root# show | no-more ## Last changed: 2015-05-18 12:50:07 UTC version 12.1X47-D20.7; system { root-authentication { encrypted-password "$1$u9icECto$pEq9Q7knaz.BysjLGNpD0."; ## SECRET-DATA } services { ssh; web-management { http { interface ge-0/0/0.0; } } } syslog { user * { any emergency; } file messages { any any; authorization info; } file interactive-commands { interactive-commands any; } } license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { ge-0/0/0 { unit 0; } ge-0/0/1 { unit 0 { family inet { address 172.25.61.152/24; } } } st0 { unit 0 { family inet { address 10.0.0.4/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 172.25.61.2; } } security { ike { traceoptions { file IKE.log; flag all; } proposal ike_Prop { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm aes-256-cbc; } policy ike_Pol { mode main; proposals ike_Prop; pre-shared-key ascii-text "$9$BIh1SeLX-w2aNdHqPfzFSrleLx"; ## SECRET-DATA } gateway ikeGW_Real { ike-policy ike_Pol; address 172.25.61.149; dead-peer-detection; external-interface ge-0/0/1.0; } } ipsec { traceoptions { flag all; } proposal ipsec_Prop { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-256-cbc; } policy ipsec_Pol { perfect-forward-secrecy { keys group2; } proposals ipsec_Prop; } vpn toReal { bind-interface st0.0; ike { gateway ikeGW_Real; ipsec-policy ipsec_Pol; } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; queue-size 2000; ## Warning: 'queue-size' is deprecated timeout 20; } land; } } } policies { from-zone trust to-zone trust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone untrust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy default-deny { match { source-address any; destination-address any; application any; } then { deny; } } } } zones { security-zone trust { tcp-rst; host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { st0.0; } } security-zone untrust { screen untrust-screen; host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/1.0; } } } } [edit]