The first SSG140 that connects to the SSG5 has this config:
set clock timezone -6
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "****************************"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.38.71.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 172.16.1.100/16
set interface ethernet0/1 nat
set interface ethernet0/2 ip x.x.x.x/25
set interface ethernet0/2 route
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface ethernet0/2 gateway x.x.x.1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 10
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.38.71.0/24" 10.38.71.0 255.255.255.0
set address "Trust" "172.20.0.0/16" 172.20.0.0 255.255.0.0
set address "Untrust" "172.20.0.0/16" 172.20.0.0 255.255.0.0
set ike gateway "My GW1" address 0.0.0.0 id "mygw1" Aggr outgoing-interface "ethernet0/2" preshare "*********************************" proposal "pre-g2-3des-sha"
unset ike gateway "My GW1" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "My VPN1" gateway "My GW1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "My VPN1" monitor
set vpn "My VPN1" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "My VPN1" proxy-id local-ip 10.38.71.0/24 remote-ip 172.20.0.0/16 "ANY"
set policy id 1 from "Trust" to "Trust" "10.38.71.0/24" "172.20.0.0/16" "ANY" permit log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.20.0.0/16 interface tunnel.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
The other SSG140 has almost exactly the same config:
set clock timezone -6
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "*********************************"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.38.70.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 172.16.1.100/16
set interface ethernet0/1 nat
set interface ethernet0/2 ip y.y.y.y/28
set interface ethernet0/2 route
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface ethernet0/2 gateway y.y.y.1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 10
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.38.70.0/24" 10.38.70.0 255.255.255.0
set address "Trust" "172.20.0.0/16" 172.20.0.0 255.255.0.0
set address "Untrust" "172.20.0.0/16" 172.20.0.0 255.255.0.0
set ike gateway "My GW2" address 0.0.0.0 id "mygw2" Aggr outgoing-interface "ethernet0/2" preshare "*************************" proposal "pre-g2-3des-sha"
unset ike gateway "My GW2" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "My VPN2" gateway "My GW2" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "My VPN2" monitor
set vpn "My VPN2" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "My VPN2" proxy-id local-ip 10.38.70.0/24 remote-ip 172.20.0.0/16 "ANY"
set policy id 1 from "Trust" to "Trust" "10.38.70.0/24" "172.20.0.0/16" "ANY" permit log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.20.0.0/16 interface tunnel.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
And this is the SSG5's config:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "**********************************"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "tunnel.2" zone "Trust"
set interface "tunnel.3" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip z.z.z.z/22
set interface ethernet0/0 route
set interface bgroup0 ip 172.20.1.250/16
set interface bgroup0 nat
set interface tunnel.2 ip unnumbered interface bgroup0
set interface tunnel.3 ip unnumbered interface bgroup0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/0 dhcp client enable
set interface ethernet0/1 dhcp client enable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface "serial0/0" modem aux enable
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 10
set domain myisp.net
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.38.70.0/24" 10.38.70.0 255.255.255.0
set address "Trust" "10.38.71.0/24" 10.38.71.0 255.255.255.0
set address "Trust" "172.20.0.0/16" 172.20.0.0 255.255.0.0
set address "Untrust" "10.38.71.0/24" 10.38.71.0 255.255.255.0
set ike gateway "My GW1" address x.x.x.x Aggr local-id "mygw1" outgoing-interface "ethernet0/0" preshare "*****************" proposal "pre-g2-3des-sha"
set ike gateway "My GW2" address y.y.y.y Aggr local-id "mygw2" outgoing-interface "ethernet0/0" preshare "*****************" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "My VPN1" gateway "My GW1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "My VPN1" monitor rekey
set vpn "My VPN1" id 1 bind interface tunnel.2
set vpn "My VPN2" gateway "My GW2" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "My VPN2" monitor rekey
set vpn "My VPN2" id 2 bind interface tunnel.3
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "My VPN1" proxy-id local-ip 172.20.0.0/16 remote-ip 10.38.71.0/24 "ANY"
set vpn "My VPN2" proxy-id local-ip 172.20.0.0/16 remote-ip 10.38.70.0/24 "ANY"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 4 from "Trust" to "Trust" "172.20.0.0/16" "10.38.71.0/24" "ANY" permit log
set policy id 4
exit
set policy id 5 from "Trust" to "Trust" "172.20.0.0/16" "10.38.70.0/24" "ANY" permit log
set policy id 5
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.38.71.0/24 interface tunnel.2 preference 20
set route 10.38.70.0/24 interface tunnel.3 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit