03-15-2010 02:33 PM
Does anyone have working configuration for such scenario ?
SSG end does work with Netscreen/ISG/SSG with no problem, but SRX240 fails to recognize SSG with message:
Mar 15 17:26:10 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=srx.ip.addr.ess) p1_remote=ipv4(udp:500,[0..3]=ssg.ip.addr.ess)
ipsec VPN configuration of SRX end is this:
router# show configuration security ike
policy ike_ER1 {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "secret"; ## SECRET-DATA
}
gateway ike_ER1 {
    ike-policy ike_ER1;
    dynamic user-at-hostname "junos@test";
    external-interface ge-0/0/10.0;
}
router# show configuration security ipsec
policy std_vpn_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}
vpn vpn1 {
    bind-interface st0.0;
    vpn-monitor {
        source-interface st0.0;
        destination-ip 10.x.x.x;
    }
    ike {
        gateway ike_ER1;
        ipsec-policy std_vpn_policy;
    }
}
Does anyone know what is wrong with it?
Is there any magical statement missing?
Again, I've no problem configuring VPN in the following configurations:
SSG (static IP) to SRX (static IP) in main and in aggressive modes
SRX (dynamic IP) to SSG (static IP) in aggressive mode (specifying 'local-identity' in gateway).
What doesn't work is the connection from SSG to SRX.
Thanks in advance,
/zas
03-16-2010 06:20 AM
Hi Zas,
Can you provide the SSG config? This is working fine for me.
Did you try to use FQDN instead of email? Also note that the "standard" proposal-set on the SRX and SSG is not the same (will be changed on the SRX side in the next releases); it is better to use a custom proposal matching on both sides.
Regards,
Igor
03-16-2010 06:37 AM
I look stupid now...
Everything works; the statement local-id "junos@test" was missing in the gateway setup on the SSG end. Sorry for bringing attention.
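Added example, not a configuration posted by anyone in this thread: the SSG-dynamic / SRX-static case with the two fixes the thread arrives at, an SSG local-id equal to the SRX user-at-hostname, and a custom Phase 1 / Phase 2 proposal pair defined identically on both sides instead of the "standard" proposal-set. Proposal names, algorithms and lifetimes are assumptions; y.y.y.y, the pre-shared key and the identity are placeholders.

```text
## SRX (Junos) side: static peer, responder for the dynamic SSG.
## Custom proposals replace proposal-set standard; names and values are assumptions.
security {
    ike {
        proposal ike-aes128-sha1-g2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy ike_ER1 {
            mode aggressive;
            proposals ike-aes128-sha1-g2;
            pre-shared-key ascii-text "PLACEHOLDER_PSK";
        }
        gateway ike_ER1 {
            ike-policy ike_ER1;
            dynamic user-at-hostname "junos@test";   # must equal the SSG local-id below
            external-interface ge-0/0/10.0;
        }
    }
    ipsec {
        proposal esp-aes128-sha1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy std_vpn_policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-aes128-sha1;
        }
    }
}

## SSG (ScreenOS) side: dynamic address, initiator in aggressive mode.
## ScreenOS has no comment syntax; lines starting with ## are annotations, not commands.
set ike p1-proposal "p1-aes128-sha1-g2" preshare group2 esp aes128 sha-1 second 28800
set ike p2-proposal "p2-g2-aes128-sha1" group2 esp aes128 sha-1 second 3600
set ike gateway "to-srx" address y.y.y.y Aggr local-id "junos@test" outgoing-interface "ethernet2" preshare "PLACEHOLDER_PSK" proposal "p1-aes128-sha1-g2"
set vpn "to-srx" gateway "to-srx" no-replay tunnel idletime 0 proposal "p2-g2-aes128-sha1"
set vpn "to-srx" bind interface tunnel.11
```

With the proposals pinned explicitly, a Phase 1 failure on the SRX points at the identity or key rather than at a silently differing default algorithm set.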
03-22-2010 12:24 PM
Can you provide me the config? I'm trying to configure the same scenario with ScreenOS version 5.4 r06 but it doesn't work for me! (SRX static IP and SSG dynamic IP address)
03-22-2010 01:14 PM
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/10.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
security {
    ike {
        policy ike_ER1-TOR_e2_via_ge-0-0-10-0 {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "rrr"; ## SECRET-DATA
        }
        gateway ike_ER1-TOR_e2_via_ge-0-0-10-0 {
            ike-policy ike_ER1-TOR_e2_via_ge-0-0-10-0;
            dynamic user-at-hostname "screenos@localid";
            external-interface ge-0/0/10.0;
        }
    }
}
security {
    ipsec {
        policy std_vpn_policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn ER1-TOR_e2_via_ge-0-0-10-0 {
            bind-interface st0.0;
            vpn-monitor {
                source-interface st0.0;
                destination-ip x.x.x.x; # x.x.x.x is the IP on the ScreenOS tunnel interface
            }
            ike {
                gateway ike_ER1-TOR_e2_via_ge-0-0-10-0;
                ipsec-policy std_vpn_policy;
            }
        }
    }
}
It should be enough to configure the SRX end.
03-22-2010 03:07 PM
I have exactly the same; the only difference is that I block the ping traffic on my external interface (untrust), but I permit IKE.
I don't have the vpn monitor either. Can you share your SSG configuration? I'm having this error on the SSG (after a long time without any IKE message in the events log):
Retransmission limit has been reached.
I appreciate your help.
03-23-2010 06:08 AM
SSG side is this:
set interface "tunnel.11" zone "Untrust"
set interface tunnel.11 ip x.x.x.x/16
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" address y.y.y.y Aggr local-id "screenos@localid" outgoing-interface "ethernet2" preshare "rrr" sec-level standard
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal udp-checksum
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal keepalive-frequency 5
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" heartbeat hello 15
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" heartbeat reconnect 60
set vpn "ER2-TOR_ge-0-0-10-0_via_e2" gateway "ER2-TOR_ge-0-0-10-0_via_e2" no-replay tunnel idletime 0 sec-level standard
set vpn "ER2-TOR_ge-0-0-10-0_via_e2" monitor rekey
set vpn "ER2-TOR_ge-0-0-10-0_via_e2" bind interface tunnel.11
And you should be able to make your routing across the tunnel.
03-23-2010 06:46 AM
Which firmware does your SSG have? I have an SSG5 with 5.4r06; I have the same configuration without the NAT-T configuration.
I suppose that the tunnel should come up before configuring any routes.
Regards
07-10-2012 09:41 PM - edited 07-10-2012 09:47 PM
Hey ppl,
I am doing the same configuration. In my case, I have SRX at one end, which is set as static, and SSG on the other end, which is set as dynamic. I have configured all of it, but in SSG I get this error message saying "Retransmission limit has been reached". I have configured user-at-hostname in SRX, and in SSG as local ID under the advanced option in the gateway option.
When doing a similar config with SRX being dynamic and SSG being static, the VPN is up and running; it just works. Here is the link to the configuration: http://www.mustbegeek.com/juniper/configure-dynami
But when doing the exact opposite, with SRX set to static and SSG as dynamic, the error message mentioned earlier appears.
HELP!!!!