## Last changed: 2021-03-06 08:48:20 GMT version 19.4R3-S1.3; system { host-name STFWHQ; root-authentication { encrypted-password "XXX"; } services { ssh { root-login allow; sftp-server; } telnet; xnm-clear-text; web-management { http { interface [ ge-0/0/12.0 ge-0/0/15.0 ]; } session { idle-timeout 1440; session-limit 7; } } } domain-name root; backup-router 192.168.0.1; time-zone GMT; name-server { 8.8.8.8; 8.8.4.4; } name-resolution { no-resolve-on-input; } syslog { archive size 100k files 3; user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } file ids { any any; match RT_IDS; archive world-readable; structured-data; } file traffic-log { any any; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } ntp { server us.ntp.pool.org; } } chassis { alarm { management-ethernet { link-down ignore; } } } security { log { mode event; format syslog; } ike { policy ike-dyn-vpn-policy { mode aggressive; proposal-set standard; pre-shared-key ascii-text "XXX"; } policy ike-policy-stvpn { mode aggressive; proposal-set standard; pre-shared-key ascii-text "XXX"; } gateway dyn-vpn-local-gw { ike-policy ike-dyn-vpn-policy; dynamic { hostname dynvpn; connections-limit 10; ike-user-type group-ike-id; } external-interface ge-0/0/2.0; aaa { access-profile dyn-vpn-access-profile; } } gateway ike-gate-stvpn { ike-policy ike-policy-stvpn; address XXX; external-interface ge-0/0/2.0; } } ipsec { policy ipsec-dyn-vpn-policy { proposal-set standard; } policy ipsec-policy-stvpn { proposal-set standard; } vpn dyn-vpn { ike { gateway dyn-vpn-local-gw; ipsec-policy ipsec-dyn-vpn-policy; } } vpn ipsec-vpn-stvpn { ike { gateway ike-gate-stvpn; ipsec-policy ipsec-policy-stvpn; } establish-tunnels immediately; } } alg { h323 disable; sccp disable; sip disable; } dynamic-vpn { access-profile dyn-vpn-access-profile; clients { all { remote-protected-resources { 192.168.0.0/19; 10.10.0.0/24; 192.169.0.0/24; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn dyn-vpn; user { } } } } flow { traceoptions { file lt-testing; flag basic-datapath; packet-filter 1 { source-prefix 10.10.0.2/32; destination-prefix 192.168.0.2/32; } } tcp-mss { all-tcp { mss 1452; } } } screen { } nat { } policies { from-zone Internal-vdsl to-zone Internet-vdsl { policy Internal_vdsl_to_Internet_vdsl { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internet-vdsl to-zone Internal-vdsl { policy Internet_vdsl_to_Internal_vdsl { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internal-vf1 to-zone Internet-vf1 { policy Internal-vf1-to-Internet-v1 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internet-vf2 to-zone Internal-vf2 { policy Internet-vf2-to-Internal-vf2 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internal-vf2 to-zone Internet-vf2 { policy Internal-vf2-to-Internet-vf2 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internet-vf1 to-zone Internal-vf1 { policy internet-vf1-to-internal-vf1 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internet-vf3 to-zone Internal-vf3 { policy vpnpolicy-Internet-vf3-Internal-vf3-stvpn { match { source-address net-stvpn_192-169-0-0--24; destination-address net-stvpn_192-168-0-0--19; application any; } then { permit { tunnel { ipsec-vpn ipsec-vpn-stvpn; pair-policy vpnpolicy-Internal-vf3-Internet-vf3-stvpn; } } } } policy dyn-vpn-policy { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn dyn-vpn; } } } } policy Internet-vf3-to-Internal-vf3 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internal-vf3 to-zone Internet-vf3 { policy vpnpolicy-Internal-vf3-Internet-vf3-stvpn { match { source-address net-stvpn_192-168-0-0--19; destination-address net-stvpn_192-169-0-0--24; application any; } then { permit { tunnel { ipsec-vpn ipsec-vpn-stvpn; pair-policy vpnpolicy-Internet-vf3-Internal-vf3-stvpn; } } } } policy Internal-vf3-to-Internet-vf3 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internet-vdsl to-zone Internet-vf1 { policy guest-to-Internet-vf-1 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone guest to-zone Internet-vf1 { policy guest-to-Internet-vf1 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internal-vdsl to-zone Internal-vf3 { policy Internal-vdsl-to-Internal-vf3 { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone Internal-vf3 to-zone Internal-vdsl { policy Internal-vf3-to-Internal-vdsl { match { source-address any; destination-address any; application any; } then { permit; } } } global { policy default { match { source-address any; destination-address