The solution was adding a static route to the routers.
My pings were reaching the other networks but could not find a return path.
Example below for two SRX devices prior to the solution:
SRX-A hosts
- IP block 192.168.5.0/24
- Has static routes for Internet, Amazon, and SRX-B internal network
- Assigns 192.168.10.0/24 to dynamic-vpn
# show routing-options
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.6.0/24 next-hop st0.3;
}
SRX-B hosts
- IP block 192.168.6.0/24
- Has static routes for Internet, Amazon, and SRX-B internal network
- Assigns 192.168.20.0/24 to dynamic-vpn
# show routing-options
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.5.0/24 next-hop st0.3;
}
In the above example, dynamic VPN traffic could reach the other networks but there was no return path. SRX-A had no idea how to send traffic to 192.168.20.0.
Below is the solution:
SRX-A hosts
# show routing-options
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.6.0/24 next-hop st0.3;     <-- this is the route to SRX-B
    route 192.168.20.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-B
}
SRX-B hosts
# show routing-options
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 173.161.47.xxx;
    route 192.168.5.0/24 next-hop st0.3;     <-- this is the route to SRX-A
    route 192.168.10.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-A
}
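As an added illustration (my own code, not part of the original post), the Python below models the before and after route tables from the post with a longest-prefix match and checks both directions of a dynamic-vpn client's flow. The next-hop labels "ISP" (for the redacted 173.161.47.xxx) and "st0.1/st0.2" are my own placeholders; the connected LAN and dynamic-vpn pool prefixes are assumed to be reachable on each SRX without a static route.

```python
import ipaddress

# Tables reconstructed from the post's "show routing-options" output.
# Next-hop labels are placeholders: "ISP" stands for the redacted
# 173.161.47.xxx default gateway, "st0.1/st0.2" for the Amazon tunnel pair.
SRX_A_STATIC_BEFORE = {
    "10.0.0.0/16": "st0.1/st0.2", "0.0.0.0/0": "ISP", "192.168.6.0/24": "st0.3",
}
SRX_B_STATIC_BEFORE = {
    "10.0.0.0/16": "st0.1/st0.2", "0.0.0.0/0": "ISP", "192.168.5.0/24": "st0.3",
}
# The fix from the post: each side also routes the other side's dynamic-vpn pool over st0.3.
SRX_A_STATIC_AFTER = {**SRX_A_STATIC_BEFORE, "192.168.20.0/24": "st0.3"}
SRX_B_STATIC_AFTER = {**SRX_B_STATIC_BEFORE, "192.168.10.0/24": "st0.3"}

# Assumed locally reachable prefixes: each SRX's own LAN and its own dynamic-vpn pool.
SRX_A_LOCAL = {"192.168.5.0/24": "LAN", "192.168.10.0/24": "dynamic-vpn"}
SRX_B_LOCAL = {"192.168.6.0/24": "LAN", "192.168.20.0/24": "dynamic-vpn"}

def lookup(addr, local, static):
    """Longest-prefix match over local and static routes; returns (prefix, next_hop)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, nh in {**local, **static}.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return str(best[0]), best[1]

def vpn_client_path(client, server, client_side, server_side, tunnel="st0.3"):
    """Check a dynamic-vpn client on one SRX talking to a host behind the other.

    client_side / server_side are (local, static) tuples. Forward: the client's SRX must
    send the packet over the site-to-site tunnel. Return: the server's SRX must send the
    reply back over the same tunnel rather than falling through to the ISP default route.
    """
    fwd_prefix, fwd_nh = lookup(server, *client_side)
    ret_prefix, ret_nh = lookup(client, *server_side)
    return {"forward": (fwd_prefix, fwd_nh), "return": (ret_prefix, ret_nh),
            "ok": fwd_nh == tunnel and ret_nh == tunnel}

if __name__ == "__main__":
    # Client 192.168.20.7 from SRX-B's pool reaching host 192.168.5.10 behind SRX-A.
    for label, a, b in (("before", SRX_A_STATIC_BEFORE, SRX_B_STATIC_BEFORE),
                        ("after", SRX_A_STATIC_AFTER, SRX_B_STATIC_AFTER)):
        print(label, vpn_client_path("192.168.20.7", "192.168.5.10",
                                     (SRX_B_LOCAL, b), (SRX_A_LOCAL, a)))
```

Before the fix the return lookup on SRX-A matches only 0.0.0.0/0, so the reply is sent to the ISP and the ping never comes back; after the fix it matches 192.168.20.0/24 via st0.3.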