SRX

I configured 2 sites with an SRX100 connected with a routed based ipsec.

Now I configured dynamic VPN on site 1 which works perfectly to site 1  resources.
However, I would like to be able to route to the second site as well from the dynamic VPN. 

I configured the remote-protected-resources with the site 2 prefix and this seems to push the route to the Pulse client.

Do I need extra policies or just insure that my policies to my vpn zones allow the vpn address pool? (source match any, destination match any)?
Is my route based VPN SA with just the 2 remote lans as proxy ids blocking the traffic from my dynamic vpn address pool outside of the SA prefixes?

Yes you need to create an extra policy to allow the traffic from the dyn-vpn towards the routed -vpn.

You also need to set a route back from the remote vpn site over the routed vpn towards the site where the dyn-vpn is terminating.

Policies needs to be places on all the zones where the dyn-vpn ip-allocation will have access to

See the KB below: Read part 3. from the kb It gives you some hands howto setup the policies on the dyn-vpn side to allow traffic to differtent zones.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23954&smlogin=true

Hi MarcTB

It seems I didnt need an extra policy from dynamic to the remote site. 
Just on policy to the first zone from Untrust to Trust  permit tunnel ipsec-vpn ...
The policy that is already in place for the site to site just needs to be updated to allow traffic from the dynamic vpn address pool and back.

The only thing I had missing was the route  to send the traffic back from the second site to my first. 
Your answer was usefull and I will mark it as such.
Thanks!

Hi,

glad I could help you with my answer! Nice to see that you have fixed your little problem 🙂