
PSK IPSec VPN – SRX to SRX – Thru NAT

In this video we work through the problems of bringing up an IPsec VPN through a NAT. The VPN peers are Juniper SRXs, IKEv2 with pre-shared-key authentication builds the IKE SA (Phase 1), and the IPsec SA (Phase 2) is route-based over st0 interfaces. We also look at what NAT keepalive and NAT traversal do for us, and at why the lab needs them only once the NAT starts rewriting ports.

Static NAT - Topology & Final Configs
Topology (diagram not reproduced; it can be read off the configs below): SRX0 is the hub on the public side at 107.22.138.98/29 with its default route via 107.22.138.97. SRX1 (192.168.0.101) and SRX2 (192.168.0.102) sit behind a NAT device, their default gateway 192.168.0.1, which maps them one-to-one to 208.105.102.61 and 208.105.102.62. The loopbacks 10.0.0.0, 10.0.0.1 and 10.0.0.2 are exchanged over OSPF across the st0 /31 links, and traffic inside zone CORP is allowed by the Permit_Any policy. Because a static NAT rewrites only the address, ESP passes through it unchanged, so every gateway sets no-nat-traversal and the tunnels run as plain ESP. What the NAT does break is the IKE identity: an SRX with no local-identity configured sends its external-interface address, here 192.168.0.101 or .102, and SRX0 rejects that because it expects the peer's public address. The configs show both fixes: SRX1 sets local-identity inet 208.105.102.61, the post-NAT address SRX0 has as its gateway address, while SRX2 sends a hostname identity that SRX0 matches with remote-identity hostname SRX2. Configs: SRX0, SRX1, SRX2.

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 208.105.102.61
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 address 208.105.102.62
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 remote-identity hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity inet 208.105.102.61
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
Dynamic NAT - Topology & Final Configs
Topology (diagram not reproduced): same layout, but the NAT now takes the spokes' public addresses from a pool, so SRX0 cannot know in advance which address a spoke will arrive from. SRX0 therefore defines each gateway as dynamic hostname SRX1 and dynamic hostname SRX2 instead of a fixed address, and each spoke identifies itself with local-identity hostname. A dynamic gateway can only respond, so the spokes must initiate; SRX0 cannot bring the tunnels up itself. The translation is still address-only, ESP still passes, and no-nat-traversal stays on every gateway. One caveat for anything beyond a lab: with a dynamic gateway nothing but the claimed hostname and the pre-shared key ties a peer to its gateway, and here both spokes share the key thisisaNATlab, so either could present the other's hostname. Give each dynamic gateway its own ike-policy with its own key, or use certificates. Configs: SRX0, SRX1, SRX2.

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 dynamic hostname SRX1
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 dynamic hostname SRX2
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX1
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
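The static-NAT and dynamic-NAT configs above both hinge on the same three things lining up between a hub gateway and the spoke gateway that points back at it: the IKE identity the spoke sends must be what the hub expects (local-identity against remote-identity, against the dynamic hostname, or against the plain gateway address, with the Junos default of the external-interface address when no local-identity is set), the pre-shared keys must agree, and no-nat-traversal must be set on both sides or neither. As an added example, not from the post or from Juniper, here is a small Python checker that parses Junos set output into a tree and runs those checks. The embedded config text is trimmed from the static-NAT SRX0, SRX1 and SRX2 configs; the SRX1 variant without local-identity is constructed to show the failure the static case has to avoid, and the same checker handles a hub gateway defined with dynamic hostname, as in the dynamic-NAT configs.

```python
from typing import Optional

def parse_set_config(text: str) -> dict:
    """'set a b c' -> {'a': {'b': {'c': {}}}}; lines sharing a prefix merge into one subtree."""
    tree: dict = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "set":
            continue
        node = tree
        for tok in parts[1:]:
            node = node.setdefault(tok, {})
    return tree

def lookup(node: Optional[dict], *path: str) -> Optional[dict]:
    """Walk the tree along path; None as soon as an element is missing."""
    for key in path:
        node = node.get(key) if node is not None else None
    return node

def value(node: Optional[dict]) -> Optional[str]:
    """Single-valued knob: {'208.105.102.61': {}} -> '208.105.102.61'."""
    return next(iter(node)) if node else None

def external_ip(cfg: dict, logical_if: str) -> str:
    """'ge-0/0/0.0' -> that unit's inet address without the prefix length."""
    phys, unit = logical_if.rsplit(".", 1)
    return value(lookup(cfg, "interfaces", phys, "unit", unit, "family", "inet", "address")).split("/")[0]

def sent_identity(cfg: dict, gw: dict) -> tuple:
    """IKE ID this side sends: local-identity if set, else (the Junos default) its external-interface address."""
    li = lookup(gw, "local-identity")
    if li:
        return value(li), value(li[value(li)])
    return "inet", external_ip(cfg, value(gw["external-interface"]))

def expected_identity(gw: dict) -> tuple:
    """IKE ID the receiving side accepts: remote-identity, else the dynamic hostname, else the peer address."""
    for knob in ("remote-identity", "dynamic"):
        sub = lookup(gw, knob)
        if sub:
            return value(sub), value(sub[value(sub)])
    return "inet", value(gw.get("address"))

def psk(cfg: dict, gw: dict) -> Optional[str]:
    """Pre-shared key reached through the gateway's ike-policy."""
    return value(lookup(cfg, "security", "ike", "policy", value(gw.get("ike-policy")), "pre-shared-key", "ascii-text"))

def check_peering(hub: dict, hub_gw: str, spoke: dict, spoke_gw: str) -> list:
    """Findings for one hub gateway against the spoke gateway pointing back at it; [] means consistent."""
    h = hub["security"]["ike"]["gateway"][hub_gw]
    s = spoke["security"]["ike"]["gateway"][spoke_gw]
    findings = []
    sent, expected = sent_identity(spoke, s), expected_identity(h)
    if sent != expected:
        findings.append(f"{hub_gw}: spoke sends IKE ID {sent}, hub expects {expected}")
    if psk(hub, h) != psk(spoke, s):
        findings.append(f"{hub_gw}: pre-shared keys differ")
    if ("no-nat-traversal" in h) != ("no-nat-traversal" in s):
        findings.append(f"{hub_gw}: no-nat-traversal set on one side only")
    return findings

# Added example, not the page's code: hub stanzas the checks read, trimmed from the static-NAT SRX0 config.
SRX0 = parse_set_config("""
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 208.105.102.61
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 address 208.105.102.62
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 remote-identity hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
""")

def spoke_config(private_ip: str, local_identity: Optional[str]) -> dict:
    """Spoke stanzas trimmed from SRX1/SRX2, parameterised so a spoke without local-identity can be checked."""
    lines = [
        "set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab",
        "set security ike gateway SRX0 ike-policy IKE_POLI",
        "set security ike gateway SRX0 address 107.22.138.98",
        "set security ike gateway SRX0 no-nat-traversal",
        "set security ike gateway SRX0 external-interface ge-0/0/0.0",
        f"set interfaces ge-0/0/0 unit 0 family inet address {private_ip}/24",
    ]
    if local_identity:
        lines.append(f"set security ike gateway SRX0 local-identity {local_identity}")
    return parse_set_config("\n".join(lines))

SRX1 = spoke_config("192.168.0.101", "inet 208.105.102.61")  # ID = its post-NAT address
SRX2 = spoke_config("192.168.0.102", "hostname SRX2")        # ID = hostname; hub has remote-identity
SRX1_NO_ID = spoke_config("192.168.0.101", None)              # constructed: ID falls back to 192.168.0.101

if __name__ == "__main__":
    for label, gw, spoke in (("SRX1", "SRX1", SRX1), ("SRX2", "SRX2", SRX2), ("SRX1 w/o ID", "SRX1", SRX1_NO_ID)):
        print(label, check_peering(SRX0, gw, spoke, "SRX0") or "consistent")
```

Feed it the output of show configuration | display set from each box and it reports, per gateway pair, exactly the mismatch that otherwise only shows up as an IKE_AUTH failure in the traceoptions log. The identity fallback is the important part: the spoke without local-identity is the configuration that looks complete on the spoke and still fails against the hub.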
NAT Overload - Topology & Final Configs
Topology (diagram not reproduced): same layout, but the NAT now overloads one public address (PAT) and rewrites source ports to tell the spokes apart. ESP has no port field, so a PAT has nothing to rewrite on the way out and nothing to demultiplex return traffic on; this is the case NAT traversal exists for. The only change from the dynamic-NAT configs is that no-nat-traversal is gone from every gateway. IKEv2 NAT detection then works as designed: the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications in IKE_SA_INIT are hashes over the SPIs, address and port as each side sees them, the rewritten source makes the hub's check fail, both sides move to UDP 4500, and ESP is carried inside UDP (RFC 3948). The ike system service already allowed on zone WWW covers UDP 4500 as well as 500. NAT keepalives, left at the gateway default here (the nat-keepalive knob), keep the PAT binding alive while the tunnel is idle so that SRX0 can still reach a spoke. Configs: SRX0, SRX1, SRX2.

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 dynamic hostname SRX1
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 dynamic hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 local-identity hostname SRX1
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
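What NAT traversal actually detects, as an added Python example that is not part of the post: each IKE_SA_INIT message carries NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications, SHA-1 over the IKE SPIs and the address and port the sender believes it is using (RFC 7296, section 2.23). The receiver recomputes both from the IP/UDP header it actually received; a mismatch on the source hash means the sender is behind a NAT, a mismatch on the destination hash means the receiver is. Only the hub and spoke addresses come from the lab configs; the SPIs, the PAT public address and the ports are constructed. The code runs the check for no NAT, static NAT in both directions and PAT, and shows that a one-to-one static NAT is detected exactly like PAT, which is why the first two scenarios set no-nat-traversal explicitly to keep plain ESP rather than letting the SRXs switch to UDP 4500 encapsulation.

```python
"""IKEv2 NAT detection (RFC 7296 s2.23) over the lab's three NAT cases; added example, not the page's code."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ep: Endpoint) -> bytes:
    """SHA-1( SPIi | SPIr | IP | Port ): IP in network byte order, port as a 16-bit big-endian field."""
    data = spi_i + spi_r + ipaddress.ip_address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.sha1(data).digest()

@dataclass(frozen=True)
class IkeSaInit:
    """The parts of an IKE_SA_INIT message that matter here: outer header plus the two NAT_DETECTION notifies."""
    spi_i: bytes
    spi_r: bytes
    src: Endpoint          # IP/UDP header as currently on the wire; a NAT rewrites these
    dst: Endpoint
    nat_det_source: bytes  # notify payloads: hashed by the sender, opaque to any NAT on the path
    nat_det_dest: bytes

def build_ike_sa_init(spi_i: bytes, spi_r: bytes, src: Endpoint, dst: Endpoint) -> IkeSaInit:
    """What the sender emits: both notifies are computed over its own view of addresses and ports."""
    return IkeSaInit(spi_i, spi_r, src, dst,
                     nat_detection_hash(spi_i, spi_r, src), nat_detection_hash(spi_i, spi_r, dst))

def source_nat(msg: IkeSaInit, public: Endpoint) -> IkeSaInit:
    """NAT on the sender's side (static, pool or PAT): rewrites the outer source, cannot touch the payload."""
    return replace(msg, src=public)

def destination_nat(msg: IkeSaInit, private: Endpoint) -> IkeSaInit:
    """Static NAT forwarding inbound traffic to a spoke: rewrites the outer destination."""
    return replace(msg, dst=private)

def detect_nat(received: IkeSaInit) -> dict:
    """Receiver side: recompute each hash from the header as received and compare with the notifies."""
    src_match = received.nat_det_source == nat_detection_hash(received.spi_i, received.spi_r, received.src)
    dst_match = received.nat_det_dest == nat_detection_hash(received.spi_i, received.spi_r, received.dst)
    return {"sender_behind_nat": not src_match, "receiver_behind_nat": not dst_match}

def encapsulation(received: IkeSaInit, no_nat_traversal: bool) -> str:
    """Transport the SAs end up on: UDP/4500 encapsulation only if a NAT was seen and NAT-T is allowed."""
    if any(detect_nat(received).values()) and not no_nat_traversal:
        return "udp-encapsulated ESP on UDP/4500"
    return "plain ESP (IP protocol 50)"

SPI_I = bytes.fromhex("0123456789abcdef")       # constructed initiator SPI
SPI_R = bytes(8)                                # responder SPI is zero in the first IKE_SA_INIT
HUB = Endpoint("107.22.138.98", 500)            # SRX0, from the lab configs
SRX1_PRIVATE = Endpoint("192.168.0.101", 500)   # SRX1 as it sees itself
SRX1_STATIC = Endpoint("208.105.102.61", 500)   # SRX1's 1:1 mapping in the static-NAT case
SRX1_PAT = Endpoint("198.51.100.7", 61001)      # assumed PAT address and port; the lab does not give them

def scenarios() -> dict:
    """Run the detection for each lab case from the receiver's point of view."""
    spoke_init = build_ike_sa_init(SPI_I, SPI_R, SRX1_PRIVATE, HUB)   # spoke initiates to the hub
    hub_init = build_ike_sa_init(SPI_I, SPI_R, HUB, SRX1_STATIC)      # hub initiates to the mapped address
    return {
        "no NAT in the path": detect_nat(spoke_init),
        "static NAT, spoke initiates": detect_nat(source_nat(spoke_init, SRX1_STATIC)),
        "static NAT, hub initiates": detect_nat(destination_nat(hub_init, SRX1_PRIVATE)),
        "PAT, spoke initiates": detect_nat(source_nat(spoke_init, SRX1_PAT)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} {result}")
    pat_msg = source_nat(build_ike_sa_init(SPI_I, SPI_R, SRX1_PRIVATE, HUB), SRX1_PAT)
    for flag in (True, False):
        print(f"no-nat-traversal={flag}: {encapsulation(pat_msg, no_nat_traversal=flag)}")
```

The receiver cannot tell from the hashes whether the NAT changed the address, the port or both; it only learns that something in the path rewrote the header. That is why the default behaviour is to float to UDP 4500 as soon as either hash fails, and why the static and dynamic cases in this lab have to opt out with no-nat-traversal if you want to prove that raw ESP survives an address-only NAT.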