Original Message:
Sent: 03-20-2026 13:22
From: NATHAN GUESS
Subject: SRX route-based VPN Setup
Nikolay, I appreciate the responses!
I have one more question for you. When setting up the NAT statements, how would you configure it when you have multiple addresses/devices?
For example:
set security address-book global address TVHS_Meditech-PrintServers-NAT 10.255.19.28/30
set security address-book global address TVHS_MT-PS01 10.1.1.1/32
set security address-book global address TVHS_MT-PS02 10.1.1.2/32
set security address-book global address AveleCare-Trax-Network 10.155.2.0/24
set security address-book global address-set TVHS-Meditech-PrintServers address TVHS_MT-PS01
set security address-book global address-set TVHS-Meditech-PrintServers address TVHS_MT-PS02
Is there a way to define the address-set in the rule-set instead of creating multiple entries?
------------------------------
NATHAN GUESS
Original Message:
Sent: 03-19-2026 14:26
From: Nikolay Semov
Subject: SRX route-based VPN Setup
That would be something like:
set security nat destination pool poolname address 10.97.1.1/32
set security nat destination rule-set blah from zone 0
set security nat destination rule-set blah rule rulename match destination-address 69.2.17.2/32
set security nat destination rule-set blah rule rulename match destination-port 443
set security nat destination rule-set blah rule rulename then destination-nat pool poolname
NOTE: if the incoming interface address is not 69.2.17.2 --AND-- we're talking about ethernet interface, then you'll also need:
set security nat proxy-arp interface interfacename address 69.2.17.2/32
Proxy-ARP is not needed if traffic is coming in on st0.0.
------------------------------
Nikolay Semov
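A fuller version of the port-forward Nikolay sketched, added here as an example; it is not from his post or from Juniper's documentation. It assumes the Internet-facing interface is reth1.0 in zone 0 and the inside hosts are in zone 100, as in Nathan's configuration, that 69.2.17.2 is not an address configured on reth1.0 (hence the proxy-ARP line), and that the rule-set, pool, policy and address-book names are invented. The `match ... -address-name` lines, which let a NAT rule reference an address-book object or address-set instead of a literal prefix (the question asked further up the thread), and the `match protocol` line are assumptions about the running release: they exist on current Junos but not on every older train, so check them with `?` before committing.

```junos
# Added example, not from the thread. Names are assumed.
# Goal: any IPv4 -> 69.2.17.2:443 is delivered to 10.97.1.1:443.

# Pool: the real server. "port" rewrites the destination port too,
# so the server could just as well listen on 8443.
set security nat destination pool WEB01-HTTPS address 10.97.1.1/32 port 443

# Rule-set keyed on the ingress zone of the untranslated packet.
set security nat destination rule-set FROM-INTERNET from zone 0
set security nat destination rule-set FROM-INTERNET rule WEB01 match destination-address 69.2.17.2/32
set security nat destination rule-set FROM-INTERNET rule WEB01 match destination-port 443
set security nat destination rule-set FROM-INTERNET rule WEB01 match protocol tcp
set security nat destination rule-set FROM-INTERNET rule WEB01 then destination-nat pool WEB01-HTTPS

# Only when 69.2.17.2 is not an address on reth1.0 and reth1.0 is Ethernet.
# Not needed when the traffic arrives on st0.0.
set security nat proxy-arp interface reth1.0 address 69.2.17.2/32

# Destination NAT runs before the policy lookup, so the policy must match the
# real address 10.97.1.1, not 69.2.17.2. Keep it narrow: one application, logged.
set security address-book global address WEB01-REAL 10.97.1.1/32
set security policies from-zone 0 to-zone 100 policy INET-to-WEB01 match source-address any
set security policies from-zone 0 to-zone 100 policy INET-to-WEB01 match destination-address WEB01-REAL
set security policies from-zone 0 to-zone 100 policy INET-to-WEB01 match application junos-https
set security policies from-zone 0 to-zone 100 policy INET-to-WEB01 then permit
set security policies from-zone 0 to-zone 100 policy INET-to-WEB01 then log session-init

# Several hosts or a whole address-set in one rule: reference address-book
# objects by name instead of repeating the rule per prefix. Here the forward
# is restricted to one partner network from the global address book
# (assumed: the release supports address-book objects in NAT rules).
set security address-book global address AveleCare-Trax-Network 10.155.2.0/24
set security address-book global address-set WEB01-CLIENTS address AveleCare-Trax-Network
set security nat destination rule-set FROM-INTERNET rule WEB01 match source-address-name WEB01-CLIENTS

# Verification (operational mode):
#   show security nat destination rule all            (hit counter on rule WEB01)
#   show security nat destination pool all
#   show security flow session destination-prefix 10.97.1.1
```

Two checks worth doing after the commit: the `Translation hits` counter on `show security nat destination rule all` should increment when a client connects, and `show security flow session` should show the session with the untranslated destination on the `In` leg and 10.97.1.1 on the `Out` leg. If the policy was written against 69.2.17.2 instead of the real address, the session simply never appears and the traffic is dropped by the default deny.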
Original Message:
Sent: 03-19-2026 13:42
From: NATHAN GUESS
Subject: SRX route-based VPN Setup
Thank you for the feedback. What would a NAT statement with port forwarding look like?
For example:
any IPv4>69.2.17.2:443>10.97.1.1
------------------------------
NATHAN GUESS
Original Message:
Sent: 03-19-2026 12:43
From: Nikolay Semov
Subject: SRX route-based VPN Setup
In that case look into using static NAT instead of source NAT, so the mapping between 10.160.40.102 and 1.1.11.111 will work for traffic initiated from the other side as well. Here's a decent starting point: https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-static.html
------------------------------
Nikolay Semov
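The static NAT variant Nikolay points to, written out for the two hosts in Nathan's configuration. This is an added example, not code from the thread or from the linked Juniper page. It assumes st0.0 is in zone VPN and the real servers 1.1.11.111 and 2.2.22.22 are in zone 100, that the remote side routes 10.160.40.102 and 10.160.40.103 into the tunnel, and that the rule-set, rule and address-book names are invented.

```junos
# Added example, not from the thread. Names are assumed.
# One static NAT rule per server. Static NAT is bidirectional: sessions from
# the remote side to 10.160.40.102 reach 1.1.11.111, and sessions that
# 1.1.11.111 opens toward the remote side leave st0.0 sourced from 10.160.40.102.
set security nat static rule-set VPN-STATIC from zone VPN
set security nat static rule-set VPN-STATIC rule NRSERVER04 match destination-address 10.160.40.102/32
set security nat static rule-set VPN-STATIC rule NRSERVER04 then static-nat prefix 1.1.11.111/32
set security nat static rule-set VPN-STATIC rule TVHS-HOLTER match destination-address 10.160.40.103/32
set security nat static rule-set VPN-STATIC rule TVHS-HOLTER then static-nat prefix 2.2.22.22/32

# With static NAT in place the source NAT rules for these two hosts are
# redundant; remove them so the two mechanisms cannot disagree.
delete security nat source rule-set 100-to-Outside_2

# No proxy-ARP: the translated addresses are reached through st0.0, not Ethernet.

# Static NAT is applied before the policy lookup, so the VPN-to-100 policy must
# match the real (post-NAT) addresses. Replace any/any with the actual hosts.
set security address-book global address NRSERVER04 1.1.11.111/32
set security address-book global address TVHS-HOLTER 2.2.22.22/32
set security address-book global address CHI-GoodSam-PACS 168.112.142.108/30
set security address-book global address-set TVHS-NAT-HOSTS address NRSERVER04
set security address-book global address-set TVHS-NAT-HOSTS address TVHS-HOLTER
# "any" is a list member; delete it first or it keeps matching everything.
delete security policies from-zone VPN to-zone 100 policy VPN-to-100 match source-address any
delete security policies from-zone VPN to-zone 100 policy VPN-to-100 match destination-address any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match source-address CHI-GoodSam-PACS
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match destination-address TVHS-NAT-HOSTS
delete security policies from-zone 100 to-zone VPN policy 100-to-VPN match source-address any
delete security policies from-zone 100 to-zone VPN policy 100-to-VPN match destination-address any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match source-address TVHS-NAT-HOSTS
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match destination-address CHI-GoodSam-PACS

# Verification (operational mode):
#   show security nat static rule all                       (one hit counter per direction)
#   show security flow session source-prefix 168.112.142.108/30
#   show security flow session destination-prefix 168.112.142.108/30
```

The policy tightening is the security-relevant part: the original any/any rules in both directions would let anything the remote side can route into the tunnel reach anything in zone 100, and vice versa. With static NAT the firewall sees the real addresses at policy time, so the policy can be written against them directly and the NAT block stays a pure address-mapping concern.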
Original Message:
Sent: 03-19-2026 12:38
From: NATHAN GUESS
Subject: SRX route-based VPN Setup
I am wanting traffic to flow from either site.
------------------------------
NATHAN GUESS
Original Message:
Sent: 03-19-2026 12:23
From: Nikolay Semov
Subject: SRX route-based VPN Setup
Oh, I see. And, presumably the other side will have routes to send traffic for 10.160.40.102 and 10.160.40.103 into the tunnel.
Your NAT rule should be to zone VPN rather than to zone 0 since st0.0 is in zone VPN and traffic to 168.112.142.108/30 is routed via st0.0.
And yes, you should be able to leave st0.0 unnumbered; just also omit the "address" keyword and leave it ending in "unit 0 family inet". That should be enough.
Are you looking to allow traffic initiated from the other side? Right now, it looks like you're just trying to cover your servers reaching out to the remote side. So technically you don't need security policies from VPN to 100.
------------------------------
Nikolay Semov
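The three corrections in this reply, collected into one fragment: the tunnel interface left unnumbered, the remote prefix routed into st0.0, and the source NAT rule-set keyed on zone VPN rather than zone 0. This is an added example, not code from the thread; it keeps Nathan's pool and host addresses and assumes the new rule-set name.

```junos
# Added example, not from the thread. Rule-set name is assumed.

# Unnumbered tunnel interface: "family inet" with no "address" leaf.
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0

# Only the remote private prefix goes into the tunnel.
set routing-options static route 168.112.142.108/30 next-hop st0.0

# Source NAT rule-sets are selected by the egress zone of the routed packet.
# Traffic to 168.112.142.108/30 egresses via st0.0, i.e. zone VPN, so a
# rule-set "to zone 0" never matches it and the packets leave untranslated.
set security nat source pool NRSERVER04-NAT-Pool address 10.160.40.102/32
set security nat source rule-set 100-to-VPN from zone 100
set security nat source rule-set 100-to-VPN to zone VPN
set security nat source rule-set 100-to-VPN rule NRSERVER04 match source-address 1.1.11.111/32
set security nat source rule-set 100-to-VPN rule NRSERVER04 match destination-address 168.112.142.108/30
set security nat source rule-set 100-to-VPN rule NRSERVER04 then source-nat pool NRSERVER04-NAT-Pool
delete security nat source rule-set 100-to-Outside_2

# Verification (operational mode):
#   show route 168.112.142.108              (next hop must be st0.0)
#   show security nat source rule all       (Translation hits on rule NRSERVER04)
#   show security flow session destination-prefix 168.112.142.108/30
```

A quick way to confirm the zone pairing is to generate one flow and watch `Translation hits` on `show security nat source rule all`: if the counter stays at zero while the session exists in the flow table, the rule-set is keyed on the wrong zone. Note that source NAT only covers sessions initiated from zone 100; traffic initiated from the remote side needs the static NAT approach discussed earlier in the thread.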
Original Message:
Sent: 03-19-2026 12:07
From: NATHAN GUESS
Subject: SRX route-based VPN Setup
Nikolay, I apologize if that configuration is a little difficult to read; here is hopefully a more readable version:
set security ike proposal Outside2-Map2 encryption-algorithm aes-256-cbc
set security ike proposal Outside2-Map2 authentication-algorithm sha-256
set security ike proposal Outside2-Map2 authentication-method pre-shared-keys
set security ike proposal Outside2-Map2 dh-group group14
set security ike proposal Outside2-Map2 lifetime-seconds 28800
set security ike policy Outside2-Map2-Policy proposals Outside2-Map2
set security ike policy Outside2-Map2-Policy pre-shared-key ascii-text "In Keepass"
set security ike gateway Outside2-Map3-Gateway address 160.76.8.8
set security ike gateway Outside2-Map3-Gateway external-interface reth1.0
set security ike gateway Outside2-Map3-Gateway ike-policy Outside2-Map2-Policy
set security ike gateway Outside2-Map3-Gateway version v2-only
set security ike gateway Outside2-Map3-Gateway dead-peer-detection interval 10 threshold 3
set security ipsec proposal Outside2-Map3-IPSEC-Proposal protocol esp
set security ipsec proposal Outside2-Map3-IPSEC-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Outside2-Map3-IPSEC-Proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal Outside2-Map3-IPSEC-Proposal lifetime-seconds 3600
set security ipsec policy Outside2-Map2-IPSEC-Policy proposals Outside2-Map3-IPSEC-Proposal
set security ipsec policy Outside2-Map2-IPSEC-Policy perfect-forward-secrecy keys group14
set interfaces st0 unit 0 family inet address "no address needs defined
set security ipsec vpn Outside2-Map2-VPN ike gateway Outside2-Map3-Gateway
set security ipsec vpn Outside2-Map2-VPN ike ipsec-policy Outside2-Map2-IPSEC-Policy
set security ipsec vpn Outside2-Map2-VPN bind-interface st0.0
set security zones security-zone VPN interfaces st0.0
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match source-address any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match destination-address any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match application any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN then permit
set security policies from-zone 100 to-zone VPN policy 100-to-VPN then log session-init
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match source-address any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match destination-address any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match application any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 then permit
set security policies from-zone VPN to-zone 100 policy VPN-to-100 then log session-init
set policy-options prefix-list PL-CHI-GoodSam_PAC-Holter-Servers 168.112.142.108/32
set policy-options prefix-list PL-CHI-GoodSam_PAC-Holter-Servers 168.112.142.109/32
set policy-options prefix-list PL-CHI-GoodSam_PAC-Holter-Servers 168.112.142.110/32
set policy-options prefix-list PL-CHI-GoodSam_PAC-Holter-Servers 168.112.142.111/32
set routing-options static route 168.112.142.108/30 next-hop st0.0
set security nat source rule-set 100-to-Outside_2 from zone 100
set security nat source rule-set 100-to-Outside_2 to zone 0
set security nat source rule-set 100-to-Outside_2 rule NRSERVER04_to_CHI-GoodSam-PACS description "NAT for NRSERVER04 traffic to CHI-GoodSam PACS/Holter Servers"
set security nat source rule-set 100-to-Outside_2 rule NRSERVER04_to_CHI-GoodSam-PACS match source-address 1.1.11.111/32
set security nat source rule-set 100-to-Outside_2 rule NRSERVER04_to_CHI-GoodSam-PACS match destination-address 168.112.142.108/30
set security nat source rule-set 100-to-Outside_2 rule NRSERVER04_to_CHI-GoodSam-PACS then source-nat pool NRSERVER04-NAT-Pool
set security nat source rule-set 100-to-Outside_2 from zone 100
set security nat source rule-set 100-to-Outside_2 to zone 0
set security nat source rule-set 100-to-Outside_2 rule TVHS-Holter_to_CHI-HolterServers description "NAT for TVHS Holter PC traffic to CHI-GoodSam PACS/Holter Servers"
set security nat source rule-set 100-to-Outside_2 rule TVHS-Holter_to_CHI-HolterServers match source-address 2.2.22.22/32
set security nat source rule-set 100-to-Outside_2 rule TVHS-Holter_to_CHI-HolterServers match destination-address 168.112.142.108/30
set security nat source rule-set 100-to-Outside_2 rule TVHS-Holter_to_CHI-HolterServers then source-nat pool HOLTER-NAT-Pool
set security nat source pool NRSERVER04-NAT-Pool address 10.160.40.102/32
set security nat source pool HOLTER-NAT-Pool address 10.160.40.103/32
set security nat source rule-set 100-to-Outside_2 rule NRSERVER04_to_CHI-GoodSam-PACS then source-nat pool NRSERVER04-NAT-Pool
set security nat source rule-set 100-to-Outside_2 rule TVHS-Holter_to_CHI-HolterServers then source-nat pool HOLTER-NAT-Pool
------------------------------
NATHAN GUESS
Original Message:
Sent: 03-19-2026 09:12
From: Nikolay Semov
Subject: SRX route-based VPN Setup
On first read what stands out is 1.1.1.1 -- that's the far side of the VPN tunnel. It should be reachable outside the tunnel and you shouldn't route it through the tunnel itself. It becomes recursive when you do. Traffic going into st0 must be encapsulated in ESP, then the encapsulated traffic must go to the gateway (1.1.1.1), but the route to the gateway is through st0, so it must be encapsulated, after which it goes through st0 again, which means encapsulation, etc.
I have to give the config a more thorough read.
As an aside, it's possible to successfully mash together route-based VPN on the SRX side with tunnel-mode policy-based VPN on the other side. I've done it with MikroTik on the far side since they don't have an st interface equivalent, but what I value most about the st0 interface is the ability to run dynamic routing on it.
------------------------------
Nikolay Semov
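The routing arrangement that avoids the recursion Nikolay describes, with the checks to prove it. This is an added example, not code from the thread; the ISP next hop 203.0.113.1 is an assumed placeholder, and the peer and remote-prefix addresses are the ones from Nathan's first post.

```junos
# Added example, not from the thread. 203.0.113.1 is an assumed ISP next hop.

# The IKE peer is reached through the underlay: a default (or more specific)
# route via the physical interface's next hop, never via st0.0.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Only the remote private prefixes are routed into the tunnel.
set routing-options static route 168.112.142.108/30 next-hop st0.0

# The recursive route from the original post. Do not configure it: the ESP
# packets for 1.1.1.1 would be routed back into st0.0 and encapsulated again.
#   set routing-options static route 1.1.1.1/30 next-hop st0.0

# Verification (operational mode):
#   show route 1.1.1.1                       (must resolve via reth1.0, not st0.0)
#   show route 168.112.142.108               (must resolve via st0.0)
#   show security ike security-associations  (peer 1.1.1.1 in state UP)
#   show security ipsec security-associations
#   show interfaces st0.0 terse              (Link up once the IPsec SA exists)
```

The first `show route` is the one to run before anything else: if 1.1.1.1 resolves through st0.0, IKE can never complete because its own packets are swallowed by the tunnel interface, and the symptom is simply an SA that never comes up rather than an obvious error.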
Original Message:
Sent: 03-18-2026 12:21
From: NATHAN GUESS
Subject: SRX route-based VPN Setup
Hello everyone,
We are in the process of migrating all of our policy‑based VPN tunnels from our Cisco ASA 5516 firewall to a Juniper SRX345. Since Juniper Support confirmed that IKEv2 is not supported for policy‑based VPNs on our Junos version, we are converting these tunnels to route‑based IKEv2 using st0 interfaces.
Here is my example configuration:
CryptoMap Configuration
set security ike proposal Outside2-Map2 encryption-algorithm aes-256-cbc
set security ike proposal Outside2-Map2 authentication-algorithm sha-256
set security ike proposal Outside2-Map2 authentication-method pre-shared-keys
set security ike proposal Outside2-Map2 dh-group group14
set security ike proposal Outside2-Map2 lifetime-seconds 28800
set security ike policy Outside2-Map2-Policy proposals Outside2-Map2
set security ike policy Outside2-Map2-Policy pre-shared-key ascii-text "In Keepass"
set security ike gateway Outside2-Map2-Gateway address 1.1.1.1
set security ike gateway Outside2-Map2-Gateway external-interface reth1.0
set security ike gateway Outside2-Map2-Gateway ike-policy Outside2-Map2-Policy
set security ike gateway Outside2-Map2-Gateway version v2-only
set security ike gateway Outside2-Map2-Gateway dead-peer-detection interval 10 threshold 3
set security ipsec proposal Outside2-Maps2-IPSEC-Proposal protocol esp
set security ipsec proposal Outside2-Maps2-IPSEC-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Outside2-Maps2-IPSEC-Proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal Outside2-Maps2-IPSEC-Proposal lifetime-seconds 3600
set security ipsec policy Outside2-Maps2-IPSEC-Policy proposals Outside2-Maps2-IPSEC-Proposal
set security ipsec policy Outside2-Maps2-IPSEC-Policy perfect-forward-secrecy keys group14
set interfaces st0 unit 0 family inet address 169.254.0.1/30
set security ipsec vpn Outside2-Map2-VPN ike gateway Outside2-Map2-Gateway
set security ipsec vpn Outside2-Map2-VPN ike ipsec-policy Outside2-Maps2-IPSEC-Policy
set security ipsec vpn Outside2-Map2-VPN bind-interface st0.0
set security zones security-zone VPN interfaces st0.0
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match source-address any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match destination-address any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN match application any
set security policies from-zone 100 to-zone VPN policy 100-to-VPN then permit
set security policies from-zone 100 to-zone VPN policy 100-to-VPN then log session-init
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match source-address any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match destination-address any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 match application any
set security policies from-zone VPN to-zone 100 policy VPN-to-100 then permit
set security policies from-zone VPN to-zone 100 policy VPN-to-100 then log session-init
set routing-options static route 1.1.1.1/30 next-hop st0.0
NAT Statement:
set security nat source rule-set 100-to-Outside_2 from zone 100
set security nat source rule-set 100-to-Outside_2 to zone 0
set security nat source rule-set 100-to-Outside_2 rule Server1_to_RemoteServers description "NAT for Server1 traffic to Remote Servers"
set security nat source rule-set 100-to-Outside_2 rule Server1_to_RemoteServers match source-address 10.10.10.10/32
set security nat source rule-set 100-to-Outside_2 rule Server1_to_RemoteServers match destination-address 1.1.1.1/30
set security nat source rule-set 100-to-Outside_2 rule Server1_to_RemoteServers then source-nat pool Sever1-NAT-Pool
set security nat source rule-set 100-to-Outside_2 from zone 100
set security nat source rule-set 100-to-Outside_2 to zone 0
set security nat source rule-set 100-to-Outside_2 rule Server2_to_RemoteServers description "NAT for Server2 traffic to Remote Servers"
set security nat source rule-set 100-to-Outside_2 rule Server2_to_RemoteServers match source-address 10.10.10.11/30
set security nat source rule-set 100-to-Outside_2 rule Server2_to_RemoteServers match destination-address 1.1.1.1/30
set security nat source rule-set 100-to-Outside_2 rule Server2_to_RemoteServers then source-nat pool Sever2-NAT-Pool
set security nat source pool Server1-NAT-Pool address 11.11.11.11/32
set security nat source pool Server2-NAT-Pool address 11.11.11.12/32
set security nat source rule-set 100-to-Outside_2 rule Server1_to_RemoteServers then source-nat pool Server1-NAT-Pool
set security nat source rule-set 100-to-Outside_2 rule Server2_to_RemoteServers then source-nat pool Server2-NAT-Pool
Does this look like a correct and complete route‑based IKEv2 configuration for SRX345? Will this properly allow:
Internal hosts → Remote servers (with source NAT)?
Remote servers → Internal servers (with return traffic through the tunnel)?
Are there any best practices I should apply when migrating many former crypto‑map tunnels onto st0 interfaces?
------------------------------
NATHAN GUESS
------------------------------