Configs:

Interfaces:
set interfaces ge-0/0/3 unit 0 family inet address 10.9.91.125/24
set interfaces lo0 unit 100 family inet address 192.168.100.1/24
set interfaces st0 unit 2 family inet address 172.168.1.1/24
set interfaces st0 unit 2 family inet6
set interfaces st0 unit 4 family inet address 172.168.3.1/24
set interfaces st0 unit 4 family inet6

IKE:
set security ike proposal BT-ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal BT-ike-phase1-proposal dh-group group2
set security ike proposal BT-ike-phase1-proposal authentication-algorithm sha1
set security ike proposal BT-ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy BT-ike-phase1-policy proposals BT-ike-phase1-proposal
set security ike policy BT-ike-phase1-policy pre-shared-key ascii-text "$9$4xaDiqmfzn/.mIESrvMDiHkTz"
set security ike gateway BT-gw-srx1-bkp ike-policy BT-ike-phase1-policy
set security ike gateway BT-gw-srx1-bkp address 10.79.105.234
set security ike gateway BT-gw-srx1-bkp local-identity hostname V12as34df56gh78jk90.wss.att.com
set security ike gateway BT-gw-srx1-bkp external-interface lo0.100
set security ike gateway BT-gw-srx1-bkp local-address 192.168.100.1
set security ike gateway BT-gw-srx1-bkp version v2-only

IPSec:
set security ipsec proposal BT-ipsec-phase2-proposal protocol esp
set security ipsec proposal BT-ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal BT-ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy BT-ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy BT-ipsec-phase2-policy proposals BT-ipsec-phase2-proposal
set security ipsec vpn BT-ike-vpn-srx1-bkp bind-interface st0.2
set security ipsec vpn BT-ike-vpn-srx1-bkp vpn-monitor source-interface st0.2
set security ipsec vpn BT-ike-vpn-srx1-bkp ike gateway BT-gw-srx1-bkp
set security ipsec vpn BT-ike-vpn-srx1-bkp ike ipsec-policy BT-ipsec-phase2-policy
set security ipsec vpn BT-ike-vpn-srx1-bkp establish-tunnels immediately

NAT:
set security nat source rule-set cust1_srcnat from zone cust1-untrust
set security nat source rule-set cust1_srcnat to zone untrust1
set security nat source rule-set cust1_srcnat rule cust1_src_interface match source-address 0.0.0.0/0
set security nat source rule-set cust1_srcnat rule cust1_src_interface match destination-address 0.0.0.0/0
set security nat source rule-set cust1_srcnat rule cust1_src_interface then source-nat interface

Zones:
set security zones security-zone untrust1 host-inbound-traffic system-services all
set security zones security-zone untrust1 host-inbound-traffic protocols all
set security zones security-zone untrust1 interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone untrust1 interfaces ge-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone BT-vpn-srx host-inbound-traffic system-services all
set security zones security-zone BT-vpn-srx host-inbound-traffic protocols all
set security zones security-zone BT-vpn-srx interfaces st0.2
set security zones security-zone BT-vpn-srx-2 host-inbound-traffic system-services all
set security zones security-zone BT-vpn-srx-2 host-inbound-traffic protocols all
set security zones security-zone BT-vpn-srx-2 interfaces st0.4
set security zones security-zone cust1-untrust host-inbound-traffic system-services all
set security zones security-zone cust1-untrust host-inbound-traffic protocols all
set security zones security-zone cust1-untrust interfaces lo0.100 host-inbound-traffic system-services all
set security zones security-zone cust1-untrust interfaces lo0.100 host-inbound-traffic protocols all

Policies:
set security policies from-zone BT-vpn-srx to-zone untrust1 policy vpn2u match source-address any
set security policies from-zone BT-vpn-srx to-zone untrust1 policy vpn2u match destination-address any
set security policies from-zone BT-vpn-srx to-zone untrust1 policy vpn2u match application any
set security policies from-zone BT-vpn-srx to-zone untrust1 policy vpn2u then permit
set security policies from-zone trust1 to-zone BT-vpn-srx policy t2vpn match source-address any
set security policies from-zone trust1 to-zone BT-vpn-srx policy t2vpn match destination-address any
set security policies from-zone trust1 to-zone BT-vpn-srx policy t2vpn match application any
set security policies from-zone trust1 to-zone BT-vpn-srx policy t2vpn then permit
set security policies from-zone untrust1 to-zone BT-vpn-srx policy u2vpn match source-address any
set security policies from-zone untrust1 to-zone BT-vpn-srx policy u2vpn match destination-address any
set security policies from-zone untrust1 to-zone BT-vpn-srx policy u2vpn match application any
set security policies from-zone untrust1 to-zone BT-vpn-srx policy u2vpn then permit
set security policies from-zone BT-vpn-srx-2 to-zone untrust1 policy vpn2u match source-address any
set security policies from-zone BT-vpn-srx-2 to-zone untrust1 policy vpn2u match destination-address any
set security policies from-zone BT-vpn-srx-2 to-zone untrust1 policy vpn2u match application any
set security policies from-zone BT-vpn-srx-2 to-zone untrust1 policy vpn2u then permit
set security policies from-zone cust1-untrust to-zone untrust1 policy c1u_2_u match source-address any
set security policies from-zone cust1-untrust to-zone untrust1 policy c1u_2_u match destination-address any
set security policies from-zone cust1-untrust to-zone untrust1 policy c1u_2_u match application any
set security policies from-zone cust1-untrust to-zone untrust1 policy c1u_2_u then permit
set security policies from-zone BT-vpn-srx to-zone cust1-untrust policy vpn2cust1 match source-address any
set security policies from-zone BT-vpn-srx to-zone cust1-untrust policy vpn2cust1 match destination-address any
set security policies from-zone BT-vpn-srx to-zone cust1-untrust policy vpn2cust1 match application any
set security policies from-zone BT-vpn-srx to-zone cust1-untrust policy vpn2cust1 then permit

Routing Instance:
set routing-instances DC1 instance-type virtual-router
set routing-instances DC1 interface st0.2
set routing-instances DC1 routing-options static route 0.0.0.0/0 next-hop st0.2
set routing-instances DC2 instance-type virtual-router
set routing-instances DC2 interface st0.4
set routing-instances DC2 routing-options static route 0.0.0.0/0 next-hop st0.4