/*
 * Junos SRX configuration, version 15.1X49-D75.5, host chocolatepudding.
 * The source was collapsed onto a few lines; it is re-indented here and
 * annotated with reviewer notes. Only annotations are added: no statement,
 * value or policy order is changed. Secrets are shown as the sanitized
 * placeholders found in the source.
 */
version 15.1X49-D75.5;
system {
    host-name chocolatepudding;
    domain-name wcoil.com;
    time-zone EST;
    root-authentication {
        encrypted-password "someencrypteddata"; ## SECRET-DATA
    }
    /* No "login" stanza (named user accounts, classes) is visible in this view;
     * root-authentication is the only system credential shown. */
    name-server {
        45.27.2.4;
        45.37.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        /* NOTE(review): telnet is a cleartext management protocol. It is also
         * admitted by the Trust zone's host-inbound-traffic further below, so
         * credentials for this device can cross the LAN unencrypted. ssh is
         * already enabled; telnet looks removable. */
        telnet;
        dhcp-local-server {
            group dhcp-users {
                interface irb.100;
                /* NOTE(review): no "vlan" interface is defined in the interfaces
                 * stanza of this view (the L3 interface for VLAN 100 is irb.100);
                 * vlan.100 is presumably a leftover from an older naming scheme -
                 * confirm and prune. */
                interface vlan.100;
            }
        }
        web-management {
            management-url admin;
            /* NOTE(review): plain http for the management UI alongside https;
             * the Trust zone also admits http inbound. Prefer https only. */
            http;
            https {
                pki-local-certificate chocolate;
            }
            session {
                /* 1440 minutes = 24 h idle timeout for web-management sessions;
                 * long for an administrative UI. */
                idle-timeout 1440;
            }
        }
    }
    syslog {
        /* Local archive only: 3 files of 100k. No remote syslog "host" statement
         * appears in this view, so logs live solely on the device. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file kmd-logs {
            daemon any;
            match KMD;
            allow-duplicates;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    processes {
        general-authentication-service {
            /* NOTE(review): "flag all" debug tracing of the authentication service
             * is left enabled; this is a troubleshooting setting, not a steady-state
             * one, and it can record authentication details to disk. */
            traceoptions {
                flag all;
            }
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    certificates {
        local {
            Staff {
                "-----BEGIN CERTIFICATE----- kajsdfhasdjhadshfasd"
            }
        }
    }
    pki {
        ca-profile juniper-ca {
            ca-identity DIGICERT;
        }
        ca-profile digicert_ca {
            ca-identity digicert;
            /* NOTE(review): revocation checking is disabled for this CA profile,
             * so a revoked certificate chained to it would still validate. */
            revocation-check {
                disable;
            }
        }
    }
    ike {
        /* NOTE(review): full IKE debug tracing left on (10m x 2 files). IKE traces
         * at "flag all" record negotiation details and peer identities; disable once
         * troubleshooting is done. */
        traceoptions {
            file ike-debug size 10m files 2;
            flag all;
        }
        policy ike_pol_wizard_dyn_vpn {
            /* NOTE(review): IKEv1 aggressive mode with a pre-shared key (and a
             * group IKE ID below) exposes the identity exchange in the clear, which
             * is the well-known weakness of this combination. Aggressive mode is
             * typically required by the dynamic-VPN client, so the mitigation is a
             * long random PSK, rotation, and moving clients off this design when
             * possible. */
            mode aggressive;
            /* "compatible" is the legacy proposal set; it includes older
             * cipher/hash choices than "standard". Confirm what the clients can
             * negotiate before tightening. */
            proposal-set compatible;
            pre-shared-key ascii-text "someencrypteddata"; ## SECRET-DATA
        }
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname wcoil;
                connections-limit 50;
                /* One shared PSK for the whole client group; per-user
                 * authentication then relies on the xauth access profile. */
