The two zones involved:
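security-zone peer1 {
    address-book {
        /* Local subnet on the peer1 side; referenced by policy 1to2 (source) and 2to1 (destination). */
        address Range5 192.168.5.0/24;
    }
    /* Every system service and routing protocol may terminate on this zone's interfaces; prefer listing only the services the zone actually needs. */
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
/* Closing brace of the security-zone stanza was missing in the pasted text; without it the block does not parse. */
}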
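security-zone peer2 {
    address-book {
        /* Local subnet on the peer2 side; referenced by policy 1to2 (destination) and 2to1 (source). */
        address Lan80 172.30.80.0/24;
    }
    /* Every system service and routing protocol may terminate on this zone's interfaces; prefer listing only the services the zone actually needs. */
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
/* Closing brace of the security-zone stanza was missing in the pasted text; without it the block does not parse. */
}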
Policies applied to the zones involved:
from-zone peer1 to-zone peer2 {
    /* Policy-based VPN: traffic from Range5 to Lan80 is permitted and steered into the sitetosite tunnel. */
    policy 1to2 {
        match {
            source-address Range5;
            destination-address Lan80;
            /* No application restriction: all ports and protocols between the two subnets are allowed through the tunnel. */
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn sitetosite;
                    /* Return-direction policy in the peer2-to-peer1 pair; its source/destination are expected to mirror this match. */
                    pair-policy 2to1;
                }
            }
        }
    }
}
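from-zone peer2 to-zone peer1 {
    /* Return-direction policy for the sitetosite tunnel; pair of policy 1to2. */
    policy 2to1 {
        match {
            /* Was "Lan80AZA", which is not defined in the peer2 address-book (only Lan80 is); corrected so the pair policy mirrors 1to2. */
            source-address Lan80;
            destination-address Range5;
            /* No application restriction: all ports and protocols between the two subnets are allowed through the tunnel. */
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn sitetosite;
                    pair-policy 1to2;
                }
            }
        }
    }
}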
The VPN configuration:
security {
ike {
    /* Full IKE debug tracing; intended for troubleshooting only, as it is verbose and logs negotiation detail. */
    traceoptions {
        flag all;
    }
    /* Phase 1 proposal. md5, 3des-cbc and dh-group2 are weak/deprecated choices; if the remote peer supports them, sha-256, aes-256-cbc and group14 are stronger equivalents (both ends must match). */
    proposal HQ_PHASE1 {
        description vpn;
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy POLICY-HQ {
        mode main;
        proposals HQ_PHASE1;
        /* The $9$ format is reversible obfuscation, not a hash: this value is the secret itself and should be treated (and rotated) as such once posted. */
        pre-shared-key ascii-text "$9$bfsYoqmTzF/";
    }
    gateway GATEWAY-HQ {
        ike-policy POLICY-HQ;
        /* Remote IKE peer address. */
        address 172.30.100.2;
        /* NAT traversal is disabled; only valid if no NAT sits between the two gateways. */
        no-nat-traversal;
        /* Local interface terminating IKE; the zone holding it (not shown here) must allow the ike system-service inbound. */
        external-interface ge-0/0/8;
    }
}
ipsec {
    /* Full IPsec debug tracing; intended for troubleshooting only. */
    traceoptions {
        flag all;
    }
    /* Global VPN-monitor options stanza with no parameters, i.e. defaults. */
    vpn-monitor-options;
    /* Phase 2 proposal. hmac-md5-96 and 3des-cbc are weak/deprecated; hmac-sha-256-128 and aes-256-cbc are stronger equivalents if the peer supports them (both ends must match). */
    proposal HQ_PHASE2 {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy VPN-POLICY {
        /* PFS is enabled, but with group2, the same weak DH group as phase 1. */
        perfect-forward-secrecy {
            keys group2;
        }
        proposals HQ_PHASE2;
    }
    /* Tunnel referenced by policies 1to2 and 2to1. */
    vpn sitetosite {
        ike {
            gateway GATEWAY-HQ;
            ipsec-policy VPN-POLICY;
        }
        /* Bring the tunnel up at commit rather than waiting for matching traffic. */
        establish-tunnels immediately;
    }
}