PrepAway - Latest Free Exam Questions & Answers

Author: seenagape

What is the configuration problem with the tunnel?

— Exhibit —
user@host> show security ike security-associations 1.1.1.2
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main
user@host> show security ipsec security-associations
Total active tunnels: 0
user@host> show route
inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:00:25
                    > to 2.2.2.1 via ge-0/0/0.0
2.2.2.0/24         *[Direct/0] 00:00:25
                    > via ge-0/0/0.0
2.2.2.2/32         *[Local/0] 00:00:25
                      Local via ge-0/0/0.0
10.1.1.0/30        *[Direct/0] 00:06:06
                    > via st0.0
10.1.1.1/32        *[Local/0] 00:06:06
                      Local via st0.0
10.12.1.0/24       *[Direct/0] 00:06:06
                    > via ge-0/0/1.0
10.12.1.1/32       *[Local/0] 00:06:06
                      Local via ge-0/0/1.0
10.128.64.0/24     *[Static/5] 00:00:25
                    > to 2.2.2.1 via ge-0/0/0.0
user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: vpn
Policy: permit-all, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
— Exhibit —
You have created an IPsec VPN on an SRX Series device. You believe the tunnel is
configured correctly, but traffic from a host with the IP address of 10.12.1.10 cannot reach a
remote device over the tunnel with an IP address of 10.128.64.132. The ge-0/0/1.0 interface
is in the trust zone and the st0.0 interface is in the vpn zone. The output of four show
commands is shown in the exhibit.
What is the configuration problem with the tunnel?

What are two conclusions about the VPN tunnel from the output?

— Exhibit —
user@host> show security ipsec security-associations
Total active tunnels: 1
ID       Algorithm      SPI       Life:sec/kb  Mon  vsys  Port  Gateway
<131073  ESP:3des/sha1  ac23df79  2532/ unlim  -    root  4500  1.1.1.1
>131073  ESP:3des/sha1  cbc9281a  2532/ unlim  -    root  4500  1.1.1.1
user@host> show security ipsec security-associations detail
Virtual-system: root
Local Gateway: 1.0.0.1, Remote Gateway: 1.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Direction: inbound, SPI: ac23df79, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: cbc9281a, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
— Exhibit —
The exhibit shows output from two show commands.
What are two conclusions about the VPN tunnel from the output? (Choose two.)

Which statement would achieve the desired results?

Click the Exhibit button.
Server A is communicating with Server B directly over the Internet. The servers now must
begin exchanging additional information through an unencrypted protocol. To protect this
new data exchange, you want to establish a VPN tunnel between the two sites that will
encrypt just the unencrypted data while leaving the existing communications directly over the
Internet.
Which statement would achieve the desired results?

