Hey everyone. I was using the Juniper official guide to deploy a dynamic VPN on an SRX110. This is the script:

set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$SGAl87NdsJGiNdjqfQ9CO1REclKM8dwY8L"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface pp0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients all remote-protected-resources 200.200.200.40/32
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user matan
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter test source-prefix 172.16.100.0/24
set security flow traceoptions packet-filter test destination-prefix 172.16.1.254/32
set security flow traceoptions packet-filter test2 source-prefix 172.16.1.254/32
set security flow traceoptions packet-filter test2 destination-prefix 172.16.100.0/24
set security flow tcp-mss all-tcp mss 1350
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces at-1/0/0.0
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
set security zones security-zone trust address-book address loop 200.200.200.40/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.10
set security zones security-zone trust interfaces at-1/0/0.1
set access profile dyn-vpn-access-profile client matan firewall-user password "$9$OXBY1hreK8NVYuOMXxN2g"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 172.16.100.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 172.16.100.20
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

The problem is that I can connect using Pulse (Windows 7 32 bit) but can't reach the protected resource. Using traceoptions and logging, it seems that no traffic matches the client.
On the SRX I'm getting this info:

bezeq@SMB> show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm         SPI       Life:sec/kb   Mon  lsys  Port   Gateway
  <268173324  ESP:aes-128/sha1  257a7e0   3594/ 500000  -    root  54223  109.66.170.220
  >268173324  ESP:aes-128/sha1  fda75566  3594/ 500000  -    root  54223  109.66.170.220

show sec ipsec stati:
ESP Statistics:
  Encrypted bytes: 0
  Decrypted bytes: 0
  Encrypted packets: 0
  Decrypted packets: 0
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

Help will be much appreciated :):):):

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp