Hi all,

I am writing about the following. I need to create a VPN from an SRX210B to a PIX535, and I have configured it.

show

    ## Last changed: 2011-09-29 10:21:28 UTC
    version 10.0R3.10;
    system {
        host-name ROU-PLATCO;
        root-authentication {
            encrypted-password "$1$WOzy96.aaaaaaaaaaaaaaaaaa5lwc6Oy1"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        interface-range interfaces-trust {
            member ge-0/0/1;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/0 {
            unit 0;
        }
        fe-0/0/7 {
            speed 100m;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 10.0.16.3/24;
                }
            }
        }
        e1-1/0/0 {
            encapsulation cisco-hdlc;
            e1-options {
                framing g704;
            }
            unit 0 {
                family inet {
                    address 192.168.41.222/30;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    routing-options {
        static {
            route 206.49.166.0/24 next-hop st0.0;
        }
    }
    security {
        ike {
            proposal P1-3DES {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 1440;
            }
            policy IKE-POLICY-1 {
                mode main;
                proposals P1-3DES;
                pre-shared-key ascii-text "$9$7RNwwwwwwww-Vws4ZUDkQ36"; ## SECRET-DATA
            }
            gateway GW-1 {
                ike-policy IKE-POLICY-1;
                address 192.168.41.221;
                external-interface e1-1/0/0.0;
            }
        }
        ipsec {
            proposal P2-3DES {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
            }
            policy IPSEC-POLICY-1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals P2-3DES;
            }
            vpn VPN-1 {
                bind-interface st0.0;
                ike {
                    gateway GW-1;
                    ipsec-policy IPSEC-POLICY-1;
                }
                establish-tunnels immediately;
            }
        }
        zones {
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ike;
                        all;
                    }
                }
                interfaces {
                    e1-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ike;
                                all;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                address-book {
                    address LAN 10.0.16.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

    [edit]
    [email protected]#

I don't have skills with VPN. The topology has the following form:

    SRX--->Router Cisco--->PIX

These are the configuration parameters:

    IKE - Hashing algorithm            : IKE/3DES/SHA-1/DH2/Aggressive mode=no
    IKE - SA lifetime                  : 1440sec
    Initial mode                       : Main mode
    IPSEC                              : ESP
    IPSEC - ESP Encryption Algorithm   : 3DES
    IPSEC - Hashing algorithm          : MD5
    IPSEC - SA time lifetime           : 3600sec
    IPSEC - PFS                        : No (It is possible to change it)
    Compression                        : None
    Authentication (pre-share only)    : Pre-shared (provided by phone)
    Protocol                           : IP

When I run the command show security ike security-association detail, these are the results:

    IKE peer 206.49.166.253, Index 52,
      Role: Initiator, State: DOWN
      Initiator cookie: ac99e923555018cb, Responder cookie: 0000000000000000
      Exchange type: Main, Authentication method: Pre-shared-keys
      Local: 192.168.41.222:500, Remote: 206.49.166.253:500
      Lifetime: Expires in 1331 seconds
      Algorithms:
       Authentication        : unknown
       Encryption            : unknown
       Pseudo random function: unknown
      Traffic statistics:
       Input  bytes  :                    0
       Output bytes  :                 1300
       Input  packets:                    0
       Output packets:                    5
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 0

The VPN is DOWN, I don't know what to do... Help me please.

Thanks,
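Added example, not part of the original post: a short Python triage of the `show security ike security-association detail` output quoted above, turning the fields that matter for a Phase 1 SA stuck in DOWN into findings. The function names, field table and finding labels are assumptions made for illustration; the sample text and the gateway address 192.168.41.221 are taken from the post.

```python
import re

# Excerpt of the IKE SA output from the post above.
SAMPLE = """\
IKE peer 206.49.166.253, Index 52, Role: Initiator, State: DOWN
Initiator cookie: ac99e923555018cb, Responder cookie: 0000000000000000
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 192.168.41.222:500, Remote: 206.49.166.253:500
Algorithms:
 Encryption : unknown
Traffic statistics:
 Input packets: 0
 Output packets: 5
"""

# Hypothetical field table: one regex per value used for triage.
FIELDS = {
    "state": r"State:\s*(\S+)",
    "responder_cookie": r"Responder cookie:\s*([0-9a-f]+)",
    "remote": r"Remote:\s*([\d.]+):\d+",
    "encryption": r"Encryption\s*:\s*(\S+)",
    "input_packets": r"Input\s+packets\s*:\s*(\d+)",
    "output_packets": r"Output\s+packets\s*:\s*(\d+)",
}

def parse_ike_sa(text):
    """Extract the triage fields from one SA block; missing fields are None."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        sa[name] = m.group(1) if m else None
    for key in ("input_packets", "output_packets"):
        if sa[key] is not None:
            sa[key] = int(sa[key])
    return sa

def triage(sa, configured_gateway=None):
    """Return finding labels for an SA that has not come up."""
    findings = []
    cookie = sa["responder_cookie"]
    if cookie and set(cookie) == {"0"}:
        findings.append("no-responder-cookie")  # no reply to the first IKE message
    if sa["output_packets"] and sa["input_packets"] == 0:
        findings.append("sent-but-nothing-received")
    if sa["encryption"] == "unknown":
        findings.append("no-proposal-agreed")
    if configured_gateway and sa["remote"] != configured_gateway:
        findings.append("remote-differs-from-configured-gateway")
    return findings
```

Calling `triage(parse_ike_sa(SAMPLE), configured_gateway="192.168.41.221")` returns all four labels for the posted output.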