SRX VPN Blog
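root> show configuration
## Last commit: 2014-12-01 01:56:39 UTC by root
/* Branch-side SRX config for a route-less, policy-based IPsec VPN to "HQ"
   (peer 11.11.11.11). Changes from the published version are limited to the
   management plane: plaintext telnet and http are no longer accepted on the
   Internet-facing interface, and the secrets that were posted verbatim have
   been replaced by placeholders. The IKE/IPsec proposals are left as they
   were because they have to match the HQ peer, which is not shown here. */
version 12.1X47-D10.4;
system {
    root-authentication {
        /* The $1$ (MD5-crypt) hash that was published here is crackable
           offline; it has been redacted and must be rotated on the device.
           Set a fresh value with `set system root-authentication
           plain-text-password` before loading this file. */
        encrypted-password "<REDACTED>"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            /* J-Web was served over plaintext http on ge-0/0/0.0, the
               Internet-facing interface. It is now TLS-only; replace the
               self-signed certificate with a trusted one, or move management
               to the trust side, where possible. */
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        /* Keeps a record of every operational/config command entered. */
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* WAN / untrust side; the IKE gateway is bound to this unit below. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 11.11.11.22/24;
            }
        }
    }
    /* Local LAN (NET-LOCAL-LAN). */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    /* Loopback placed in the trust zone so it can be reached through the
       tunnel (NET-LOCAL-LOOP). */
    lo0 {
        unit 10 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 11.11.11.11;
    }
}
security {
    ike {
        /* NOTE(review): group2 is 1024-bit MODP and SHA-1 is deprecated for
           IKE; prefer group14 or stronger and sha-256. These parameters must
           be changed on both peers at the same time, so they are left as
           published. */
        proposal IKE-SHA-AES128-DH1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy IKE-POLICY-HQ {
            mode main;
            proposals IKE-SHA-AES128-DH1;
            /* Junos $9$ strings are reversible obfuscation, not encryption:
               the PSK that was published here is effectively plaintext and
               has been redacted. Generate a new PSK and configure it on both
               peers. */
            pre-shared-key ascii-text "<REDACTED>"; ## SECRET-DATA
        }
        gateway IKE-GATEWAY-HQ {
            ike-policy IKE-POLICY-HQ;
            address 11.11.11.11;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* ESP with AES-128-CBC / HMAC-SHA1-96. Same caveat as IKE: move to
           sha-256 (or an AEAD mode where supported) together with the peer. */
        proposal IPSEC-SHA-AES128-ESP {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy VPN-POLICY-HQ {
            proposals IPSEC-SHA-AES128-ESP;
        }
        vpn VPN-HQ {
            ike {
                gateway IKE-GATEWAY-HQ;
                ipsec-policy VPN-POLICY-HQ;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Policy-based VPN: four outbound tunnel policies, one per
           local/remote subnet pair, each paired with its inbound twin in
           untrust->trust. They are evaluated before the trailing
           default-permit, so matching traffic is always sent into VPN-HQ. */
        from-zone trust to-zone untrust {
            policy VPN-HQ-LAN-LAN-OUT {
                match {
                    source-address NET-LOCAL-LAN;
                    destination-address NET-REMOTE-LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LAN-LAN-IN;
                        }
                    }
                }
            }
            policy VPN-HQ-LOOP-LOOP-OUT {
                match {
                    source-address NET-LOCAL-LOOP;
                    destination-address NET-REMOTE-LOOP;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LOOP-LOOP-IN;
                        }
                    }
                }
            }
            policy VPN-HQ-LOOP-LAN-OUT {
                match {
                    source-address NET-LOCAL-LOOP;
                    destination-address NET-REMOTE-LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LOOP-LAN-IN;
                        }
                    }
                }
            }
            policy VPN-HQ-LAN-LOOP-OUT {
                match {
                    source-address NET-LOCAL-LAN;
                    destination-address NET-REMOTE-LOOP;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LAN-LOOP-IN;
                        }
                    }
                }
            }
            /* Unrestricted outbound Internet access for the trust zone.
               Acceptable for a lab; tighten by application in production. */
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound twins of the tunnel policies above. Only decrypted VPN
           traffic between the named subnets is allowed in; everything else
           from untrust hits default-deny. */
        from-zone untrust to-zone trust {
            policy VPN-HQ-LAN-LAN-IN {
                match {
                    source-address NET-REMOTE-LAN;
                    destination-address NET-LOCAL-LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LAN-LAN-OUT;
                        }
                    }
                }
            }
            policy VPN-HQ-LOOP-LOOP-IN {
                match {
                    source-address NET-REMOTE-LOOP;
                    destination-address NET-LOCAL-LOOP;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LOOP-LOOP-OUT;
                        }
                    }
                }
            }
            policy VPN-HQ-LOOP-LAN-IN {
                match {
                    source-address NET-REMOTE-LAN;
                    destination-address NET-LOCAL-LOOP;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LOOP-LAN-OUT;
                        }
                    }
                }
            }
            policy VPN-HQ-LAN-LOOP-IN {
                match {
                    source-address NET-REMOTE-LOOP;
                    destination-address NET-LOCAL-LAN;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-HQ;
                            pair-policy VPN-HQ-LAN-LOOP-OUT;
                        }
                    }
                }
            }
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                address NET-LOCAL-LOOP 172.16.1.0/24;
                address NET-LOCAL-LAN 10.0.1.0/24;
            }
            /* Every system service and routing protocol is reachable from
               the LAN side. Fine for a lab; in production list only what
               the LAN actually needs (e.g. ssh, https, ping, dhcp). */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                lo0.10;
            }
        }
        security-zone untrust {
            address-book {
                address NET-REMOTE-LAN 10.0.2.0/24;
                address NET-REMOTE-LOOP 172.16.2.0/24;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    /* Only what the Internet-facing interface must accept:
                       ike for the tunnel, https/ssh for management. telnet
                       (plaintext credentials) and http were removed. ssh is
                       still open to any source; consider a firewall filter
                       limiting it to known management addresses. dhcp is
                       kept from the original but is unused while the
                       interface has a static address. */
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            dhcp;
                            ike;
                        }
                    }
                }
            }
        }
    }
}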