Thanks for your reply. Here is the hub device config (excerpted; not every stanza is shown in full):
/* Hub-side Junos config excerpt for the IKEv1/IPsec tunnel to the branch "htn".
   NOTE(review): this is a partial paste — braces do not balance and the st0 and
   routing-options stanzas appear without their enclosing [edit interfaces] /
   top-level context. Read it as an excerpt, not a loadable file. */
security {
ike {
/* Phase 1 (IKE SA) parameters. SHA-1 and DH group 5 are legacy choices;
   where the branch supports it, sha-256 and group14 or higher are the
   usual current recommendation. */
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
}
/* Aggressive mode with a pre-shared key exposes more of the handshake
   unprotected than main mode and is the weaker of the two IKEv1 modes.
   It is typically required here because the peer is a dynamic-hostname
   peer authenticated by PSK (gateway gw-htn below); a strong, long PSK
   or certificate-based authentication reduces that exposure. */
policy ike-phase1-policy {
mode aggressive;
proposals ike-phase1-proposal;
/* The $9$ value is reversibly obfuscated, not hashed. Since this config
   has been posted publicly, redact it in the post and rotate the key on
   both peers. */
pre-shared-key ascii-text "$9$c-wSK8db2Ujq7-Zjk.F3hSrK87-Vw2oJN-"; ## SECRET-DATA
}
gateway gw-htn {
ike-policy ike-phase1-policy;
/* Peer is resolved by DNS name (dynamic endpoint). */
dynamic hostname branch.ddns.net;
/* NOTE(review): with NAT traversal disabled, the tunnel will not come up
   if the branch sits behind a NAT device — confirm the branch has a
   public address on its IKE interface. */
no-nat-traversal;
local-identity user-at-hostname "responder_nat@xxx.com";
external-interface pp0.0;
version v1-only;
}
ipsec {
/* Phase 2 (IPsec SA) parameters; PFS with group 5 is enabled below. */
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group5;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-htn {
/* Route-based VPN: traffic is steered by the static routes on st0 below. */
bind-interface st0.0;
ike {
gateway gw-htn;
/* Disables replay protection for this SA. This removes a defence against
   replayed ESP packets and is normally only set to work around a specific
   interoperability or reordering problem — re-enable it unless such a
   problem is confirmed. */
no-anti-replay;
/* Proxy IDs must mirror the branch side (local/remote swapped there). */
proxy-identity {
local 192.168.6.0/24;
remote 192.168.7.0/24;
}
ipsec-policy ipsec-phase2-policy;
}
establish-tunnels immediately;
}
flow {
/* Clamp TCP MSS on tunnelled flows to avoid fragmentation of ESP packets. */
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
/* Security policy permitting Internal -> vpn-htn. PT, HTN, vpn-nt, TL and
   LG are address-book entries not shown in this excerpt. */
from-zone Internal to-zone vpn-htn {
policy vpn-site-htn {
match {
source-address PT;
destination-address [ HTN vpn-nt TL LG ];
application any;
}
then {
permit;
}
}
}
/* Internet zone only needs to accept IKE for the tunnel to establish. */
security-zone Internet {
host-inbound-traffic {
system-services {
ike;
}
}
/* vpn-htn zone accepts every system service and every routing protocol
   from the tunnel. Narrowing this to what the spokes actually need
   (e.g. ping and any routing protocol in use) limits exposure if a spoke
   is compromised. */
security-zone vpn-htn {
host-inbound-traffic {
system-services {
any-service;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
/* Tunnel interface, multipoint for the hub (several spokes terminate here).
   NOTE(review): the /8 mask covers all of 10.0.0.0/8; the spoke next-hops
   below are all in 10.1.1.0/24, so a /24 may be what was intended — confirm
   it matches the spokes and does not overlap other 10.x.x.x routes. */
st0 {
unit 0 {
multipoint;
family inet {
address 10.1.1.1/8;
}
}
/* Default route out the PPPoE interface; spoke LANs reached via their
   st0 tunnel addresses. */
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop pp0.0 {
metric 1;
}
}
route 192.168.7.0/24 next-hop 10.1.1.2;
route 192.168.4.0/24 next-hop 10.1.1.6;
route 192.168.3.0/24 next-hop 10.1.1.7;
route 192.168.9.0/24 next-hop 10.1.1.4;
}
}