I have a strange issue (to me at least!). Hopefully someone will find something obvious to point out.
I first configured a dynamic vpn with the address pool in the same subnet as the trust interface. I am able to connect and access all hosts within the protected-resources list. However, I'm not able to ping the trust interface address.
I then configured the address pool with a different subnet (20.20.20.0/24 low .20 high .30) and was able to ping the trust interface address and still ping the protected-resources hosts. However, the SRX did not have a route for 20.20.20.0/24 so any traffic initiated from the trust subnet got routed out the default route instead of to the VPN user.
Any ideas? I'm running JunOS 12.1R2.9.
Thank you!!!
set interfaces fe-0/0/0 fastether-options redundant-parent reth1
set interfaces fe-0/0/1 fastether-options redundant-parent reth0
set interfaces fe-0/0/2 fastether-options redundant-parent reth2
set interfaces fe-1/0/0 fastether-options redundant-parent reth1
set interfaces fe-1/0/1 fastether-options redundant-parent reth0
set interfaces fe-1/0/2 fastether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces fe-0/0/5
set interfaces fab1 fabric-options member-interfaces fe-1/0/5
set interfaces lo0 unit 0 family inet address 100.100.100.2/32
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.0.0.20/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.2.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.100.1/24
set access profile vpn-users client mike firewall-user password "$9$/y75Au1Srv7-wRh-wYgUD9Ap0RhylK8xN"
set access profile vpn-users address-assignment pool vpn-pool
set access address-assignment pool vpn-pool family inet network 192.168.2.0/24
set access address-assignment pool vpn-pool family inet range range1 low 192.168.2.20
set access address-assignment pool vpn-pool family inet range range1 high 192.168.2.30
set access address-assignment pool vpn-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile vpn-users
set security ike policy dyn-vpn mode aggressive
set security ike policy dyn-vpn proposal-set standard
set security ike policy dyn-vpn pre-shared-key ascii-text "$9$jqkmT69pRhrz3hrev7Nik.Pz3/CtOIE"
set security ike gateway dyn-vpn-gw ike-policy dyn-vpn
set security ike gateway dyn-vpn-gw dynamic hostname netzolt.com
set security ike gateway dyn-vpn-gw dynamic connections-limit 2
set security ike gateway dyn-vpn-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-gw external-interface reth0.0
set security ike gateway dyn-vpn-gw xauth access-profile vpn-users
set security ipsec policy dyn-vpn-pol proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dyn-vpn-pol
set security dynamic-vpn access-profile vpn-users
set security dynamic-vpn clients allusers remote-protected-resources 192.168.100.0/24
set security dynamic-vpn clients allusers remote-protected-resources 192.168.2.0/24
set security dynamic-vpn clients allusers remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients allusers ipsec-vpn dyn-vpn
set security dynamic-vpn clients allusers user mike
set security nat proxy-arp interface reth1.0 address 192.168.2.20/32 to 192.168.2.30/32
set security policies from-zone untrust to-zone trust policy vpn-ingress match source-address any
set security policies from-zone untrust to-zone trust policy vpn-ingress match destination-address any
set security policies from-zone untrust to-zone trust policy vpn-ingress match application any
set security policies from-zone untrust to-zone trust policy vpn-ingress then permit tunnel ipsec-vpn dyn-vpn
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces reth1.0
set security zones security-zone trust interfaces reth2.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces reth0.0
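As an added consistency check (example code, not from the original post or from Juniper), the script below parses set-style statements like the ones above and reports, for each address-assignment pool, whether the pool lies inside a trust interface subnet (so the proxy-arp range must cover the whole low..high range) or is a separate subnet with no non-default static route, which is the situation described in the second attempt. The regular expressions assume exactly the command forms shown in the post; the sample config is a constructed excerpt of it.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: only the statements that decide how
# traffic from the trust side reaches a dynamic-VPN pool address.
SAMPLE_CONFIG = """
set interfaces reth1 unit 0 family inet address 192.168.2.1/24
set interfaces reth2 unit 0 family inet address 192.168.100.1/24
set access address-assignment pool vpn-pool family inet network 192.168.2.0/24
set access address-assignment pool vpn-pool family inet range range1 low 192.168.2.20
set access address-assignment pool vpn-pool family inet range range1 high 192.168.2.30
set security nat proxy-arp interface reth1.0 address 192.168.2.20/32 to 192.168.2.30/32
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_NET_RE = re.compile(r"^set access address-assignment pool (\S+) family inet network (\S+)$")
POOL_RNG_RE = re.compile(r"^set access address-assignment pool (\S+) family inet range \S+ (low|high) (\S+)$")
PROXY_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+) to (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) ")

def check_pool_reachability(config_text):
    """Return {pool_name: verdict} describing how the SRX can reach each pool."""
    ifaces, pools, rng, proxy, routes = {}, {}, {}, {}, []
    for line in (l.strip() for l in config_text.strip().splitlines()):
        if m := IFACE_RE.match(line):          # interface subnets (on-link networks)
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).network
        elif m := POOL_NET_RE.match(line):     # pool network
            pools[m[1]] = ipaddress.ip_network(m[2])
        elif m := POOL_RNG_RE.match(line):     # pool low/high bounds
            rng.setdefault(m[1], {})[m[2]] = ipaddress.ip_address(m[3])
        elif m := PROXY_RE.match(line):        # proxy-arp range per interface
            proxy[m[1]] = (ipaddress.ip_interface(m[2]).ip, ipaddress.ip_interface(m[3]).ip)
        elif m := ROUTE_RE.match(line):        # static routes
            routes.append(ipaddress.ip_network(m[1]))
    verdicts = {}
    for name, net in pools.items():
        low = rng.get(name, {}).get("low", net[0])
        high = rng.get(name, {}).get("high", net[-1])
        on_link = [i for i, n in ifaces.items() if net.subnet_of(n)]
        if on_link:
            # Pool overlaps a LAN: hosts ARP for client addresses, so the SRX must answer for all of low..high.
            ok = any(i in proxy and proxy[i][0] <= low <= high <= proxy[i][1] for i in on_link)
            verdicts[name] = "on-link, proxy-arp covers range" if ok else "on-link, proxy-arp missing or too narrow"
        else:
            # Pool is its own subnet: without a non-default route, trust-initiated traffic follows the default route.
            routed = any(r.prefixlen > 0 and low in r and high in r for r in routes)
            verdicts[name] = "off-link, static route present" if routed else "off-link, no route (falls to default)"
    return verdicts

if __name__ == "__main__":
    for pool, verdict in check_pool_reachability(SAMPLE_CONFIG).items():
        print(pool, "->", verdict)
```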