07-15-2011 09:18 PM
I have been attempting to configure the VPN on my SRX210 using the wizard, but I can't access the /dynamic-vpn portal. I can't quite put my finger on what I'm doing wrong here, so I'm turning to the forum's expertise yet again to get this solved. My configuration is below,
thank you.
## Last changed: 2011-07-15 16:08:43 UTC
version 11.1R2.3;
system {
    host-name digi-srx-1;
    domain-name digi-pets.com;
    /* NOTE(review): this is an MD5-crypt ($1$) hash and it has been posted publicly -- treat it as crackable offline and change the root password. */
    root-authentication {
        encrypted-password "$1$KRfQ.WBe$chXFsQG643TKllPj.ciM9/";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        /* NOTE(review): telnet and xnm-clear-text carry credentials in the clear. Neither is listed in any zone's host-inbound-traffic below, so they are unreachable today, but delete them so a later zone change cannot expose them. */
        telnet;
        xnm-clear-text;
        web-management {
            management-url admin;
            /* NOTE(review): plain-HTTP J-Web; the trust and dev-zone interfaces admit http, so admin logins from those VLANs can travel unencrypted. Prefer https only. */
            http;
            /* The /dynamic-vpn portal is served by this HTTPS listener. No 'interface' statement restricts where it listens, and the certificate is self-signed, so clients will warn unless they trust it. */
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            pool 10.0.16.0/20 {
                address-range low 10.0.16.10 high 10.0.16.254;
                router {
                    10.0.16.1;
                }
                server-identifier 10.0.16.1;
            }
            /* NOTE(review): this is the same 10.0.32.0/20 range that the dynamic-VPN address pool (access address-assignment dyn-vpn-address-pool) assigns to remote clients, so VPN clients and dev VLAN hosts can receive colliding addresses. */
            pool 10.0.32.0/20 {
                address-range low 10.0.32.10 high 10.0.32.254;
                router {
                    10.0.32.1;
                }
                server-identifier 10.0.32.1;
            }
            /* Written as a host address (10.0.0.1/20) rather than the network form (10.0.0.0/20) used by the other two pools -- confirm Junos normalised it as intended. */
            pool 10.0.0.1/20 {
                address-range low 10.0.0.10 high 10.0.0.254;
                router {
                    10.0.0.1;
                }
                server-identifier 10.0.0.1;
            }
            /* Presumably propagates DHCP options learned on the WAN lease (ge-0/0/0.0) to these pools -- verify which options actually reach LAN clients. */
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        /* NOTE(review): only error-level and above is kept for CLI/J-Web commands; for a change-audit trail consider 'interactive-commands any' (or at least info). */
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* WAN uplink. The address is a DHCP lease, yet the destination NAT and proxy-arp stanzas under 'security nat' hard-code 24.78.143.203 -- they silently stop matching if the lease changes. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    /* 802.1Q trunk carrying the three routed VLANs: 16 (servers-zone), 32 (dev-zone), 100 (trust). The /20s cover 10.0.16.0-10.0.31.255, 10.0.32.0-10.0.47.255 and 10.0.0.0-10.0.15.255 respectively and do not overlap. */
    ge-0/0/1 {
        vlan-tagging;
        unit 16 {
            description Servers;
            vlan-id 16;
            family inet {
                address 10.0.16.1/20;
            }
        }
        unit 32 {
            description Dev;
            vlan-id 32;
            family inet {
                address 10.0.32.1/20;
            }
        }
        unit 100 {
            description vlan-trust;
            vlan-id 100;
            family inet {
                address 10.0.0.1/20;
            }
        }
    }
    /* NOTE(review): fe-0/0/2..7 are Layer 2 switch ports with no 'vlan members' and no 'vlans' stanza in this listing, so they presumably sit in the default VLAN with no routed interface in any security zone -- confirm that is intended. */
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
/* Spanning tree with default settings, presumably for the switched fe-0/0/2..7 ports; no per-port edge/BPDU protection is shown. */
protocols {
    stp;
}
security {
    ike {
        /* NOTE(review): aggressive mode with a pre-shared key sends the PSK-derived hash before encryption, so the PSK can be brute-forced offline from one captured exchange -- use a long random PSK. The dynamic-VPN client in this release presumably requires aggressive mode with group IKE IDs, so the mode itself may not be changeable. 'proposal-set compatible' selects legacy algorithms (DES/3DES, MD5/SHA-1, DH group 2 per Juniper's definition of the set); prefer an explicit proposal if the clients support it. The $9$ key is reversibly obfuscated, not hashed, and this listing is public: rotate it. */
        policy ike_pol_wizard_dyn_vpn {
            mode aggressive;
            proposal-set compatible;
            pre-shared-key ascii-text "$9$A6y8tu1eK8Vb2cy-VY2UD9ApuEy-dbsgox7jHk.5T";
        }
        /* Remote-access gateway: clients present a group IKE ID whose hostname part is digi-srx-1, are capped at 50 concurrent connections, and are XAuth-authenticated against remote_access_profile. Terminates on the DHCP-addressed WAN interface. */
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname digi-srx-1;
                connections-limit 50;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/0.0;
            xauth access-profile remote_access_profile;
        }
    }
    ipsec {
        /* PFS with DH group 2 (1024-bit MODP) is weak by current standards; raise it if the client supports a larger group. Same 'compatible' caveat as the IKE policy. */
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set compatible;
        }
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                /* NOTE(review): 10.0.32.0/20 is simultaneously the "protected resource" pushed to the client, the range the client's own tunnel address is drawn from (access address-assignment pool dyn-vpn-address-pool is network 10.0.32.0/20), and the dev VLAN's DHCP pool. Give the VPN pool its own prefix that no interface or DHCP pool uses, and list the LAN prefixes the client should reach here. */
