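# Route-based IPsec VPN pair (IKEv2, pre-shared key) from an SRX to two SAVANA
# peers, with eBGP running over the tunnel interfaces st0.17 and st0.18.
# X.X.X.X, y.y.y.y, Z.Z.Z.Z, INTERNAL_IP_1 and INTERNAL_IP_2 are placeholders
# left by the author and must be replaced before loading.

# --- IKE (phase 1) proposals ---
set security ike proposal SAVANA_SIGNATURES_ike_p1 authentication-method pre-shared-keys
set security ike proposal SAVANA_SIGNATURES_ike_p1 dh-group group14
set security ike proposal SAVANA_SIGNATURES_ike_p1 authentication-algorithm sha-256
set security ike proposal SAVANA_SIGNATURES_ike_p1 encryption-algorithm aes-256-cbc
set security ike proposal SAVANA_SIGNATURES_ike_p1 lifetime-seconds 28800
set security ike proposal SAVANA_SIGNATURES_ike_p1_2 authentication-method pre-shared-keys
set security ike proposal SAVANA_SIGNATURES_ike_p1_2 dh-group group14
set security ike proposal SAVANA_SIGNATURES_ike_p1_2 authentication-algorithm sha-256
set security ike proposal SAVANA_SIGNATURES_ike_p1_2 encryption-algorithm aes-256-cbc
set security ike proposal SAVANA_SIGNATURES_ike_p1_2 lifetime-seconds 28800

# --- IKE policies ---
# Changed from "mode aggressive": both gateways below are "version v2-only",
# and aggressive/main mode is an IKEv1 concept, so the setting has no effect
# today. Left as aggressive it would only matter if the gateway were ever
# switched to IKEv1, where aggressive mode with a pre-shared key exposes
# material that allows offline guessing of the key.
set security ike policy SAVANA_SIGNATURES_ike_policy mode main
set security ike policy SAVANA_SIGNATURES_ike_policy proposals SAVANA_SIGNATURES_ike_p1
# NOTE(review): "$9$" is Junos's reversible obfuscation format, not a one-way
# hash. A pre-shared key that has appeared in a shared or published config
# should be treated as exposed and rotated on both ends of the tunnel.
set security ike policy SAVANA_SIGNATURES_ike_policy pre-shared-key ascii-text "$9$ZFGDH.mTz39q.pBEyW8bs2oJUkqPTFnPfESyl8Lg4aJjHzF6AuONdDi.mzFylev7d4oZDHqGU/tOBcS4aZU.PCAuhyK24"
set security ike policy SAVANA_SIGNATURES_ike_policy_2 mode main
set security ike policy SAVANA_SIGNATURES_ike_policy_2 proposals SAVANA_SIGNATURES_ike_p1_2
set security ike policy SAVANA_SIGNATURES_ike_policy_2 pre-shared-key ascii-text "$9$WAF8XN4aZDi.wsUHq.Qz/9ApIhevWLxdWLds4aUD5Tz3Ct1IcKMLYgUHk.F3SreWx-ZGji.5IE2oJGiHAtuBSlW87w24.P"

# --- IKE gateways (one per peer, same local address and external interface) ---
set security ike gateway SAVANA_SIGNATURES_GW ike-policy SAVANA_SIGNATURES_ike_policy
set security ike gateway SAVANA_SIGNATURES_GW address y.y.y.y
set security ike gateway SAVANA_SIGNATURES_GW dead-peer-detection
set security ike gateway SAVANA_SIGNATURES_GW no-nat-traversal
set security ike gateway SAVANA_SIGNATURES_GW external-interface reth0.1000
set security ike gateway SAVANA_SIGNATURES_GW local-address X.X.X.X
set security ike gateway SAVANA_SIGNATURES_GW version v2-only
set security ike gateway SAVANA_SIGNATURES_GW_2 ike-policy SAVANA_SIGNATURES_ike_policy_2
set security ike gateway SAVANA_SIGNATURES_GW_2 address Z.Z.Z.Z
set security ike gateway SAVANA_SIGNATURES_GW_2 dead-peer-detection
set security ike gateway SAVANA_SIGNATURES_GW_2 no-nat-traversal
set security ike gateway SAVANA_SIGNATURES_GW_2 external-interface reth0.1000
set security ike gateway SAVANA_SIGNATURES_GW_2 local-address X.X.X.X
set security ike gateway SAVANA_SIGNATURES_GW_2 version v2-only

# --- IPsec (phase 2) proposals and policies ---
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1 protocol esp
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1 encryption-algorithm aes-256-cbc
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1 lifetime-seconds 3600
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1_2 protocol esp
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1_2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1_2 encryption-algorithm aes-256-cbc
set security ipsec proposal SAVANA_SIGNATURES_ipsec_p1_2 lifetime-seconds 3600
# PFS with group14 forces a fresh DH exchange on each phase-2 rekey.
set security ipsec policy SAVANA_SIP_policy perfect-forward-secrecy keys group14
set security ipsec policy SAVANA_SIP_policy proposals SAVANA_SIGNATURES_ipsec_p1
set security ipsec policy SAVANA_SIP_policy_2 perfect-forward-secrecy keys group14
set security ipsec policy SAVANA_SIP_policy_2 proposals SAVANA_SIGNATURES_ipsec_p1_2

# --- IPsec VPNs bound to the secure tunnel interfaces ---
set security ipsec vpn SAVANA_SIGNATURES_VPN bind-interface st0.17
set security ipsec vpn SAVANA_SIGNATURES_VPN df-bit clear
set security ipsec vpn SAVANA_SIGNATURES_VPN ike gateway SAVANA_SIGNATURES_GW
set security ipsec vpn SAVANA_SIGNATURES_VPN ike ipsec-policy SAVANA_SIP_policy
set security ipsec vpn SAVANA_SIGNATURES_VPN establish-tunnels immediately
set security ipsec vpn SAVANA_SIGNATURES_VPN_2 bind-interface st0.18
set security ipsec vpn SAVANA_SIGNATURES_VPN_2 df-bit clear
set security ipsec vpn SAVANA_SIGNATURES_VPN_2 ike gateway SAVANA_SIGNATURES_GW_2
set security ipsec vpn SAVANA_SIGNATURES_VPN_2 ike ipsec-policy SAVANA_SIP_policy_2
set security ipsec vpn SAVANA_SIGNATURES_VPN_2 establish-tunnels immediately

# --- Security policies between the SBC zone and the tunnel zone ---
# NOTE(review): both policies match "application any", so every protocol is
# permitted between the SBC public addresses and 172.31.0.0/16 in both
# directions. If only SIP signalling and media are intended (as the policy
# names suggest), narrow the match to those applications -- TODO confirm the
# required ports with the peer.
# NOTE(review): neither policy logs sessions; "then log session-close" on each
# policy would give an audit trail for traffic crossing the tunnel.
set security policies from-zone SIP_ext to-zone Gi_untrust policy SBC_to_SAVANA_SIP match source-address ACDC_SBC_Ext_Public
set security policies from-zone SIP_ext to-zone Gi_untrust policy SBC_to_SAVANA_SIP match source-address TM_SBC_Ext_Public
set security policies from-zone SIP_ext to-zone Gi_untrust policy SBC_to_SAVANA_SIP match destination-address SAVANA_SIG
set security policies from-zone SIP_ext to-zone Gi_untrust policy SBC_to_SAVANA_SIP match application any
set security policies from-zone SIP_ext to-zone Gi_untrust policy SBC_to_SAVANA_SIP then permit
set security policies from-zone Gi_untrust to-zone SIP_ext policy SAVANA_SIP_to_SBC match source-address SAVANA_SIG
set security policies from-zone Gi_untrust to-zone SIP_ext policy SAVANA_SIP_to_SBC match destination-address ACDC_SBC_Ext_Public
set security policies from-zone Gi_untrust to-zone SIP_ext policy SAVANA_SIP_to_SBC match destination-address TM_SBC_Ext_Public
set security policies from-zone Gi_untrust to-zone SIP_ext policy SAVANA_SIP_to_SBC match application any
set security policies from-zone Gi_untrust to-zone SIP_ext policy SAVANA_SIP_to_SBC then permit

# --- Address book and tunnel interface descriptions ---
set security zones security-zone Gi_untrust address-book address SAVANA_SIG_SIP_1 172.31.0.0/16
set security zones security-zone Gi_untrust address-book address-set SAVANA_SIG address SAVANA_SIG_SIP_1
set interfaces st0 unit 17 description SAVANA_IPSEC_1
set interfaces st0 unit 18 description SAVANA_IPSEC_2

# BGP CONFIG
# ============
# Export policies advertise only the two listed static routes; everything else
# is rejected by the final term.
set policy-options policy-statement SAVANA_EXPORT_1 term 1 from protocol static
set policy-options policy-statement SAVANA_EXPORT_1 term 1 from route-filter INTERNAL_IP_1 exact
set policy-options policy-statement SAVANA_EXPORT_1 term 1 from route-filter INTERNAL_IP_2 exact
set policy-options policy-statement SAVANA_EXPORT_1 term 1 then accept
set policy-options policy-statement SAVANA_EXPORT_1 term reject then reject
set policy-options policy-statement SAVANA_EXPORT_2 term 1 from protocol static
set policy-options policy-statement SAVANA_EXPORT_2 term 1 from route-filter INTERNAL_IP_1 exact
set policy-options policy-statement SAVANA_EXPORT_2 term 1 from route-filter INTERNAL_IP_2 exact
# The prepend lengthens the AS path on routes sent to the second neighbor,
# which presumably makes tunnel 2 the backup path for return traffic.
set policy-options policy-statement SAVANA_EXPORT_2 term 1 then as-path-prepend "37030 37030 37030 37030 37030"
set policy-options policy-statement SAVANA_EXPORT_2 term 1 then accept
set policy-options policy-statement SAVANA_EXPORT_2 term reject then reject
# Import accepts exactly 172.31.0.0/16 and rejects any other prefix the peer
# announces, so the peer cannot inject additional routes.
set policy-options policy-statement SAVANA_IMPORT term 1 from route-filter 172.31.0.0/16 exact
set policy-options policy-statement SAVANA_IMPORT term 1 then accept
set policy-options policy-statement SAVANA_IMPORT term reject then reject
set routing-instances internet-vr protocols bgp group SAVANA_ebgp type external
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.170.121 hold-time 30
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.170.121 import SAVANA_IMPORT
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.170.121 export SAVANA_EXPORT_1
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.170.121 peer-as 65000
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.170.121 local-as 37030
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.13.49 hold-time 30
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.13.49 import SAVANA_IMPORT
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.13.49 export SAVANA_EXPORT_2
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.13.49 peer-as 65000
set routing-instances internet-vr protocols bgp group SAVANA_ebgp neighbor 169.254.13.49 local-as 37030

# Secure tunnel configuration
# ================================
# The bind-interface statements repeat the ones in the IPsec VPN section above;
# loading them twice is harmless.
set security ipsec vpn SAVANA_SIGNATURES_VPN bind-interface st0.17
# Changed from "system-services all": the tunnel interfaces sit in Gi_untrust,
# and "all" lets the remote side reach every management service on the
# firewall itself through the tunnel. BGP is already allowed by the
# "protocols bgp" statements and IKE terminates on reth0.1000, not on st0, so
# only ping is kept for troubleshooting. Add further services explicitly if
# one is really required.
set security zones security-zone Gi_untrust interfaces st0.17 host-inbound-traffic system-services ping
set security zones security-zone Gi_untrust interfaces st0.17 host-inbound-traffic protocols bgp
set routing-instances internet-vr interface st0.17
set security ipsec vpn SAVANA_SIGNATURES_VPN_2 bind-interface st0.18
set security zones security-zone Gi_untrust interfaces st0.18 host-inbound-traffic system-services ping
set security zones security-zone Gi_untrust interfaces st0.18 host-inbound-traffic protocols bgp
set routing-instances internet-vr interface st0.18

# The source ended with two hierarchy-format fragments (description / family
# inet { mtu; address; }) with no enclosing unit. They are written here as set
# commands; the unit numbers are matched from the descriptions set above and
# from the /30 subnets of the two BGP neighbors.
set interfaces st0 unit 17 family inet mtu 1436
set interfaces st0 unit 17 family inet address 169.254.170.122/30
set interfaces st0 unit 18 family inet mtu 1436
set interfaces st0 unit 18 family inet address 169.254.13.50/30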