SRX Services Gateway
SRX Services Gateway

Cannot get VPN access to work

‎11-04-2017 02:39 PM



I am new to juniper and i cannot get any type of VPN actually connect.  I can get to where it accepts the authentication but then it fails.  I either get a tunnels not established or network error message.  Basically trying to get an outside vendor access to our voice gateway.


Below is my config.  Needs some cleaning up.  Any tips?  Also, the config wizards on the GUI did not work either.


policy CityNet {
mode aggressive;
description CityNet;
proposals PDIPROKMP;


gateway gw_CityNet {
ike-policy CityNet;
dynamic {
hostname OFFICE;
connections-limit 2;
ike-user-type group-ike-id;

external-interface ge-0/0/0.0;
xauth {

profile remote_access_profile;


policy CityNet {
description CityNet;
perfect-forward-secrecy {
keys group5;
proposals PDIPRO;


vpn CityNet {
ike {
gateway gw_CityNet;
ipsec-policy CityNet;
establish-tunnels immediately;


policy CityNet {
match {
source-address any;
destination-address any;
application any;
then {
permit {
tunnel {
ipsec-vpn CityNet;


interfaces {
ge-0/0/0 {
unit 0 {
family inet {


access {
profile remote_access_profile {
authentication-order password;
client citynet {
firewall-user {
password "$9$ErHyrKMWL-b2-VjkPfzFylKMxN"; ## SECRET-DATA

SRX Services Gateway

Re: Cannot get VPN access to work

‎11-04-2017 11:04 PM

Your config is not complete any how you may try following troubleshooting steps.


1. Are you able to access your - https://<firewall-ip>/dynamic-vpn

2. if yes, then go to step B.

3. If no, then check the host-inbound services on your internet facing zones. It should have ping, https and ike allowed.

4. Still if you are not able to open up the web page, pl check your ike and IPSec configuration.


Follow the kb. -


B. If you are able to access your web page from above url, are you able to login with the username and password you have configured in your profiles? And download the client profile from SRX.

5.If yes then  go to step C.

6. If not then, check your configuration of authencation profile and Firewall users.

7. When you are logging in, are you able to view the user in run show security dynamic-vpn users?


C. You check for the access whether the desired resources are accessible. if not then check protected resources configuration in VPN.


At last if nothing works then you will have to enable trace-options to view whether the request is htting the SRX or not and from there on you may troubleshoot.


Accept this as solution if it resolved your issue.
Kudos would be appreciated too.