set interfaces st0 unit 2 family inet address 31.1.1.2/24 set security zones security-zone vpn interfaces st0.2 set interfaces lo0 unit 0 family inet address 100.100.100.100/32 set routing-instances VR-MAIN interface st0.2 set routing-instances VR-MAIN routing-options static route 10.80.4.0/24 next-hop st0.2 set routing-instances VR-MAIN routing-options static route 192.168.113.2/32 next-hop 99.99.99.99 set security ike proposal csd_ilm authentication-method pre-shared-keys set security ike proposal csd_ilm dh-group group14 set security ike proposal csd_ilm authentication-algorithm sha-256 set security ike proposal csd_ilm encryption-algorithm aes-256-cbc set security ike proposal csd_ilm lifetime-seconds 3600 set security ike policy csd_ilm mode main set security ike policy csd_ilm proposals csd_ilm set security ike policy csd_ilm pre-shared-key ascii-text "xxx" set security ike gateway csd_ilm ike-policy csd_ilm set security ike gateway csd_ilm address 192.168.113.2 set security ike gateway csd_ilm local-identity user-at-hostname "alfa@csd.ro" set security ike gateway csd_ilm remote-identity user-at-hostname "beta@csd.ro" set security ike gateway csd_ilm external-interface lo0.0 set security ipsec proposal csd_ilm protocol esp set security ipsec proposal csd_ilm authentication-algorithm hmac-sha-256-128 set security ipsec proposal csd_ilm encryption-algorithm aes-256-cbc set security ipsec proposal csd_ilm lifetime-seconds 13000 set security ipsec policy csd_ilm perfect-forward-secrecy keys group14 set security ipsec policy csd_ilm proposals csd_ilm set security ipsec vpn csd_ilm bind-interface st0.2 set security ipsec vpn csd_ilm ike gateway csd_ilm set security ipsec vpn csd_ilm ike ipsec-policy csd_ilm set security ipsec vpn csd_ilm establish-tunnels immediately - security policies are also in place to allow traffic from vpn zone to internal (trust), but these are clearly not the reason of VPN Phase I issues