/* Junos configuration for SRX100 "srx100-1", acting as a group-VPN member.
   Original was exported on a single line; re-indented here in the conventional
   brace layout with review annotations placed before the statements they refer to.
   The "## SECRET-DATA" markers are emitted by the device and mark sensitive values. */
system {
    host-name srx100-1;
    time-zone America/New_York;
    root-authentication {
        /* "$1$" prefix is an MD5-crypt hash. The hash is present in this exported
           configuration, so the export itself must be handled as sensitive material;
           rotate the credential if the export has been shared. */
        encrypted-password "$1$oUXzXPAp$sVIYk6F.hCXwXVdBobJ9B."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    login {
        /* Single local super-user account; same MD5-crypt note as root-authentication. */
        user chaynes {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$/37dz2or$0McSMIugTNX4C/IuVE7Qa."; ## SECRET-DATA
            }
        }
    }
    services {
        /* SSH is the only management service enabled under [system services].
           Which interfaces actually accept it is decided by host-inbound-traffic
           in [security zones] below. */
        ssh;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* "authorization info" records login/authentication events locally;
               no remote syslog host is configured in this snippet. */
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* Single time source, no NTP authentication configured here. Time is
           relevant to the CRL refresh and IKE lifetimes below. */
        server 192.5.41.40;
    }
}
interfaces {
    fe-0/0/0 {
        vlan-tagging;
        /* Presumably lowered to leave room for tunnel encapsulation -- TODO confirm. */
        mtu 1400;
        unit 10 {
            vlan-id 10;
            family inet {
                /* Inside (trust) side, see zone trust. */
                address 172.16.1.1/24;
            }
        }
        unit 100 {
            vlan-id 100;
            family inet {
                /* Outside (untrust) side; default route points out of this subnet. */
                address 172.16.100.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* Used as the group-VPN external interface and IKE local-address. */
                address 10.0.0.2/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.100.254;
        /* Host routes to the other group-VPN participants' loopbacks;
           10.0.0.4 is the IKE gateway address configured under security group-vpn. */
        route 10.0.0.3/32 next-hop 172.16.100.3;
        route 10.0.0.4/32 next-hop 172.16.100.4;
    }
    router-id 172.16.1.1;
}
security {
    pki {
        /* NOTE(review): ca-profile cc-ca is not referenced by any other statement
           in this configuration; the group-VPN IKE proposal uses pre-shared keys. */
        ca-profile cc-ca {
            ca-identity centracomm.net;
            revocation-check {
                crl {
                    /* CRL fetched over plain HTTP; acceptable for CRLs since the
                       list is signed by the CA. Refresh interval is in hours. */
                    url http://10.200.15.20/centracomm.crl;
                    refresh-interval 48;
                }
            }
            administrator {
                email-address "noc@centracomm.net";
            }
        }
    }
    group-vpn {
        member {
            ike {
                proposal srv-prop {
                    authentication-method pre-shared-keys;
                    /* group2, sha1 and 3des-cbc are legacy choices; stronger
                       algorithms should be preferred where the group server peer
                       supports them. */
                    dh-group group2;
                    authentication-algorithm sha1;
                    encryption-algorithm 3des-cbc;
                }
                policy ike-pol {
                    mode main;
                    proposals srv-prop;
                    /* "$9$" is Junos reversible obfuscation, not a hash: anyone
                       holding this configuration text can recover the key. */
                    pre-shared-key ascii-text "$9$VSw2af5Fn9AmfEyleW8ZUD"; ## SECRET-DATA
                }
                gateway ike-gateway {
                    ike-policy ike-pol;
                    /* Group server reached via the static host route above. */
                    address 10.0.0.4;
                    local-address 10.0.0.2;
                }
            }
            ipsec {
                vpn group-vpn {
                    ike-gateway ike-gateway;
                    group-vpn-external-interface lo0.0;
                    group 1;
                }
            }
        }
    }
    flow {
        /* Datapath tracing is a troubleshooting aid, bounded to 3 x 5m files and
           limited by the packet-filter; disable when not actively debugging. */
        traceoptions {
            file gvpn-flow size 5m files 3;
            flag basic-datapath;
            packet-filter gvpn {
                source-prefix 172.16.1.50/32;
                destination-prefix 172.16.30.0/24;
            }
        }
    }
    policies {
        /* NOTE(review): policy names read inverted relative to their direction --
           "allow-in" is trust->untrust and "allow-out" is untrust->trust.
           Both match any/any/any, so the only enforcement is that traffic
           is handled by the group-VPN tunnel. */
        from-zone trust to-zone untrust {
            policy allow-in {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-group-vpn group-vpn;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-group-vpn group-vpn;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            /* Intra-zone any/any permit without the tunnel action. */
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* permit-all inverts the deny-by-default posture: every flow not matched
           by an explicit policy (here trust->trust, and any zone added later) is
           permitted. deny-all is the usual setting. */
        default-policy {
            permit-all;
        }
        dynamic-policy {
            enable;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address 172.16.1.0/24 172.16.1.0/24;
            }
            interfaces {
                fe-0/0/0.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address 172.16.0.0/18 172.16.0.0/18;
                address 172.16.30.0/24 172.16.30.0/24;
            }
            /* Zone-level "all" admits every system service toward the device on
               untrust interfaces that have no interface-level override; lo0.0
               below has none and so inherits it. Restricting this to the services
               actually needed is the safer setting. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.100 {
                    /* Interface-level list, which supersedes the zone-level "all"
                       for this interface -- TODO confirm for this release. */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
                lo0.0;
            }
        }
    }
}