# Junos configuration for srx100-3, acting as the group-vpn *server* (key
# server) for two members, srx100-1 (10.0.0.2) and srx100-2 (10.0.0.3).
# Comments prefixed "review:" are observations for the operator; no
# configuration token has been changed.  The file contains credential
# material (## SECRET-DATA lines) and must be stored and shared as a secret.
version 11.1R6.4;
system {
    host-name srx100-3;
    time-zone America/New_York;
    root-authentication {
        # "$1$" prefix = MD5-crypt password hash.
        encrypted-password "$1$GOwFbV.b$lpOwxyPbfRyYf4dUBXLYf/"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    login {
        # One local account with full (super-user) privileges.
        user chaynes {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$DQ1.DjlC$To8tcX9Ur/2VDmWSQM9/W0"; ## SECRET-DATA
            }
        }
    }
    services {
        # SSH enabled with platform defaults: no root-login, protocol-version,
        # or connection/rate limits are set in this stanza.
        # review: confirm the defaults for this release are the intended ones.
        ssh;
    }
    syslog {
        # Local log retention only: 3 archived files of 100k each.
        # review: no remote syslog "host" stanza is configured, so logs do not
        # leave the device.
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        # review: NTP server is unauthenticated (no authentication-key);
        # time is relevant here because IKE/IPsec lifetimes and logs depend on it.
        server 192.5.41.40;
    }
}
interfaces {
    # Single physical interface carrying two tagged sub-interfaces:
    #   unit 40  -> 172.16.40.0/24  (placed in zone "trust" below)
    #   unit 100 -> 172.16.100.0/24 (placed in zone "untrust" below)
    fe-0/0/0 {
        vlan-tagging;
        mtu 1400;
        unit 40 {
            vlan-id 40;
            family inet {
                address 172.16.40.1/24;
            }
        }
        unit 100 {
            vlan-id 100;
            family inet {
                address 172.16.100.4/24;
            }
        }
    }
    lo0 {
        # Loopback address; reused as the group-vpn server-address below.
        unit 0 {
            family inet {
                address 10.0.0.4/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.100.254;
        # Host routes to the loopbacks of the two group members, reached
        # across the VLAN 100 segment.
        route 10.0.0.2/32 next-hop 172.16.100.2;
        route 10.0.0.3/32 next-hop 172.16.100.3;
    }
    router-id 172.16.40.1;
}
security {
    group-vpn {
        server {
            traceoptions {
                # review: "flag all" traces every group-vpn server event;
                # intended for troubleshooting, not steady-state operation.
                flag all;
            }
            ike {
                # Phase-1 proposal used for both member gateways.
                # review: pre-shared-key auth, DH group2 (1024-bit), SHA-1 and
                # 3DES-CBC are all legacy choices; the same proposal must be
                # configured on both members, so changing it is a coordinated
                # change across srx100-1, srx100-2 and this server.
                proposal srv-prop {
                    authentication-method pre-shared-keys;
                    dh-group group2;
                    authentication-algorithm sha1;
                    encryption-algorithm 3des-cbc;
                }
                policy ike-pol {
                    mode main;
                    proposals srv-prop;
                    # "$9$" values are Junos-obfuscated, not hashed: the device
                    # recovers the plaintext, so this line IS the shared secret.
                    pre-shared-key ascii-text "$9$xM6NVYkqfTFnikORhclegoa"; ## SECRET-DATA
                }
                # Both members share one IKE policy and therefore one pre-shared key.
                gateway srx100-1 {
                    ike-policy ike-pol;
                    address 10.0.0.2;
                }
                gateway srx100-2 {
                    ike-policy ike-pol;
                    address 10.0.0.3;
                }
            }
            ipsec {
                # Phase-2 proposal distributed to the group members.
                proposal ipsec-proposal {
                    authentication-algorithm hmac-sha1-96;
                    encryption-algorithm aes-128-cbc;
                    lifetime-seconds 3600;
                }
            }
            group ike-group {
                group-id 1;
                ike-gateway srx100-1;
                ike-gateway srx100-2;
                # Replay window for group SAs, in seconds (clock skew matters;
                # see the NTP note above).
                anti-replay-time-window 60;
                # Members contact the server on its loopback; zone "untrust"
                # admits IKE to lo0.0 via the zone-level host-inbound-traffic.
                server-address 10.0.0.4;
                server-member-communication {
                    # Unicast rekey/push from server to each member, with the
                    # algorithms below protecting the server-member channel.
                    communication-type unicast;
                    retransmission-period 10;
                    number-of-retransmission 2;
                    encryption-algorithm aes-128-cbc;
                    sig-hash-algorithm sha1;
                }
                ipsec-sa group-ipsec {
                    proposal ipsec-proposal;
                    # Traffic selector pushed to members.  0.0.0.0/0 on both
                    # sides with port/protocol 0 (wildcard) selects all traffic.
                    match-policy allow-any {
                        source 0.0.0.0/0;
                        destination 0.0.0.0/0;
                        source-port 0;
                        destination-port 0;
                        protocol 0;
                    }
                }
            }
        }
    }
    policies {
        # Only one policy exists: intra-zone untrust -> untrust, permit all,
        # without session logging ("then { permit; }" has no log statement).
        # review: no trust -> untrust (or reverse) policy is present; with the
        # Junos default deny-all policy, traffic between the two zones is
        # dropped -- confirm this is intended for the trust VLAN (unit 40).
        from-zone untrust to-zone untrust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            # Zone-wide: IKE is accepted on every interface in this zone,
            # which includes lo0.0 (the group-vpn server-address).
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                # review: SSH management is reachable from the "untrust" zone
                # on the VLAN 100 interface; this is the only SSH ingress
                # configured (no interface in "trust" admits ssh).
                fe-0/0/0.100 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                        }
                    }
                }
                lo0.0;
            }
        }
        security-zone trust {
            interfaces {
                # Trust side admits only ping to the device itself.
                fe-0/0/0.40 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}