                remote-protected-resources {
                    10.0.32.0/20;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    jlatta;
                }
            }
        }
    }
    screen {
        /* Basic IDS screen; bound to the untrust zone only (see zones below). */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface-based source NAT for trust and dev-zone toward untrust. Nothing is defined for servers-zone, and there is no servers-zone-to-untrust policy either, so servers cannot initiate outbound traffic -- possibly intentional, worth confirming. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dev-to-untrust {
                from zone dev-zone;
                to zone untrust;
                rule dev-source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* NOTE(review): as written these are ranges, not hosts: the /20 makes the pool cover 10.0.16.0/20 and the /22 in rule r1 matches every address in 24.78.140.0/22. For a single-host port forward both should be /32. The public address is also a DHCP lease (ge-0/0/0.0), so hard-coding it is fragile. */
            pool dnat-pool-1 {
                address 10.0.17.10/20;
            }
            rule-set dst-nat {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address 24.78.143.203/22;
                    }
                    then {
                        destination-nat pool dnat-pool-1;
                    }
                }
            }
        }
        /* NOTE(review): with a /22 the SRX answers ARP on the WAN segment for every address in the provider's 24.78.140.0/22, which can hijack neighbours' traffic. Use /32 -- and if 24.78.143.203 is the interface's own leased address, proxy-arp is not needed at all, since the interface already answers ARP for it. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    24.78.143.203/22;
                }
            }
        }
    }
    policies {
        /* Outbound from trust and dev-zone is unrestricted and unlogged; consider 'log { session-init; }' (or at least count) on these policies. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dev-zone to-zone untrust {
            policy dev-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): the names say "ssh" but 'application any' permits everything between servers-zone and dev-zone in both directions; if SSH-only is the intent use 'application junos-ssh'. */
        from-zone servers-zone to-zone dev-zone {
            policy ssh-to-dev {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dev-zone to-zone servers-zone {
            policy ssh-to-servers {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* HTTP from the Internet into servers-zone; reaches 10.0.17.10 through dnat-pool-1. Destination is 'any', so it is the NAT rule, not this policy, that scopes what is exposed. */
        from-zone untrust to-zone servers-zone {
            policy untrust-to-servers {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        /* Tunnel policy for dynamic-VPN clients: should match only traffic that arrived through wizard_dyn_vpn, but it grants those clients any application toward the whole dev-zone. */
        from-zone untrust to-zone dev-zone {
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
    }
    zones {
        /* NOTE(review): 'http' admits cleartext J-Web logins from this VLAN (and from dev-zone below); drop it once https is confirmed working. 'ssh' is enabled under system services but not admitted on any zone, so CLI access is console-only -- confirm that is deliberate. */
        security-zone trust {
            interfaces {
                ge-0/0/1.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            https;
                            http;
                        }
                    }
                }
            }
        }
        /* NOTE(review): 'tftp' has no obvious use on the WAN interface -- remove it. 'https' is required for the /dynamic-vpn portal, but the same listener serves J-Web's admin login, so that is Internet-exposed too; a firewall filter on lo0 restricting source addresses is one way to limit it. 'dhcp' and 'ike' are required (DHCP-addressed uplink, IKE termination). */
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone dev-zone {
            interfaces {
                ge-0/0/1.32 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone servers-zone {
            interfaces {
                ge-0/0/1.16 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
access {
    /* Local user store for XAuth and web-authentication. NOTE(review): $9$ is Junos's reversible obfuscation, not a hash, so this password is effectively public now that the config has been posted -- change it. */
    profile remote_access_profile {
        client jlatta {
            firewall-user {
                password "$9$E.MSv8oaUji.dbDk.Pn6SreWNd";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    /* NOTE(review): 10.0.32.0/20 is the dev VLAN itself (ge-0/0/1.32) and its DHCP pool; tunnel addresses handed out from here collide with dev hosts and with the 'remote-protected-resources' pushed to the client. Use a dedicated prefix that no interface or DHCP pool uses. */
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.0.32.0/20;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
07-16-2011 01:46 AM
At first glance, the HTTPS listener is not bound to an interface. Try adding
set system services web-management https interface <ifname>
e.g.
<ifname> = ge-0/0/0.0
Be aware that binding HTTPS to the WAN interface also exposes the J-Web admin login there alongside the /dynamic-vpn portal (your untrust zone already allows https in host-inbound-traffic). Also, the $9$ strings in the pasted config (the IKE pre-shared key and jlatta's password) are reversibly obfuscated rather than hashed, so change them now that the configuration is public.
07-17-2011 01:50 AM
I tried this, but I still can't access it. Should I normally be reaching the portal from a host on another WAN link, or from inside my network, to set it up initially? I have tried both to no avail.