Thanks again! Unfortunately, I had those settings in place already. Here is what I've got:
admin@Firewall> show version
Hostname: Firewall
Model: srx300
Junos: 19.2R1.8
JUNOS Software Release [19.2R1.8]
IKE config:
admin@Firewall> show configuration security ike gateway Dynamic-VPN-P1-Gateway
ike-policy Dynamic-VPN-P2-Policy;
dynamic {
    hostname thebox;
    connections-limit 2;
    ike-user-type shared-ike-id;
}
nat-keepalive 200;
external-interface ge-0/0/0.0;
aaa {
    access-profile Dynamic-XAuth;
}
version v1-only;
IKE Policy Config:
admin@Firewall> show configuration security ike policy Dynamic-VPN-P1-Policy
mode aggressive;
description "Dynamic%20P1%20Policy";
proposals Dynamic-VPN-P1-Proposal;
pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
IPSec Config:
admin@Firewall> show configuration security ipsec vpn Dynamic-VPN
ike {
    gateway Dynamic-VPN-P1-Gateway;
    ipsec-policy Dynamic-P2-Policy;
}
establish-tunnels immediately;
Log output (NOTE: 192.168.1.5 is the external interface of the SRX; it is fully exposed with a FIOS NAT in front of it; no filter):
Sep 7 10:13:36 Firewall kmd[1993]: IKE negotiation successfully completed. IKE Version: 1, VPN: Dynamic-VPN Gateway: Dynamic-VPN-P1-Gateway, Local: 192.168.1.5/4500, Remote: 111.111.111.111/11344, Local IKE-ID: 192.168.1.5, Remote IKE-ID: thebox, VR-ID: 0, Role: Responder
Tcpdump Output:
10:13:36.662662 IP 111.111.111.111.11340 > 192.168.1.5.500: isakmp: phase 1 I agg
10:13:36.681588 IP 192.168.1.5.500 > 111.111.111.111.11340: isakmp: phase 1 R agg
10:13:36.734498 IP 1111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 1 I agg
10:13:36.738988 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.741579 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
10:13:36.773911 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.777594 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.814684 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.817004 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.821579 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.823822 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.863907 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.870802 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.873226 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:56.949886 IP 111.111.111.111.11344 > 192.168.1.5.4500: isakmp-nat-keep-alive
10:14:16.978952 IP 111.111.111.111.11344 > 192.168.1.5.4500: isakmp-nat-keep-alive
10:14:36.458051 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
Even the debug logs only show success. I'm beginning to wonder if it's the Junos version. I've only attempted setting up the dynamic VPN on this version. Any ideas on how I could further debug this? I've never encountered this before.
Thanks!