Thanks I followed that as well and no luck....
Can you see anything glaringly wrong?

----------------------Head Office--------------------------
ike {
    traceoptions {
        file IKE-TEST-2;
        flag all;
    }
    proposal ONEPLAN {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
    }
    policy ONEPLAN {
        mode aggressive;
        proposal ONEPLAN;
        pre-shared-key ascii-text "$9$y0/K87ZGifT3jHqfTQ9CuO1hlM8Lx"; ## SECRET-DATA
    }
    gateway ONEPLAN {
        ike-policy ONEPLAN;
        dynamic hostname openplan-srx-1.oneplan.co.za;
        dead-peer-detection;
        nat-keepalive 10;
        external-interface ge-0/0/0.0;
    }
}
ipsec {
    proposal ONEPLAN {
        protocol esp;
        authentication-algorithm hmac-md5-96;
    }
    policy ONEPLAN {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals ONEPLAN;
    }
    vpn ONEPLAN {
        ike {
            gateway ONEPLAN;
            proxy-identity {
                local 192.168.16.0/24;
                remote 192.168.1.0/24;
            }
            ipsec-policy ONEPLAN;
        }
        establish-tunnels on-traffic;
    }
}
-----------------------------------------------------------------

------------------Remote Site-----------------------------
ike {
    traceoptions {
        file ike-test;
        flag all;
    }
    proposal ipsec-ctn-jhb {
        description oneplan-jhb;
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 1800;
    }
    policy ipsec-ctn-jhb {
        mode aggressive;
        description ipsec-ctn-jhb;
        proposal ipsec-ctn-jhb;
        pre-shared-key ascii-text "$9$l0yMX-UDkTz6HqmTzFAtO1RSK8XxN"; ## SECRET-DATA
    }
    gateway ipsec-ctn-jhb {
        ike-policy ipsec-ctn-jhb;
        address zzz.zzz.zzz.zzz;
        dead-peer-detection;
        nat-keepalive 10;
        local-identity hostname openplan-srx-1.oneplan.co.za;
        external-interface pp0.1;
    }
}
ipsec {
    proposal ipsec-ctn-jhb {
        description ipsec-ctn-jhb;
        protocol esp;
        authentication-algorithm hmac-md5-96;
        lifetime-kilobytes 1500;
    }
    policy ipsec-ctn-jhb {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals ipsec-ctn-jhb;
    }
    vpn ipsec-ctn-jhb {
        bind-interface st0.0;
        ike {
            gateway ipsec-ctn-jhb;
            proxy-identity {
                local 192.168.1.0/24;
                remote 192.168.16.0/24;
            }
            ipsec-policy ipsec-ctn-jhb;
        }
        establish-tunnels immediately;
    }
}
-----------------------------------------------------------------

The error in the Head Office logs:

----------------------------------------------------------------
Feb 18 12:05:44 Not doing MM check since initiator=FALSE and exch_type=4
Feb 18 12:05:44 Unable to find ike gateway as remote peer:196.215.zzz.zzz is not recognized.
Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
Feb 18 12:05:44 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.0.0.10) p1_remote=fqdn(udp:500,[0..27]=openplan-srx-1.oneplan.co.za)
Feb 18 12:05:44 ike_isakmp_sa_reply: Start
Feb 18 12:05:44 ike_st_i_nonce: Start, nonce[0..64] = 0ecbc9f8 fc1d422a ...
Feb 18 12:05:44 ike_st_i_cert: Start
Feb 18 12:05:44 ike_st_i_hash_key: Start, no key_hash
Feb 18 12:05:44 ike_st_i_ke: Ke[0..128] = 51ad806d 497efe51 ...
Feb 18 12:05:44 ike_st_i_cr: Start
Feb 18 12:05:44 ike_st_i_private: Start
Feb 18 12:05:44 ike_st_o_sa_values: Start
Feb 18 12:05:44 10.0.0.10:500 (Responder) <-> 196.215.zzz.zzz:500 { 4b6d2059 bf8ccb39 - 0bf91a18 ab9c5e4c [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
------------------------------------------------------------

On 17 Feb 2011, at 4:41 PM, Kevin Vuong wrote:

> This should get you going in the right direction:
>
> http://forums.juniper.net/t5/SRX-Services-Gateway/Site-to-Site-Tunnel-Dynamic-Peer/td-p/33613
>
> -Kevin
>
>
>
> On Feb 17, 2011, at 8:28 AM, Mauritz Lewies wrote:
>
>> Hi
>>
>> For what ever reason I can't find documentation on this anywhere. (I'm just
>> hoping my google-foo is lacking and that it's not an unsupported feature)
>>
>> I have 2 x SRX-210's, one with a static public IP and another behind a
>> dynamic ADSL account.
>> I'm trying to get an IPSEC session established from the dynamic site to the
>> static site.
>>
>> But I can't get a combination of config options to work.
>>
>> Does anyone know how to get this done or point me in the right direction?
>>
>> Kind Regards,
>>
>> Mauritz
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

Mauritz Lewies
email: m...@three6five.com
mobile: +27 83 647 4901
Skype Phone: +27 11 08 365 02

three6five network solutions
www.three6five.com