SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route-based VPN _and_ dynamic VPN?

    Posted 06-27-2013 15:04

    SRX210.

     

    I had dynamic VPN set up and working OK. I had a need to connect to a remote site, so added config to support a route-based VPN, which is working. With that, the dynamic VPN stopped working. I tried some changes on the dynamic side, then the route-based stopped working. 

     

    I'll freely admit I'm not an expert at IPSEC - having only had to deal with it on rare occasion. So, in that regard I'm more a "follow the recipe" guy.

     

    Anyone with a config which successfully uses both?



  • 2.  RE: Route-based VPN _and_ dynamic VPN?
    Best Answer

    Posted 06-28-2013 02:15

    Hi Mike,

     

    I have this setup working on an SRX240 to a cloud provider from an office.  See below for relevant config.

     

    interfaces {
        ge-0/0/0 {
            description "Internet 10MB/s";
            speed 100m;
            link-mode full-duplex;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    filter {
                        input from-inside-office;
                    }
                    address 192.168.1.1/24;
                }
            }
            unit 1 {
                family inet {
                    filter {
                        input from-outside;
                    }
                    address XXX.XXX.XXX.83/29;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop XXX.XXX.XXX.81;
            route 192.168.120.0/24 next-hop st0.0;
        }
    }
    security {
        ike {
            traceoptions {
                file ike-file;
            }
            proposal pre-g2-aes-sha1-28800 {
                description "Phase 1";
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 28800;
            }
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
            policy Cloud-IKE {
                mode main;
                proposals pre-g2-aes-sha1-28800;
                pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname OfficeSRX01;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface vlan.1;
                xauth access-profile remote_access_profile;
            }
            gateway Cloud-gw {
                ike-policy Cloud-IKE;
                address XXX.XXX.XXX.42;
                local-identity inet XXX.XXX.XXX.83;
                external-interface vlan.1;
            }
        }
        ipsec {
            proposal Cloud_esp-aes-sha1-3600 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec_pol_wizard_dyn_vpn {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set compatible;
            }
            policy Cloud-IPsec {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals Cloud_esp-aes-sha1-3600;
            }
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
            vpn Cloud-VPN {
                bind-interface st0.0;
                ike {
                    gateway Cloud-gw;
                    proxy-identity {
                        local 192.168.1.0/24;
                        remote 192.168.120.0/24;
                    }
                    ipsec-policy Cloud-IPsec;
                }
                establish-tunnels immediately;
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                wizard-dyn-group {
                    remote-protected-resources {
                        192.168.XXX.0/24;
                        192.168.XXX.0/24;
                        172.16.XXX.0/28;
                    }
                    ipsec-vpn wizard_dyn_vpn;
                    user {
                        User1;
                        User2;
                    }
                }
            }
        }
        nat {
            source {
                rule-set Trust_Office_to_Untrust {
                    from zone trust;
                    to zone untrust;
                    rule Cloud {
                        match {
                            source-address 192.168.1.0/24;
                            destination-address 192.168.120.0/24;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                    rule Office_Network {
                        match {
                            source-address 192.168.1.0/24;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy Office-to-Cloud {
                    match {
                        source-address [ Server1 Server2 ];
                        destination-address Cloud-SUBNET;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy Deny-Cloud-Access {
                    match {
                        source-address Office_Network;
                        destination-address Cloud-SUBNET;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
                policy trust-to-untrust {
                    match {
                        source-address Office_Network;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy Default-Deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy policy_in_wizard_dyn_vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn wizard_dyn_vpn;
                            }
                        }
                    }
                }
                policy Default-Deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address Office_Network 192.168.1.0/24;
                    address Server1 192.168.1.XXX/32;
                    address Server2 192.168.1.XXX/32;
                }
                host-inbound-traffic {
                    system-services {
                        http;
                        https;
                        ping;
                        traceroute;
                        ssh;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                address-book {
                    address Cloud-SUBNET 192.168.120.0/24;
                }
                screen untrust-screen;
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ike;
                            }
                        }
                    }
                    st0.0;
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client User1 {
                firewall-user {
                    password "XXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
                }
            }
            client User2 {
                firewall-user {
                    password "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 192.168.30.0/26;
                    xauth-attributes {
                        primary-dns 192.168.1.100/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }
    vlans {
        default {
            vlan-id 1;
            interface {
                ge-0/0/0.0;
            }
            l3-interface vlan.1;
        }
        vlan-trust {
            vlan-id 3;
            interface {
                ge-0/0/1.0;
            }
            l3-interface vlan.0;
        }
    }

     



  • 3.  RE: Route-based VPN _and_ dynamic VPN?

    Posted 06-28-2013 08:53

    Thanks to both of you. It will likely be a few days before I get a chance to try changes - I need to leave what's working in place for the time being.



  • 4.  RE: Route-based VPN _and_ dynamic VPN?

    Posted 06-28-2013 06:52

    Something tells me that one VPN is using the other's proposals/policies.... Try changing the authentication/encryption algorithms on one of them.

     

    Either that or the policy-based VPNs aren't ever hitting the policy....   If you put the route-based VPN in a separate zone, this should fix that issue.
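    The two replies point at the same pair of things to verify in a config like the one in the best answer: that the dynamic (policy-based) VPN and the route-based VPN do not share IKE material, and that the route-based VPN's st0 interface is actually placed in a security zone. The checker below is an added example, not code from any poster or from Juniper. It parses Junos brace-syntax configuration (the output of `show configuration`, not the `| display set` form), classifies each `security ipsec vpn` as route-based (it has a `bind-interface`) or policy-based (a policy references it under `then permit tunnel ipsec-vpn`), records which IKE policy its gateway uses and which zone its st0 sits in, and flags VPNs that share an IKE policy or an st0 that is in no zone. The embedded config is a constructed, abridged version of the posted one: the object names match the post, while the peer address 203.0.113.42 and the pre-shared key are placeholders.

```python
"""Audit an SRX config for the two coexistence problems raised in this thread: both
VPNs sharing one IKE policy, and a route-based VPN whose st0 sits in no zone."""
import re
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def tokenize(text):
    # Drop "## SECRET-DATA" style trailing comments, then split into tokens.
    return TOKEN_RE.findall(re.sub(r'##[^\n]*', '', text))

def parse(tokens):
    """Junos brace syntax -> list of (words, children); a leaf 'a b;' has None."""
    pos = 0
    def block():
        nonlocal pos
        stmts, words = [], []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == '}':
                break
            if tok in ';{':
                stmts.append((tuple(words), None if tok == ';' else block()))
                words = []
            else:
                words.append(tok.strip('"'))
        return stmts
    return block()

def children(stmts, *path):
    """Descend by key (may be multi-word, e.g. 'security-zone untrust'); [] if absent."""
    for key in path:
        k = tuple(key.split())
        stmts = next((c for w, c in stmts if c is not None and w[:len(k)] == k), [])
    return stmts

def leaf(stmts, key):
    """Arguments of the leaf statement that starts with key, or None."""
    return next((w[1:] for w, c in stmts if c is None and w[:1] == (key,)), None)

def audit_vpns(config_text):
    sec = children(parse(tokenize(config_text)), 'security')
    gateways = {w[1]: leaf(c, 'ike-policy') for w, c in children(sec, 'ike')
                if c is not None and w[:1] == ('gateway',)}
    iface_zone = {iw[0]: w[1] for w, c in children(sec, 'zones')
                  if c is not None and w[:1] == ('security-zone',)
                  for iw, _ in children(c, 'interfaces')}
    policy_vpns = set()  # VPNs named by a "then permit tunnel ipsec-vpn X" policy
    for _, pair in children(sec, 'policies'):
        for _, pol in pair or []:
            hit = leaf(children(pol or [], 'then', 'permit', 'tunnel'), 'ipsec-vpn')
            if hit:
                policy_vpns.add(hit[0])
    report = {}
    for w, c in children(sec, 'ipsec'):
        if c is None or w[:1] != ('vpn',):
            continue
        gw, bind = leaf(children(c, 'ike'), 'gateway'), leaf(c, 'bind-interface')
        pol = gateways.get(gw[0]) if gw else None
        report[w[1]] = {
            'kind': 'route-based' if bind else
                    'policy-based' if w[1] in policy_vpns else 'unknown',
            'ike_policy': pol[0] if pol else None,
            'zone': iface_zone.get(bind[0]) if bind else None}
    findings, by_policy = [], {}
    for name, d in report.items():
        by_policy.setdefault(d['ike_policy'], []).append(name)
    for pol, names in by_policy.items():
        if pol and len(names) > 1:
            findings.append(f"VPNs {sorted(names)} share IKE policy {pol}")
    for name, d in report.items():
        if d['kind'] == 'route-based' and d['zone'] is None:
            findings.append(f"{name}: bind-interface is in no security zone")
    return report, findings

# Constructed, abridged version of the posted config with placeholder values.
GOOD_CONFIG = """
security {
    ike {
        policy ike_pol_wizard_dyn_vpn { mode aggressive;
            pre-shared-key ascii-text "placeholder"; ## SECRET-DATA
        }
        gateway gw_wizard_dyn_vpn { ike-policy ike_pol_wizard_dyn_vpn;
            dynamic { hostname OfficeSRX01; } external-interface vlan.1; }
        gateway Cloud-gw { ike-policy Cloud-IKE; address 203.0.113.42; }
    }
    ipsec { vpn wizard_dyn_vpn { ike { gateway gw_wizard_dyn_vpn; } }
        vpn Cloud-VPN { bind-interface st0.0; ike { gateway Cloud-gw; } } }
    policies { from-zone untrust to-zone trust { policy policy_in_wizard_dyn_vpn {
        match { source-address any; destination-address any; application any; }
        then { permit { tunnel { ipsec-vpn wizard_dyn_vpn; } } } } } }
    zones {
        security-zone trust { interfaces { vlan.0; } }
        security-zone untrust { interfaces { st0.0; vlan.1; } }
    }
}
"""
# Same config, but the cloud gateway reuses the dynamic VPN's IKE policy and st0.0 is in no zone.
BAD_CONFIG = (GOOD_CONFIG.replace('ike-policy Cloud-IKE', 'ike-policy ike_pol_wizard_dyn_vpn')
              .replace('interfaces { st0.0; ', 'interfaces { '))
```

    On the layout from the best answer the report shows `wizard_dyn_vpn` as policy-based and `Cloud-VPN` as route-based in zone `untrust` with no findings; on the second config it reports both VPNs sharing `ike_pol_wizard_dyn_vpn` and `st0.0` in no zone, which is the "one VPN is using the other's policies" situation the last reply describes. The `zone` field is also where you can see whether the st0 has been moved into its own zone, as that reply suggests.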