Hi,
It seems there are some real problems using the example given and what the SRX expects...
I am trying to overcome the "Commit" errors that occur because of differing configuration commands and cannot get a working version from the example given. For local authentication I need to use "Pre-Shared-Keys" as no certificate is being generated (unless there is a way I can achieve that locally on the SRX - all examples I can find use a Server somewhere). Unfortunately, this means that I can only use Version 1 and, of course, it won't let me; it tells me I have to use Version 2... it appears NCP requires version 2.
How can I get around this issue please?
This is what I have configured so far:
1: Configured Dynamic users and IP address pool:
set access profile dynamic-xauth client John firewall-user password <password>
set access profile dynamic-xauth client Dave firewall-user password <password>
set access profile dynamic-xauth client Chris firewall-user password <password>
set access profile dynamic-xauth client Daniel firewall-user password <password>
set access profile dynamic-xauth address-assignment pool dynamic-vpn-pool
set access address-assignment pool dynamic-vpn-pool family inet network 192.168.1.0/24
set access address-assignment pool dynamic-vpn-pool family inet xauth-attributes primary-dns 100.100.100.10/32
set access firewall-authentication web-authentication default-profile dynamic-xauth
2: Configured IKE Proposal:
user@THW-CORE-01# set security tcp-encap profile NCP
[edit security ike proposal nguser]
user@HEX-SRX-02# set authentication-method pre-shared-keys
user@THW-CORE-01# set authentication-method rsa-signatures
user@THW-CORE-01# set dh-group group19
user@THW-CORE-01# set encryption-algorithm aes-256-gcm
[edit security ike policy ngikepolicy]
set proposals ngvpnuser
set pre-shared-key ascii-text testing123
[edit security ike gateway ngikepolicy]
set ike-policy ngikepolicy
set dynamic hostname ninegroup.co.uk
set dynamic ike-user-type shared-ike-id
set aaa access-profile dynamic-xauth
set external-interface ae2
set tcp-encap-profile NCP
3: Configured IPsec proposal:
[edit security ipsec proposal ngipsecproposal]
set protocol esp
set encryption-algorithm aes-256-gcm
[edit security ipsec policy RemoteAccess]
set perfect-forward-secrecy keys group19
set proposals ngipsecproposal