SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can't get to the https://ip/dynamic-vpn using 10.2 and above codes

    Posted 11-29-2010 19:31

    Hi,

     

    I am trying to set up dynamic vpn on an SRX 210H; it has the 1-user license that comes with the unit. I attached my config for review.

     

    1.  running 10.1r4

     

    I am able to get to https://192.168.1.1/dynamic-vpn and the J-web interface

     

    2.  running 10.2r3

     

    I am not able to get to the dynamic-vpn page, but I am able to get to j-web interface.

     

    The dynamic vpn license is no longer listed after I upgraded to 10.2r3.  Did I miss something?

    Attachment(s): testlab210.txt (10 KB)


  • 2.  RE: Can't get to the https://ip/dynamic-vpn using 10.2 and above codes

    Posted 11-29-2010 20:36

    Looks like you removed your management-url statement from your configuration.

     

    Try putting that back in and run a "commit full."

     

    Also make sure you've followed the directions in the technote.

     

    Hopefully something there helps fix it up.

     



  • 3.  RE: Can't get to the https://ip/dynamic-vpn using 10.2 and above codes

    Posted 11-29-2010 21:23

    I added the management url command as suggested and committed full,

     

    root@SRX210# show system services
    ssh;
    web-management {
        traceoptions {
            flag all;
        }
        management-url mgmt;
        https {
            system-generated-certificate;
            interface [ ge-0/0/1.0 vlan.0 ];
        }
        session {
            session-limit 4;
        }

     

    https://192.168.1.1/mgmt works, no luck on https://192.168.1.1/dynamic-ip

     

    I tested in 10.1r4, I am able to bring up the dynamic vpn webpage.

     

    Ernest

     



  • 4.  RE: Can't get to the https://ip/dynamic-vpn using 10.2 and above codes
    Best Answer

    Posted 11-30-2010 11:39

    Do you have dynamic vpn configured completely like the dynamic vpn getting started document? Do you have any users with the interface that you are trying to connect to specified as the external-interface?

     

    (security ike gateway <name> external-interface <interface>)

     

    Do the following to see what interfaces dynamic vpn is available on:

    start shell

    cat /var/jail/etc/httpd.conf

     

    Look for a line that says IKEGatewayInterfaces <interfaces>

    If the interface that you are trying to connect to is not there, dynamic vpn should not be available on that interface in 10.2 and later releases.
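
The check described in the answer above, as an added shell example that is not part of the original thread or of Juniper's tooling: it reads the IKEGatewayInterfaces line from an httpd.conf and reports whether dynamic VPN is bound to a given interface. The function names, the sample file contents, the ge-0/0/0.0 interface, and the assumption that the value is a space- or comma-separated list are illustrative.

```shell
#!/bin/sh
# Added example: report where the dynamic-vpn page is served, based on the
# IKEGatewayInterfaces line of /var/jail/etc/httpd.conf.
# Assumption: the value is a space- or comma-separated interface list.

# Print each interface named on IKEGatewayInterfaces lines, one per line.
# Commented-out lines are skipped because their first field is not the keyword.
ike_gateway_interfaces() {
    awk '$1 == "IKEGatewayInterfaces" {
             for (i = 2; i <= NF; i++) {
                 n = split($i, parts, ",")
                 for (j = 1; j <= n; j++) if (parts[j] != "") print parts[j]
             }
         }' "$1"
}

# Return 0 if dynamic VPN is bound to interface $2 in file $1, 1 if it is not,
# and 2 if the directive is missing or empty (not bound to any interface).
dynvpn_status() {
    list=$(ike_gateway_interfaces "$1")
    [ -n "$list" ] || return 2
    # -F and -x: interface names contain dots, so match them literally and whole.
    if printf '%s\n' "$list" | grep -Fqx -- "$2"; then return 0; fi
    return 1
}

# Constructed sample, not copied from a device. ge-0/0/0.0 stands in for the
# IKE gateway external-interface; the other two are the https interfaces
# shown in the configuration earlier in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample httpd.conf fragment
# IKEGatewayInterfaces vlan.0
IKEGatewayInterfaces ge-0/0/0.0
EOF

for ifc in ge-0/0/0.0 ge-0/0/1.0 vlan.0; do
    if dynvpn_status "$sample" "$ifc"; then
        echo "$ifc: dynamic-vpn page served"
    else
        echo "$ifc: dynamic-vpn page not served (10.2 and later)"
    fi
done
```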



  • 5.  RE: Can't get to the https://ip/dynamic-vpn using 10.2 and above codes

    Posted 11-30-2010 18:07

     


    @BenR wrote:

    Do you have dynamic vpn configured completely like the dynamic vpn getting started document? Do you have any users with the interface that you are trying to connect to specified as the external-interface?

     

    (security ike gateway <name> external-interface <interface>)

     

    Do the following to see what interfaces dynamic vpn is available on:

    start shell

    cat /var/jail/etc/httpd.conf

     

    Look for a line that says IKEGatewayInterfaces <interfaces>

    If the interface that you are trying to connect to is not there, dynamic vpn should not be available on that interface in 10.2 and later releases.


     

    Benr,

     

    I checked, the config looks right.  When I test from the trust zone (NAT behind the SRX) to the untrust interface ip address, I am not able to https to it.  But if I test from another ip address, then it will work.

     

    Thanks,

     

    Ernest

     



  • 6.  RE: Can't get to the https://ip/dynamic-vpn using 10.2 and above codes

    Posted 11-30-2010 20:09

     


    @rotearc wrote:

     

    I checked, the config looks right.  When I test from the trust zone (NAT behind the SRX) to the untrust interface ip address, I am not able to https to it.  But if I test from another ip address, then it will work.


     

    Your untrust interface doesn't have https enabled as a system service.  Your previous posts said you were trying to access via the IP 192.168.1.1 -- that's not the IP on your untrust interface.

     

    Could you clarify?



  • 7.  RE: Can't get to the https://ip/dynamic-vpn using 10.2 and above codes

    Posted 12-01-2010 18:03

    Keithr,

     

    My bad, I was going to open up to the untrust interface but I was testing it via the trusted interface first.  But running 10.1r4, I was able to go to both 192.168.1.1 and the untrust interface ip address.  After upgrading to 10.3r2, I can't log in via 192.168.1.1 to the dynamic vpn page anymore.