Has anyone been successful in configuring an SRX for dynamic VPN using the recent documentation Juniper released? I'm able to establish a VPN connection following the instructions in the link below, but I'm unable to reach anything in the trust zone. My machine is receiving an IP address from the dyn-vpn-address-pool. I keep seeing "IPSec negotiation failed with error: Timed out. IKE Version: 1, VPN: dyn-vpn Gateway: dyn-vpn-local-gw, Local: *REMOVED*/4500, Remote: *REMOVED*/1717, Local IKE-ID: *REMOVED*, Remote IKE-ID: client1dynvpn, VR-ID: 0" in the logs, but IPSec is up.
Juniper-SRX300# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode        Remote Address
7903786  UP     191b83b9ba322d15  42c43ee97394737b  Aggressive  174.240.136.92
Juniper-SRX300# run show security ike active-peer
Remote Address  Port  Peer IKE-ID    AAA username  Assigned IP
174.240.136.92  1717  client1dynvpn  client1       10.10.10.3
Juniper-SRX300# run show security ipsec security-associations
Total active tunnels: 1 Total Ipsec sas: 1
ID         Algorithm             SPI       Life:sec/kb   Mon  lsys  Port  Gateway
<67108869  ESP:aes-cbc-128/sha1  c224c5fe  3554/ 500000  -    root  1717  174.240.136.92
>67108869  ESP:aes-cbc-128/sha1  32213190  3554/ 500000  -    root  1717  174.240.136.92
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html
set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC456"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 1.1.1.1/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2