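/* Junos 12.1 SRX chassis-cluster configuration: two nodes (node0/node1) sharing one
   config via apply-groups, a WAN side (reth0) terminating five IKEv1 site-to-site VPNs
   to ASA peers on st0.0-st0.4, and a LAN side (reth1). Reformatted one statement per
   line; the only structural changes are the missing "}" that closes "policies" before
   "zones", and removal of a duplicated "st0.2" interface stanza in zone REMOTE-OFFICES. */
version 12.1R5.5;
/* Per-node values (hostname, out-of-band fxp0 address) selected by apply-groups "${node}". */
groups {
    node0 {
        system {
            host-name *********;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.60.128.5/23;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name *********;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.60.128.6/23;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    host-name *********;
    domain-name ********;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "*************************"; ## SECRET-DATA
    }
    name-server {
        10.60.100.4;
        10.60.100.3;
    }
    login {
        message "****************************************************************************************************************************\n ****************************************************************************************************************************";
    }
    services {
        /* No "root-login deny" / "protocol-version v2" under ssh: root may log in directly
           over SSH with the password above, and SSHv1 is not explicitly excluded. */
        ssh;
        /* xnm-clear-text is JUNOScript over plain TCP: credentials and configuration cross
           the network unencrypted. Prefer xnm-ssl, or remove if no tooling depends on it. */
        xnm-clear-text;
        web-management {
            /* Cleartext HTTP management on st0.0 (VPN tunnel to site 1) and on reth0.0 (WAN).
               Zone IL3-WAN does not list http in host-inbound-traffic so reth0.0 should reject
               it, but zone REMOTE-OFFICES allows "all", so HTTP is reachable from the VPN peer. */
            http {
                interface [ st0.0 reth0.0 ];
            }
            /* HTTPS is allowed in on the WAN zone (reth0.0). ge-0/0/3.0 and ge-0/0/4.0 are
               reth child links with no units configured here, and vlan.0 is not a member of
               any security zone below, so those entries presumably have no effect - verify. */
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/3.0 ge-0/0/4.0 reth1.0 reth0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* source-address 10.60.224.1 does not match any interface address configured in
           this file (fxp0 is 10.60.128.x/23, reth1 is 10.45.224.1) - confirm it is valid,
           otherwise remote logging may silently fail. Same for the static route to
           10.60.0.0/16 via 10.60.224.3 below. */
        host 10.60.100.64 {
            any notice;
            source-address 10.60.224.1;
        }
        host 10.68.100.81 {
            any notice;
            source-address 10.60.224.1;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* Session (RT_FLOW) logs archived world-readable on the device: any local login
           class can read traffic metadata. Drop "world-readable" unless required. */
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 10.60.30.201;
        server 10.63.50.1;
    }
}
/* Active/backup cluster: RG0 (routing engine) and RG1 (reth0/reth1 data plane). Each
   monitored link carries weight 255, so loss of any one link fails RG1 over. */
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 99;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 99;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-9/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-9/0/4 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-9/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-9/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-9/0/2;
            }
        }
    }
    /* reth0: WAN side, IKE external interface for all five gateways. */
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.110.248/24;
            }
        }
    }
    /* reth1: LAN side (zone IL3-LAN). */
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.45.224.1/29;
            }
        }
    }
    /* Route-based VPN tunnel interfaces; st0.N is bound to vpn VPN(N+1) under security ipsec. */
    st0 {
        unit 0 {
            family inet {
                address 10.65.1.1/24;
            }
        }
        unit 1 {
            description "VPN2 interface";
            family inet {
                address 10.88.1.1/16;
            }
            family inet6;
        }
        unit 2 {
            description "VPN3 interface";
            family inet {
                address 10.87.1.1/16;
            }
            family inet6;
        }
        unit 3 {
            description "VPN4 interface";
            family inet {
                address 10.86.1.1/16;
            }
            family inet6;
        }
        unit 4 {
            description "VPN5 interface";
            family inet {
                address 10.85.1.1/16;
            }
            family inet6;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
snmp {
    location "IL3 ";
    /* SNMPv2c community with no "clients" restriction: any host that can reach the device
       (including VPN peers, since REMOTE-OFFICES allows all system services) may poll it
       with this string. Add a "clients" list or move to SNMPv3. */
    community wsatrap {
        authorization read-only;
    }
}
routing-options {
    static {
        route 10.68.0.0/16 next-hop st0.0;
        route 10.60.0.0/16 next-hop 10.60.224.3;
        route 10.69.0.0/16 next-hop st0.1;
        route 10.61.0.0/16 next-hop st0.2;
        route 10.62.0.0/16 next-hop st0.3;
        route 10.63.0.0/16 next-hop st0.4;
        route 10.72.0.0/16 next-hop 192.168.110.1;
        route 10.74.0.0/16 next-hop 192.168.110.1;
        route 51.63.26.47/32 next-hop 192.168.110.1;
        route 172.31.254.0/24 next-hop 192.168.110.1;
        route 192.168.63.0/24 next-hop 192.168.110.1;
        route 192.168.69.0/24 next-hop 192.168.110.1;
        route 192.168.120.0/24 next-hop 192.168.110.1;
        route 192.168.130.0/24 next-hop 192.168.110.1;
        route 192.168.140.0/24 next-hop 192.168.110.1;
        route 192.168.150.0/24 next-hop 192.168.110.1;
        route 192.168.160.0/24 next-hop 192.168.110.1;
        route 10.45.0.0/16 next-hop 10.45.224.3;
    }
}
protocols {
    stp;
}
security {
    log {
        cache;
    }
    ike {
        /* Phase 1: IKEv1 main mode, PSK, DH group2 (1024-bit MODP) with SHA-1. group2/SHA-1
           are below current guidance; move to group14 or higher and a SHA-2 algorithm when
           the ASA peers support it. */
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        /* One policy, therefore one pre-shared key, is shared by all five gateways: a key
           compromise at any remote site affects every tunnel. Prefer a policy/PSK per gateway. */
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "***********************"; ## SECRET-DATA
        }
        gateway VPN1-ASA {
            ike-policy ike-phase1-policy;
            address 192.168.130.248;
            local-identity inet 192.168.110.248;
            external-interface reth0;
            version v1-only;
        }
        gateway VPN2-ASA {
            ike-policy ike-phase1-policy;
            address 192.168.120.248;
            local-identity inet 192.168.110.248;
            external-interface reth0;
            version v1-only;
        }
        gateway VPN3-ASA {
            ike-policy ike-phase1-policy;
            address 192.168.160.248;
            local-identity inet 192.168.110.248;
            external-interface reth0;
            version v1-only;
        }
        gateway VPN4-ASA {
            ike-policy ike-phase1-policy;
            address 192.168.150.248;
            local-identity inet 192.168.110.248;
            external-interface reth0;
            version v1-only;
        }
        gateway VPN5-ASA {
            ike-policy ike-phase1-policy;
            address 192.168.140.248;
            local-identity inet 192.168.110.248;
            external-interface reth0;
            version v1-only;
        }
    }
    ipsec {
        /* Phase 2: ESP, HMAC-SHA1-96, AES-128-CBC; PFS uses group5 although Phase 1 uses
           group2 - both sides of that mismatch should be raised together. */
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn VPN1 {
            bind-interface st0.0;
            ike {
                gateway VPN1-ASA;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn VPN2 {
            bind-interface st0.1;
            ike {
                gateway VPN2-ASA;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn VPN3 {
            bind-interface st0.2;
            ike {
                gateway VPN3-ASA;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn VPN4 {
            bind-interface st0.3;
            ike {
                gateway VPN4-ASA;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn VPN5 {
            bind-interface st0.4;
            ike {
                gateway VPN5-ASA;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            description address-objects;
            address REMOTE1 10.69.0.0/16;
            address REMOTE2 10.61.0.0/16;
            address REMOTE3 10.62.0.0/16;
            /* "REMOTE4" is defined twice with different prefixes (10.63.0.0/16 and
               10.68.0.0/16). Junos keeps a single object per name, so one of these prefixes
               is presumably dropped on load and is then missing from ALL-IL3-REMOTE (its
               members are redacted here) - give the 10.68.0.0/16 entry its own name. */
            address REMOTE4 10.63.0.0/16;
            address REMOTE4 10.68.0.0/16;
            address SITE1-WAN 192.168.120.0/24;
            address SITE2-WAN 192.168.130.0/24;
            address SITE3-WAN 192.168.150.0/24;
            address SITE4-WAN 192.168.160.0/24;
            address SITELOCAL-WAN 192.168.110.0/24;
            address TESTLAN 10.45.0.0/16;
            address-set ALL-IL3-REMOTE {
                address ******;
                address **********;
                address *******;
                address ********;
                address ******;
            }
            address-set IL3-WAN {
                **********;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    /* "untrust-screen" is defined but no security-zone references it, so none of these
       checks are active. Apply it to the WAN zone with "screen untrust-screen;" under
       security-zone IL3-WAN. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    /* Both inter-zone policies permit "application any" between TESTLAN and the remote
       sites, with session logging and counting. Nothing is configured between IL3-WAN
       and the other zones, so the implicit default deny applies there. */
    policies {
        from-zone REMOTE-OFFICES to-zone IL3-LAN {
            policy REMOTESITES-TO-IL3 {
                match {
                    source-address ALL-IL3-REMOTE;
                    destination-address TESTLAN;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone IL3-LAN to-zone REMOTE-OFFICES {
            policy IL3-TO-REMOTEOFFICES {
                match {
                    source-address TESTLAN;
                    destination-address ALL-IL3-REMOTE;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        /* WAN zone: only IKE, HTTPS, ping, SSH and traceroute may terminate on the device.
           HTTPS and SSH from the WAN are still device-management exposure; restrict them if
           management is not expected from that side. */
        security-zone IL3-WAN {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                    traceroute;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        /* LAN and VPN zones accept every system service and routing protocol at both the
           zone and interface level. For REMOTE-OFFICES this exposes SSH, HTTP/HTTPS, the
           cleartext JUNOScript service and SNMP to the peer sites; enumerate the services
           actually needed instead of "all". */
        security-zone IL3-LAN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone REMOTE-OFFICES {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            /* One stanza per tunnel unit st0.0-st0.4. */
            interfaces {
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.3 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.4 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone junos-host;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}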