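## Last changed: 2011-09-12 11:04:43 UTC
version 10.4R6.5;
/*
 * Branch SRX chassis cluster (branch-pernik-0 / branch-pernik-1).
 * Zones: kxpernik (LAN, reth0), untrust (WAN, reth1), vpn (st0.0 to 1.1.1.2).
 * Review changes relative to the captured config:
 *   - ssh: root-login denied and protocol v2 pinned (was bare "ssh;").
 *   - kxpernik zone: host-inbound-traffic narrowed from all/all to the
 *     services this box actually provides on the LAN (dhcp, ssh, ping).
 *   - IKE pre-shared-key placeholder had an unterminated quote; closed it.
 * Everything else is unchanged; annotations mark points to verify.
 */
groups {
    node0 {
        system {
            host-name branch-pernik-0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.32.1.100/29;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name branch-pernik-1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.32.1.101/29;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    /* root-authentication is mandatory on Junos; it is redacted for
       publication here, not absent from the running configuration. */
    # root-authentication {
    #     encrypted-password "xxxxxxx"; ## SECRET-DATA
    # }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        /* Review: a bare "ssh;" accepts direct root login by default.
           Deny it and pin SSHv2; administer through named accounts. */
        ssh {
            root-login deny;
            protocol-version v2;
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            /* NOTE(review): propagate-settings names ge-0/0/0.0, which is a
               reth0 child with no family configured; the WAN (reth1.0) is
               static. Presumably this statement has no effect — verify. */
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* authorization info records logins/commits. Session and screen
           events are not logged anywhere in this config; add a security
           facility destination if audit of policy hits is required. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            /* Failover when either the LAN or WAN child of a reth goes down. */
            interface-monitor {
                ge-0/0/0 weight 255;
                ge-2/0/0 weight 255;
                fe-0/0/2 weight 255;
                fe-2/0/2 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    fe-0/0/2 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    fe-2/0/2 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/4;
                fe-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                fe-2/0/4;
                fe-2/0/5;
            }
        }
    }
    /* LAN side */
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    /* WAN side */
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    /* Route-based VPN tunnel interface, bound in security ipsec below. */
    st0 {
        unit 0 {
            family inet {
                address 10.199.0.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.2.0/24 next-hop st0.0;
        route 0.0.0.0/0 next-hop 1.2.3.1;
        route 1.1.1.0/24 next-hop 1.2.3.1;
    }
}
security {
    ike {
        policy ike-policy-cfgr {
            mode main;
            /* NOTE(review): proposal-set standard on this release is the
               vendor's legacy bundle (SHA-1 / DH group 2 class). Prefer
               explicit AES/SHA-2 proposals once the 1.1.1.2 peer can match. */
            proposal-set standard;
            /* Key is redacted; the captured text was missing the closing quote. */
            pre-shared-key ascii-text "XXXXX"; ## SECRET-DATA
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 1.1.1.2;
            external-interface reth1.0;
        }
    }
    ipsec {
        policy ipsec-policy-cfgr {
            proposal-set standard;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-cfgr;
                ipsec-policy ipsec-policy-cfgr;
            }
        }
    }
    /* NOTE(review): source NAT is inactive, so 192.168.1.0/24 leaves via
       reth1.0 untranslated under the kxpernik-to-untrust policy. That only
       works if the upstream at 1.2.3.1 translates or routes it — verify
       before relying on this as an "internal addresses never leak" boundary. */
    inactive: nat {
        source {
            rule-set kxpernik-to-untrust {
                from zone kxpernik;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone vpn {
            address-book {
                address net-cfgr_192-168-2-0--24 192.168.2.0/24;
            }
            interfaces {
                st0.0;
            }
        }
        security-zone kxpernik {
            address-book {
                address net-cfgr_192-168-1-0--24 192.168.1.0/24;
            }
            /* Review: was "system-services all; protocols all;". Only the
               services this box provides on the LAN are opened now. No
               dynamic routing protocol is configured (static routes only),
               so no protocols are allowed in. Extend if something breaks. */
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ssh;
                    ping;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* ike is required for the VPN peer. ping from the Internet is
               left as captured; drop it if nothing monitors this box from outside. */
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                reth1.0;
            }
        }
    }
    policies {
        from-zone kxpernik to-zone vpn {
            policy kxpernik-vpn-cfgr {
                match {
                    source-address net-cfgr_192-168-1-0--24;
                    destination-address net-cfgr_192-168-2-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone kxpernik {
            policy vpn-kxpernik-cfgr {
                match {
                    source-address net-cfgr_192-168-2-0--24;
                    destination-address net-cfgr_192-168-1-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Unrestricted egress from the LAN; no untrust-to-kxpernik policy
           exists, so inbound from the WAN is denied by the default policy. */
        from-zone kxpernik to-zone untrust {
            policy kxpernik-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    alg {
        ftp disable;
    }
    flow {
        /* Clamp MSS inside the tunnel so ESP overhead does not fragment. */
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}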