lab@CORE_RTR_B# show | no-more
## Last changed: 2016-01-26 14:55:27 UTC
version 13.3R4.6;
system { /* OMITTED */ };
/*
 * Candidate configuration of CORE_RTR_B: a single IKEv2 / ESP tunnel to
 * remote gateway 10.18.129.142, built as a next-hop-style service set on the
 * ms-0/0/0 services interface. Review notes are marked NOTE(review).
 */
services {
    ipsec-vpn {
        rule vpn-1 {
            term 1 {
                /* Traffic selector: only this host-to-/30 pair matches the term. */
                from {
                    source-address {
                        10.18.128.5/32;
                    }
                    destination-address {
                        10.18.129.144/30;
                    }
                }
                then {
                    remote-gateway 10.18.129.142;
                    /* "dynamic" = SAs negotiated through IKE with the two policies below (no manual keys). */
                    dynamic {
                        ike-policy pol-ike-1;
                        ipsec-policy pol-ipsec-1;
                    }
                    anti-replay-window-size 4096;
                }
            }
            /* NOTE(review): in a next-hop-style service set this presumably means traffic
               routed into the inside service interface (ms-0/0/0.1) - confirm. */
            match-direction input;
        }
        ipsec {
            proposal prop-ipsec-1 {
                protocol esp;
                /* NOTE(review): HMAC-MD5-96 is a MUST NOT for ESP in RFC 8221. Move both peers
                   to a SHA-2 based integrity algorithm where the platform offers one. */
                authentication-algorithm hmac-md5-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy pol-ipsec-1 {
                /* PFS is enabled, so each rekey performs a fresh DH exchange.
                   NOTE(review): group2 is 1024-bit MODP (SHOULD NOT in RFC 8247); prefer
                   group14 or stronger if this release and the peer support it. */
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals prop-ipsec-1;
            }
        }
        ike {
            proposal prop-ike-1 {
                authentication-method pre-shared-keys;
                /* NOTE(review): same 1024-bit DH group as the IPsec policy; see the PFS note above. */
                dh-group group2;
                /* NOTE(review): MD5 is a MUST NOT for IKEv2 in RFC 8247; use a SHA-2 option
                   where available and keep it matched on the remote gateway. */
                authentication-algorithm md5;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy pol-ike-1 {
                /* IKEv2. */
                version 2;
                proposals prop-ike-1;
                /* NOTE(review): the $9$ form is Junos' reversible obfuscation, not a one-way
                   hash. This listing shows the value intact, so treat the key as disclosed:
                   replace it on both peers with a long random value and redact it in any
                   shared copy of the configuration. */
                pre-shared-key ascii-text "$9$VLwgJf5F9A0z3A0ORleLxNbwg4aZHqf"; ## SECRET-DATA
            }
        }
        /* NOTE(review): "flag all" writes every IKE trace event to ike.log. Useful while
           the tunnel is being debugged; remove or narrow it afterwards and restrict who
           can read the file, since negotiation details end up in it. */
        traceoptions {
            file ike.log;
            flag all;
        }
        /* Bring the tunnel up at commit time instead of waiting for matching traffic. */
        establish-tunnels immediately;
    }
    service-set ipsec-ss-1 {
        /* Next-hop style: traffic reaches the service by being routed to the inside
           interface, not through an interface-attached service filter. */
        next-hop-service {
            inside-service-interface ms-0/0/0.1;
            outside-service-interface ms-0/0/0.2;
        }
        ipsec-vpn-options {
            /* Local tunnel endpoint; same address as ge-1/1/1.0 below. */
            local-gateway 10.18.129.137;
        }
        ipsec-vpn-rules vpn-1;
    }
}
interfaces {
    ms-0/0/0 {
        unit 0 {
            family inet;
        }
        /* Inside (cleartext) leg referenced by service-set ipsec-ss-1. */
        unit 1 {
            family inet {
                address 10.18.129.149/30;
            }
            service-domain inside;
        }
        /* Outside (encrypted) leg referenced by service-set ipsec-ss-1. */
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    ge-1/1/0 {
        unit 0 {
            family inet {
                address 10.18.129.134/30;
            }
        }
    }
    /* Carries the local-gateway address 10.18.129.137. */
    ge-1/1/1 {
        unit 0 {
            family inet {
                address 10.18.129.137/30;
            }
        }
    }
    /* fxp0 is the management Ethernet port. */
    fxp0 {
        unit 0 {
            family inet {
                address 10.18.132.25/24;
            }
        }
    }
}
routing-options {
    static {
        route 10.110.1.0/24 next-hop 10.18.132.1;
        route 10.18.9.0/24 next-hop 10.18.132.1;
        /* Protected source host from rule vpn-1, reached through the ge-1/1/0 subnet. */
        route 10.18.128.5/32 next-hop 10.18.129.133;
        /* Subnet containing remote-gateway 10.18.129.142, reached through the ge-1/1/1 subnet. */
        route 10.18.129.140/30 next-hop 10.18.129.138;
        /* NOTE(review): st0.0 is not defined under "interfaces" in this listing, and the
           service set's inside interface is ms-0/0/0.1. The prefix is also /32 while
           rule vpn-1 protects 10.18.129.144/30. Confirm that traffic for the protected
           range is actually steered into the tunnel and cannot leave unencrypted. */
        route 10.18.129.144/32 next-hop st0.0;
    }
}

[edit]