv554v$0Lknh21S5CApxQdQWCSDs/"; ## SECRET-DATA } services { ssh; } } interfaces { ge-0/0/0 { unit 0 { family inet { address 150.1.1.1/30; } } } ge-0/0/1 { unit 0 { family inet { address 192.168.2.1/24; } } } st0 { unit 0 { family inet { address 172.16.1.4/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 150.1.1.2; } } protocols { ospf { export adv-direct; area 0.0.0.100 { interface st0.0; } } } policy-options { policy-statement adv-direct { from { protocol direct; interface ge-0/0/1.0; } then accept; } } security { ike { policy phase-1 { proposal-set standard; pre-shared-key ascii-text "$9$WPNXNVgoGqmTwYmTz3tpWLx"; ## SECRET-DATA } gateway to-Ho { ike-policy phase-1; address 200.1.1.1; external-interface ge-0/0/0.0; } } ipsec { policy phase-2 { proposal-set standard; } vpn to-Ho { bind-interface st0.0; ike { gateway to-Ho; ipsec-policy phase-2; } } } flow { traceoptions { file test; flag basic-datapath; packet-filter 1 { source-prefix 10.20.30.0/24; destination-prefix 192.168.2.0/24; } packet-filter 2 { source-prefix 192.168.2.0/24; destination-prefix 10.20.30.0/24; } } } policies { from-zone trust to-zone untrust { policy t2u { match { source-address b2; destination-address [ b1 ho ]; application any; } then { permit; } } } from-zone untrust to-zone trust { policy u2t { match { source-address [ ho b1 ]; destination-address b2; application any; } then { permit; } } } } zones { security-zone trust { address-book { address b2 192.168.2.0/24; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone untrust { address-book { address b1 10.20.30.0/24; address ho 192.168.1.0/24; } interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ike; ping; } } } st0.0 { host-inbound-traffic { protocols { ospf; } } } } } } } [edit] root@Branch-2# run show route | no-more inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 01:46:19 > to 150.1.1.2 via ge-0/0/0.0 10.20.30.0/24 *[OSPF/150] 00:02:49, metric 0, tag 0 > via st0.0 150.1.1.0/30 *[Direct/0] 01:46:19 > via ge-0/0/0.0 150.1.1.1/32 *[Local/0] 01:57:58 Local via ge-0/0/0.0 172.16.1.0/24 *[Direct/0] 01:57:57 > via st0.0 [OSPF/10] 01:57:53, metric 1 > via st0.0 172.16.1.4/32 *[Local/0] 01:57:57 Local via st0.0 192.168.1.0/24 *[OSPF/150] 00:37:00, metric 0, tag 0 > via st0.0 192.168.2.0/24 *[Direct/0] 01:42:52 > via ge-0/0/1.0 192.168.2.1/32 *[Local/0] 01:57:57 Local via ge-0/0/1.0 224.0.0.5/32 *[OSPF/10] 01:57:58, metric 1 MultiRecv [edit] root@Branch-2# [edit] root@HO# run show configuration | no-more display set | no-more set version 11.4R1.6 set system host-name HO set system root-authentication encrypted-password "$1$DZrBpmkR$31pSDJqb89QwiK.eTfobb0" set interfaces ge-0/0/0 unit 0 family inet address 200.1.1.1/30 set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 set interfaces st0 unit 0 family inet address 172.16.1.1/24 set interfaces st0 unit 1 family inet address 172.16.1.2/24 set routing-options static route 0.0.0.0/0 next-hop 200.1.1.2 set routing-options rib-groups myrib import-rib B1.inet.0 set routing-options rib-groups myrib import-rib inet.0 set protocols ospf export to-rest set protocols ospf area 0.0.0.100 interface st0.1 set policy-options policy-statement adv-direct term 1 from protocol static set policy-options policy-statement adv-direct term 1 from route-filter 10.10.10.0/24 exact set policy-options policy-statement adv-direct term 1 then accept set policy-options policy-statement adv-direct term 2 from protocol direct set policy-options policy-statement adv-direct term 2 from interface ge-0/0/1.0 set policy-options policy-statement adv-direct term 2 then accept set policy-options policy-statement ho-direct from instance master set policy-options policy-statement ho-direct from protocol direct set policy-options policy-statement ho-direct from interface ge-0/0/1.0 set policy-options policy-statement ho-direct then accept set policy-options policy-statement to-b1 from instance B1 set policy-options policy-statement to-b1 from protocol static set policy-options policy-statement to-b1 from route-filter 10.10.10.0/24 exact set policy-options policy-statement to-b1 then accept set policy-options policy-statement to-b1-2 from protocol ospf set policy-options policy-statement to-b1-2 from route-filter 192.168.2.0/24 exact set policy-options policy-statement to-b1-2 then accept set policy-options policy-statement to-rest term 1 from protocol direct set policy-options policy-statement to-rest term 1 from interface