Friday, September 3, 2021

Juniper Networks SRX Firewall Site-to-Site IPSec VPN (Route Based)

A Route Based VPN is a configuration in which an IPsec VPN tunnel created between two end points is referenced by a route that determines which traffic is sent through the tunnel based on a destination IP address.

A secure tunnel (st0) interface supports only one IPv4 address and one IPv6 address at the same time. This applies to all route-based VPNs. Examples of where route-based VPNs can be used:

  • There are overlapping subnets or IP addresses between the two LANs.
  • A hub-and-spoke VPN topology is used in the network, and spoke-to-spoke traffic is required.
  • Primary and backup VPNs are required.
  • A dynamic routing protocol (for example, OSPF, RIP, or BGP) is running across the VPN.

Note that configuring RIP demand circuits over point-to-multipoint VPN interfaces is not supported.

 

I modified my Juniper virtual lab by adding a Cisco CSRv router to act as a remote VPN gateway.

You first create a logical zone for the VPN. Go to Configure > Security > Zones/Screens > click Add.

Type Zone Name: VPN > leave the default Zone Type: Security > click OK.

 

Note the Secure Tunnel interface (st0.0) will be assigned to the VPN zone later.

 

To configure a Route Based Site-to-Site IPSec VPN, go to Configure > IPSec VPN > VPN Tunnel > Phase 1 > click Launch Wizard.

Select Site-to-Site VPN (Route based) > click Start.

 

A Remote Access VPN is where a remote user uses the NCP client to VPN to HQ.

 

Type VPN Name: S2S_VPN > under Local Private Network > select Zone: trust.

Type Networks: 172.16.1.0/24 > click Add.

 

Under Secure Tunnel Interface > type logical unit 0 for Interface st0.0 > select Interface Zone: VPN.

 

Select Interface type: Numbered > type 10.1.1.1/30 > under Public Network > select Interface: ge-0/0/0.0 (vSRX WAN/Untrust) > click Next.

Type Remote Gateway Public IP: 192.168.1.140 (CSRv WAN IP address) > type Remote Private Network: 172.16.10.0/24 > click Add > click Next.

Under IKE settings (IKE Phase 1) > select IKE Security Level: Standard (group2,aes128,sha1).


Select IKE Mode: Main (if using a manual/static IP address for the WAN/Untrust) > type IKE Preshared key (ASCII): juniper2cisco (should be the same PSK on the remote device).

 

Note that Aggressive IKE Mode is chosen if using a DHCP (dynamic) address for the WAN.

 

Under IPSec settings (IKE Phase 2) > select IPSec Security Level: Standard (esp,aes128,sha1).

Select IPSec Perfect Forward Secrecy (optional): group2 > click Next.

Under the Site-to-site VPN: Traffic Profiles > leave the default to any > click Next.

 

This will create a Security Policy (crypto ACL in Cisco) for the "interesting" traffic from the local to remote private networks.

 

Review the summary before committing the changes.

 

Click Commit when done.

 

You can view the newly configured IKE Phase I and Phase II policy under Configure > Security > IPSec VPN > VPN Tunnel > click Phase I or Phase II.




Below is the IKE Phase I and Phase II policy configuration on the Cisco CSRv router.

 

CSRv#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up     

GigabitEthernet2       unassigned      YES TFTP   administratively down down 

 

CSRv#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

CSRv(config)#ip http authentication local    // TO SIMULATE A WEB SERVER

CSRv(config)#username admin privilege 15 password 0 cisco

CSRv(config)#interface loopback200   // REMOTE LAN NETWORK

CSRv(config-if)#ip address 172.16.10.200 255.255.255.0

CSRv(config-if)#exit

CSRv(config)#crypto isakmp policy 10   // IKE PHASE 1 POLICY

CSRv(config-isakmp)#encryption aes 128

CSRv(config-isakmp)#hash sha 

CSRv(config-isakmp)#group 2

CSRv(config-isakmp)#authentication pre-share

CSRv(config-isakmp)#exit

CSRv(config)#crypto isakmp key juniper2cisco address 192.168.1.150   // PRE-SHARED KEY

CSRv(config)#

CSRv(config)#crypto ipsec transform-set TSET esp-aes 128 esp-sha-hmac   // IPSEC/IKE PHASE 2 POLICY

CSRv(cfg-crypto-trans)#exit

CSRv(config)#crypto ipsec profile S2S_VPN

CSRv(ipsec-profile)#set transform-set TSET

CSRv(ipsec-profile)#set pfs group2

CSRv(ipsec-profile)#exit

CSRv(config)#

CSRv(config)#interface Tunnel0

CSRv(config-if)#ip address 10.1.1.2 255.255.255.252

CSRv(config-if)#tunnel source 192.168.1.140

CSRv(config-if)#tunnel destination 192.168.1.150

CSRv(config-if)#tunnel mode ipsec ipv4

CSRv(config-if)#tunnel protection ipsec profile S2S_VPN

CSRv(config-if)#exit

CSRv(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.1

 

 

I was able to ping and HTTP from the Windows 7 VM (172.16.1.100) to the 172.16.10.200 web server located in the remote network.

 


To view Site-to-Site VPN IKE Phase I statistics, go to Monitor > IPSec VPN > Phase I.

 

Notice the SA (Security Association) State is UP.

 

To view IKE Phase 2 statistics, go to Monitor > IPSec VPN > Phase II. Click Refresh to update the counters.

 

Notice the value for the Encrypted and Decrypted packets/bytes.

 



You can view the same output using the CLI commands below.

 

root@vSRX-1> show security ?

Possible completions:

  advance-policy-based-routing  Show advance policy based routing information

  alarms               Show active security alarm information

  alg                  Show ALG security services information

  application-firewall  Show security application firewall policies

  application-tracking  Show Application tracking information

  dns-cache            Show DNS cache of firewall policy

  dynamic-address      Security dynamic address name

  dynamic-policies     Show security firewall dynamic policies

  firewall-authentication  Show firewall authentication tables, information

  flow                 Show flow information

  forward-options      Show forward-options status

  gprs                 Show GPRS information

  group-vpn            Show Group VPN Security information

  idp                  Show Intrusion Detection and Prevention information

  ike                  Show Internet Key Exchange information

  internal-security-association  Show internal security association

  ipsec                Show IP Security information

  keychain             Show all protocols keychain

  log                  Show auditable security log information

  match-policies       Show security match policies

  monitoring           Show security SPU monitoring information

  nat                  Show Network Address Translation information

  pki                  Show public-key infrastructure information

  policies             Show security firewall policies

  resource-manager     Show resource manager security services information

  screen               Show screen service information

  shadow-policies      Show security shadow policies

  softwires            Show softwire information

  ssh                  Show SSH information

  tcp-encap            Show TCP encapsulation information

  user-identification  Show user-identification information

  utm                  Show security utm information

  zones                Show security zone information

root@vSRX-1> show security ike ?

Possible completions:

  active-peer          Show IKE active peers

  debug-status         Show current enabled IKE debug information

  pre-shared-key       Show IKE pre-shared key information for a particular group-ike-id user

  security-associations  Show IKE security association information

root@vSRX-1> show security ike security-associations ?

Possible completions:

  <[Enter]>            Execute this command

  <peer-address>       IP address of the peer

  brief                Show brief output (default)

  detail               Show detailed output

  family               Show IKE security association by family

  index                Index of security association (1..4294967295)

  sa-type              Show IKE security association by type

  |                    Pipe through a command

 

root@vSRX-1> show security ike security-associations    // VERIFY IKE PHASE 1

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address  

6082118 UP     9e045a25a7735c3e  ad7d83d26bfea52b  Main           192.168.1.140

 

 

root@vSRX-1> show security ike security-associations index ?

Possible completions:

  <index>              Index of security association (1..4294967295)

root@vSRX-1> show security ike security-associations index 6082118 ?

Possible completions:

  <[Enter]>            Execute this command

  <peer-address>       IP address of the peer

  brief                Show brief output (default)

  detail               Show detailed output

  family               Show IKE security association by family

  sa-type              Show IKE security association by type

  |                    Pipe through a command

 

root@vSRX-1> show security ike security-associations index 6082118 detail

IKE peer 192.168.1.140, Index 6082118, Gateway Name: gw_S2S_VPN

  Role: Responder, State: UP

  Initiator cookie: 9e045a25a7735c3e, Responder cookie: ad7d83d26bfea52b

  Exchange type: Main, Authentication method: Pre-shared-keys

  Local: 192.168.1.150:500, Remote: 192.168.1.140:500

  Lifetime: Expires in 85690 seconds

  Reauth Lifetime: Disabled

  IKE Fragmentation: Disabled, Size: 0

  Remote Access Client Info: Unknown Client

  Peer ike-id: 192.168.1.140

  AAA assigned IP: 0.0.0.0

  Algorithms:

   Authentication        : hmac-sha1-96

   Encryption            : aes128-cbc

   Pseudo random function: hmac-sha1

   Diffie-Hellman group  : DH-group-2

  Traffic statistics:

   Input  bytes  :                  936

   Output bytes  :                  936

   Input  packets:                    5

   Output packets:                    4

   Input  fragmentated packets:       0

   Output fragmentated packets:       0

  IPSec security associations: 1 created, 0 deleted

  Phase 2 negotiations in progress: 1

 

    Negotiation type: Quick mode, Role: Responder, Message ID: 0

    Local: 192.168.1.150:500, Remote: 192.168.1.140:500

    Local identity: 192.168.1.150

    Remote identity: 192.168.1.140

    Flags: IKE SA is created

 

 

root@vSRX-1> show security ipsec ?

Possible completions:

  control-plane-security-associations  Show IPSec control plane security association information

  inactive-tunnels     Inactive-tunnels

  next-hop-tunnels     Show manual and auto next-hop-tunnel entries

  security-associations  Show IPSec security association information

  statistics           Show IPSec statistics

  traffic-selector     Show traffic-selector information for a st0 interface

  tunnel-events-statistics  Show tunnel event statstics

 

root@vSRX-1> show security ipsec security-associations   // VERIFY IPSEC/IKE PHASE 2

  Total active tunnels: 1

  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway  

  <131073 ESP:aes-cbc-128/sha1 e959c4c4 2843/  4607956 - root 500 192.168.1.140  

  >131073 ESP:aes-cbc-128/sha1 372d8551 2843/  4607956 - root 500 192.168.1.140  

 

 

root@vSRX-1> show security ipsec security-associations ? 

Possible completions:

  <[Enter]>            Execute this command

  brief                Display brief output

  detail               Display detailed output

  family               Show IPSec security association information by family

  index                Index of security association (1..4294967295)

  sa-type              Show IPSec security association by type

  traffic-selector     Traffic-selector name

  vpn-name             VPN name

  |                    Pipe through a command

root@vSRX-1> show security ipsec security-associations index ?

Possible completions:

  <index>              Index of security association (1..4294967295)

root@vSRX-1> show security ipsec security-associations index 131073 ?

Possible completions:

  <[Enter]>            Execute this command

  brief                Display brief output

  detail               Display detailed output

  family               Show IPSec security association information by family

  sa-type              Show IPSec security association by type

  traffic-selector     Traffic-selector name

  vpn-name             VPN name

  |                    Pipe through a command

 

root@vSRX-1> show security ipsec security-associations index 131073 detail                     

 

ID: 131073 Virtual-system: root, VPN Name: S2S_VPN

  Local Gateway: 192.168.1.150, Remote Gateway: 192.168.1.140

  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

  Version: IKEv1

  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0

  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29

  Tunnel events:

    Tue Mar 02 2021 15:23:46

    : IPSec SA negotiation successfully completed          (1 times)

    Tue Mar 02 2021 15:23:45

    : IKE SA negotiation successfully completed            (1 times)

    Tue Mar 02 2021 15:23:44

    : No response from peer. Negotiation failed            (19 times)

    Tue Mar 02 2021 15:05:38

    : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)

    Tue Mar 02 2021 15:05:33

    : Bind-interface's address received. Information updated (1 times)

    Tue Mar 02 2021 15:05:27

    : External interface's address received. Information updated (1 times)

    Tue Mar 02 2021 15:05:27

    : External interface's zone received. Information updated (1 times)

  Direction: inbound, SPI: e959c4c4, AUX-SPI: 0

                              , VPN Monitoring: -

    Hard lifetime: Expires in 2813 seconds

    Lifesize Remaining:  4607956 kilobytes

    Soft lifetime: Expires in 2236 seconds

    Mode: Tunnel(0 0), Type: dynamic, State: installed

    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)

    Anti-replay service: counter-based enabled, Replay window size: 64

  Direction: outbound, SPI: 372d8551, AUX-SPI: 0

                              , VPN Monitoring: -

    Hard lifetime: Expires in 2811 seconds

    Lifesize Remaining:  4607956 kilobytes

    Soft lifetime: Expires in 2234 seconds

    Mode: Tunnel(0 0), Type: dynamic, State: installed

    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)

    Anti-replay service: counter-based enabled, Replay window size: 64

 

 

root@vSRX-1> show security ipsec statistics

ESP Statistics:

  Encrypted bytes:           828328

  Decrypted bytes:          6840151

  Encrypted packets:           4753

  Decrypted packets:           7120

AH Statistics:

  Input bytes:                    0

  Output bytes:                   0

  Input packets:                  0

  Output packets:                 0

Errors:

  AH authentication failures: 0, Replay errors: 0

  ESP authentication failures: 0, ESP decryption failures: 0

  Bad headers: 0, Bad trailers: 0
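The "Standard" proposal sets chosen in the wizard show up in the two detail outputs above as DH group 2, SHA-1 and IKEv1. As an added example (not part of the original post), this Python check parses those outputs and lists the negotiated values that fall outside a baseline. The baseline in WEAK_VALUES and all function names are assumptions; the sample text is trimmed from the outputs on this page.

```python
import re

# Sample input: lines trimmed from the two "detail" outputs on this page.
IKE_DETAIL = """\
IKE peer 192.168.1.140, Index 6082118, Gateway Name: gw_S2S_VPN
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
"""

IPSEC_DETAIL = """\
ID: 131073 Virtual-system: root, VPN Name: S2S_VPN
  Version: IKEv1
  Direction: inbound, SPI: e959c4c4, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
  Direction: outbound, SPI: 372d8551, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
"""

# Assumed baseline (not from the page): negotiated values to flag for review.
WEAK_VALUES = {
    "Authentication": {"hmac-md5-96", "hmac-sha1-96"},
    "Encryption": {"des-cbc", "3des-cbc"},
    "Pseudo random function": {"hmac-md5", "hmac-sha1"},
    "Diffie-Hellman group": {"DH-group-1", "DH-group-2", "DH-group-5"},
    "Version": {"IKEv1"},
}


def parse_ike_detail(text):
    """Return {field: value} from the 'Algorithms:' block of an IKE SA detail."""
    algos, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        if not s:                      # tolerate blank lines from copy/paste
            continue
        if s == "Algorithms:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"^([A-Za-z\- ]+?)\s*:\s*(\S+)$", s)
            if not m:                  # next section header ends the block
                break
            algos[m.group(1)] = m.group(2)
    return algos


def parse_ipsec_detail(text):
    """Return (ike_version, [per-direction SA dicts]) from an IPsec SA detail."""
    version, sas, current = None, [], None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Version:\s*(\S+)", s):
            version = m.group(1)
        elif m := re.match(r"Direction:\s*(\w+),\s*SPI:\s*([0-9a-f]+)", s):
            current = {"direction": m.group(1), "spi": m.group(2)}
            sas.append(current)
        elif current is not None and (m := re.match(
                r"Protocol:\s*(\w+),\s*Authentication:\s*([\w-]+),"
                r"\s*Encryption:\s*([\w-]+)", s)):
            current.update(Protocol=m.group(1), Authentication=m.group(2),
                           Encryption=m.group(3))
    return version, sas


def audit(ike_text, ipsec_text):
    """Return a list of (scope, field, value) for values listed in WEAK_VALUES."""
    findings = []
    for field, value in parse_ike_detail(ike_text).items():
        if value in WEAK_VALUES.get(field, ()):
            findings.append(("ike", field, value))
    version, sas = parse_ipsec_detail(ipsec_text)
    if version in WEAK_VALUES["Version"]:
        findings.append(("ike", "Version", version))
    for sa in sas:
        for field in ("Authentication", "Encryption"):
            if sa.get(field) in WEAK_VALUES[field]:
                findings.append((f"ipsec-{sa['direction']}", field, sa[field]))
    return findings


if __name__ == "__main__":
    for scope, field, value in audit(IKE_DETAIL, IPSEC_DETAIL):
        print(f"{scope:15} {field:24} {value}")
```
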

 

 

You can view the IKE Phase 1 and Phase 2 status and statistics in a Cisco router using the commands below.

 

CSRv#show run | section crypto

crypto isakmp policy 10

 encr aes

 authentication pre-share

 group 2

crypto isakmp key juniper2cisco address 192.168.1.150 

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

 mode tunnel

crypto ipsec profile S2S_VPN

 set transform-set TSET

 set pfs group2

 

 

CSRv#show crypto ?

  call             Show crypto call admission info

  datapath         Data Path

  debug-condition  Debug Condition filters

  dynamic-map      Crypto map templates

  eli              Encryption Layer Interface

  engine           Show crypto engine info

  entropy          Entropy sources

  gdoi             Show Crypto GKM - Group Key Management (including GDOI)

                   Information

  gkm              Show Crypto GKM - Group Key Management Information

  ha               Crypto High Availability information

  identity         Show crypto identity list

  ikev2            Shows ikev2 info

  ipsec            Show IPSEC policy

  isakmp           Show ISAKMP

  key              Show long term public keys

  map              Crypto maps

  mib              Show Crypto-related MIB Parameters

  optional         Optional Encryption Status

  pki              Show PKI

  route            Show crypto VPN routes

  ruleset          Show crypto rules on outgoing packets

  session          Show crypto sessions (tunnels)

  sockets          Secure Socket Information

  ssl              Shows SSL info

  tech-support     Displays relevant crypto information

  tls-tunnel       Shows TLS-Tunnel info

  |                Output modifiers

  <cr>

 

CSRv#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.1.150   192.168.1.140   QM_IDLE           1001 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

 

CSRv#show crypto isakmp sa ?

  active   Shows HA-enabled ISAKMP SAs in the active state

  count    Show the number of ISAKMP Security Associations

  detail   Show ISAKMP SA Detail

  nat      Show ISAKMP SA NAT Detail

  standby  Shows HA-enabled ISAKMP SAs in the standby state

  vrf      Show ISAKMP SA as per VRF

  |        Output modifiers

  <cr>

 

CSRv#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

 

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

 

1001  192.168.1.140   192.168.1.150          ACTIVE aes  sha    psk  2  23:43:21    

       Engine-id:Conn-id =  SW:1

 

IPv6 Crypto ISAKMP SA

 

 

CSRv#show crypto ipsec ?

  policy                Show IPSEC client policies

  profile               Show ipsec profile information

  sa                    IPSEC SA table

  security-association  Show parameters for IPSec security associations

  spi-lookup            IPSEC SPI table

  transform-set         Crypto transform sets

 

CSRv#show crypto ipsec sa

 

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 192.168.1.140

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer 192.168.1.150 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78

    #pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 192.168.1.140, remote crypto endpt.: 192.168.1.150

     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1

     current outbound spi: 0xE959C4C4(3914974404)

     PFS (Y/N): Y, DH group: group2

 

     inbound esp sas:

      spi: 0x372D8551(925730129)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4607990/2560)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0xE959C4C4(3914974404)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4607967/2560)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

         

     outbound ah sas:

 

     outbound pcp sas:
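The vSRX inbound SPI (e959c4c4) is the CSRv outbound SPI, and the vSRX outbound SPI (372d8551) is the CSRv inbound SPI. As an added example (not part of the original post), this Python check parses both devices' SA listings and reports any direction where the SPIs do not pair up, which is what a stale SA on one side looks like. Function names are assumptions; the sample text is trimmed from the outputs on this page.

```python
import re

# Sample input: lines trimmed from "show security ipsec security-associations"
# (vSRX) and "show crypto ipsec sa" (CSRv) as shown on this page.
JUNOS_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 e959c4c4 2843/  4607956 - root 500 192.168.1.140
  >131073 ESP:aes-cbc-128/sha1 372d8551 2843/  4607956 - root 500 192.168.1.140
"""

CISCO_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.1.140
   current_peer 192.168.1.150 port 500
     inbound esp sas:
      spi: 0x372D8551(925730129)
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0xE959C4C4(3914974404)
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""


def parse_junos(text):
    """Return {(gateway, direction): {spi, ...}}; '<' is inbound, '>' outbound."""
    sas = {}
    pattern = re.compile(
        r"([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-fA-F]+)\s+.*?\s(\d+\.\d+\.\d+\.\d+)$")
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            direction = "inbound" if m.group(1) == "<" else "outbound"
            sas.setdefault((m.group(5), direction), set()).add(int(m.group(4), 16))
    return sas


def parse_cisco(text):
    """Return {(peer, direction): {spi, ...}} for ESP SAs only."""
    sas, peer, direction = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer (\S+)", s):
            peer = m.group(1)
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", s):
            # Only collect SPIs listed under the ESP sections.
            direction = m.group(1) if m.group(2) == "esp" else None
        elif direction and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s)):
            sas.setdefault((peer, direction), set()).add(int(m.group(1), 16))
    return sas


def cross_check(junos_text, cisco_text, junos_ip, cisco_ip):
    """Return a list of mismatch descriptions; an empty list means the SAs pair up."""
    junos, cisco = parse_junos(junos_text), parse_cisco(cisco_text)
    problems = []
    for j_dir, c_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        j_spis = junos.get((cisco_ip, j_dir), set())
        c_spis = cisco.get((junos_ip, c_dir), set())
        if not j_spis or j_spis != c_spis:
            fmt = lambda spis: sorted(f"{spi:08x}" for spi in spis)
            problems.append(
                f"vSRX {j_dir} {fmt(j_spis)} != CSRv {c_dir} {fmt(c_spis)}")
    return problems


if __name__ == "__main__":
    result = cross_check(JUNOS_SA, CISCO_SA, "192.168.1.150", "192.168.1.140")
    print("SPIs pair up" if not result else "\n".join(result))
```
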

 

 

Below is the complete show configuration.

 

root@vSRX-1# show

## Last changed: 2021-03-02 15:10:02 SGT

version 15.1X49-D80.4;

system {

    host-name vSRX-1;

    root-authentication {

        encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA

    }

    name-server {

        8.8.8.8;

    }

    services {

        ssh {

            root-login allow;

        }

        web-management {

            https {

                system-generated-certificate;

                interface ge-0/0/0.0;

            }

        }

    }

    syslog {

        user * {                       

            any emergency;

        }

        file messages {

            any any;

            authorization info;

        }

        file interactive-commands {

            interactive-commands any;

        }

    }

    license {

        autoupdate {

            url https://ae1.juniper.net/junos/key_retrieval;

        }

    }

    ntp;

}

services {

    application-identification;

}

security {

    ike {

        policy ike_pol_S2S_VPN {       

            mode main;

            proposal-set standard;

            pre-shared-key ascii-text "$9$EGBSlM7-waZj8XZjHqQzhSrKLxdVYgoGdb2aUH5T"; ## SECRET-DATA

        }

        gateway gw_S2S_VPN {

            ike-policy ike_pol_S2S_VPN;

            address 192.168.1.140;

            external-interface ge-0/0/0.0;

        }

    }

    ipsec {

        policy ipsec_pol_S2S_VPN {

            perfect-forward-secrecy {

                keys group2;

            }

            proposal-set standard;

        }

        vpn S2S_VPN {

            bind-interface st0.0;

            ike {

                gateway gw_S2S_VPN;

                ipsec-policy ipsec_pol_S2S_VPN;

            }

            establish-tunnels immediately;

        }

    }

    utm {

        custom-objects {

            url-pattern {

                ALLOWED_WEBSITES {

                    value [ www.juniper.net www.google.com www.playstation.com ];

                }

                BLOCKED_WEBSITES {

                    value [ www.cisco.com www.yahoo.com www.xbox.com ];

                }

            }

            custom-url-category {

                GOOD_WEBSITES {

                    value ALLOWED_WEBSITES;

                }

                BAD_WEBSITES {

                    value BLOCKED_WEBSITES;

                }

            }                          

        }

        feature-profile {

            web-filtering {

                url-whitelist GOOD_WEBSITES;

                url-blacklist BAD_WEBSITES;

                type juniper-local;

                juniper-local {

                    profile CUSTOM_LOCAL_WF {

                        default block;

                        custom-block-message "Website access denied. Please contact IT for assistance.";

                        fallback-settings {

                            default log-and-permit;

                            server-connectivity log-and-permit;

                            timeout log-and-permit;

                            too-many-requests log-and-permit;

                        }

                        timeout 30;

                    }

                }

            }

            content-filtering {

                profile CF_EXE {       

                    block-content-type {

                        exe;

                    }

                    notification-options {

                        type message;

                        custom-message "File Download Blocked due to IT Security Policy. Please contact IT for assistance.";

                    }

                }

            }

        }

        utm-policy UTM_POLICY_1 {

            content-filtering {

                http-profile CF_EXE;

            }

            traffic-options {

                sessions-per-client {

                    over-limit log-and-permit;

                }

            }

        }

    }

    screen {                           

        ids-option untrust-screen {

            icmp {

                fragment;

                ping-death;

            }

            ip {

                source-route-option;

                tear-drop;

            }

            tcp {

                port-scan threshold 10000;

                syn-flood {

                    alarm-threshold 1024;

                    attack-threshold 200;

                    source-threshold 1024;

                    destination-threshold 2048;

                    queue-size 2000; ## Warning: 'queue-size' is deprecated

                    timeout 20;

                }

                land;

            }

        }

    }                                  

    nat {

        source {

            rule-set SOURCE-NAT-TRUST {

                from zone trust;

                to zone untrust;

                rule SOURCE-NAT-TRUST {

                    match {

                        source-address 172.16.1.0/24;

                        destination-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            interface;

                        }

                    }

                }

            }

        }

        destination {

            pool DEST_NAT_FTP {

                address 172.16.1.100/32 port 21;

            }

            rule-set DEST_NAT_FTP {    

                from zone untrust;

                rule DEST_NAT_FTP {

                    match {

                        destination-address 192.168.1.150/32;

                        destination-port {

                            21;

                        }

                    }

                    then {

                        destination-nat {

                            pool {

                                DEST_NAT_FTP;

                            }

                        }

                    }

                }

            }

        }

    }

    policies {

        from-zone trust to-zone trust {

            policy default-permit {

                match {                

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

        from-zone untrust to-zone trust {

            policy FTP_UNTRUST_TRUST {

                match {

                    source-address any-ipv4;

                    destination-address WIN7-VM;

                    application junos-ftp;

                }

                then {

                    permit;

                    log {

                        session-init;

                    }

                }

            }                          

        }

        from-zone trust to-zone untrust {

            policy TRUST-UNTRUST {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                    log {

                        session-init;

                    }

                }

            }

        }

        from-zone trust to-zone VPN {

            policy policy_out_S2S_VPN {

                match {

                    source-address addr_172_16_1_0_24;

                    destination-address addr_172_16_10_0_24;

                    application any;

                }                      

                then {

                    permit;

                }

            }

        }

        from-zone VPN to-zone trust {

            policy policy_in_S2S_VPN {

                match {

                    source-address addr_172_16_10_0_24;

                    destination-address addr_172_16_1_0_24;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

    }

    zones {

        security-zone trust {

            tcp-rst;

            address-book {

                address WIN7-VM 172.16.1.100/32;

                address addr_172_16_1_0_24 172.16.1.0/24;

            }

            host-inbound-traffic {

                system-services {

                    all;

                }

            }

            interfaces {

                ge-0/0/1.0 {

                    host-inbound-traffic {

                        system-services {

                            ping;

                            ssh;

                        }

                    }

                }

            }

        }

        security-zone untrust {

            screen untrust-screen;

            interfaces {

                ge-0/0/0.0 {

                    host-inbound-traffic {

                        system-services {

                            ping;

                            ssh;

                            https;

                        }

                    }

                }

            }

        }

        security-zone VPN {

            address-book {

                address addr_172_16_10_0_24 172.16.10.0/24;

            }

            host-inbound-traffic {

                system-services {

                    ike;

                }

            }

            interfaces {

                st0.0;

            }

        }

    }                                  

}

interfaces {

    ge-0/0/0 {

        unit 0 {

            family inet {

                address 192.168.1.150/24;

            }

        }

    }

    ge-0/0/1 {

        unit 0 {

            family inet {

                address 172.16.1.1/24;

            }

        }

    }

    fxp0 {

        unit 0 {

            family inet;

        }

    }

    st0 {

        unit 0 {                       

            family inet {

                address 10.1.1.1/30;

            }

        }

    }

}

routing-options {

    static {

        route 0.0.0.0/0 next-hop 192.168.1.1;

        route 172.16.10.0/24 next-hop st0.0;

    }

}

                                       

[edit]