Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
534 lines (525 sloc) 19.4 KB
# -*- junos -*-
system {
host-name V3-2;
delete: autoinstallation;
services {
delete: web-management;
ssh;
}
# Password is .Linux.
root-authentication {
encrypted-password "$1$avyI22e2$Qs8P0WjiG0WgUWRGMXX16/"; ## SECRET-DATA
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
delete: license;
}
chassis {
aggregated-devices {
ethernet {
device-count 4;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet6;
}
}
ge-0/0/1 {
unit 0 {
family inet6;
}
}
ge-0/0/2 {
unit 0 {
family inet6;
}
}
lo0 {
unit 1 {
family inet6 {
address 2001:db8:3::2/128;
}
}
}
st0 {
unit 1 {
family inet6 {
address 2001:db8:ff::7/127;
}
}
unit 2 {
family inet6 {
address 2001:db8:ff::15/127;
}
}
unit 3 {
family inet6 {
address 2001:db8:ff::19/127;
}
}
unit 4 {
family inet6 {
address 2001:db8:ff::23/127;
}
}
}
}
policy-options {
policy-statement FROM-BGP {
term 10 {
from protocol bgp;
then accept;
}
}
policy-statement FROM-OSPF {
term 10 {
from {
protocol ospf3;
route-type internal;
}
then {
metric 0;
accept;
}
}
}
policy-statement NEXT-HOP-SELF {
term 10 {
then next-hop self;
}
}
policy-statement NOTHING {
term 10 {
then reject;
}
}
policy-statement ECMP {
then load-balance per-packet;
}
}
routing-instances {
private {
instance-type virtual-router;
interface st0.1;
interface st0.2;
interface st0.3;
interface st0.4;
interface ge-0/0/1;
interface ge-0/0/2;
routing-options {
router-id 1.0.3.2;
maximum-paths 16;
}
protocols {
ospf3 {
area 0.0.0.0 {
interface ge-0/0/1.0;
interface ge-0/0/2.0;
}
export [ FROM-BGP NOTHING ];
}
bgp {
preference 140;
log-updown;
group v4-VPN {
type external;
local-as 65003;
hold-time 6;
neighbor 2001:db8:ff::6 {
peer-as 65001;
}
neighbor 2001:db8:ff::14 {
peer-as 65001;
}
neighbor 2001:db8:ff::18 {
peer-as 65002;
}
neighbor 2001:db8:ff::22 {
peer-as 65002;
}
multipath;
export [ NEXT-HOP-SELF FROM-OSPF NOTHING ];
}
}
}
}
public {
instance-type virtual-router;
interface ge-0/0/0.0;
interface lo0.1;
routing-options {
maximum-paths 16;
static {
route 203.0.113.128/26 {
discard;
preference 250;
}
}
router-id 2.0.3.2;
}
protocols {
ospf3 {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface lo0.1 {
passive;
}
}
}
}
}
}
routing-options {
forwarding-table {
export ECMP;
}
}
groups {
SECURITY-VPN {
security {
ike {
proposal IKE-P1 {
authentication-method pre-shared-keys;
dh-group group20;
encryption-algorithm aes-256-gcm;
}
policy <*> {
mode main;
proposals IKE-P1;
}
gateway <*> {
dead-peer-detection {
always-send;
interval 10;
threshold 3;
}
external-interface lo0.1;
general-ikeid;
version v2-only;
}
}
ipsec {
proposal ESP-P2 {
protocol esp;
encryption-algorithm aes-256-gcm;
}
policy IPSEC-ESP {
perfect-forward-secrecy keys group20;
proposals ESP-P2;
}
vpn <*> {
df-bit copy;
ike {
ipsec-policy IPSEC-ESP;
}
establish-tunnels on-traffic;
}
}
}
}
}
security {
apply-groups [ SECURITY-VPN ];
ike {
policy IKE-V1-1 {
pre-shared-key ascii-text "d8bdRxaY22oH1j89Z2nATeYyrXfP9ga6xC5mi0RG1uc";
}
policy IKE-V1-2 {
pre-shared-key ascii-text "d8bdRxaY22oH1j89Z2nATeYyrXfP9ga6xC5mi0RG1uc";
}
policy IKE-V2-1 {
pre-shared-key ascii-text "d8bdRxaY22oH1j89Z2nATeYyrXfP9ga6xC5mi0RG1uc";
}
policy IKE-V2-2 {
pre-shared-key ascii-text "d8bdRxaY22oH1j89Z2nATeYyrXfP9ga6xC5mi0RG1uc";
}
gateway GW-V1-1 {
ike-policy IKE-V1-1;
address 2001:db8:1::1;
}
gateway GW-V1-2 {
ike-policy IKE-V1-2;
address 2001:db8:1::2;
}
gateway GW-V2-1 {
ike-policy IKE-V2-1;
address 2001:db8:2::1;
}
gateway GW-V2-2 {
ike-policy IKE-V2-2;
address 2001:db8:2::2;
}
}
ipsec {
vpn VPN-V1-1 {
bind-interface st0.1;
ike gateway GW-V1-1;
}
vpn VPN-V1-2 {
bind-interface st0.2;
ike gateway GW-V1-2;
}
vpn VPN-V2-1 {
bind-interface st0.3;
ike gateway GW-V2-1;
}
vpn VPN-V2-2 {
bind-interface st0.4;
ike gateway GW-V2-2;
}
}
flow {
tcp-session {
no-syn-check;
