SITE ONE (VPN1.AA)

## Secure tunnel interface for the route-based VPN; the IPsec VPN below binds to st0.0.
interfaces {
    st0 {
        unit 0 {
            family inet {
                ## VPN1.AA end of the /30 tunnel subnet (VPN1.BB uses 10.255.0.2).
                address 10.255.0.1/30;
                ## Reduced IPv4 MTU inside the tunnel, presumably to leave headroom for ESP overhead.
                mtu 1420;
            }
            point-to-point;
        }
    }
}
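## IKE/IPsec, zone, policy and flow settings for the VPN1.AA side of the tunnel to VPN1.BB.
security {
    ike {
        proposal vpn1-bb-proposal {
            authentication-method pre-shared-keys;
            ## NOTE(review): group2 is 1024-bit MODP, which RFC 8247 lists as SHOULD NOT.
            ## Prefer group14 or stronger. The IKE group and the PFS group further down must
            ## match the peer, so change them on both sites in the same maintenance window.
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy vpn1-bb-ike-policy {
            ## Main mode exchanges peer identities encrypted; keep it when using pre-shared keys.
            mode main;
            proposals vpn1-bb-proposal;
            ## "secret-key" is a placeholder: use a long random value unique to this tunnel.
            ## The stored $9$ form is reversible, so treat configuration exports as sensitive.
            pre-shared-key ascii-text "secret-key"; ## ENSURE THIS IS THE SAME ON BOTH SIDES
        }
        gateway vpn1-bb-gateway {
            ## NOTE(review): no `version` statement, so this presumably negotiates IKEv1;
            ## consider `version v2-only` on both peers if the platform supports it.
            ike-policy vpn1-bb-ike-policy;
            address 1.2.3.4; ## EXTERNAL-FACING INTERFACE ADDRESS OF VPN1.BB
            external-interface ge-0/0/0.0; ## EXTERNAL-FACING INTERFACE OF VPN1.AA
        }
    }
    ipsec {
        proposal vpn1-bb-ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy vpn1-bb-ipsec-policy {
            perfect-forward-secrecy {
                ## NOTE(review): same 1024-bit group as the IKE proposal; raise both together.
                keys group2;
            }
            proposals vpn1-bb-ipsec-proposal;
        }
        vpn vpn1-bb-ipsec-vpn {
            bind-interface st0.0;
            ike {
                gateway vpn1-bb-gateway;
                ipsec-policy vpn1-bb-ipsec-policy;
            }
            ## Bring the tunnel up at commit time instead of waiting for traffic.
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn1-bb-vpn {
            ## NOTE(review): `all` lets the remote site reach every management service and
            ## protocol on this device through the tunnel. List only what is needed
            ## (for example ping, plus a routing protocol if one runs over st0).
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        ## NOTE(review): any/any/any exposes the whole remote site to every trust host.
        ## Narrow to address-book entries and applications once the required flows are known.
        ## Only trust -> VPN is defined here; sessions initiated from VPN1.BB need a
        ## from-zone vpn1-bb-vpn to-zone trust policy, which this listing does not show.
        from-zone trust to-zone vpn1-bb-vpn {
            policy permit-trust-to-vpn1-bb-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                ## st0.0 has an IPv4 MTU of 1420, so the clamp must leave 40 bytes for the
                ## IPv4 and TCP headers (1420 - 40 = 1380). With 1420, full-size segments
                ## exceeded the tunnel MTU and were fragmented or dropped.
                mss 1380;
            }
        }
    }
}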

SITE TWO (VPN1.BB)

## Secure tunnel interface for the route-based VPN; the IPsec VPN below binds to st0.0.
interfaces {
    st0 {
        unit 0 {
            family inet {
                ## VPN1.BB end of the /30 tunnel subnet (VPN1.AA uses 10.255.0.1).
                address 10.255.0.2/30;
                ## Reduced IPv4 MTU inside the tunnel, presumably to leave headroom for ESP overhead.
                mtu 1420;
            }
            point-to-point;
        }
    }
}
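## IKE/IPsec, zone, policy and flow settings for the VPN1.BB side of the tunnel to VPN1.AA.
security {
    ike {
        proposal vpn1-aa-proposal {
            authentication-method pre-shared-keys;
            ## NOTE(review): group2 is 1024-bit MODP, which RFC 8247 lists as SHOULD NOT.
            ## Prefer group14 or stronger. The IKE group and the PFS group further down must
            ## match the peer, so change them on both sites in the same maintenance window.
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy vpn1-aa-ike-policy {
            ## Main mode exchanges peer identities encrypted; keep it when using pre-shared keys.
            mode main;
            proposals vpn1-aa-proposal;
            ## "secret-key" is a placeholder: use a long random value unique to this tunnel.
            ## The stored $9$ form is reversible, so treat configuration exports as sensitive.
            pre-shared-key ascii-text "secret-key"; ## ENSURE THIS IS THE SAME ON BOTH SIDES
        }
        gateway vpn1-aa-gateway {
            ## NOTE(review): no `version` statement, so this presumably negotiates IKEv1;
            ## consider `version v2-only` on both peers if the platform supports it.
            ike-policy vpn1-aa-ike-policy;
            address 2.3.4.5; ## EXTERNAL-FACING INTERFACE ADDRESS OF VPN1.AA
            external-interface ge-0/0/0.0; ## EXTERNAL-FACING INTERFACE OF VPN1.BB
        }
    }
    ipsec {
        proposal vpn1-aa-ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy vpn1-aa-ipsec-policy {
            perfect-forward-secrecy {
                ## NOTE(review): same 1024-bit group as the IKE proposal; raise both together.
                keys group2;
            }
            proposals vpn1-aa-ipsec-proposal;
        }
        vpn vpn1-aa-ipsec-vpn {
            bind-interface st0.0;
            ike {
                gateway vpn1-aa-gateway;
                ipsec-policy vpn1-aa-ipsec-policy;
            }
            ## Bring the tunnel up at commit time instead of waiting for traffic.
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn1-aa-vpn {
            ## NOTE(review): `all` lets the remote site reach every management service and
            ## protocol on this device through the tunnel. List only what is needed
            ## (for example ping, plus a routing protocol if one runs over st0).
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        ## NOTE(review): any/any/any exposes the whole remote site to every trust host.
        ## Narrow to address-book entries and applications once the required flows are known.
        ## Only trust -> VPN is defined here; sessions initiated from VPN1.AA need a
        ## from-zone vpn1-aa-vpn to-zone trust policy, which this listing does not show.
        from-zone trust to-zone vpn1-aa-vpn {
            policy permit-trust-to-vpn1-aa-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                ## st0.0 has an IPv4 MTU of 1420, so the clamp must leave 40 bytes for the
                ## IPv4 and TCP headers (1420 - 40 = 1380). With 1420, full-size segments
                ## exceeded the tunnel MTU and were fragmented or dropped.
                mss 1380;
            }
        }
    }
}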

USEFUL COMMANDS

## IKE (phase 1) security associations: confirms the peers authenticated and agreed on keys.
show security ike security-associations
## IPsec (phase 2) security associations: confirms the ESP tunnel itself is established.
show security ipsec security-associations