root@vsrx-turin> show configuration | display set set version 12.1X47-D15.4 set system host-name vsrx-turin set system root-authentication encrypted-password "$1$9JIHgfwn$18rUTCSgRbe/KsHoCMh3W." set system services ssh set system services web-management http interface ge-0/0/0.0 set system syslog user * any emergency set system syslog file messages any any set system syslog file messages authorization info set system syslog file interactive-commands interactive-commands any set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval set system ntp server 7.7.7.7 set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.254/24 set interfaces ge-0/0/1 unit 0 family inet address 93.12.12.23/28 set interfaces st0 unit 1 family inet set routing-options static route 0.0.0.0/0 next-hop 93.12.12.24 set routing-options static route 192.168.100.0/24 next-hop st0.1 set security ike proposal IKE_PROPOSAL_01 authentication-method pre-shared-keys set security ike proposal IKE_PROPOSAL_01 dh-group group5 set security ike proposal IKE_PROPOSAL_01 authentication-algorithm sha-384 set security ike proposal IKE_PROPOSAL_01 encryption-algorithm aes-256-cbc set security ike proposal IKE_PROPOSAL_01 lifetime-seconds 86400 set security ike policy IKE_POLICY_UBI mode main set security ike policy IKE_POLICY_UBI proposals IKE_PROPOSAL_01 set security ike policy IKE_POLICY_UBI pre-shared-key ascii-text "$9$8un7bY24ZH.5gokP5T3nyleKX7Ndb" set security ike gateway IKE_GATEWAY_UBI ike-policy IKE_POLICY_UBI set security ike gateway IKE_GATEWAY_UBI address 74.13.13.11 set security ike gateway IKE_GATEWAY_UBI external-interface ge-0/0/1.0 set security ipsec proposal IPSEC_PROPOSAL_01 protocol esp set security ipsec proposal IPSEC_PROPOSAL_01 authentication-algorithm hmac-sha1-96 set security ipsec proposal IPSEC_PROPOSAL_01 encryption-algorithm aes-256-cbc set security ipsec proposal IPSEC_PROPOSAL_01 lifetime-seconds 3600 set security ipsec policy IPSEC_POLICY_UBI perfect-forward-secrecy keys group5 set security ipsec policy IPSEC_POLICY_UBI proposals IPSEC_PROPOSAL_01 set security ipsec vpn IPSEC_VPN_UBI bind-interface st0.1 set security ipsec vpn IPSEC_VPN_UBI vpn-monitor optimized set security ipsec vpn IPSEC_VPN_UBI ike gateway IKE_GATEWAY_UBI set security ipsec vpn IPSEC_VPN_UBI ike ipsec-policy IPSEC_POLICY_UBI set security ipsec vpn IPSEC_VPN_UBI establish-tunnels immediately set security address-book global address n192.168.100.0_24 192.168.100.0/24 set security address-book global address n192.168.20.0_24 192.168.20.0/24 set security screen ids-option untrust-screen icmp ping-death set security screen ids-option untrust-screen ip source-route-option set security screen ids-option untrust-screen ip tear-drop set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 set security screen ids-option untrust-screen tcp syn-flood queue-size 2000 set security screen ids-option untrust-screen tcp syn-flood timeout 20 set security screen ids-option untrust-screen tcp land set security policies from-zone trust to-zone trust policy default-permit match source-address any set security policies from-zone trust to-zone trust policy default-permit match destination-address any set security policies from-zone trust to-zone trust policy default-permit match application any set security policies from-zone trust to-zone trust policy default-permit then permit set security policies from-zone trust to-zone untrust policy default-permit match source-address any set security policies from-zone trust to-zone untrust policy default-permit match destination-address any set security policies from-zone trust to-zone untrust policy default-permit match application any set security policies from-zone trust to-zone untrust policy default-permit then permit set security policies from-zone untrust to-zone trust policy default-deny match source-address any set security policies from-zone untrust to-zone trust policy default-deny match destination-address any set security policies from-zone untrust to-zone trust policy default-deny match application any set security policies from-zone untrust to-zone trust policy default-deny then deny set security policies from-zone trust to-zone vpn policy VPN_UBI description "policy-based VPN to reach UBI banca networks" set security policies from-zone trust to-zone vpn policy VPN_UBI match source-address n192.168.20.0_24 set security policies from-zone trust to-zone vpn policy VPN_UBI match destination-address n192.168.100.0_24 set security policies from-zone trust to-zone vpn policy VPN_UBI match application any set security policies from-zone trust to-zone vpn policy VPN_UBI then permit set security zones security-zone trust tcp-rst set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike set security zones security-zone vpn interfaces st0.1 root@vsrx-turin>