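# Junos SRX "set"-format configuration for Site-1: two route-based IPsec
# tunnels (st0.1 and st0.2) to the remote LAN 172.16.2.0/24, with the local
# LAN 172.16.1.0/24 behind ge-0/0/1 and both IKE peers reached via ge-0/0/0.
# One statement per line so the file can be diffed and reviewed.

# --- System -----------------------------------------------------------------
set system host-name Site-1
# NOTE(review): "$1$" is an MD5-crypt hash, which is cheap to brute-force
# offline. The hash appears in this listing, so rotate the root password and
# prefer a SHA-2 based password format for the new one.
set system root-authentication encrypted-password "$1$uq1NHQqW$oe4TkpcW8mFUmxgg4/1tn0"

# --- Interfaces -------------------------------------------------------------
# ge-0/0/0.0 carries two /30 addresses, one per IKE peer subnet
# (85.1.1.2 and 86.1.1.2 below).
set interfaces ge-0/0/0 unit 0 family inet address 85.1.1.1/30
set interfaces ge-0/0/0 unit 0 family inet address 86.1.1.1/30
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
# Unnumbered secure-tunnel units, one per VPN.
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet

# --- Routing ----------------------------------------------------------------
# Two equal next hops for the remote LAN; the forwarding-table export policy
# below installs both so traffic is spread across the two tunnels.
set routing-options static route 172.16.2.0/24 next-hop st0.1
set routing-options static route 172.16.2.0/24 next-hop st0.2
set routing-options forwarding-table export load-balancing-policy
# NOTE(review): despite the "per-packet" keyword, Junos generally balances
# per flow here; confirm on the target platform.
set policy-options policy-statement load-balancing-policy then load-balance per-packet

# --- IKE (phase 1) ----------------------------------------------------------
# NOTE(review): SHA-1, DH group5 (1536-bit MODP) and AES-128-CBC are legacy
# choices. Stronger options (e.g. sha-256, group14 or an ECP group such as
# group19/group20, AES-GCM) must be changed on both peers at the same time,
# so they are left as-is here; the remote peer's configuration is not shown.
set security ike proposal IKE-PROP-SITE-1 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-SITE-1 dh-group group5
set security ike proposal IKE-PROP-SITE-1 authentication-algorithm sha1
set security ike proposal IKE-PROP-SITE-1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP-SITE-1 lifetime-seconds 3600
set security ike proposal IKE-PROP-SITE-2 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-SITE-2 dh-group group5
set security ike proposal IKE-PROP-SITE-2 authentication-algorithm sha1
set security ike proposal IKE-PROP-SITE-2 encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP-SITE-2 lifetime-seconds 3600
# NOTE(review): "mode main" is an IKEv1 concept; both gateways below are
# v2-only, so it presumably has no effect. Confirm before removing.
# NOTE(review): "$9$" strings are reversible obfuscation, not encryption.
# Both pre-shared keys appear in this listing, so treat them as disclosed
# and rotate them on both peers.
set security ike policy IKE-POL-SITE-1 mode main
set security ike policy IKE-POL-SITE-1 proposals IKE-PROP-SITE-1
set security ike policy IKE-POL-SITE-1 pre-shared-key ascii-text "$9$PTF/uORlK8CtK8X7sYfTz"
set security ike policy IKE-POL-SITE-2 mode main
set security ike policy IKE-POL-SITE-2 proposals IKE-PROP-SITE-2
set security ike policy IKE-POL-SITE-2 pre-shared-key ascii-text "$9$ouZDk5Qnp0I.P0IEcvMaZU"
# Both gateways negotiate over ge-0/0/0.0 and accept IKEv2 only.
# NOTE(review): no dead-peer-detection or VPN monitoring is configured, so
# with two load-shared tunnels a silent peer failure may keep its st0 next
# hop installed until the SA expires; verify failover behaviour.
set security ike gateway IKE-GW-SITE-1 ike-policy IKE-POL-SITE-1
set security ike gateway IKE-GW-SITE-1 address 85.1.1.2
set security ike gateway IKE-GW-SITE-1 external-interface ge-0/0/0.0
set security ike gateway IKE-GW-SITE-1 version v2-only
set security ike gateway IKE-GW-SITE-2 ike-policy IKE-POL-SITE-2
set security ike gateway IKE-GW-SITE-2 address 86.1.1.2
set security ike gateway IKE-GW-SITE-2 external-interface ge-0/0/0.0
set security ike gateway IKE-GW-SITE-2 version v2-only

# --- IPsec (phase 2) --------------------------------------------------------
# ESP with HMAC-SHA1-96 and AES-128-CBC; the legacy-algorithm note in the IKE
# section applies here as well (PFS also uses group5).
set security ipsec proposal IPSEC-PROP-SITE-1 protocol esp
set security ipsec proposal IPSEC-PROP-SITE-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP-SITE-1 encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP-SITE-1 lifetime-seconds 3600
set security ipsec proposal IPSEC-PROP-SITE-2 protocol esp
set security ipsec proposal IPSEC-PROP-SITE-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP-SITE-2 encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP-SITE-2 lifetime-seconds 3600
set security ipsec policy IPSEC-POL-SITE-1 perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL-SITE-1 proposals IPSEC-PROP-SITE-1
set security ipsec policy IPSEC-POL-SITE-2 perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL-SITE-2 proposals IPSEC-PROP-SITE-2
# Each VPN binds to its own st0 unit and uses the same proxy identities
# (local 172.16.1.0/24, remote 172.16.2.0/24); tunnels come up at commit.
set security ipsec vpn IPSEC-VPN-SITE-1 bind-interface st0.1
set security ipsec vpn IPSEC-VPN-SITE-1 ike gateway IKE-GW-SITE-1
set security ipsec vpn IPSEC-VPN-SITE-1 ike proxy-identity local 172.16.1.0/24
set security ipsec vpn IPSEC-VPN-SITE-1 ike proxy-identity remote 172.16.2.0/24
set security ipsec vpn IPSEC-VPN-SITE-1 ike ipsec-policy IPSEC-POL-SITE-1
set security ipsec vpn IPSEC-VPN-SITE-1 establish-tunnels immediately
set security ipsec vpn IPSEC-VPN-SITE-2 bind-interface st0.2
set security ipsec vpn IPSEC-VPN-SITE-2 ike gateway IKE-GW-SITE-2
set security ipsec vpn IPSEC-VPN-SITE-2 ike proxy-identity local 172.16.1.0/24
set security ipsec vpn IPSEC-VPN-SITE-2 ike proxy-identity remote 172.16.2.0/24
set security ipsec vpn IPSEC-VPN-SITE-2 ike ipsec-policy IPSEC-POL-SITE-2
set security ipsec vpn IPSEC-VPN-SITE-2 establish-tunnels immediately

# --- Address book -----------------------------------------------------------
set security address-book global address Site-1 172.16.1.0/24
set security address-book global address Site-2 172.16.2.0/24

# --- Screens ----------------------------------------------------------------
# Applied to the untrust zone only (see the zones section).
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

# --- Security policies ------------------------------------------------------
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
# NOTE(review): trust -> untrust permits any/any/any; narrow it if outbound
# traffic from the LAN should be restricted.
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
# Site-to-site traffic is limited to the two LAN prefixes but allows every
# application in both directions.
set security policies from-zone trust to-zone VPN policy trust-to-VPN match source-address Site-1
set security policies from-zone trust to-zone VPN policy trust-to-VPN match destination-address Site-2
set security policies from-zone trust to-zone VPN policy trust-to-VPN match application any
set security policies from-zone trust to-zone VPN policy trust-to-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-to-trust match source-address Site-2
set security policies from-zone VPN to-zone trust policy VPN-to-trust match destination-address Site-1
set security policies from-zone VPN to-zone trust policy VPN-to-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-to-trust then permit
# NOTE(review): the explicit deny has no log action, so dropped inbound
# sessions leave no policy log; consider logging once a log destination exists.
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny

# --- Zones ------------------------------------------------------------------
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
# IKE is accepted only where both gateways terminate it (ge-0/0/0.0).
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
# The tunnel interfaces are only bound to the VPN zone. The original also
# allowed host-inbound IKE on st0.1 and st0.2; both IKE gateways use
# external-interface ge-0/0/0.0, so that allowance was not needed for the
# tunnels and only exposed the IKE service to hosts behind the remote peer.
set security zones security-zone VPN interfaces st0.1
set security zones security-zone VPN interfaces st0.2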