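version 10.0R3.10;
/*
 * SRX branch configuration: inside LAN 10.30.10.0/24 on ge-0/0/1, outside on
 * ge-0/0/0, one route-based IPsec tunnel (st0.0) to a partner gateway carrying
 * three remote /24s. Changes in this revision: telnet removed, cleartext HTTP
 * management taken off the outside interface, 'flag all' traceoptions
 * deactivated, the untrust zone limited to the host-inbound services this
 * configuration actually uses, and the already-defined screen profile bound to
 * the untrust zone. Findings that need the peer site or the operator to decide
 * (cipher suite, the inbound any/any permit) are left in place and annotated.
 */
system {
    time-zone Asia/Hong_Kong;
    /* The MD5-crypt hashes below and the '$9$' pre-shared key further down are
       now part of a shared file; rotate all three. */
    root-authentication {
        encrypted-password "$1$YWFB.GbI$RYp4LJcCYGVRl0SYpntbc."; ## SECRET-DATA
    }
    login {
        user admin {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$r.P4NvZ9$MQJkbwjMbCMMO1POsvrN0."; ## SECRET-DATA
            }
        }
    }
    services {
        /* Management is ssh only. telnet was removed: it carries credentials in
           cleartext and, with host-inbound-traffic 'all' on both zones, it was
           reachable from the outside interface as well as the LAN. */
        ssh;
        web-management {
            /* ge-0/0/0.0 (outside) dropped from the HTTP interface list so that
               unencrypted management no longer faces the untrust side. HTTP is
               still offered on the inside; move those to https as well. */
            http {
                interface [ vlan.0 ge-0/0/1.0 ];
            }
            /* NOTE(review): vlan.0 is not defined under 'interfaces' in this
               file, so https appears to be bound to an interface that does not
               exist — confirm; if so, bind it to ge-0/0/1.0. */
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            /* Global 'router 192.168.1.1' looks like a factory-default leftover;
               the pool below carries its own router statement (10.30.10.1). */
            router {
                192.168.1.1;
            }
            pool 10.30.10.0/24 {
                address-range low 10.30.10.51 high 10.30.10.249;
                default-lease-time 3600;
                domain-name must.edu.mo;
                name-server {
                    202.175.3.3;
                }
                router {
                    10.30.10.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Only 'any critical' and 'authorization info' reach the messages
           file. The session-init/session-close logs requested by the security
           policies are presumably emitted at info level, so with this
           destination set they appear to be discarded — confirm, and add a
           remote syslog host or a local file at 'any info' for RT_FLOW. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 202.175.115.244;
    }
}
interfaces {
    ge-0/0/0 {
        description outside;
        unit 0 {
            family inet {
                address **********;
            }
        }
    }
    ge-0/0/1 {
        description inside;
        unit 0 {
            family inet {
                address 10.30.10.1/24;
            }
        }
    }
    /* Tunnel interface for MUST-Tunnel; mtu 1400 together with the tcp-mss
       1350 under 'security flow' is presumably sized to leave room for ESP
       overhead on a 1500-byte outside link. */
    st0 {
        unit 0 {
            family inet {
                mtu 1400;
                address 172.30.255.2/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop **********;
    }
}
security {
    ike {
        /* Phase 1: 3DES / SHA-1 / DH group 5 with a pre-shared key. Weak by
           current standards, but the proposal must match the peer: agree a
           move to AES-CBC and a stronger DH group with the remote site before
           changing it here. */
        proposal MUST-Phase1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* '$9$' is reversible obfuscation, not encryption: anyone holding a copy
           of this file effectively holds the PSK. Rotate it. */
        policy MUST-Phase1-Policy {
            mode main;
            proposals MUST-Phase1;
            pre-shared-key ascii-text "$9$v01Wx-YgJDHmaZn/9Cu08Xx7bs"; ## SECRET-DATA
        }
        gateway MUST-Phase1-Gateway {
            ike-policy MUST-Phase1-Policy;
            address **********;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* Debug tracing with 'flag all' had been left enabled in production;
           deactivated rather than deleted so it can be turned back on for
           troubleshooting. */
        inactive: traceoptions {
            flag all;
        }
        /* Phase 2: ESP with HMAC-MD5-96 and 3DES; same caveat as Phase 1 —
           change together with the peer (hmac-sha1-96 / AES-CBC at minimum). */
        proposal MUST-Phase2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy MUST-Phase2-Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals MUST-Phase2;
        }
        vpn MUST-Tunnel {
            ike {
                gateway MUST-Phase1-Gateway;
                ipsec-policy MUST-Phase2-Policy;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        /* As with the ipsec traceoptions: 'flag all' into nat.log was left on. */
        inactive: traceoptions {
            file nat.log;
            flag all;
        }
        source {
            /* Pool nat-poo1-1 (digit '1' where an 'l' was meant) is defined but
               never referenced; the rule below uses interface NAT. Delete it
               or reference it from the rule. */
            pool nat-poo1-1 {
                address {
                    **********;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        inactive: proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    10.30.10.1/32 to 10.30.10.254/32;
                }
            }
        }
    }
    screen {
        /* Now applied to security-zone untrust; in the previous revision the
           profile was defined but not bound to any zone, so none of these
           checks were active. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address 10.30.10.0/24 10.30.10.0/24;
            }
            /* The inside zone still accepts every service and protocol towards
               the device. Tolerable on a LAN, but trim it to what is used
               (ssh, https, dhcp, ping) once the management path is settled. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address 10.100.3.0/24 10.100.3.0/24;
                address 10.20.100.0/24 10.20.100.0/24;
                address 172.16.120.0/24 172.16.120.0/24;
            }
            screen untrust-screen;
            /* Previously 'all' for services and protocols, on the zone and again
               as overrides on ge-0/0/0.0 and st0.0, which exposed every
               management daemon on the Internet-facing interface. Reduced to
               what this configuration needs: ike for the gateway on
               ge-0/0/0.0, ssh for remote administration, ping for reachability
               checks. No routing protocols run here (static default only).
               Re-add an interface-level override on st0.0 if the partner sites
               need more than this. */
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Outbound tunnel policies, one per remote prefix, each paired with
               its inbound counterpart so the flow is bound to MUST-Tunnel. */
            policy VPN_for_172_16_120_0 {
                match {
                    source-address 10.30.10.0/24;
                    destination-address 172.16.120.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn MUST-Tunnel;
                            pair-policy VPN_from_172_16_120_0;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy VPN_for_10_20_100_0 {
                match {
                    source-address 10.30.10.0/24;
                    destination-address 10.20.100.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn MUST-Tunnel;
                            pair-policy VPN_from_10_20_100_0;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy VPN_for_10_100_3_0 {
                match {
                    source-address 10.30.10.0/24;
                    destination-address 10.100.3.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn MUST-Tunnel;
                            pair-policy VPN_from_10_100_3_0;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            /* Catch-all outbound permit. The name is a typo of 'trust-untrust';
               kept as-is because policy names appear in logs and scripts. */
            policy trust-untrus {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* 'count' added to the first two inbound tunnel policies for parity
               with the third and with the outbound set; counters only. */
            policy VPN_from_10_100_3_0 {
                match {
                    source-address 10.100.3.0/24;
                    destination-address 10.30.10.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn MUST-Tunnel;
                            pair-policy VPN_for_10_100_3_0;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy VPN_from_10_20_100_0 {
                match {
                    source-address 10.20.100.0/24;
                    destination-address 10.30.10.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn MUST-Tunnel;
                            pair-policy VPN_for_10_20_100_0;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy VPN_from_172_16_120_0 {
                match {
                    source-address 172.16.120.0/24;
                    destination-address 10.30.10.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn MUST-Tunnel;
                            pair-policy VPN_for_172_16_120_0;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            /* Highest-priority finding, deliberately left unchanged: an
               any/any/any permit from untrust into the LAN, with no logging,
               evaluated after the tunnel policies. It makes the firewall
               transparent for anything that can reach 10.30.10.0/24 from
               outside. Unless a specific inbound flow depends on it, change
               the action to 'then { deny; log { session-init; } count; }' or
               delete the policy and rely on the default deny. Not changed here
               because the flows that rely on it are not visible in this file. */
            policy Untrust_to_trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
vlans {
    /* vlan-trust exists, but no vlan.0 routed interface is configured in this
       file; see the web-management note under system services. */
    vlan-trust {
        vlan-id 3;
    }
}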