any; application any; dynamic-application any; } then { permit; } } } } zones { security-zone Internet-vdsl { screen screen-vdsl; host-inbound-traffic { system-services { ping; ike; } } interfaces { pp0.0; } } security-zone Internal-vdsl { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/12.0; lt-0/0/0.1; } } security-zone Internet-vf1 { screen screen-vf1; host-inbound-traffic { system-services { dhcp; } } interfaces { ge-0/0/0.0; } } security-zone Internal-vf1 { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/13.0; } } security-zone Internet-vf2 { screen screen-vf2; host-inbound-traffic { system-services { dhcp; } } interfaces { ge-0/0/1.0; } } security-zone Internal-vf2 { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/14.0; } } security-zone Internal-vf3 { address-book { address net-stvpn_192-168-0-0--19 192.168.0.0/19; } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/15.0; lt-0/0/0.2; } } security-zone Internet-vf3 { address-book { address net-stvpn_192-169-0-0--24 192.169.0.0/24; } screen screen-vf3; host-inbound-traffic { system-services { dhcp; https; ike; ping; } } interfaces { ge-0/0/2.0; } } security-zone guest { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/7.0; } } } } interfaces { ge-0/0/0 { unit 0 { family inet { dhcp; } } } lt-0/0/0 { unit 1 { encapsulation ethernet; peer-unit 2; family inet { address 10.20.30.1/30; } } unit 2 { encapsulation ethernet; peer-unit 1; family inet { address 10.20.30.2/30; } } } ge-0/0/1 { unit 0 { family inet { dhcp; } } } ge-0/0/2 { unit 0 { family inet { dhcp; } } } ge-0/0/7 { unit 0 { family inet { address 192.168.199.1/24; } } } ge-0/0/12 { unit 0 { family inet { address 10.10.0.1/24; } } } ge-0/0/13 { unit 0 { family inet { address 10.10.1.1/24; } } } ge-0/0/14 { unit 0 { family inet { address 192.168.0.254/19; } } } ge-0/0/15 { unit 0 { family inet { address 192.168.0.1/19; } } } pt-1/0/0 { vlan-tagging; vdsl-options { vdsl-profile auto; } unit 0 { encapsulation ppp-over-ether; vlan-id 7; } } pp0 { unit 0 { ppp-options { chap { default-chap-secret "XXX"; local-name "XXX"; passive; } } pppoe-options { underlying-interface pt-1/0/0.0; idle-timeout 0; auto-reconnect 120; client; } family inet { mtu 1492; negotiate-address; } } } } policy-options { policy-statement p1 { from { instance vdsl; protocol direct; } then accept; } policy-statement p2 { from { instance vf-3; protocol direct; } then accept; } } access { profile dyn-vpn-access-profile { address-assignment { pool dyn-vpn-address-pool; } } address-assignment { pool dyn-vpn-address-pool { family inet { network 10.10.10.0/24; xauth-attributes { primary-dns 1.1.1.1/32; } } } } firewall-authentication { web-authentication { default-profile dyn-vpn-access-profile; } } } routing-instances { vdsl { protocols { ospf { area 0.0.0.0 { interface lt-0/0/0.1; } traceoptions { file vdsl; flag all; } export p1; } } interface lt-0/0/0.1; interface ge-0/0/12.0; interface pt-1/0/0.0; interface pp0.0; instance-type virtual-router; routing-options { static { route 0.0.0.0/0 next-hop pp0.0; route 10.10.1.0/24 next-hop 10.10.0.2; } } } vf-1 { interface ge-0/0/0.0; interface ge-0/0/7.0; interface ge-0/0/13.0; instance-type virtual-router; system { services { dhcp-local-server { group guest_group { interface ge-0/0/7.0; } } } } access { address-assignment { pool guest-pool { family inet { network 192.168.199.0/24; range guest_range { low 192.168.199.2; high 192.168.199.254; } dhcp-attributes { name-server { 1.1.1.1; } router { 192.168.199.1; } propagate-settings ge-0/0/7.0; } } } } } routing-options { static { route 192.168.0.0/19 next-hop 10.10.1.2; route 10.10.0.0/24 next-hop 10.10.1.2; route 10.0.0.0/24 next-hop 10.10.1.1; } } } vf-2 { interface ge-0/0/1.0; interface ge-0/0/14.0; instance-type virtual-router; routing-options { static { route 192.168.0.0/19 next-hop 10.10.0.2; } } } vf-3 { protocols { ospf { area 0.0.0.0 { interface lt-0/0/0.2; } export p2; } } interface lt-0/0/0.2; interface ge-0/0/2.0; interface ge-0/0/15.0; instance-type virtual-router; routing-options { static { route 10.10.1.0/24 next-hop 192.168.0.2; route 10.10.2.0/24 next-hop 192.168.0.2; } } } } applications { application ssh_2222 { protocol tcp; destination-port 2222; } } protocols { l2-learning { global-mode switching; } rstp { interface all; } } routing-options { static { route 10.10.2.0/24 next-hop 192.168.0.2; route 0.0.0.0/0 next-hop 192.168.0.1; route 192.168.0.0/19 discard; route 10.10.0.0/24 next-hop 192.168.0.2; } }