==============================================================================
Branch End
==============================================================================
/* Operational capture: one active SA pair (inbound '<' / outbound '>') to peer 10.50.40.1. */
/* The negotiated algorithms are ESP 3DES/SHA-1 -- both deprecated; see the proposal-set note further down. */
root@SRX-FSD-1638-TINDLIANWALA> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 77af98c6 3594/ unlim U root 500 10.50.40.1
>131073 ESP:3des/sha1 f4d08e3f 3594/ unlim U root 500 10.50.40.1
=====================================================================================
/* NOTE(review): this excerpt starts inside the 'ike' stanza (presumably 'security { ike { ... } }'); */
/* the ike-policy IKE-GW-POLICY-PRI-CORE that all three gateways reference is defined outside this capture, */
/* so the IKE proposal (mode, DH group, authentication) cannot be checked here. */
/* All three gateways share that one policy; if it carries a pre-shared key, one secret covers every peer -- confirm. */
/* Primary tunnel endpoint to the core site. */
gateway IKE-GW-PRI-CORE {
    ike-policy IKE-GW-POLICY-PRI-CORE;
    address 10.50.40.1;
    /* DPD with explicit threshold: peer is declared dead after 2 unanswered probes. */
    dead-peer-detection {
        always-send;
        threshold 2;
    }
    /* Given without a logical unit, unlike IKE-GW-PRI-NTC below (ge-0/0/0.0); the parser most likely */
    /* normalises both to unit 0 -- confirm, and make the two consistent. */
    external-interface ge-0/0/0;
    /* IKEv1 only; IKEv2 is not offered to this peer. */
    version v1-only;
}
/* Backup tunnel endpoint to the core site, on the second WAN interface. */
gateway IKE-GW-BCK-CORE {
    ike-policy IKE-GW-POLICY-PRI-CORE;
    address 10.100.40.1;
    /* DPD enabled but no threshold set here; the platform default applies. */
    dead-peer-detection always-send;
    external-interface ge-0/0/1;
    version v1-only;
}
/* Tunnel endpoint to the NTC data centre. */
/* NOTE(review): no dead-peer-detection and no version statement on this gateway, unlike the two above; */
/* without DPD (and with no vpn-monitor on VPN-PRI-NTC below) a dead peer is only noticed on SA expiry -- confirm intended. */
gateway IKE-GW-PRI-NTC {
    ike-policy IKE-GW-POLICY-PRI-CORE;
    address 172.16.2.1;
    external-interface ge-0/0/0.0;
}
/* Closes the enclosing 'ike' stanza whose opening is before this capture. */
}
ipsec {
    /* vpn-monitor probes every 2 s, tunnel marked down after 3 misses (about 6 s); applies to VPN-PRI-CORE only. */
    vpn-monitor-options {
        interval 2;
        threshold 3;
    }
    /* Shared by all three VPNs. */
    policy IPSEC-POLICY-VPN-CORE {
        /* PFS with DH group 2 (1024-bit MODP), which is below current recommendations; group14 or stronger is the usual floor. */
        perfect-forward-secrecy {
            keys group2;
        }
        /* Predefined 'standard' set; the SA output above shows it negotiated 3DES/SHA-1 with the core peer. */
        /* A custom proposal with AES (GCM or CBC with SHA-256) would retire 3DES and SHA-1 on all three tunnels. */
        proposal-set standard;
    }
    /* Primary core tunnel: brought up immediately and kept under vpn-monitor. */
    vpn VPN-PRI-CORE {
        bind-interface st0.0;
        /* 'optimized' sends probes only when the tunnel is otherwise idle. */
        vpn-monitor {
            optimized;
        }
        ike {
            gateway IKE-GW-PRI-CORE;
            ipsec-policy IPSEC-POLICY-VPN-CORE;
        }
        establish-tunnels immediately;
    }
    /* Backup core tunnel: negotiated only when traffic is routed into st0.1; no vpn-monitor. */
    vpn VPN-BCK-CORE {
        bind-interface st0.1;
        ike {
            gateway IKE-GW-BCK-CORE;
            ipsec-policy IPSEC-POLICY-VPN-CORE;
        }
        establish-tunnels on-traffic;
    }
    /* NTC tunnel with an explicit traffic selector; no establish-tunnels statement, so the default applies. */
    vpn VPN-PRI-NTC {
        bind-interface st0.2;
        ike {
            gateway IKE-GW-PRI-NTC;
            ipsec-policy IPSEC-POLICY-VPN-CORE;
        }
        /* Matches the NSC-LAN and NTC-DC-LAN address-book entries in the zones stanza below. */
        traffic-selector NTC {
            local-ip 10.15.18.0/24;
            remote-ip 192.168.100.0/24;
        }
    }
}
policies {
    /* Intra-zone any/any permit without logging. */
    from-zone trust to-zone trust {
        policy trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /* Outbound from the NSC LAN; both policies log session start and end. */
    /* NOTE(review): every policy in this stanza uses 'application any'; narrowing to the required applications */
    /* would limit what a compromised host on either side can reach over the tunnels. */
    from-zone trust to-zone untrust {
        policy NSC-UNTRUST-SERVERFARM-1 {
            match {
                source-address NSC-LAN;
                destination-address CORE-SERVER-1;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
        policy NSC-to-NTC-DC {
            match {
                source-address NSC-LAN;
                destination-address NTC-DC-LAN;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
    /* Inbound toward the NSC LAN. Only NTC-DC-to-NSC logs; the first two permits are unlogged, */
    /* which is inconsistent with the outbound direction and leaves no session record for inbound core/CDNS access. */
    from-zone untrust to-zone trust {
        policy SERVERFARM-1-UNTRUST-NSC {
            match {
                source-address CORE-SERVER-1;
                destination-address NSC-LAN;
                application any;
            }
            then {
                permit;
            }
        }
        policy CDNS-LAN-UNTRUST-NSC {
            match {
                source-address CDNS-LAN;
                destination-address NSC-LAN;
                application any;
            }
            then {
                permit;
            }
        }
        policy NTC-DC-to-NSC {
            match {
                source-address NTC-DC-LAN;
                destination-address NSC-LAN;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
zones {
    security-zone trust {
        address-book {
            address NSC-LAN 10.15.18.0/24;
        }
        /* Every system service and routing protocol is accepted from the LAN side. */
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/5.0;
            ge-0/0/2.0;
        }
    }
    security-zone untrust {
        address-book {
            /* WAN-1 is not referenced by any policy in this capture; it may be used elsewhere. */
            address WAN-1 10.50.66.44/30;
            address CORE-SERVER-1 10.1.1.0/24;
            /* NOTE(review): 172.168.168.0/24 is outside RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255); */
            /* confirm this is not a typo for 172.16.168.0/24, since the policy above permits it inbound to NSC-LAN. */
            address CDNS-LAN 172.168.168.0/24;
            address NTC-DC-LAN 192.168.100.0/24;
        }
        /* Screen profile defined outside this capture. */
        screen untrust-screen;
        /* NOTE(review): 'system-services all' on the untrust zone exposes every enabled management service */
        /* (whatever is configured under 'system services') on the WAN-facing and st0 interfaces. */
        /* IKE is the only service the tunnels need here; restricting to 'ike' plus any deliberately required service */
        /* and relying on a firewall filter for management would remove the exposure. */
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
            /* Per-interface 'all' repeats the zone-level setting and is redundant as written. */
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
            st0.0;
            st0.1;
            st0.2;
        }
    }
}