                ike-user-type group-ike-id;
            }
            dead-peer-detection;
            /* Gateway terminates on the internet-facing interface (45.27.153.58/30). */
            external-interface ge-0/0/0.0;
            xauth {
                access-profile remote_access_profile;
            }
        }
    }
    ipsec {
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy {
                /* NOTE(review): DH group2 (1024-bit MODP) for PFS is weak by
                 * current guidance; prefer group14 or higher if the clients allow. */
                keys group2;
            }
            proposal-set compatible;
        }
        /* Policy-based VPN: no bind-interface appears here, so st0.0 (zone VPN,
         * below) is not bound to this VPN within the visible configuration. */
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    alg {
        mgcp disable;
        sccp disable;
        sip disable;
    }
    application-tracking {
        first-update;
    }
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                /* Split-tunnel design: only these prefixes go through the tunnel,
                 * everything else (remote-exceptions 0.0.0.0/0) leaves the client
                 * directly. 8.8.8.8/32 is listed so client DNS to it stays inside
                 * the tunnel - see the matching static route under routing-options. */
                remote-protected-resources {
                    45.27.139.0/24;
                    172.21.2.0/24;
                    172.21.1.0/24;
                    8.8.8.8/32;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    bunch_of_users_in_here
                }
            }
        }
    }
    flow {
        /* NOTE(review): packet-level flow tracing (session, tunnel, host-traffic,
         * route, tcp-basic) is left enabled with five packet filters. This is a
         * debugging aid that costs CPU and disk on a production box; remove when
         * the investigation is over. */
        traceoptions {
            file DebugTraffic size 5m files 2;
            flag basic-datapath;
            flag route;
            flag tcp-basic;
            flag host-traffic;
            flag session;
            flag tunnel;
            packet-filter filter1 {
                source-prefix 45.27.139.0/24;
                destination-prefix 45.27.129.0/24;
            }
            packet-filter filter2 {
                source-prefix 172.21.2.0/24;
            }
            packet-filter filter3 {
                source-prefix 45.27.139.0/24;
                destination-prefix 172.21.2.0/24;
            }
            packet-filter filter4 {
                source-prefix 172.21.2.0/24;
                destination-prefix 45.27.128.0/18;
            }
            packet-filter filter5 {
                source-prefix 172.21.2.0/24;
                destination-prefix 45.27.139.0/24;
            }
        }
    }
    screen {
        /* NOTE(review): this ids-option is defined but no security-zone below
         * carries a "screen untrust-screen;" statement, so none of these checks
         * (ping-death, source-route, tear-drop, syn-flood, land) are active. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface (hide) NAT for everything leaving Trust toward Untrust. */
            rule-set nsw_srcnat {
                from zone Trust;
                to zone Untrust;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        proxy-arp {
            /* NOTE(review): the proxied range .175-.182 covers the dyn-vpn address
             * pool (45.27.139.176/29, i.e. .176-.182) plus .175, but is attached to
             * ge-0/0/0.0 (45.27.153.58/30) while 45.27.139.0/24 is the irb.2 subnet
             * in zone Trust. Confirm that this is the intended interface. */
            interface ge-0/0/0.0 {
                address {
                    45.27.139.175/32 to 45.27.139.182/32;
                }
            }
        }
    }
    policies {
        from-zone Trust to-zone Untrust {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        from-zone Trust to-zone Trust {
            policy Internal_to_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        from-zone VPN to-zone Trust {
            policy VPN-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Trust to-zone VPN {
            policy Internal-to-VPN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN to-zone Untrust {
            policy VPN-to-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Untrust to-zone Trust {
            /* NOTE(review): this policy permits any source, any destination, any
             * application from the Internet into Trust. Trust contains irb.2
             * (45.27.139.1/24, a public range), so every host on that LAN is
             * reachable from the Internet unless something upstream filters.
