Good morning dudes!
So I currently have an SRX 220h at home and wanted to set up dynamic VPN so I can connect to my home network remotely. I have a successful site-to-site VPN tunnel set up (not peering with another SRX, if that changes anything), no issues there.
Now I set up the dynamic VPN via the GUI Wizard, and the client just hangs at "connecting". Below are some logs from when I attempt to connect. Nothing is yelling foul (that I can tell):
Messages Log
Oct 2 13:28:57 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_INVALID: token 96393c4bd82418cfa8335967bbc5bf0f is invalid
Oct 2 13:29:11 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_LICENSE_CHECK_OK: Dynamic VPN license check succeed for user test
Oct 2 13:29:11 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_OK: user test with remote IP 10.200.21.137 authenticated successfully.
Oct 2 13:29:11 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_OK: user test with remote IP 10.200.21.137 authenticated successfully.
IKE Debug Log is empty 😞
It looks like this isn't starting the IKE process, and I can't seem to locate any logs in the PULSE client to point to an issue.
Here are the configs for it:
scline@sc-srx220h-fw1> show configuration security ike
traceoptions {
    file ike.log;
    flag all;
}
policy ike_pol_wizard_dyn_vpn {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text; ## SECRET-DATA
}
gateway gw_wizard_dyn_vpn {
    ike-policy ike_pol_wizard_dyn_vpn;
    dynamic {
        hostname *******.net;
        connections-limit 50;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/0.0;
    xauth access-profile remote_access_profile;
}
scline@sc-srx220h-fw1> show configuration security ipsec
policy ipsec_pol_wizard_dyn_vpn {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set compatible;
}
vpn wizard_dyn_vpn {
    ike {
        gateway gw_wizard_dyn_vpn;
        ipsec-policy ipsec_pol_wizard_dyn_vpn;
    }
}
scline@sc-srx220h-fw1> show configuration security dynamic-vpn
access-profile remote_access_profile;
clients {
    wizard-dyn-group {
        remote-protected-resources {
            192.168.200.0/22;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn wizard_dyn_vpn;
        user {
            test;
        }
    }
}
scline@sc-srx220h-fw1> show configuration access
profile remote_access_profile {
    client test {
        firewall-user {
            password; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 192.168.200.32/28;
            xauth-attributes {
                primary-dns 8.8.8.8/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile remote_access_profile;
    }
}
Show commands (the entry listed is from the site-to-site tunnel)
scline@sc-srx220h-fw1> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
2710137 UP 5bc3f18d09a599c1 c92deb06b8dea1eb Main xxx.xxx.xxx.xxx
Thanks in advance for looking at this (^_^)
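
The comparison made in the post (portal authentication succeeds in the messages log while the IKE trace stays empty), as an added example that is not part of the original post. It parses the httpd-gk lines quoted above and lists portal logins with no matching activity in the IKE trace; the function names are hypothetical, and it assumes a trace line for a negotiation would contain the client's IPv4 address.

```python
import re

# Sample input: the four httpd-gk lines quoted in the post.
MESSAGES = """\
Oct 2 13:28:57 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_INVALID: token 96393c4bd82418cfa8335967bbc5bf0f is invalid
Oct 2 13:29:11 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_LICENSE_CHECK_OK: Dynamic VPN license check succeed for user test
Oct 2 13:29:11 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_OK: user test with remote IP 10.200.21.137 authenticated successfully.
Oct 2 13:29:11 sc-srx220h-fw1 httpd-gk: DYNAMIC_VPN_AUTH_OK: user test with remote IP 10.200.21.137 authenticated successfully.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+httpd-gk:\s+"
    r"(?P<event>DYNAMIC_VPN_\w+):\s+(?P<detail>.*)$")
AUTH_OK = re.compile(r"user (?P<user>\S+) with remote IP (?P<ip>\S+) authenticated")


def parse_events(text):
    """Return one dict per httpd-gk DYNAMIC_VPN_* line; other lines are skipped."""
    matches = (LINE.match(raw.strip()) for raw in text.splitlines())
    return [m.groupdict() for m in matches if m]


def portal_logins(events):
    """Unique (user, ip, timestamp) for each DYNAMIC_VPN_AUTH_OK, in log order."""
    out = []
    for ev in events:
        if ev["event"] != "DYNAMIC_VPN_AUTH_OK":
            continue
        m = AUTH_OK.search(ev["detail"])
        if m and (m["user"], m["ip"], ev["ts"]) not in out:
            out.append((m["user"], m["ip"], ev["ts"]))
    return out


def logins_without_ike(messages, ike_trace):
    """Portal logins whose client IP never appears in the IKE trace text.

    Assumption: a trace line for a negotiation contains the peer's IPv4 address.
    """
    stalled = []
    for user, ip, ts in portal_logins(parse_events(messages)):
        # Guards keep the IP from matching inside a longer one (110.200.21.137).
        if not re.search(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)", ike_trace):
            stalled.append((user, ip, ts))
    return stalled


if __name__ == "__main__":
    for user, ip, ts in logins_without_ike(MESSAGES, ike_trace=""):
        print(f"{ts}: {user}@{ip} passed portal auth, no IKE activity in trace")
```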