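/* SRX configuration (Junos 12.1X46-D35.1): dual-ISP edge with two route-based IPsec tunnels
   (st0.0 via ISP1, st0.20 via ISP2 PPPoE) carrying an authenticated eBGP session.
   Reformatted from a single-line export. Two transcription defects repaired:
   - the group-level BGP authentication-key lost its closing quote;
   - the LAN1-to-INTERNET `log` stanza sat outside `then` (which is also where the
     brace imbalance came from); `log` is only valid under `then`. */
version 12.1X46-D35.1;
interfaces {
    ge-0/0/0 {
        description "ISP1 INTERNET";
        unit 0 {
            family inet {
                address 1.1.1.5/29 {
                    primary;
                }
            }
        }
    }
    ge-0/0/1 {
        description LAN1;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/4 {
        description ISP2_DSL;
        enable;
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        enable;
        unit 0 {
            description "connect to ISP2";
            ppp-options {
                /* PAP sends the password in clear text to the ISP; the credential itself
                   is redacted in this export (SECRET-DATA). */
                pap {
                    default-password "---"; ## SECRET-DATA
                    local-name namedata;
                    local-password "---"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/4.0;
                /* idle-timeout 0 keeps the PPPoE session up permanently. */
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            family inet {
                /* PPPoE overhead: 1500 - 8. */
                mtu 1492;
                negotiate-address;
            }
        }
    }
    st0 {
        description "MAIN VPN";
        unit 0 {
            family inet {
                /* Flow sampling on both directions of the tunnel interface. */
                sampling {
                    input;
                    output;
                }
                address 172.16.1.6/30;
            }
        }
        unit 20 {
            description "SECONDARY VPN";
            family inet {
                sampling {
                    input;
                    output;
                }
                address 172.16.1.10/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
        /* Host route to the multihop BGP peer, reached through the secondary tunnel. */
        route 172.18.1.100/32 next-hop 172.16.1.9;
    }
    autonomous-system 65555;
}
protocols {
    bgp {
        group external-peers {
            type external;
            description "IPSEC BGP";
            local-address 172.16.1.6;
            /* TCP MD5 session authentication; key redacted. Both sessions run inside IPsec. */
            authentication-key "---"; ## SECRET-DATA
            peer-as 33333;
            neighbor 172.16.1.5 {
                import import-routes;
                export send-routes;
            }
            neighbor 172.18.1.100 {
                multihop {
                    ttl 20;
                }
                local-address 172.16.1.10;
                authentication-key "---"; ## SECRET-DATA
                /* Prepended export makes this the less-preferred path from the peer's view. */
                export send-routes-and-prepend;
                local-as 64444;
            }
        }
    }
    rstp;
}
policy-options {
    /* Accept only 10/8 and more specifics from the peer; everything else is rejected. */
    policy-statement import-routes {
        term 1 {
            from {
                route-filter 10.0.0.0/8 prefix-length-range /8-/32;
            }
            then {
                local-preference add 200;
                accept;
            }
        }
        term reject {
            then reject;
        }
    }
    /* Only the LAN prefix is advertised; no explicit final reject term, so the
       protocol default applies to anything else. */
    policy-statement send-routes {
        term 1 {
            from {
                route-filter 10.0.0.0/24 exact;
            }
            then accept;
        }
    }
    policy-statement send-routes-and-prepend {
        term 1 {
            from {
                route-filter 10.0.0.0/24 exact;
            }
            then {
                as-path-prepend "65555 65555";
                accept;
            }
        }
    }
}
security {
    ike {
        /* Phase 1 uses 3DES-CBC, MD5 and DH group 2, all deprecated. Migrate both ends to
           e.g. aes-256-cbc / sha-256 / group14 once the remote peers can match; the
           proposal name encodes the algorithms, so rename it when changed. */
        proposal PRE-G2-3DES-MD5-28800 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* IKEv1 main mode with pre-shared keys (redacted); both tunnels share the proposal. */
        policy PRIMARY_VPN_P1_POLICY {
            mode main;
            proposals PRE-G2-3DES-MD5-28800;
            pre-shared-key ascii-text "---"; ## SECRET-DATA
        }
        policy SECONDARY_VPN_P1_POLICY {
            mode main;
            proposals PRE-G2-3DES-MD5-28800;
            pre-shared-key ascii-text "---"; ## SECRET-DATA
        }
        gateway PRIMARYVPN {
            ike-policy PRIMARY_VPN_P1_POLICY;
            address 5.5.5.5;
            dead-peer-detection {
                probe-idle-tunnel;
                interval 30;
                threshold 5;
            }
            external-interface ge-0/0/0.0;
            version v1-only;
        }
        gateway SECONDARYVPN {
            ike-policy SECONDARY_VPN_P1_POLICY;
            address 6.6.6.6;
            dead-peer-detection {
                probe-idle-tunnel;
                interval 30;
                threshold 5;
            }
            external-interface pp0.0;
            version v1-only;
        }
    }
    ipsec {
        /* `proposal-set compatible` negotiates DES/3DES with MD5/SHA-1 and is shared by BOTH
           VPNs despite its name. A named proposal pinning AES/SHA-2 is preferable. */
        policy SECONDARY_VPN_P2_POLICY {
            proposal-set compatible;
        }
        vpn PRIMARYVPN {
            bind-interface st0.0;
            ike {
                gateway PRIMARYVPN;
                /* Shared Phase 2 policy (see note above). */
                ipsec-policy SECONDARY_VPN_P2_POLICY;
            }
            establish-tunnels immediately;
        }
        vpn SECONDARYVPN {
            bind-interface st0.20;
            ike {
                gateway SECONDARYVPN;
                /* Explicit proxy-identity only on this tunnel; PRIMARYVPN relies on the default. */
                proxy-identity {
                    local 10.0.0.0/24;
                    remote 172.16.1.8/30;
                }
                ipsec-policy SECONDARY_VPN_P2_POLICY;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        /* Outbound LAN -> Internet: permit-any with IDP inspection and session-close logging.
           No INTERNET -> LAN1 policy exists and no `default-policy` is set, so inbound
           relies on the platform default (deny-all) — confirm on the device. */
        from-zone LAN1 to-zone INTERNET {
            policy LAN1-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        /* VPN <-> LAN1 is permit-any in both directions with no logging; tighten to the
           prefixes/applications actually needed if the remote site is not fully trusted. */
        from-zone VPN to-zone LAN1 {
            policy VPN-to-LAN1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN1 to-zone VPN {
            policy LAN1-to-VPN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone LAN1 {
            interfaces {
                ge-0/0/1.0 {
                    /* Management services (HTTPS, SSH, SNMP) are reachable only from the LAN side. */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            snmp;
                            traceroute;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone INTERNET {
            interfaces {
                ge-0/0/0.0 {
                    /* `ike` is required here for gateway PRIMARYVPN. `https` exposes the
                       device's management web service on the ISP1 interface; remove it or
                       restrict it unless it is deliberately used (e.g. for dynamic VPN). */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ike;
                        }
                    }
                }
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            traceroute;
                        }
                    }
                }
                pp0.0 {
                    /* `ike` is required here for gateway SECONDARYVPN. */
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                    traceroute;
                }
            }
            interfaces {
                st0.0;
                st0.20;
            }
        }
    }
}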