             * Policies are evaluated first-match, so this entry also shadows the
             * tunnel policy that follows it. Expected shape is a small list of
             * specific destination/application pairs. */
            policy Internet-to-Internal {
                description "some zone";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        from-zone Untrust to-zone Untrust {
            /* NOTE(review): intra-zone Untrust permit bound to the VPN tunnel;
             * presumably added by the dynamic-VPN wizard for client-to-Internet
             * hairpinning - verify it is still needed given remote-exceptions
             * 0.0.0.0/0 already sends client Internet traffic outside the tunnel. */
            policy Untrust_To_Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            /* NOTE(review): "all" opens every system service (ssh, telnet, http,
             * https, dhcp, snmp, ...) to the Internet on ge-0/0/0.0, and the lo0
             * protect_srx filter below is inactive, so nothing limits control-plane
             * access from outside. Restrict this to ike (and only what the VPN
             * needs), and reactivate a loopback filter. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
            application-tracking;
        }
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ping;
                    ntp;
                    /* http and telnet here are the cleartext services noted above. */
                    http;
                    https;
                    ssh;
                    telnet;
                    bootp;
                    traceroute;
                    ike;
                }
            }
            interfaces {
                irb.100;
                irb.2;
            }
        }
        security-zone VPN {
            interfaces {
                /* st0.0 is not bound to any VPN in this view; see the ipsec stanza. */
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            https;
                            dns;
                            ssh;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    /* WAN uplink; the IKE gateway and source NAT both hang off this unit. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 45.27.153.58/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members dhcp-members;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members dhcp-members;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members dhcp-members;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members staff-vlan;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members staff-vlan;
                }
            }
        }
    }
    irb {
        /* VLAN 13 (staff-vlan): public addressing, in zone Trust. */
        unit 2 {
            description vlan2;
            family inet {
                address 45.27.139.1/24;
            }
        }
        /* VLAN 100 (dhcp-members): RFC1918 addressing, served by dhcp-local-server. */
        unit 100 {
            description vlan100;
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    /* NOTE(review): the loopback - and with it the protect_srx input filter that
     * would guard the routing engine - is deactivated. The filter's contents are
     * not in this view; reactivate after confirming it still matches the services
     * the device must accept. */
    inactive: lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect_srx;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
forwarding-options {
    dhcp-relay {
        server-group {
            dhcp-relay-server {
                45.27.128.20;
            }
        }
        active-server-group dhcp-relay-server;
        group staff {
            interface irb.2;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 45.27.153.57;
        /* NOTE(review): next-hop 45.27.139.1 is this device's own irb.2 address.
         * Presumably meant to keep VPN-client DNS to 8.8.8.8 (a protected
         * resource above) on the tunnel path - confirm this is intentional. */
        route 8.8.8.8/32 next-hop 45.27.139.1;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
access {
    /* XAuth profile for the dynamic VPN: local password-only authentication for
     * seven users, no external AAA in this view. Combined with the shared group
     * PSK, a user's password is the only per-person factor. Password values below
     * are sanitized placeholders in the source. */
    profile remote_access_profile {
        authentication-order password;
        client user1 {
            firewall-user {
                password "secret"; ## SECRET-DATA
            }
        }
        client user2 {
            firewall-user {
                password "secret"; ## SECRET-DATA
            }
        }
        client user3 {
            firewall-user {
                password "secret"; ## SECRET-DATA
            }
        }
        client user4 {
            firewall-user {
                password "secrecy"; ## SECRET-DATA
            }
        }
        client user5 {
            firewall-user {
                password "secret"; ## SECRET-DATA
            }
        }
        client user6 {
            firewall-user {
                password "secret"; ## SECRET-DATA
            }
        }
        client user7 {
            firewall-user {
                password "secret"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dhcp-members {
            family inet {
                network 192.168.1.0/24;
                range 192_168_1_0 {
                    low 192.168.1.5;
                    high 192.168.1.150;
                }
                dhcp-attributes {
                    name-server {
                        45.37.2.3;
                        45.37.8.7;
                        8.8.8.8;
                    }
                    router {
                        192.168.1.1;
                    }
                }
            }
        }
        /* VPN clients are addressed out of the irb.2 LAN range (see proxy-arp). */
        pool dyn-vpn-address-pool {
            family inet {
                network 45.27.139.176/29;
                range 45_27_139_0 {
                    low 45.27.139.176;
                    high 45.27.139.182;
                }
                xauth-attributes {
                    primary-dns 45.37.8.3/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
applications {
    /* Custom application objects. None of them is referenced by a policy in this
     * view (all policies match "application any"). "inactivity-timeout never"
     * means sessions matched by these objects are never aged out. */
    application ssh {
        protocol tcp;
        source-port 22;
        destination-port 22;
        inactivity-timeout never;
    }
    application scotts-pc-ssh {
        protocol tcp;
        destination-port 2022;
    }
    application sshout {
        protocol tcp;
        destination-port 22;
        inactivity-timeout never;
    }
}
vlans {
    dhcp-members {
        vlan-id 100;
        l3-interface irb.100;
    }
    staff-vlan {
        vlan-id 13;
        l3-interface irb.2;
    }
}