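# vSRX chassis-cluster configuration: IBM Cloud (SoftLayer) edge with two IKEv2/IPsec tunnels to AWS.
# Restored to one statement per line: in the collapsed form several '#' comments ran on into the
# next statement (e.g. the gateway 'address ... #AWS's public IP for tunnel 2 dead-peer-detection {'),
# which a 'load' would have treated as comment text. No configuration values were changed;
# review notes are added as comments only.
version 19.4R3-S2.2;
groups {
    node0 {
        system {
            host-name vpn-wdc02-01-vsrx-vSRX-Node0;
        }
    }
    node1 {
        system {
            host-name vpn-wdc02-01-vsrx-vSRX-Node1;
        }
    }
}
apply-groups "${node}";
system {
    host-name vpn-wdc02-01-vsrx-vSRX;
    root-authentication {
        # "XXX" is a redacted placeholder; the real hash is provisioned out of band.
        encrypted-password "XXX"; ## SECRET-DATA
    }
    login {
        # NOTE(review): class 'security' is defined but no user below is assigned to it;
        # the only interactive account is 'admin' with super-user.
        class security {
            permissions [ security-control view-configuration ];
        }
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "YYY"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            # NOTE(review): direct root SSH is permitted. Logging in as 'admin' and using
            # 'root-login deny' keeps privileged actions attributable in interactive-commands.
            root-login allow;
        }
        netconf {
            ssh {
                port 830;
            }
        }
        web-management {
            # NOTE(review): plaintext HTTP J-Web is enabled on fxp0.0; HTTPS is already
            # configured below, so the http stanza is likely unnecessary.
            http {
                interface fxp0.0;
            }
            https {
                port 8443;
                # self-signed certificate; clients cannot distinguish this box from an impostor
                # unless the generated cert is pinned or replaced with one from a trusted CA.
                system-generated-certificate;
                # NOTE(review): J-Web is bound to reth1.0, the public-facing interface (zone
                # SL-PUBLIC). Reachability is then governed only by lo0 filter PROTECT-IN term WEB.
                interface [ fxp0.0 reth0.0 reth1.0 ];
            }
            session {
                session-limit 100;
            }
        }
    }
    name-server {
        10.0.80.11;
        10.0.80.12;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any info;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        # NOTE(review): logs stay on the local disk only; no remote syslog host is configured
        # in this file, so they are lost with the node and are not available to a SIEM.
    }
    ntp {
        server 10.0.77.54;
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 4;
        heartbeat-interval 2000;
        heartbeat-threshold 8;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
            # NOTE(review): only the reth1 member links (ge-x/0/3, ge-x/0/4) are monitored;
            # a reth0 or reth2 member failure on the active node will not trigger failover
            # of RG1 — confirm this is intended.
            interface-monitor {
                ge-0/0/3 weight 130;
                ge-0/0/4 weight 130;
                ge-7/0/3 weight 130;
                ge-7/0/4 weight 130;
            }
        }
    }
}
security {
    log {
        # NOTE(review): 'mode stream' is set but no stream destination or source-address
        # appears in this file; security/session logs may have nowhere to go — confirm a
        # collector is configured (possibly outside this view).
        mode stream;
    }
    ike {
        # NOTE(review): 'flag all' tracing is verbose and normally left on only while
        # troubleshooting; it writes up to 10 x 1024768 bytes under /var/log/kmd.
        traceoptions {
            file kmd size 1024768 files 10;
            flag all;
        }
        # Both IKE proposals are identical; a single shared proposal would be easier to keep
        # consistent. dh-group group2 is 1024-bit MODP, below current guidance — AWS
        # Site-to-Site VPN also accepts group14 and above.
        proposal ike-prop-aws-vpn-1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            encryption-algorithm aes-128-gcm;
            lifetime-seconds 28800;
        }
        proposal ike-prop-aws-vpn-2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            encryption-algorithm aes-128-gcm;
            lifetime-seconds 28800;
        }
        # 'mode main' is an IKEv1 setting; the gateways below are 'version v2-only', so it
        # has no effect here as far as I can tell. PSKs "1111"/"2222" are placeholders —
        # use the AWS-generated keys from the downloaded tunnel configuration.
        policy ike-pol-aws-vpn-1 {
            mode main;
            proposals ike-prop-aws-vpn-1;
            pre-shared-key ascii-text "1111"; ## SECRET-DATA
        }
        policy ike-pol-aws-vpn-2 {
            mode main;
            proposals ike-prop-aws-vpn-2;
            pre-shared-key ascii-text "2222"; ## SECRET-DATA
        }
        gateway gw-aws-vpn-1 {
            ike-policy ike-pol-aws-vpn-1;
            address 1.1.1.1; #AWS's public IP for tunnel 1
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            no-nat-traversal;
            nat-keepalive 3;
            external-interface reth1.0;
            version v2-only;
        }
        gateway gw-aws-vpn-2 {
            ike-policy ike-pol-aws-vpn-2;
            address 2.2.2.2; #AWS's public IP for tunnel 2
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            no-nat-traversal;
            nat-keepalive 3;
            external-interface reth1.0;
            version v2-only;
        }
    }
    ipsec {
        # Both IPsec proposals are identical as well (ESP, AES-128-GCM, 1h lifetime).
        proposal ipsec-prop-aws-vpn-1 {
            protocol esp;
            encryption-algorithm aes-128-gcm;
            lifetime-seconds 3600;
        }
        proposal ipsec-prop-aws-vpn-2 {
            protocol esp;
            encryption-algorithm aes-128-gcm;
            lifetime-seconds 3600;
        }
        policy ipsec-pol-aws-vpn-1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-aws-vpn-1;
        }
        policy ipsec-pol-aws-vpn-2 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-aws-vpn-2;
        }
        # NOTE(review): 'establish-tunnels immediately' is set, but st0, st0.10 and st0.20 are
        # all 'disable'd under [interfaces] below, so these tunnels cannot carry traffic as
        # configured — confirm whether this is a staging state.
        vpn aws-vpn-1 {
            bind-interface st0.10;
            df-bit clear;
            ike {
                gateway gw-aws-vpn-1;
                ipsec-policy ipsec-pol-aws-vpn-1;
            }
            establish-tunnels immediately;
        }
        vpn aws-vpn-2 {
            bind-interface st0.20;
            df-bit clear;
            ike {
                gateway gw-aws-vpn-2;
                ipsec-policy ipsec-pol-aws-vpn-2;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address SL1 10.0.64.0/19;
            address SL2 10.1.128.0/19;
            address SL3 10.0.86.0/24;
            address SL4 10.2.128.0/20;
            address SL5 10.1.176.0/20;
            address SL6 10.1.64.0/19;
            address SL7 10.1.96.0/19;
            address SL8 10.1.192.0/20;
            address SL9 10.1.160.0/20;
            address SL10 10.2.32.0/20;
            address SL11 10.2.64.0/20;
            address SL12 10.2.112.0/20;
            address SL13 10.2.160.0/20;
            address SL14 10.1.208.0/20;
            address SL15 10.2.80.0/20;
            address SL16 10.2.144.0/20;
            address SL17 10.2.48.0/20;
            address SL18 10.2.176.0/20;
            address SL19 10.3.64.0/20;
            address SL20 10.3.80.0/20;
            address SL_PRIV_MGMT 10.191.5.39/32;
            address SL_PUB_MGMT 169.62.3.91/32;
            address AWS 10.3.0.0/16;
            # VSI_PUB_NET is defined but not referenced by any policy in this file.
            address VSI_PUB_NET 169.61.109.0/29;
            address IBM_wdc02_old 10.0.0.0/16;
            address IBM_wdc01_new 10.1.0.0/16;
            address IBM_wdc02_new 10.2.0.0/16;
            # NOTE(review): SL19/SL20 (10.3.64.0/20, 10.3.80.0/20) lie inside the AWS
            # 10.3.0.0/16 prefix; SERVICE therefore overlaps AWS — confirm that is intended.
            address-set SERVICE {
                address SL1;
                address SL2;
                address SL3;
                address SL4;
                address SL5;
                address SL6;
                address SL7;
                address SL8;
                address SL9;
                address SL10;
                address SL11;
                address SL12;
                address SL13;
                address SL14;
                address SL15;
                address SL16;
                address SL17;
                address SL18;
                address SL19;
                address SL20;
            }
            address-set IBM {
                address IBM_wdc02_old;
                address IBM_wdc01_new;
                address IBM_wdc02_new;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1379;
            }
        }
    }
    screen {
        # NOTE(review): this screen profile is not attached to any security-zone below
        # (no 'screen untrust-screen' statement), so none of these checks are active.
        # Attaching it to SL-PUBLIC is the usual placement.
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool src-nat-pool-1 {
                address {
                    10.2.0.100/32 to 10.2.0.200/32;
                }
            }
            session-persistence-scan;
            session-drop-hold-down 28800;
            # NOTE(review): disabling port randomization makes translated source ports
            # predictable; re-enable unless a documented dependency requires it.
            port-randomization disable;
            rule-set aws-to-ciq {
                from zone CUSTOMER-PRIVATE;
                to zone SL-PRIVATE;
                rule r1 {
                    match {
                        source-address 10.3.0.0/16;
                        destination-address [ 10.0.0.0/16 ];
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool-1;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        # NOTE(review): none of the permit policies has 'then { log { session-close; } }',
        # so permitted flows leave no session record for detection or forensics.
        from-zone SL-PRIVATE to-zone SL-PRIVATE {
            policy Allow_Management {
                match {
                    source-address any;
                    destination-address [ SL_PRIV_MGMT SERVICE ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SL-PUBLIC to-zone SL-PUBLIC {
            policy Allow_Management {
                match {
                    source-address any;
                    destination-address SL_PUB_MGMT;
                    application [ junos-ssh junos-https junos-http junos-icmp-ping ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone CUSTOMER-PRIVATE to-zone CUSTOMER-PRIVATE {
            policy ALLOW_INTERNAL {
                description "Allow all traffic within CUSTOMER_PRIVATE zone";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone CUSTOMER-PRIVATE to-zone SL-PRIVATE {
            policy ALLOW_OUTBOUND {
                description "Allow all outbound traffic from CUSTOMER-PRIVATE to the management";
                match {
                    source-address any;
                    destination-address [ SL_PRIV_MGMT IBM SERVICE ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SL-PRIVATE to-zone CUSTOMER-PRIVATE {
            policy Allow-internal {
                match {
                    source-address IBM;
                    destination-address [ IBM AWS ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone SL-PRIVATE {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone SL-PUBLIC {
            # NOTE(review): every system service is accepted on the public interface at the
            # zone level; the lo0 filter PROTECT-IN is the only thing limiting exposure.
            # Listing just the needed services here (ike, ssh, https, ping) adds a second gate.
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone CUSTOMER-PRIVATE {
            tcp-rst;
            interfaces {
                reth2.1594 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.10;
                st0.20;
            }
        }
    }
}
interfaces {
    # reth0: SL private, reth1: SL public, reth2: customer VLAN, reth3: currently unused.
    ge-0/0/1 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/2 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/7 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-0/0/8 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-7/0/1 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/2 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/3 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/5 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-7/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-7/0/7 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-7/0/8 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/0;
                ge-0/0/9;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-7/0/0;
                ge-7/0/9;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                # All traffic to the routing engine passes through PROTECT-IN (see [firewall]).
                filter {
                    input PROTECT-IN;
                }
                address 127.0.0.1/32;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "SL PRIVATE VLAN INTERFACE";
            family inet {
                address 10.0.a.a/26; # IBM provided private vlan interface. Comes by default
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "SL PUBLIC VLAN INTERFACE";
            family inet {
                address 169.a.a.a/29; # IBM provided public interface. Comes by default
            }
            family inet6 {
                address 2607:x:x:x:x:x:x:x/64; # IBM provided public interface. Comes by default
            }
        }
    }
    reth2 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 1594 {
            vlan-id 1594;
            family inet {
                address 10.2.0.1/26;
            }
        }
    }
    reth3 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    st0 {
        # Both tunnel units and the parent are disabled; the AWS VPNs above bind to them.
        disable;
        unit 10 {
            disable;
            family inet {
                mtu 1436;
                address 169.a.a.a/30;
            }
        }
        unit 20 {
            disable;
            family inet {
                mtu 1436;
                address 169.b.b.b/30;
            }
        }
    }
}
firewall {
    # lo0 input filter: the implicit final action of a Junos filter is discard, so anything
    # not accepted by a term below is dropped before reaching the routing engine.
    filter PROTECT-IN {
        term PING {
            from {
                destination-address {
                    x.x.x.x/32;
                }
                protocol icmp;
            }
            then accept;
        }
        term SSH {
            from {
                destination-address {
                    x.x.x.x/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term WEB {
            from {
                destination-address {
                    x.x.x.x/32;
                }
                protocol tcp;
                # NOTE(review): 'port' matches source OR destination port; 'destination-port 8443'
                # is the intended match for inbound J-Web.
                port 8443;
            }
            then accept;
        }
        term DNS {
            # NOTE(review): this accepts any UDP from any source whose source port is 53,
            # regardless of destination. The configured resolvers (10.0.80.11/.12) are already
            # covered by term INTERNAL, so this term only admits external UDP that happens to
            # use source port 53 — restrict it to 'source-address' of the resolvers or remove it.
            from {
                protocol udp;
                source-port 53;
            }
            then accept;
        }
        term AWS {
            # Accepts every protocol from the AWS peers; with no-nat-traversal only IKE
            # (udp 500) and ESP are needed, so this could be narrowed accordingly.
            from {
                source-address {
                    1.1.1.1/32; # AWS's public IP
                    2.2.2.2/32;
                }
            }
            then accept;
        }
        term INTERNAL {
            # Broad: any protocol from anywhere in 10.0.0.0/8 reaches the routing engine.
            from {
                source-address {
                    10.0.0.0/8;
                }
            }
            then accept;
        }
        term AWS-2 {
            # NOTE(review): matches packets addressed *to* the AWS peers; on an lo0 input filter
            # the destination is a local address, so the purpose of this term is unclear — confirm.
            from {
                destination-address {
                    1.1.1.1/32;
                    2.2.2.2/32;
                }
            }
            then accept;
        }
    }
    # ALLOW-PING is defined but not applied to any interface in this file.
    filter ALLOW-PING {
        term ICMP {
            from {
                protocol icmp;
            }
            then accept;
        }
    }
}
applications {
    # Custom application; not referenced by any policy in this file.
    application SQL {
        protocol tcp;
        destination-port 1433;
        inactivity-timeout 43200;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 169.x.x.x; # public gateway device for internet traffic
        route 10.0.0.0/8 next-hop 10.x.x.x; # IBM's default gateway device IP
        route 161.26.0.0/16 next-hop 10.x.x.x; # IBM's default gateway device IP
        route 166.9.0.0/16 next-hop 10.x.x.x; # IBM's default gateway device IP
        # More specific than 10.0.0.0/8 above, so AWS traffic prefers the tunnels
        # (while st0.10/st0.20 stay disabled this route is unusable).
        route 10.3.0.0/16 next-hop [ st0.10 st0.20 ]; # Traffic to AWS via the VPN tunnels
    }
}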