no-syn-check-in-tunnel;
no-sequence-check;
}
}
policies {
delete: from-zone trust to-zone trust;
delete: from-zone trust to-zone untrust;
delete: from-zone untrust to-zone trust;
from-zone PUBLIC to-zone PUBLIC {
policy accept-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone PRIVATE to-zone PRIVATE {
policy accept-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone PRIVATE to-zone PUBLIC {
policy deny-all {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log session-init;
}
}
}
from-zone PUBLIC to-zone PRIVATE {
policy deny-all {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log session-init;
}
}
}
}
zones {
delete: security-zone trust;
delete: security-zone untrust;
security-zone PRIVATE {
interfaces st0.1;
interfaces st0.2;
interfaces st0.3;
interfaces st0.4;
interfaces ge-0/0/1.0;
interfaces ge-0/0/2.0;
host-inbound-traffic {
system-services {
ping;
}
protocols {
ospf3;
bgp;
}
}
}
security-zone PUBLIC {
interfaces ge-0/0/0.0;
interfaces lo0.1;
host-inbound-traffic {
system-services {
ping;
ike;
}
protocols {
ospf3;
}
}
}
}
}
# set system root-authentication encrypted-password "$1$avyI22e2$Qs8P0WjiG0WgUWRGMXX16/"
# set system services ssh root-login allow
# set system services netconf ssh
# set system syslog user * any emergency
# set system syslog file messages any any
# set system syslog file messages authorization info
# set system syslog file interactive-commands interactive-commands any
# delete system autoinstallation
# delete system services web-management
# delete system license
# set groups SECURITY-VPN security ike proposal IKE-P1 authentication-method pre-shared-keys
# set groups SECURITY-VPN security ike proposal IKE-P1 dh-group group20
# set groups SECURITY-VPN security ike proposal IKE-P1 encryption-algorithm aes-256-gcm
# set groups SECURITY-VPN security ike policy <*> mode main
# set groups SECURITY-VPN security ike policy <*> proposals IKE-P1
# set groups SECURITY-VPN security ike gateway <*> dead-peer-detection always-send
# set groups SECURITY-VPN security ike gateway <*> dead-peer-detection interval 10
# set groups SECURITY-VPN security ike gateway <*> dead-peer-detection threshold 3
# set groups SECURITY-VPN security ike gateway <*> external-interface lo0.1
# set groups SECURITY-VPN security ike gateway <*> general-ikeid
# set groups SECURITY-VPN security ike gateway <*> version v2-only
# set groups SECURITY-VPN security ipsec proposal ESP-P2 protocol esp
# set groups SECURITY-VPN security ipsec proposal ESP-P2 encryption-algorithm aes-256-gcm
# set groups SECURITY-VPN security ipsec policy IPSEC-ESP perfect-forward-secrecy keys group20
# set groups SECURITY-VPN security ipsec policy IPSEC-ESP proposals ESP-P2
# set groups SECURITY-VPN security ipsec vpn <*> df-bit copy
# set groups SECURITY-VPN security ipsec vpn <*> ike ipsec-policy IPSEC-ESP
# set groups SECURITY-VPN security ipsec vpn <*> establish-tunnels on-traffic
# set system host-name V3-2
# set chassis aggregated-devices ethernet device-count 4
# set security apply-groups SECURITY-VPN
# set security ike policy IKE-V1-1 pre-shared-key ascii-text "$9$f5Qn0BIhclfTRcSlXxNdbsJUik.fQFZUPTzF/9RhSyWLs24JDHsYqfTQ6/KvWLxdaZDi.5JGpOIEeK2goJHqzF/CA03nMX-dY2z3n/tOrlMWX7jHTFn6AtLxNbwg"
# set security ike policy IKE-V1-2 pre-shared-key ascii-text "$9$ynbreWVwY4oGyl2oaG.mfTz3t01Rhyevp0SlKvLX24aJHq369tOI3nEyle8LDjHqmTApO1hrtu-bYgUD6/CtIEKvLx7VMWi.5Tn6KMWLNbZGiH.PBIlvW87NqmfzF/"
# set security ike policy IKE-V2-1 pre-shared-key ascii-text "$9$e2oKMXs24JZjevoZGjf5QFn/01EcyeM8O1lvW87NoJGU.P/Ct0Ih/9SevMx7Hk.P5FuOIEyK0BbY4aiHCAp0hSW87-dsLXqfzF9CWLX7VYDjq.fTRhv8XxdVP5Qn6A"
# set security ike policy IKE-V2-2 pre-shared-key ascii-text "$9$UcDi.369tpBUjCpuByrevWLVsgoJUikbsGjHkPfCtu0hSLxNVY4LXaUjimPIRhSrvdbYgJDVwzn9A1Ix7-V4aHkP5T3q.EyKvXxHq.PQnOBEhyl24jk.mTQSreW87"
# set security