Obviously, you can use whatever interface names that you want or ESP/IKE groups that you want, but this is a good template to use.
Site 1:
set firewall options mss-clamp interface-type tun
set firewall options mss-clamp mss 1328
set interfaces bridge br0 address 192.168.5.1/24
set interfaces bridge br0 aging 300
set interfaces bridge br0 bridged-conntrack disable
set interfaces bridge br0 description ‘Site 1 LAN Bridge’
set interfaces bridge br0 firewall in name MY_LAN_IN
set interfaces bridge br0 hello-time 2
set interfaces bridge br0 max-age 20
set interfaces bridge br0 priority 32768
set interfaces bridge br0 promiscuous disable
set interfaces bridge br0 stp false
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces tunnel tun0 encapsulation gre-bridge
set interfaces tunnel tun0 local-ip 10.255.12.13
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 10.255.12.14
set interfaces tunnel tun0 ttl 255
set vpn ipsec esp-group FOO3 compression disable
set vpn ipsec esp-group FOO3 lifetime 3600
set vpn ipsec esp-group FOO3 mode tunnel
set vpn ipsec esp-group FOO3 pfs enable
set vpn ipsec esp-group FOO3 proposal 1 encryption aes256
set vpn ipsec esp-group FOO3 proposal 1 hash sha1
set vpn ipsec ike-group FOO3 ikev2-reauth no
set vpn ipsec ike-group FOO3 key-exchange ikev1
set vpn ipsec ike-group FOO3 lifetime 28800
set vpn ipsec ike-group FOO3 proposal 1 dh-group 16
set vpn ipsec ike-group FOO3 proposal 1 encryption aes256
set vpn ipsec ike-group FOO3 proposal 1 hash sha1
set vpn ipsec site-to-site peer 11.22.33.44 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 11.22.33.44 authentication pre-shared-secret ‘PreSharedSecretHere’
set vpn ipsec site-to-site peer 11.22.33.44 connection-type initiate
set vpn ipsec site-to-site peer 11.22.33.44 description ‘My-EoGRE-Site-1’
set vpn ipsec site-to-site peer 11.22.33.44 ike-group FOO3
set vpn ipsec site-to-site peer 11.22.33.44 ikev2-reauth inherit
set vpn ipsec site-to-site peer 11.22.33.44 local-address 12.34.56.78
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 esp-group FOO3
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 local prefix 10.255.12.13/32
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 remote prefix 10.255.12.14/32
Site 2:
set firewall options mss-clamp interface-type tun
set firewall options mss-clamp mss 1328
set interfaces bridge br0 address 192.168.5.2/24
set interfaces bridge br0 aging 300
set interfaces bridge br0 bridged-conntrack disable
set interfaces bridge br0 description ‘Site 2 LAN Bridge’
set interfaces bridge br0 hello-time 2
set interfaces bridge br0 max-age 20
set interfaces bridge br0 priority 32768
set interfaces bridge br0 promiscuous disable
set interfaces bridge br0 stp false
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces tunnel tun0 encapsulation gre-bridge
set interfaces tunnel tun0 local-ip 10.255.12.14
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 10.255.12.13
set interfaces tunnel tun0 ttl 255
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 16
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 12.34.56.78 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 12.34.56.78 authentication pre-shared-secret ‘PreSharedSecretHere’
set vpn ipsec site-to-site peer 12.34.56.78 connection-type initiate
set vpn ipsec site-to-site peer 12.34.56.78 description ‘My-EoGRE-Site-2’
set vpn ipsec site-to-site peer 12.34.56.78 ike-group FOO0
set vpn ipsec site-to-site peer 12.34.56.78 ikev2-reauth inherit
set vpn ipsec site-to-site peer 12.34.56.78 local-address 11.22.33.44
set vpn ipsec site-to-site peer 12.34.56.78 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 12.34.56.78 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 12.34.56.78 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 12.34.56.78 tunnel 1 local prefix 10.255.12.14/32
set vpn ipsec site-to-site peer 12.34.56.78 tunnel 1 remote prefix 10.255.12.13/32
Add any routes to other networks behind each end as necessary. For example, if 192.168.6.0/24 is behind the EoGRE at Site 2, you’d use this on Site 1:
set protocols static route 192.168.6.0/24 next-hop 192.168.5.2
Obviously, replace all IP addresses and pre-shared-secrets with the appropriate values.
Also, I used 10.255.12.14 and 10.255.12.13 as transport addresses. Replace those with whatever private-scoped IP addresses you wish to use for that purpose.