ge-0/0/1.0 set policy-options policy-statement to-rest term 1 then accept set policy-options policy-statement to-rest term 2 from route-filter 10.20.30.0/24 exact set policy-options policy-statement to-rest term 2 then accept set security ike policy phase-1 proposal-set standard set security ike policy phase-1 pre-shared-key ascii-text "$9$ecwML7wYojHm-VHmfT/9evW" set security ike gateway branch-1 ike-policy phase-1 set security ike gateway branch-1 address 100.1.1.1 set security ike gateway branch-1 external-interface ge-0/0/0.0 set security ike gateway branch-2 ike-policy phase-1 set security ike gateway branch-2 address 150.1.1.1 set security ike gateway branch-2 external-interface ge-0/0/0.0 set security ipsec policy phase-2 proposal-set standard set security ipsec vpn to-b1 bind-interface st0.0 set security ipsec vpn to-b1 ike gateway branch-1 set security ipsec vpn to-b1 ike ipsec-policy phase-2 set security ipsec vpn to-b2 bind-interface st0.1 set security ipsec vpn to-b2 ike gateway branch-2 set security ipsec vpn to-b2 ike ipsec-policy phase-2 set security flow traceoptions file test set security flow traceoptions flag basic-datapath set security flow traceoptions flag all set security flow traceoptions packet-filter 1 source-prefix 192.168.1.2/32 set security flow traceoptions packet-filter 1 destination-prefix 10.20.30.2/32 set security flow traceoptions packet-filter 2 source-prefix 10.20.30.2/32 set security flow traceoptions packet-filter 2 destination-prefix 192.168.1.2/32 set security flow traceoptions packet-filter 3 source-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 3 destination-prefix 10.10.10.0/24 set security flow traceoptions packet-filter 4 source-prefix 10.10.10.0/24 set security flow traceoptions packet-filter 4 destination-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 5 source-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 5 destination-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 6 source-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 6 destination-prefix 10.20.30.0/24 set security flow traceoptions packet-filter 7 source-prefix 192.168.1.0/24 set security flow traceoptions packet-filter 7 destination-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 8 source-prefix 192.168.2.0/24 set security flow traceoptions packet-filter 8 destination-prefix 192.168.1.0/24 set security nat static rule-set 1 from zone b1 set security nat static rule-set 1 rule 1 match destination-address 10.10.10.0/24 set security nat static rule-set 1 rule 1 then static-nat prefix 192.168.1.0/24 set security nat static rule-set 1 rule 1 then static-nat prefix routing-instance default set security policies from-zone trust to-zone untrust policy t2u match source-address ho set security policies from-zone trust to-zone untrust policy t2u match destination-address b1 set security policies from-zone trust to-zone untrust policy t2u match destination-address b2 set security policies from-zone trust to-zone untrust policy t2u match application any set security policies from-zone trust to-zone untrust policy t2u then permit set security policies from-zone untrust to-zone trust policy u2t match source-address b1 set security policies from-zone untrust to-zone trust policy u2t match source-address b2 set security policies from-zone untrust to-zone trust policy u2t match destination-address ho set security policies from-zone untrust to-zone trust policy u2t match application any set security policies from-zone untrust to-zone trust policy u2t then permit set security policies from-zone untrust to-zone untrust policy u2u match source-address any set security policies from-zone untrust to-zone untrust policy u2u match destination-address any set security policies from-zone untrust to-zone untrust policy u2u match application any set security policies from-zone untrust to-zone untrust policy u2u then permit set security policies from-zone trust to-zone b1 policy ho-b1 match source-address ho set security policies from-zone trust to-zone b1 policy ho-b1 match destination-address b1 set security policies from-zone trust to-zone b1 policy ho-b1 match application any set security policies from-zone trust to-zone b1 policy ho-b1 then permit set security policies from-zone trust to-zone b2 policy ho-rest match source-address ho set security policies from-zone trust to-zone b2 policy ho-rest match destination-address b2 set security policies from-zone trust