ike gateway GW-V1-1 ike-policy IKE-V1-1
# set security ike gateway GW-V1-1 address 2001:db8:1::1
# set security ike gateway GW-V1-2 ike-policy IKE-V1-2
# set security ike gateway GW-V1-2 address 2001:db8:1::2
# set security ike gateway GW-V2-1 ike-policy IKE-V2-1
# set security ike gateway GW-V2-1 address 2001:db8:2::1
# set security ike gateway GW-V2-2 ike-policy IKE-V2-2
# set security ike gateway GW-V2-2 address 2001:db8:2::2
# set security ipsec vpn VPN-V1-1 bind-interface st0.1
# set security ipsec vpn VPN-V1-1 ike gateway GW-V1-1
# set security ipsec vpn VPN-V1-2 bind-interface st0.2
# set security ipsec vpn VPN-V1-2 ike gateway GW-V1-2
# set security ipsec vpn VPN-V2-1 bind-interface st0.3
# set security ipsec vpn VPN-V2-1 ike gateway GW-V2-1
# set security ipsec vpn VPN-V2-2 bind-interface st0.4
# set security ipsec vpn VPN-V2-2 ike gateway GW-V2-2
# set security flow tcp-session no-syn-check
# set security flow tcp-session no-syn-check-in-tunnel
# set security flow tcp-session no-sequence-check
# delete security zones security-zone trust
# delete security zones security-zone untrust
# delete security policies from-zone trust to-zone trust
# delete security policies from-zone trust to-zone untrust
# delete security policies from-zone untrust to-zone trust
# set security policies from-zone PUBLIC to-zone PUBLIC policy accept-all match source-address any
# set security policies from-zone PUBLIC to-zone PUBLIC policy accept-all match destination-address any
# set security policies from-zone PUBLIC to-zone PUBLIC policy accept-all match application any
# set security policies from-zone PUBLIC to-zone PUBLIC policy accept-all then permit
# set security policies from-zone PRIVATE to-zone PRIVATE policy accept-all match source-address any
# set security policies from-zone PRIVATE to-zone PRIVATE policy accept-all match destination-address any
# set security policies from-zone PRIVATE to-zone PRIVATE policy accept-all match application any
# set security policies from-zone PRIVATE to-zone PRIVATE policy accept-all then permit
# set security policies from-zone PRIVATE to-zone PUBLIC policy deny-all match source-address any
# set security policies from-zone PRIVATE to-zone PUBLIC policy deny-all match destination-address any
# set security policies from-zone PRIVATE to-zone PUBLIC policy deny-all match application any
# set security policies from-zone PRIVATE to-zone PUBLIC policy deny-all then deny
# set security policies from-zone PRIVATE to-zone PUBLIC policy deny-all then log session-init
# set security policies from-zone PUBLIC to-zone PRIVATE policy deny-all match source-address any
# set security policies from-zone PUBLIC to-zone PRIVATE policy deny-all match destination-address any
# set security policies from-zone PUBLIC to-zone PRIVATE policy deny-all match application any
# set security policies from-zone PUBLIC to-zone PRIVATE policy deny-all then deny
# set security policies from-zone PUBLIC to-zone PRIVATE policy deny-all then log session-init
# set security zones security-zone PRIVATE host-inbound-traffic system-services ping
# set security zones security-zone PRIVATE host-inbound-traffic protocols ospf3
# set security zones security-zone PRIVATE host-inbound-traffic protocols bgp
# set security zones security-zone PRIVATE interfaces st0.1
# set security zones security-zone PRIVATE interfaces st0.2
# set security zones security-zone PRIVATE interfaces st0.3
# set security zones security-zone PRIVATE interfaces st0.4
# set security zones security-zone PRIVATE interfaces ge-0/0/1.0
# set security zones security-zone PRIVATE interfaces ge-0/0/2.0
# set security zones security-zone PUBLIC host-inbound-traffic system-services ping
# set security zones security-zone PUBLIC host-inbound-traffic system-services ike
# set security zones security-zone