
Re: How to configure IPSec RemoteVPN on new branch SRX?


I tried to follow the configuration provided under this link, but I can't get a connection with Shrew Soft. Phase 1 (the IKE SA) comes up, but then Shrew just stops at "bringing tunnel up" and the SRX never shows an IPsec SA.


Below please find my configuration and the IKE SA output confirming that Phase 1 is established on the device (note that it reports `Xauth assigned IP: 0.0.0.0` and `IPSec security associations: 0 created`, i.e. XAuth and Phase 2 never complete).

[edit security ike]
/* IKE (Phase 1) proposal: PSK authentication, DH group 2 (1024-bit MODP), SHA-1, AES-128-CBC.
   lifetime-seconds 180 is unusually short; the SA output below already shows it expiring in 156 s.
   NOTE(review): confirm this frequent re-key is not interrupting XAuth/Phase 2 — presumably not the
   root cause, but a much longer Phase 1 lifetime is the norm for remote-access gateways. */
proposal aes-128-sha1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 180;
}
+    /* Aggressive mode with a pre-shared key: the IKE identity travels in the clear and the PSK-derived
+       authentication hash can be captured for offline guessing. This is inherent to shared-ike-id
+       remote-access setups, so the PSK must be long and random, not a word. */
+    policy Remote_Access-pol {
+        mode aggressive;
+        proposals aes-128-sha1;
+        pre-shared-key ascii-text "PSK-## SECRET-DATA"
+    }
[edit security ike]
+    /* Dynamic (responder-only) gateway for remote clients that all present the same user@hostname
+       IKE ID; connections-limit 10 caps concurrent clients sharing that ID.
+       NOTE(review): the SA output below reports "Peer ike-id: vpn@hostname.com" while this stanza
+       configures vpn@hostname.pl — if that is not just redaction, the client's local ID must match. */
+    gateway Remote_Access-gw {
+        ike-policy Remote_Access-pol;
+        dynamic {
+            user-at-hostname "vpn@hostname.pl";
+            connections-limit 10;
+            ike-user-type shared-ike-id;
+        }
+        external-interface ge-0/0/0.0;
+        /* XAuth user authentication against the local access profile. The SA output shows
+           "Xauth assigned IP: 0.0.0.0", which suggests XAuth had not completed when captured;
+           Phase 2 will not start until it does, so the Phase 2 trace is the place to look. */
+        xauth access-profile Remote_Access-profile;
+    }
[edit security ipsec]
/* IPsec (Phase 2) proposal: ESP with HMAC-SHA1-96 integrity and AES-128-CBC, 1-hour lifetime. */
proposal aes-128-cbc-sha1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
/* PFS with DH group 2. NOTE(review): the Shrew Soft Phase 2 settings must offer a matching
   proposal (ESP AES-128 / SHA-1, PFS group 2) or the quick-mode exchange will fail — confirm. */
policy aes128_pfs2 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals aes-128-cbc-sha1;
}
+    /* Policy-based VPN (no bind-interface): it is referenced only through the tunnel action
+       of the security policy below. */
+    vpn Remote_Access-VPN {
+        ike {
+            gateway Remote_Access-gw;
+            ipsec-policy aes128_pfs2;
+        }
+    }
[edit]
+  /* Local XAuth user database and the address pool handed to remote clients. */
+  access {
+      profile Remote_Access-profile {
+          authentication-order password;
+          client user-login {
+              firewall-user {
+                  /* NOTE(review): the password appears in clear text in this paste; on a committed
+                     configuration Junos normally displays it as a hashed "$9$..." value. Treat it as a
+                     live credential and rotate it rather than post it. */
+                  password "user-pass"
+              }
+          }
+          address-assignment {
+              pool Remote_Access-pool;
+          }
+      }
+      address-assignment {
+          /* Client pool: 192.168.22.10-192.168.22.100 out of 192.168.22.0/24, assigned via XAuth. */
+          pool Remote_Access-pool {
+              family inet {
+                  network 192.168.22.0/24;
+                  range remote-vpn-range {
+                      low 192.168.22.10;
+                      high 192.168.22.100;
+                  }
+              }
+          }
+      }
+  }
[edit security address-book BrzegD_addresses]
/* Address object covering the whole client pool; the book is attached to the INET zone,
   where the clients' encrypted traffic arrives. */
address Remote_VPN 192.168.22.0/24;
attach zone INET;
[edit security policies]
+    /* Policy-based tunnel: traffic from the client pool entering via INET and destined to USERS is
+       matched to the VPN. NOTE(review): destination-address any / application any gives every
+       remote user unrestricted access to the USERS zone — tighten this once the tunnel works.
+       Only the INET->USERS direction is shown here; if sessions must also be initiated from USERS
+       toward the clients, a matching reverse policy would presumably be needed — confirm. */
+    from-zone INET to-zone USERS {
+        policy RemoteVPN {
+            match {
+                source-address Remote_VPN;
+                destination-address any;
+                application any;
+            }
+            then {
+                permit {
+                    tunnel {
+                        ipsec-vpn Remote_Access-VPN;
+                    }
+                }
+            }
+        }
+    }

root@SRX300 # run show security ike security-associations index 7391592 detail
IKE peer MY-IP, Index 7391592, Gateway Name: Remote_Access-gw
  Role: Responder, State: UP
  Initiator cookie: 13c4e460b6863677, Responder cookie: 68976e09605ac5fc
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: SRX-IP:4500, Remote: MY-IP:32563
  Lifetime: Expires in 156 seconds
  Peer ike-id: vpn@hostname.com
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1838
   Output bytes  :                  564
   Input  packets:                    8
   Output packets:                    3
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Flags: IKE SA is created

I have also attached the traceoptions files from IKE Phase 1 (vpn-RA.txt) and from the XAuth / IKE Phase 2 stage (dynvpn-auth-RA.txt).



