Hi,
Because we are configuring an SRX1500 for IPsec VPN, we are using the NCP client.
We have a situation where the client connects, but in a strange way (FQDN Username does not equal XAUTH username but still connects)... So, one would assume that we should be able to ping the devices at the far end, but this does not appear to be happening. Firstly, here is the connectivity:
Laptop at desk (192.169.70.61) --> Netopstest-VR (SRX) --> Customer-VR (197.95.0.33 - SRX)
So the tunnel endpoint is the 197.95.0.33 address.
Configuration of phase 1 and phase 2 as follows:
set security ike traceoptions file iketrace
set security ike traceoptions flag all
set security ike proposal ngikeproposal-1 authentication-method pre-shared-keys
set security ike proposal ngikeproposal-1 dh-group group2
set security ike proposal ngikeproposal-1 authentication-algorithm sha1
set security ike proposal ngikeproposal-1 encryption-algorithm aes-192-cbc
set security ike proposal ngikeproposal-1 lifetime-seconds 300
set security ike policy ngikepolicy-1 mode aggressive
set security ike policy ngikepolicy-1 proposals ngikeproposal-1
set security ike policy ngikepolicy-1 pre-shared-key ascii-text "$9$NO-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"
set security ike gateway ng-remote-vpn-1 ike-policy ngikepolicy-1
set security ike gateway ng-remote-vpn-1 dynamic user-at-hostname "steve@ninegroup.co.uk"
set security ike gateway ng-remote-vpn-1 dynamic connections-limit 2
set security ike gateway ng-remote-vpn-1 dynamic ike-user-type shared-ike-id
set security ike gateway ng-remote-vpn-1 external-interface ae2
set security ike gateway ng-remote-vpn-1 aaa access-profile ng-vpnuser
set security ipsec traceoptions flag all
set security ipsec proposal ng-ipsec-proposal-1 protocol esp
set security ipsec proposal ng-ipsec-proposal-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ng-ipsec-proposal-1 encryption-algorithm aes-128-cbc
set security ipsec policy ng-ipsec-policy-1 perfect-forward-secrecy keys group2
set security ipsec policy ng-ipsec-policy-1 proposals ng-ipsec-proposal-1
set security ipsec vpn ng-remote-vpn-1 bind-interface st0.0
set security ipsec vpn ng-remote-vpn-1 ike gateway ng-remote-vpn-1
set security ipsec vpn ng-remote-vpn-1 ike ipsec-policy ng-ipsec-policy-1
set security ipsec vpn ng-remote-vpn-1 traffic-selector NO-SPLIT local-ip 0.0.0.0/0
set security ipsec vpn ng-remote-vpn-1 traffic-selector NO-SPLIT remote-ip 0.0.0.0/0
So, when I complete the following command I get:
run show security ike security-associations detail:
Phase 2 negotiations in progress: 1
Yet I can ping him from any VR on the SRX through the st0 interface, but he cannot ping anything from his client.
Also, when I log on, my colleague gets logged off and vice versa... this VPN to NCP is almost working but not quite.
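An added example, not part of the original post: a small Python script that resolves the `set` lines above into the effective Phase 1 and Phase 2 parameters for a VPN, so they can be compared field by field with the NCP client profile, and that flags aggressive mode with a pre-shared key and 1024/1536-bit DH groups. The helper names (`parse`, `effective`, `findings`) and the list of weak groups are assumptions of this example; the config lines are copied from the post with the pre-shared-key line left out.

```python
import shlex

# Subset of the `set` lines from the post above (pre-shared-key line omitted).
CONFIG = """\
set security ike proposal ngikeproposal-1 authentication-method pre-shared-keys
set security ike proposal ngikeproposal-1 dh-group group2
set security ike proposal ngikeproposal-1 encryption-algorithm aes-192-cbc
set security ike policy ngikepolicy-1 mode aggressive
set security ike policy ngikepolicy-1 proposals ngikeproposal-1
set security ike gateway ng-remote-vpn-1 ike-policy ngikepolicy-1
set security ipsec proposal ng-ipsec-proposal-1 encryption-algorithm aes-128-cbc
set security ipsec policy ng-ipsec-policy-1 perfect-forward-secrecy keys group2
set security ipsec policy ng-ipsec-policy-1 proposals ng-ipsec-proposal-1
set security ipsec vpn ng-remote-vpn-1 ike gateway ng-remote-vpn-1
set security ipsec vpn ng-remote-vpn-1 ike ipsec-policy ng-ipsec-policy-1
"""

def parse(text):
    """Map (family, kind, name) -> {setting: value} for `set security ike|ipsec` lines."""
    objs = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 7 or tok[:2] != ["set", "security"] or tok[2] not in ("ike", "ipsec"):
            continue  # skips traceoptions and unrelated lines
        objs.setdefault((tok[2], tok[3], tok[4]), {})[" ".join(tok[5:-1])] = tok[-1]
    return objs

def effective(objs, vpn):
    """Follow vpn -> gateway -> IKE policy -> proposal and vpn -> IPsec policy -> proposal."""
    v = objs[("ipsec", "vpn", vpn)]
    gw = objs[("ike", "gateway", v["ike gateway"])]
    ike_pol = objs[("ike", "policy", gw["ike-policy"])]
    ipsec_pol = objs[("ipsec", "policy", v["ike ipsec-policy"])]
    p1 = dict(objs[("ike", "proposal", ike_pol["proposals"])], mode=ike_pol.get("mode", "unset"))
    p2 = dict(objs[("ipsec", "proposal", ipsec_pol["proposals"])],
              pfs=ipsec_pol.get("perfect-forward-secrecy keys", "none"))
    return {"phase1": p1, "phase2": p2}

def findings(eff):
    """Flag settings to revisit; the weak-group list is this example's assumption."""
    p1, p2, weak_dh, out = eff["phase1"], eff["phase2"], {"group1", "group2", "group5"}, []
    if p1.get("mode") == "aggressive" and p1.get("authentication-method") == "pre-shared-keys":
        out.append("phase1: aggressive mode with PSK exposes the PSK hash to offline guessing")
    for label, group in (("phase1 dh-group", p1.get("dh-group")), ("phase2 pfs", p2.get("pfs"))):
        if group in weak_dh:
            out.append(f"{label}: {group} is a 1024/1536-bit MODP group")
    return out

if __name__ == "__main__":
    print(effective(parse(CONFIG), "ng-remote-vpn-1"), findings(effective(parse(CONFIG), "ng-remote-vpn-1")))
```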