PUBLIC host-inbound-traffic protocols ospf3
# set security zones security-zone PUBLIC interfaces ge-0/0/0.0
# set security zones security-zone PUBLIC interfaces lo0.1
# set interfaces ge-0/0/0 unit 0 family inet6
# set interfaces ge-0/0/1 unit 0 family inet6
# set interfaces ge-0/0/2 unit 0 family inet6
# set interfaces fxp0 unit 0 family inet dhcp
# set interfaces lo0 unit 1 family inet6 address 2001:db8:3::2/128
# set interfaces st0 unit 1 family inet6 address 2001:db8:ff::7/127
# set interfaces st0 unit 2 family inet6 address 2001:db8:ff::15/127
# set interfaces st0 unit 3 family inet6 address 2001:db8:ff::19/127
# set interfaces st0 unit 4 family inet6 address 2001:db8:ff::23/127
# set routing-options forwarding-table export ECMP
# set policy-options policy-statement ECMP then load-balance per-packet
# set policy-options policy-statement FROM-BGP term 10 from protocol bgp
# set policy-options policy-statement FROM-BGP term 10 then accept
# set policy-options policy-statement FROM-OSPF term 10 from protocol ospf3
# set policy-options policy-statement FROM-OSPF term 10 from route-type internal
# set policy-options policy-statement FROM-OSPF term 10 then metric 0
# set policy-options policy-statement FROM-OSPF term 10 then accept
# set policy-options policy-statement NEXT-HOP-SELF term 10 then next-hop self
# set policy-options policy-statement NOTHING term 10 then reject
# set routing-instances private instance-type virtual-router
# set routing-instances private interface ge-0/0/1.0
# set routing-instances private interface ge-0/0/2.0
# set routing-instances private interface st0.1
# set routing-instances private interface st0.2
# set routing-instances private interface st0.3
# set routing-instances private interface st0.4
# set routing-instances private routing-options maximum-paths 16
# set routing-instances private routing-options router-id 1.0.3.2
# set routing-instances private protocols bgp preference 140
# set routing-instances private protocols bgp log-updown
# set routing-instances private protocols bgp group v4-VPN type external
# set routing-instances private protocols bgp group v4-VPN hold-time 6
# set routing-instances private protocols bgp group v4-VPN export NEXT-HOP-SELF
# set routing-instances private protocols bgp group v4-VPN export FROM-OSPF
# set routing-instances private protocols bgp group v4-VPN export NOTHING
# set routing-instances private protocols bgp group v4-VPN local-as 65003
# set routing-instances private protocols bgp group v4-VPN multipath
# set routing-instances private protocols bgp group v4-VPN neighbor 2001:db8:ff::6 peer-as 65001
# set routing-instances private protocols bgp group v4-VPN neighbor 2001:db8:ff::14 peer-as 65001
# set routing-instances private protocols bgp group v4-VPN neighbor 2001:db8:ff::18 peer-as 65002
# set routing-instances private protocols bgp group v4-VPN neighbor 2001:db8:ff::22 peer-as 65002
# set routing-instances private protocols ospf3 export FROM-BGP
# set routing-instances private protocols ospf3 export NOTHING
# set routing-instances private protocols ospf3 area 0.0.0.0 interface ge-0/0/1.0
# set routing-instances private protocols ospf3 area 0.0.0.0 interface ge-0/0/2.0
# set routing-instances public instance-type virtual-router
# set routing-instances public interface ge-0/0/0.0
# set routing-instances public interface lo0.1
# set routing-instances public routing-options static route 203.0.113.128/26 discard
# set routing-instances public routing-options static route 203.0.113.128/26 preference 250
# set routing-instances public routing-options maximum-paths 16
# set routing-instances public routing-options router-id 2.0.3.2
# set routing-instances public protocols ospf3 area 0.0.0.0 interface ge-0/0/0.0
# set routing-instances public protocols ospf3 area 0.0.0.0 interface lo0.1 passive