/* Juniper SRX excerpt for customer site 01009: a sub-interface on ge-0/0/2, an IKE/IPsec
   policy-based VPN, source NAT, zone membership and the zone-pair policy that steers
   traffic into the tunnel. Elided sections are marked "..." as in the original. */
interfaces {
    ge-0/0/2 {
        ...
        /* Upstream transit sub-interface. */
        unit 29 {
            description "datacenter ip transit";
            vlan-id 29;
            family inet {
                address peer-with-datacenter/27;
            }
        ...
        /* Customer-facing public sub-interface; also the IKE external-interface below
           and the only interface shown that accepts inbound IKE. */
        unit 101 {
            description 01009-public;
            vlan-id 101;
            family inet {
                address customer-public-address/29;
            }
        }
    }
    ...
}
...
security {
    ike {
        /* "flag all" records every IKE event, including negotiation detail; intended for
           troubleshooting. Consider disabling once the tunnel is stable to limit log
           volume and exposure of negotiation data. */
        traceoptions {
            flag all;
        }
        /* Phase 1: PSK, DH group 2 (1024-bit MODP), SHA-1, 3DES-CBC. These are legacy
           choices; prefer dh-group group14, authentication-algorithm sha-256 and
           encryption-algorithm aes-256-cbc when the remote peer supports them. */
        proposal 01009-vpn1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy 01009-vpn1 {
            mode main;
            proposals 01009-vpn1;
            /* The $9$ format is reversible obfuscation, not a hash: anyone who can read
               this configuration can recover the PSK, so treat config backups and
               pastes as secret material. */
            pre-shared-key ascii-text "$9$W0j8dsaJDHkm4aFn/A0OhSrl8x7-wY4a"; ## SECRET-DATA
        }
        /* Remote endpoint is a placeholder in this excerpt. */
        gateway 01009-vpn1 {
            ike-policy 01009-vpn1;
            address remote-endpoint-address;
            external-interface ge-0/0/2.101;
        }
    }
    ipsec {
        /* Phase 2: ESP with HMAC-SHA1-96 and 3DES-CBC, 1-hour SA lifetime. Same legacy
           caveat as the IKE proposal; no PFS group is set here, so no Phase 2 DH
           exchange is shown. */
        proposal 01009-vpn1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy 01009-vpn1 {
            proposals 01009-vpn1;
        }
        vpn 01009-vpn1 {
            /* Dead-peer detection via vpn-monitor; "optimized" only probes when no
               traffic is flowing. */
            vpn-monitor {
                optimized;
            }
            ike {
                gateway 01009-vpn1;
                ipsec-policy 01009-vpn1;
            }
            /* Bring the tunnel up at commit rather than on first matching flow. */
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            ...
            pool 01009-nat-pool {
                address {
                    customer-public-address/32;
                }
            }
            ...
            /* NOTE(review): this rule-set matches customer-private -> public, which is
               also the zone pair of the VPN policy below. Unless an earlier (elided)
               rule exempts traffic to 01009-vpn1-remote from source NAT, flows bound
               for the tunnel are translated to customer-public-address first, and the
               remote side then sees the NAT address rather than 10.211.68.0/24 —
               confirm against the full rule-set. */
            rule-set customer-nat {
                from zone customer-private;
                to zone public;
                ...
                rule 01009-nat-rule {
                    match {
                        source-address 10.211.68.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                01009-nat-pool;
                            }
                        }
                    }
                }
                ...
            }
        }
    }
    zones {
        security-zone public {
            address-book {
                ...
                /* Remote protected LAN behind the VPN peer (placeholder prefix). */
                address 01009-vpn1-remote remote-lan/26;
                ...
            }
            ...
            /* Only IKE is accepted on the public sub-interface; host-inbound services
               are scoped to the interface rather than the whole zone. */
            interfaces {
                ge-0/0/2.101 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
        ...
        security-zone customer-private {
            address-book {
                ...
                /* Customer inside prefix; reused as the NAT match and the VPN source. */
                address 01009-cbi1 10.211.68.0/24;
                ...
            }
            /* Every system service is reachable from the customer-private zone. This is
               broad for a customer-facing zone; restrict to the services actually needed
               (e.g. ping, dhcp) if the customer network is not fully trusted. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            ...
        }
    }
    policies {
        ...