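/*
 * SRX-Test: Junos 15.1X49-D60.7 lab SRX terminating two Pulse dynamic-VPN
 * users (boston, newyork) on ge-0/0/5.0 (zone untrust, 10.0.0.1/24) and
 * fronting a trust segment (ge-0/0/1.0, 5.1.1.1/24) and a management segment
 * (ge-0/0/0.0, 172.16.1.1/24).
 *
 * Changes in this revision:
 *  - added the untrust->trust tunnel policy for dynamic-vpn-newyork; client2
 *    was bound to that VPN but no security policy carried it;
 *  - removed cleartext J-Web (http) from the Internet-facing interface, the
 *    https listener on the same interface already serves the portal;
 *  - narrowed untrust host-inbound-traffic from any-service to the services
 *    this box actually offers on that side (IKE, HTTPS, DHCP, ping);
 *  - moved both IPsec proposals from 3des-cbc to aes-256-cbc.
 * Everything else is kept as it was; remaining concerns are annotated inline
 * rather than changed, because they are either deliberate for a test box
 * (debug tracing) or need information this file does not contain.
 */
version 15.1X49-D60.7;
system {
    host-name SRX-Test;
    ports {
        console log-out-on-disconnect;
    }
    root-authentication {
        /* sha256-crypt ($5$) root hash; rotate it if this file has ever left the lab */
        encrypted-password "$5$xFSU7VL0$SnKNOwRhWODY3Cxoio5GYPCb9Zl3asIYsrgrm9ksz80"; ## SECRET-DATA
    }
    services {
        dhcp-local-server {
            group dhc {
                /* DHCP server on the untrust/VPN-facing interface; the untrust
                   zone therefore keeps "dhcp" in its host-inbound services */
                interface ge-0/0/5.0;
            }
        }
        web-management {
            traceoptions {
                /* verbose tracing of the dynamic-VPN portal: lab only */
                level all;
                flag dynamic-vpn;
            }
            /* http { interface ge-0/0/5.0; } removed: cleartext admin/portal on
               the Internet-facing interface; https below covers the Pulse portal */
            https {
                /* self-signed certificate: clients cannot authenticate the
                   gateway. Replace with a CA-issued local-certificate before
                   real users connect. */
                system-generated-certificate;
                interface ge-0/0/5.0;
            }
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                /* "flag all" on authd traces the XAuth exchange and can write
                   user credentials to /var/log; deactivate outside the lab */
                flag all;
            }
        }
    }
}
security {
    ike {
        traceoptions {
            /* level-15 IKE debugging; same caveat as the authd trace above */
            flag all;
            level 15;
        }
        proposal phase1-prop {
            authentication-method pre-shared-keys;
            /* group2 (1024-bit MODP) and sha1 are kept only because support
               for group14 / sha-256 on the deployed Pulse build has not been
               confirmed from this file; upgrade once verified */
            dh-group group2;
            authentication-algorithm sha1;
            /* was 3des-cbc */
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            /* aggressive mode is what Junos dynamic VPN with pre-shared keys
               uses; it exposes a hash of the PSK to anyone who can reach the
               gateway, so the PSK must be long and random */
            mode aggressive;
            proposals phase1-prop;
            /* NOTE(review): this $9$ string is byte-identical to the
               newyork-user firewall-user password under [access], i.e. the
               group PSK known to every VPN client is also one user's password.
               Set a dedicated PSK (not changed here: no value to substitute). */
            pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
        }
        /* one gateway per client, distinguished only by the IKE hostname ID;
           both share ike-pol and therefore the same PSK */
        gateway dyn-gw-boston {
            ike-policy ike-pol;
            dynamic hostname boston;
            external-interface ge-0/0/5.0;
            xauth {
                access-profile user-auth-profile;
            }
        }
        gateway dyn-gw-newyork {
            ike-policy ike-pol;
            dynamic hostname newyork;
            external-interface ge-0/0/5.0;
            xauth {
                access-profile user-auth-profile;
            }
        }
    }
    ipsec {
        proposal phase2-prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            /* was 3des-cbc */
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase2-prop;
        }
        vpn dynamic-vpn-boston {
            ike {
                gateway dyn-gw-boston;
                ipsec-policy ipsec-pol;
            }
        }
        vpn dynamic-vpn-newyork {
            ike {
                gateway dyn-gw-newyork;
                ipsec-policy ipsec-pol;
            }
        }
    }
    dynamic-vpn {
        access-profile user-auth-profile;
        clients {
            client1 {
                /* split tunnel: only these prefixes go through the VPN.
                   10.0.0.0/24 is the untrust subnet itself and 172.16.1.0/24
                   is the manage zone; see the policy notes below for whether
                   traffic to them can actually be carried by a tunnel policy */
                remote-protected-resources {
                    172.16.1.0/24;
                    5.1.1.0/24;
                    10.0.0.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dynamic-vpn-boston;
                user {
                    boston-user;
                }
            }
            client2 {
                remote-protected-resources {
                    5.1.1.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dynamic-vpn-newyork;
                user {
                    newyork-user;
                }
            }
        }
    }
    flow {
        traceoptions {
            /* datapath trace for a single manage-host -> VPN-client flow; lab only */
            file DebugTraffic;
            flag basic-datapath;
            packet-filter MatchTraffic {
                source-prefix 172.16.1.100/32;
                destination-prefix 5.1.1.11/32;
            }
        }
    }
    nat {
        source {
            /* interface source NAT for everything leaving trust toward untrust
               (rule-set name kept as-is, typo included, so existing show
               commands and scripts still match) */
            rule-set trusttountursut {
                from zone trust;
                to zone untrust;
                rule as {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy vpn-boston {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dynamic-vpn-boston;
                        }
                    }
                }
            }
            /* added: client2 is bound to dynamic-vpn-newyork but no policy
               referenced that VPN, so its traffic had nothing to match */
            policy vpn-newyork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dynamic-vpn-newyork;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            /* NOTE(review): any/any intra-zone permit on the Internet-facing
               zone, without a tunnel action. If it exists for client1's
               10.0.0.0/24 protected resource it would need "tunnel ipsec-vpn";
               otherwise it should go. Left unchanged pending confirmation. */
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone junos-host to-zone trust {
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone junos-host {
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone manage {
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone manage {
            /* NOTE(review): plain any/any permit from the Internet-facing zone
               into the management segment (172.16.1.0/24), no tunnel action.
               If it is meant to carry client1's 172.16.1.0/24 protected
               resource it needs "tunnel ipsec-vpn dynamic-vpn-boston"; if not,
               it should be removed. Left unchanged pending confirmation. */
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone manage to-zone trust {
            policy all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    /* was any-service. Only what this zone actually serves:
                       IKE and the https portal for dynamic VPN, the DHCP
                       server bound to ge-0/0/5.0, and ping for reachability
                       checks. No ssh/telnet is configured on this box. */
                    ike;
                    https;
                    dhcp;
                    ping;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone manage {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 5.1.1.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* NOTE(review): 10.159.4.1 is not on any subnet configured in this
           file (ge-0/0/5.0 is 10.0.0.1/24), so this default route will stay
           hidden unless something not shown here resolves the next hop */
        route 0.0.0.0/0 next-hop 10.159.4.1;
    }
}
access {
    profile user-auth-profile {
        client boston-user {
            firewall-user {
                password "$9$4pJZj6/tOIcApK8xdg4"; ## SECRET-DATA
            }
        }
        client newyork-user {
            firewall-user {
                /* NOTE(review): same $9$ string as the IKE pre-shared key in
                   security ike policy ike-pol; change one of the two */
                password "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool test-pool;
        }
    }
    address-assignment {
        pool test-pool {
            family inet {
                /* VPN client addresses are carved out of the trust subnet that
                   ge-0/0/1.0 sits on (5.1.1.1/24); presumably trust hosts then
                   rely on proxy-arp on ge-0/0/1.0 to reach 5.1.1.10-20 --
                   confirm, or move the pool to its own prefix */
                network 5.1.1.0/24;
                range dvpn {
                    low 5.1.1.10;
                    high 5.1.1.20;
                }
            }
        }
        pool dhcp-pool {
            family inet {
                network 10.0.0.0/24;
                range default {
                    low 10.0.0.5;
                    high 10.0.0.10;
                }
                dhcp-attributes {
                    router {
                        10.0.0.1;
                    }
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile user-auth-profile;
        }
        traceoptions {
            /* "flag all" here logs web-auth exchanges; lab only */
            flag all;
        }
    }
}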