This happens to be one of those double-edged swords for Juniper. I don't think there are any supported clients on the Mac OS X side of things, but incidentally the apps that do work appear not to count against your dynamic-vpn license count. VPN Tracker is my favorite...but it's not cheap.
As far as the SRX side of things goes, the following config works for me:
//Standard DVPN IKE proposal
root@SRX> show configuration security ike proposal DYNAMIC-IKE-PROPOSAL-1
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
//IKE policy that references the IKE proposal for DVPN
//Note: When setting the PSK, do not include quotes unless you want them to be part of the PSK
//Note: Aggressive mode with a pre-shared key exposes the PSK hash to offline guessing by anyone who can reach the gateway, so use a long, random PSK and rotate it if a client device is lost
root@SRX> show configuration security ike policy DYNAMIC-IKE-POLICY-1
mode aggressive;
proposals DYNAMIC-IKE-PROPOSAL-1;
pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
//IKE gateway that references the IKE policy and access-profile for DVPN
root@SRX> show configuration security ike gateway DYNAMIC-IKE-GATEWAY-1
ike-policy DYNAMIC-IKE-POLICY-1;
dynamic {
hostname yourdomain.net;
connections-limit 10;
ike-user-type shared-ike-id;
}
dead-peer-detection interval 10;
external-interface cm-1/0/0.0;
xauth access-profile DYNAMIC-ACCESS-PROFILE-1;
//Standard DVPN IPsec proposal
root@SRX> show configuration security ipsec proposal DYNAMIC-IPSEC-PROPOSAL-1
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
//IPsec policy that refers back to the IPsec proposal for DVPN
root@SRX> show configuration security ipsec policy DYNAMIC-IPSEC-POLICY-1
perfect-forward-secrecy {
keys group2;
}
proposals DYNAMIC-IPSEC-PROPOSAL-1;
//IPsec gateway that ties together the IPsec policy with the DVPN IKE gateway
root@SRX> show configuration security ipsec vpn DYNAMIC-IPSEC-VPN-1
ike {
gateway DYNAMIC-IKE-GATEWAY-1;
ipsec-policy DYNAMIC-IPSEC-POLICY-1;
}
//Define DVPN client settings as well as users and protected nets
root@SRX> show configuration security dynamic-vpn
force-upgrade;
access-profile DYNAMIC-ACCESS-PROFILE-1;
clients {
USER1 {
remote-protected-resources {
0.0.0.0/0;
}
ipsec-vpn DYNAMIC-IPSEC-VPN-1;
user {
user1;
}
}
}
//Set passwords for DVPN users as well as address-assignment for the DVPN pool
//Note: Again, watch out for the quotes when doing the password set
root@SRX> show configuration access profile DYNAMIC-ACCESS-PROFILE-1
client user1 {
firewall-user {
password "xxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
}
}
address-assignment {
pool DYNAMIC-VPN-POOL-1;
}
//This is where the DVPN address-assignment pool is configured. Keep in mind that these pools are
//known only to the SRX and will not show up in the routing table or be announced to OSPF neighbors, etc.
root@SRX> show configuration access address-assignment pool DYNAMIC-VPN-POOL-1
family inet {
network 192.168.123.0/24;
range DYNAMIC-VPN-POOL-1-RANGE-1 {
low 192.168.123.100;
high 192.168.123.200;
}
xauth-attributes {
primary-dns 8.8.8.8/32;
}
}
//This intrazone policy allows DVPN users (whose traffic arrives in UNTRUST) to reach the Internet once connected.
//Note: as written it permits any-to-any within UNTRUST; tighten source-address to the DVPN pool if you don't want other intrazone traffic hairpinning through
root@SRX> show configuration security policies from-zone UNTRUST to-zone UNTRUST
policy UNTRUST-TO-UNTRUST-POLICY-1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
//This allows the tunnel traffic in from the DVPN clients. The any/any match is acceptable here because the tunnel action
//restricts the policy to traffic arriving through DYNAMIC-IPSEC-VPN-1, not arbitrary UNTRUST traffic
root@SRX> show configuration security policies from-zone UNTRUST to-zone TRUST
policy UNTRUST-TO-TRUST-POLICY-1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn DYNAMIC-IPSEC-VPN-1;
}
}
}
}
//This will allow the DVPN users to NAT out of your Internet connection
root@SRX> show configuration security nat source rule-set UNTRUST-TO-UNTRUST
from zone UNTRUST;
to zone UNTRUST;
rule UNTRUST-TO-UNTRUST-RULE-1 {
match {
source-address 192.168.123.0/24;
}
then {
source-nat {
interface;
}
}
}
Additional notes:
Make sure the interface in the UNTRUST security-zone has "ike" enabled under host-inbound-traffic system-services, otherwise the SRX will drop the clients' IKE negotiations before they reach the gateway.
--------------------------------------------------------------------------------------------------------------------------
On VPN Tracker, I use the following:
Connection based on: Custom Device/Configuration Guide
VPN Gateway: FQDN or IPv4 address of the SRX
Network Configuration: Mode Config
Topology: Host to Everywhere
Remote Networks: All traffic runs across the VPN
Authentication: Pre-shared key
Extended Authentication (XAUTH): Always
Local Identifier: FQDN: yourdomain.net
Remote Identifier: Remote Endpoint IP Address
DNS: Use Remote DNS Server (checked)
DNS: Receive DNS Settings from VPN Gateway (checked)
Use DNS Server for: All Domains