## Junos configuration for host "srx3600": two interfaces (ge-0/0/0 in zone
## untrust, ge-0/0/1 in zone trust), static routing, and two policy-based
## IPsec VPNs to dynamic-hostname peers that share one IKE policy.
## Statements are unchanged from the original paste; only layout and "##"
## review comments were added.
## NOTE(review): interface addresses are masked (x./y.), but the password
## hashes and the IKE pre-shared key are published in full. Treat all three
## secrets as exposed and rotate them on any device that used them.
## Last commit: 2011-03-10 07:33:32 UTC by lab
## NOTE(review): 10.4R1.9 with a 2011 commit date. Confirm the release still
## receives vendor fixes before reusing this configuration.
version 10.4R1.9;
system {
    host-name srx3600;
    root-authentication {
        ## "$1$" is the MD5-crypt hash format. It is weak against offline
        ## guessing, so re-set the password with a stronger hash format if the
        ## release offers one.
        encrypted-password "$1$juuHqQiP$50qRss6RsVyMCetJbwUWo."; ## SECRET-DATA
    }
    name-server {
        10.1.2.8;
        202.96.209.6;
    }
    login {
        ## Single local account with full privileges, and the same MD5-crypt
        ## format as root.
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$xxLlr6xJ$a1FZ.PxYC.5kInUZI6Mqh."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        ## telnet carries credentials and session data in cleartext; ssh is
        ## already enabled above and can replace it.
        telnet;
        web-management {
            ## Plain HTTP management, bound to both interfaces. ge-0/0/0.0 is
            ## in zone untrust, so the web UI is offered on the outside
            ## interface. Prefer https, limited to the trust-side interface.
            http {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        ## Only local targets are configured in this stanza (user terminals
        ## and two files). There is no remote host, so an attacker with
        ## device access can alter the only copy of the logs.
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ## Outside interface (zone untrust); next hop of the default route.
    ge-0/0/0 {
        unit 0 {
            family inet {
                address y.232.124.40/28;
            }
        }
    }
    ## Inside interface (zone trust).
    ge-0/0/1 {
        mtu 1500;
        unit 0 {
            family inet {
                address x.61.1.3/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop y.232.124.33;
        route 10.0.0.0/8 next-hop x.61.1.12;
    }
}
security {
    ike {
        ## "flag all" tracing is left on and written to file ipsec-vpn.
        ## It is useful while debugging, but it is verbose and records
        ## negotiation detail, so disable it once the tunnels are stable.
        traceoptions {
            file ipsec-vpn;
            flag all;
        }
        ## Phase 1 proposal. Every primitive here is deprecated: DH group1
        ## (768-bit MODP), MD5 and single DES (56-bit key), with a 16-hour
        ## lifetime. Move to stronger values where the release and the peers
        ## support them, e.g. group14 / sha-256 / aes-256-cbc.
        proposal p1 {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 57600;
        }
        ## Aggressive mode with a pre-shared key does not protect peer
        ## identities, and a captured exchange allows offline guessing of the
        ## key. Use a long random key, or certificate authentication.
        ## Both gateways below reference this policy and so share one key.
        ## "$9$" is Junos's reversible obfuscation, not a one-way hash.
        policy ike-policy1 {
            mode aggressive;
            proposals p1;
            pre-shared-key ascii-text "$9$QoP3nAuIRSrvLn/dw24UD69Au1hlK8-dsM8UH"; ## SECRET-DATA
        }
        ## Peers are identified by IKE hostname instead of a fixed address.
        gateway ike-gate {
            ike-policy ike-policy1;
            dynamic hostname jn-lcruanjianxueyuan-zbt-hw;
            external-interface ge-0/0/0;
        }
        gateway ike-gate-1 {
            ike-policy ike-policy1;
            dynamic hostname jn-test;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        ## Full tracing is also left enabled for IPsec.
        traceoptions {
            flag all;
        }
        ## Phase 2 proposal: ESP with single DES and HMAC-MD5-96, the same
        ## deprecated primitives as phase 1. Prefer AES with an HMAC-SHA
        ## variant where the peers allow it.
        proposal p2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 57600;
        }
        ## PFS is enabled but uses group1, so the rekey exchange is only as
        ## strong as the 768-bit group.
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals p2;
        }
        vpn ike-vpn {
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-test {
            ike {
                gateway ike-gate-1;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address local-net x.61.1.0/24;
                address server-net 10.0.0.0/8;
            }
            interfaces {
                ge-0/0/1.0 {
                    ## Every system service is accepted from the inside.
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address remote-net x.51.96.0/28;
                address remote-net-test x.51.96.16/28;
            }
            interfaces {
                ge-0/0/0.0 {
                    ## "all" on the untrust interface exposes every enabled
                    ## system service to the outside, including the telnet
                    ## and HTTP management enabled above. VPN termination
                    ## needs only "ike"; list any others explicitly.
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            ## Tunnel policies come first so VPN-bound traffic matches them
            ## before the catch-all "Internet" policy.
            policy vpn-policy-to-Nortel {
                match {
                    source-address [ local-net server-net ];
                    destination-address remote-net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn;
                        }
                    }
                }
            }
            policy vpn-policy-test {
                match {
                    source-address [ local-net server-net ];
                    destination-address remote-net-test;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-test;
                        }
                    }
                }
            }
            ## Catch-all any/any permit with no logging action configured.
            policy Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            ## Inbound tunnel policies let each /28 remote network reach
            ## local-net and all of 10.0.0.0/8 on any application.
            ## NOTE(review): narrow the destinations and applications to
            ## what the remote sites actually need.
            policy vpn-policy-to-SRX {
                match {
                    source-address remote-net;
                    destination-address [ local-net server-net ];
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn;
                        }
                    }
                }
            }
            ## NOTE(review): "von-" looks like a typo for "vpn-". The name is
            ## only a label, so it is left as written.
            policy von-policy-srx-test {
                match {
                    source-address remote-net-test;
                    destination-address [ local-net server-net ];
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-test;
                        }
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ## NOTE(review): mss 1500 equals the interface MTU. A TCP MSS
            ## that fits a 1500-byte MTU is at most 1460 before ESP overhead,
            ## so this value likely clamps nothing. A lower value was
            ## probably intended; confirm against the tunnel overhead.
            ipsec-vpn {
                mss 1500;
            }
        }
    }
}
## CLI prompt captured with the paste; not part of the configuration.
lab@srx3600>