to-zone b2 policy ho-rest match application any set security policies from-zone trust to-zone b2 policy ho-rest then permit set security policies from-zone b1 to-zone trust policy b1-ho match source-address b1 set security policies from-zone b1 to-zone trust policy b1-ho match destination-address ho set security policies from-zone b1 to-zone trust policy b1-ho match application any set security policies from-zone b1 to-zone trust policy b1-ho then permit set security policies from-zone b2 to-zone trust policy rest-ho match source-address b2 set security policies from-zone b2 to-zone trust policy rest-ho match destination-address ho set security policies from-zone b2 to-zone trust policy rest-ho match application any set security policies from-zone b2 to-zone trust policy rest-ho then permit set security policies from-zone b1 to-zone b2 policy b1-b2 match source-address b1 set security policies from-zone b1 to-zone b2 policy b1-b2 match destination-address b2 set security policies from-zone b1 to-zone b2 policy b1-b2 match application any set security policies from-zone b1 to-zone b2 policy b1-b2 then permit set security policies from-zone b2 to-zone b1 policy b2-b1 match source-address b2 set security policies from-zone b2 to-zone b1 policy b2-b1 match destination-address b1 set security policies from-zone b2 to-zone b1 policy b2-b1 match application any set security policies from-zone b2 to-zone b1 policy b2-b1 then permit set security zones security-zone trust address-book address ho 192.168.1.0/24 set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone untrust address-book address b1 10.20.30.0/24 set security zones security-zone untrust address-book address b2 192.168.2.0/24 set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone b1 address-book address b1 10.20.30.0/24 set security zones security-zone b1 interfaces st0.0 host-inbound-traffic protocols ospf set security zones security-zone b2 address-book address b2 192.168.2.0/24 set security zones security-zone b2 interfaces st0.1 host-inbound-traffic protocols ospf set routing-instances B1 instance-type virtual-router set routing-instances B1 interface st0.0 set routing-instances B1 routing-options static route 10.10.10.0/24 reject set routing-instances B1 routing-options instance-import ho-direct set routing-instances B1 protocols ospf rib-group myrib set routing-instances B1 protocols ospf export to-b1 set routing-instances B1 protocols ospf export to-b1-2 set routing-instances B1 protocols ospf area 0.0.0.100 interface st0.0 [edit] root@HO# run show configuration | no-more ## Last commit: 2012-04-06 16:32:33 UTC by root version 11.4R1.6; system { host-name HO; root-authentication { encrypted-password "$1$DZrBpmkR$31pSDJqb89QwiK.eTfobb0"; ## SECRET-DATA } } interfaces { ge-0/0/0 { unit 0 { family inet { address 200.1.1.1/30; } } } ge-0/0/1 { unit 0 { family inet { address 192.168.1.1/24; } } } st0 { unit 0 { family inet { address 172.16.1.1/24; } } unit 1 { family inet { address 172.16.1.2/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 200.1.1.2; } rib-groups { myrib { import-rib [ B1.inet.0 inet.0 ]; } } } protocols { ospf { export to-rest; area 0.0.0.100 { interface st0.1; } } } policy-options { policy-statement adv-direct { term 1 { from { protocol static; route-filter 10.10.10.0/24 exact; } then accept; } term 2 { from { protocol direct; interface ge-0/0/1.0; } then accept; } } policy-statement ho-direct { from { instance master; protocol direct; interface ge-0/0/1.0; } then accept; } policy-statement to-b1 { from { instance B1; protocol static; route-filter 10.10.10.0/24 exact; } then accept; } policy-statement to-b1-2 { from { protocol ospf; route-filter 192.168.2.0/24 exact; } then accept; } policy-statement to-rest { term 1 { from { protocol direct; interface ge-0/0/1.0; } then accept; } term 2 { from { route-filter 10.20.30.0/24 exact; } then accept; } } } security { ike { policy phase-1 { proposal-set standard; pre-shared-key ascii-text "$9$ecwML7wYojHm-VHmfT/9evW"; ## SECRET-DATA } gateway branch-1 { ike-policy phase-1; address 100.1.1.1; external-interface ge-0/0/0.0; } gateway branch-2 { ike-policy phase-1; address 150.1.1.1; external-interface ge-0/0/0.0; } } ipsec { policy phase-2 { proposal-set standard; } vpn to-b1 { bind-interface st0.0; ike { gateway branch-1; ipsec-policy phase-2; } } vpn to-b2 { bind-interface st0.1; ike { gateway branch-2; ipsec-policy phase-2; } } } flow { traceoptions { file test; flag basic-datapath; flag all; packet-filter 1 { source-prefix 192.168.1.2/32; destination-prefix 10.20.30.2/32; } packet-filter 2 { source-prefix 10.20.30.2/32; destination-prefix 192.168.1.2/32; } packet-filter 3 { source-prefix 10.20.30.0/24; destination-prefix 10.10.10.0/24; } packet-filter 4 { source-prefix 10.10.10.0/24; destination-prefix 10.20.30.0/24; } packet-filter 5 { source-prefix 10.20.30.0/24; destination-prefix 192.168.2.0/24; } packet-filter 6 { source-prefix 192.168.2.0/24; destination-prefix 10.20.30.0/24; } packet-filter 7 { source-prefix 192.168.1.0/24; destination-prefix 192.168.2.0/24; } packet-filter 8 { source-prefix 192.168.2.0/24; destination-prefix 192.168.1.0/24; } } } nat { static { rule-set 1 { from zone b1; rule 1 { match { destination-address 10.10.10.0/24; } then { static-nat prefix 192.168.1.0/24 routing-instance default; } } } } } policies { from-zone trust to-zone untrust { policy t2u { match { source-address ho; destination-address [ b1 b2 ]; application any; } then { permit; } } } from-zone untrust to-zone trust { policy u2t { match { source-address [ b1 b2 ]; destination-address ho; application any; } then { permit; } } } from-zone untrust to-zone untrust { policy u2u { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone b1 { policy ho-b1 { match { source-address ho; destination-address b1; application any; } then { permit; } } } from-zone trust to-zone b2 { policy ho-rest { match { source-address ho; destination-address b2; application any; } then { permit; } } } from-zone b1 to-zone trust { policy b1-ho { match { source-address b1; destination-address ho; application any; } then { permit; } } } from-zone b2 to-zone trust { policy rest-ho { match { source-address b2; destination-address ho; application any; } then { permit; } } } from-zone b1 to-zone b2 { policy b1-b2 { match { source-address b1; destination-address b2; application any; } then { permit; } } } from-zone b2 to-zone b1 { policy b2-b1 { match { source-address b2; destination-address b1; application any; } then { permit; } } } } zones { security-zone trust { address-book { address ho 192.168.1.0/24; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone untrust { address-book { address b1 10.20.30.0/24; address b2 192.168.2.0/24; } interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ike; ping; } } } } } security-zone b1 { address-book { address b1 10.20.30.0/24; } interfaces { st0.0 { host-inbound-traffic { protocols { ospf; } } } } } security-zone b2 { address-book { address b2 192.168.2.0/24; } interfaces { st0.1 { host-inbound-traffic { protocols { ospf; } } } } } } } routing-instances { B1 { instance-type virtual-router; interface st0.0; routing-options { static { route 10.10.10.0/24 reject; } instance-import ho-direct; } protocols { ospf { rib-group myrib; export [ to-b1 to-b1-2 ]; area 0.0.0.100 { interface st0.0; } } } } } [edit] root@HO# run show route | no-more inet.0: 10 destinations, 12 routes (10 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 01:47:11 > to 200.1.1.2 via ge-0/0/0.0 10.20.30.0/24 *[OSPF/150] 00:03:41, metric 0, tag 0 > via st0.0 172.16.1.0/24 *[Direct/0] 02:04:52 > via st0.1 [OSPF/10] 01:10:59, metric 1 > via st0.1 [OSPF/10] 00:31:37, metric 1 > via st0.0 172.16.1.2/32 *[Local/0] 02:04:52 Local via st0.1 192.168.1.0/24 *[Direct/0] 01:41:16 > via ge-0/0/1.0 192.168.1.1/32 *[Local/0] 02:04:52 Local via ge-0/0/1.0 192.168.2.0/24 *[OSPF/150] 01:43:44, metric 0, tag 0 > via st0.1 200.1.1.0/30 *[Direct/0] 01:47:12 > via ge-0/0/0.0 200.1.1.1/32 *[Local/0] 02:04:52 Local via ge-0/0/0.0 224.0.0.5/32 *[OSPF/10] 02:04:54, metric 1 MultiRecv B1.inet.0: 12 destinations, 14 routes (12 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:53:03 > to 200.1.1.2 via ge-0/0/0.0 10.10.10.0/24 *[Static/5] 01:05:11 Reject 10.20.30.0/24 *[OSPF/150] 00:03:41, metric 0, tag 0 > via st0.0 172.16.1.0/24 *[Direct/0] 01:10:59 > via st0.0 [Direct/0] 00:53:03 > via st0.1 [OSPF/10] 00:31:37, metric 1 > via st0.0 172.16.1.1/32 *[Local/0] 01:10:59 Local via st0.0 172.16.1.2/32 *[Local/0] 00:53:03 Local via st0.1 192.168.1.0/24 *[Direct/0] 00:53:03 > via ge-0/0/1.0 192.168.1.1/32 *[Local/0] 00:53:03 Local via ge-0/0/1.0 192.168.2.0/24 *[OSPF/150] 00:53:03, metric 0, tag 0 > via st0.1 200.1.1.0/30 *[Direct/0] 00:53:03 > via ge-0/0/0.0 200.1.1.1/32 *[Local/0] 00:53:03 Local via ge-0/0/0.0 224.0.0.5/32 *[OSPF/10] 01:10:59, metric 1 MultiRecv [edit]