root@FW02> show configuration
# Junos 12.1 SRX chassis-cluster configuration (two nodes, FW01/FW02) with
# three redundant Ethernet interfaces, OSPF, and a dynamic (remote-access)
# IPsec VPN. Re-indented from a single-line dump; every statement is the
# original. Review notes are marked "# NOTE(review)".
#
# NOTE(review): every credential below ("$1$" root hash, "$9$" IKE pre-shared
# key and firewall-user passwords) is exposed in this dump. The "$9$" form is
# Junos obfuscation, not a one-way hash, so treat all of them as compromised
# and rotate them; do not paste configurations containing SECRET-DATA publicly.
version 12.1R4.7;
groups {
    # Per-node settings selected by apply-groups "${node}" below: each node
    # gets its own host-name and an out-of-band fxp0 management address.
    node0 {
        system {
            host-name FW01;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.10.1/29;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name FW02;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.10.9/29;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    time-zone GMT+3;
    root-authentication {
        # NOTE(review): "$1$" is an MD5-crypt hash and it is published here;
        # rotate the root password.
        encrypted-password "$1$zbBnYv1k$h/kNYPLR.KT8FjHX.IE/W/"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        # NOTE(review): telnet and xnm-clear-text are cleartext management
        # protocols; ssh and https are already enabled, so these two appear
        # unnecessary and should be removed.
        telnet;
        xnm-clear-text;
        web-management {
            # NOTE(review): cleartext HTTP J-Web is bound to every reth
            # interface, including reth1.0 which sits in zone untrust (see
            # security zones below, where untrust permits system-services all).
            # Keep only https, and only on the management-facing interfaces.
            http {
                interface [ reth0.0 reth1.0 reth2.0 vlan.200 ];
            }
            https {
                system-generated-certificate;
                interface [ reth0.0 reth2.0 vlan.200 reth1.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        # Session (RT_FLOW) log; the only place policy hits are recorded.
        # NOTE(review): world-readable makes the session log readable by any
        # local account; 1000k x default file count gives little retention,
        # so forward it to a remote syslog host if session history matters.
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 3;
        # Node 0 is preferred (priority 100 vs 1) in every redundancy group.
        # RG1 carries reth0/reth1, RG2 carries reth2; a monitored link failure
        # (weight 255) on a node triggers failover of that group.
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/5 weight 255;
                ge-5/0/5 weight 255;
                ge-0/0/6 weight 255;
                ge-5/0/6 weight 255;
            }
        }
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 2 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/15 weight 255;
                ge-5/0/15 weight 255;
            }
        }
    }
}
interfaces {
    # Physical members: ge-0/0/x on node0, ge-5/0/x on node1.
    # reth0 = trust (10.30.30.0/24), reth1 = untrust (10.40.40.0/24),
    # reth2 = DMZ (10.200.200.0/24); zone membership is set under security zones.
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/15 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/15 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    # Cluster fabric (data) links, one physical port per node.
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.30.30.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.40.40.1/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                address 10.200.200.254/24;
            }
        }
    }
    # vlan.200 has family inet but no address; it is listed as an HTTP/HTTPS
    # J-Web interface above and is the L3 interface of vlan-200 below, but it
    # is not placed in any security zone in this dump.
    vlan {
        unit 200 {
            family inet;
        }
    }
}
routing-options {
    static {
        # Default route points out of the reth1 (untrust) subnet.
        route 0.0.0.0/0 next-hop 10.40.40.253;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface reth0.0;
            interface reth2.0;
        }
        # NOTE(review): OSPF area 0.0.0.1 runs on reth1.0, the untrust-zone
        # interface, and no authentication statement appears under any OSPF
        # interface in this dump. Add OSPF authentication (e.g. md5) on these
        # interfaces or mark reth1.0 passive if no neighbor is expected there.
        area 0.0.0.1 {
            interface reth1.0;
        }
    }
    stp;
}
security {
    ike {
        policy ike-dyn-vpn-policy {
            # NOTE(review): aggressive mode with a pre-shared key sends the
            # identity hash in the clear, which allows offline guessing of
            # the PSK. Juniper's dynamic-VPN examples use this mode; if it
            # must stay, use a long random PSK and rotate the one shown here,
            # since its "$9$" form is reversible and now public.
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$pztt01ErlKXNbFneW8LN-ikq"; ## SECRET-DATA
        }
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            # Group IKE ID "dynvpn" shared by all remote clients; at most two
            # concurrent connections, matching the two users defined below.
            dynamic {
                hostname dynvpn;
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            external-interface reth1;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    address-book {
        global {
            # NOTE(review): localserverad is defined but not referenced by any
            # policy below; every policy matches source/destination "any".
            address localserverad 10.200.200.0/24;
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            all {
                # Split tunnel: only the DMZ subnet (reth2) is sent through
                # the VPN; remote-exceptions 0.0.0.0/0 leaves all other
                # client traffic outside the tunnel.
                remote-protected-resources {
                    10.200.200.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    user1;
                    user2;
                }
            }
        }
    }
    policies {
        # NOTE(review): every zone pair below is any/any/any permit and
        # default-policy is permit-all, so this firewall currently enforces no
        # traffic filtering between trust, untrust and DMZ. In particular
        # UN_DMZ lets the untrust zone reach the DMZ in the clear, which is
        # the same subnet the VPN is meant to protect. Replace these with
        # explicit source/destination/application matches and set
        # default-policy deny-all, logging session-init/session-close.
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone untrust {
            policy DMZ-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone trust {
            policy DMZ-TRUST-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone DMZ {
            policy UN_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            # Tunnel policy for the dynamic VPN. NOTE(review): it matches
            # any/any/any, yet the protected resource (10.200.200.0/24) is
            # the DMZ zone, not trust; confirm this pairing is intended.
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
        default-policy {
            permit-all;
        }
        policy-rematch;
    }
    zones {
        # NOTE(review): all three zones allow host-inbound system-services all
        # and protocols all at zone level, and the per-interface lists repeat
        # individual services that "all" already covers (redundant). On the
        # untrust interface this exposes telnet, http, xnm-clear-text and the
        # routing protocols configured above to the outside; restrict reth1.0
        # to ike plus whatever management is actually needed (e.g. ssh, ping).
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ike;
                            https;
                            ping;
                            ssh;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            http;
                            https;
                            telnet;
                            all;
                            dhcp;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone DMZ {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ssh;
                            ping;
                            traceroute;
                            dns;
                        }
                    }
                }
            }
        }
    }
}
access {
    # XAuth users for the dynamic VPN and the address pool handed to clients.
    profile dyn-vpn-access-profile {
        client user1 {
            firewall-user {
                # NOTE(review): "$9$" is reversible obfuscation; this password
                # is now public and must be changed.
                password "$9$ikmT36ABRS1Rb24oGU"; ## SECRET-DATA
            }
        }
        client user2 {
            firewall-user {
                # NOTE(review): same as user1 — rotate.
                password "$9$D7iqfz3901hO1dsg4ZG"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                # Clients receive addresses from inside the DMZ subnet itself
                # (.80-.100) and the DMZ DNS server 10.200.200.22.
                network 10.200.200.0/24;
                range dvpn-range {
                    low 10.200.200.80;
                    high 10.200.200.100;
                }
                xauth-attributes {
                    primary-dns 10.200.200.22/32;
                }
            }
        }
    }
    firewall-authentication {
        # Web-auth falls back to the same profile (and passwords) as the VPN.
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
vlans {
    vlan-200 {
        vlan-id 200;
        l3-interface vlan.200;
    }
}