SRX 240 Dynamic VPN works sometimes and only on certain IPs


Hi,

 

I was able to get Dynamic VPN to work on an SRX240 running 12.1 but I had it replaced with an H2 running 12.3X48-D75.4 and I'm finding something odd. I suppose it was behaving similar before because I noticed sometimes I needed to connect multiple times before I'm able to ping my protected resources.

 

Here's what's odd. I allocate a pool whose network is 192.168.4.0/24, low 192.168.4.101, high 192.168.4.109. Last week when I was attempting to troubleshoot, I could ping protected resources only when my Pulse Secure client (9.1.3) had Ps 192.168.4.105, and 192.168.4.106. Each time I connect I get a different IP and none of the other IPs work. I do see entries from the SRX that shows ICMP being requested from the VPN client to the protected resource. I made some additional changes and now none of the IPs work.


The configuration was from https://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/vpn-security-dynamic-example-configuring.html.


Do I need to assign a zone to the Dynamic VPN pool? The recipe from the documentation does not assign a zone. My Dynamic VPN policy is the last rule of the security policies from-zone untrust to-zone trust. My VPN pool is different from my protected subnet, and I can't set it to my internal subnet.


I'm using 1.1.1.1 as the DNS for the VPN xauth-attributes. The rest of the configuration is basically what's outlined in the document with minor differences in names, passwords, and external interface (for me ge-0/0/0).


All operational commands show I'm connected. The only other oddity is that I can only connect using my first client name, and not the second. There is too much information when I start logging to show which rule(s) are preventing hosts on my internal network from replying to the ICMPs, and I'm simply overwhelmed in knowing where to start.


KB 17660 at https://kb.juniper.net/InfoCenter/index?page=content&id=KB17660 suggests one workaround is to add a route, but my default route should take care of it unless there is some implied zone for a Dynamic VPN subnet.


Thanks for any insights anyone could offer.
