/* Junos SRX branch-site configuration: one WAN uplink (ge-0/0/0), one trusted LAN (ge-0/0/5), */
/* and a route-based IPsec tunnel (st0.0) to the main office that also carries the default route. */
/* Addresses shown as #.#.#.# / ##.##.##.## appear to be redacted in this listing, not literal values. */
interfaces {
    ge-0/0/0 {
        description "WAN Uplink";
        unit 0 {
            family inet {
                address #.#.#.#/29;
            }
        }
    }
    ge-0/0/5 {
        description "Trusted Network";
        unit 0 {
            family inet {
                address 192.168.0.0/24;
            }
        }
    }
    /* Secure tunnel interface; bound to vpn MainOffice below and placed in the trust zone. */
    st0 {
        unit 0 {
            description "IPv4 Tunnel to Main Office";
            family inet {
                mtu 1500;
                address #.#.#.#/31;
            }
        }
    }
}
routing-options {
    static {
        /* All non-local traffic is sent into the tunnel, so the site depends on the VPN being up. */
        route 0.0.0.0/0 next-hop st0.0;
        /* Host route out the WAN next-hop; presumably this is the IKE gateway address so the */
        /* encrypted traffic itself is not pulled into the default route — confirm it matches */
        /* the gateway IPv4-Main address below. */
        route ##.##.##.##/32 next-hop #.#.#.#;
    }
}
security {
    ike {
        /* NOTE(review): 3des-cbc and dh-group group2 (1024-bit MODP) are legacy choices; */
        /* moving to an AES suite and a larger DH group is advisable but must be coordinated */
        /* with the main-office peer, since a proposal mismatch will stop phase 1 from completing. */
        proposal ike_prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm 3des-cbc;
        }
        policy GLERL {
            mode main;
            proposals ike_prop;
            /* The pre-shared key is shown in cleartext here (## SECRET-DATA is the Junos marker for */
            /* a secret); treat this listing as sensitive and rotate the key if it has been shared. */
            pre-shared-key ascii-text "thisisasecretkeyofasciitext"; ## SECRET-DATA
        }
        gateway IPv4-Main {
            ike-policy GLERL;
            address ##.##.##.##;
            /* IKE is terminated on the WAN interface, which is why the untrust zone admits ike below. */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* NOTE(review): hmac-sha1-96 with 3des-cbc is a legacy phase-2 suite; same coordination */
        /* caveat as the IKE proposal above. */
        proposal ipsec_prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
        }
        policy MAIN {
            /* PFS uses group5 here while phase 1 uses group2; the two groups need not match, but */
            /* the weaker phase-1 group bounds the protection of the IKE exchange itself. */
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec_prop;
        }
        vpn MainOffice {
            bind-interface st0.0;
            ike {
                gateway IPv4-Main;
                ipsec-policy MAIN;
            }
            /* Tunnel is negotiated at commit rather than on first matching packet; sensible given */
            /* that the default route points into st0.0. */
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            /* Clamps TCP MSS on traffic entering the VPN to 1350; presumably chosen to leave room */
            /* for ESP overhead under the 1500-byte st0 MTU — verify against the observed path MTU. */
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    /* Policies are evaluated in order within each zone pair; every pair below is permit-any. */
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): intra-zone permit-any for untrust (e.g. traffic arriving on and leaving via */
        /* ge-0/0/0.0); confirm a use case exists for this, otherwise it can be removed. */
        from-zone untrust to-zone untrust {
            policy AllowAll {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): this permits any source, destination and application from the WAN-facing */
        /* untrust zone into the trusted LAN, with no address-book or application restriction in this */
        /* listing. The VPN does not rely on it: st0.0 sits in the trust zone, so main-office traffic */
        /* is covered by the trust-to-trust policy. Restrict this to the specific inbound flows that */
        /* are actually required (or replace with a logged deny) before relying on the configuration. */
        from-zone untrust to-zone trust {
            policy AllowAll {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Needed for LAN <-> tunnel traffic, since ge-0/0/5.0 and st0.0 are both in the trust zone. */
        from-zone trust to-zone trust {
            policy AllowAll {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* Management (ssh) is reachable only from the trust zone; it is not exposed on untrust. */
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
                /* NOTE(review): `protocols all` admits every routing-protocol packet to the RE on */
                /* this zone; no dynamic routing is configured in this listing, so confirm it is needed. */
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/5.0;
                st0.0 {
                    /* Interface-level override: the tunnel additionally accepts ike and traceroute. */
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                            traceroute;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    /* Services the device itself answers on the WAN: ike is required for the gateway */
                    /* bound to this interface; ping, ntp and traceroute widen the exposed surface and */
                    /* should be kept only if something on the WAN side genuinely needs them. */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ntp;
                            ike;
                            traceroute;
                        }
                    }
                }
            }
        }
    }
}