Dynamic VPN on SRX devices has been provided through the Pulse Secure client software, which is still in use. Starting with Junos OS version 15.1X49-D80, the NCP client software is used to provide the Dynamic VPN functionality. For more information, refer to the VPN section of the Release Notes for release 15.1X49-D80.
This article provides a configuration example using the CLI. For the same instructions using the GUI, refer to KB33935.
The NCP client is documented in Understanding IPsec VPNs with NCP Exclusive Remote Access Client, along with Example: Configuring the SRX Series Device for NCP Exclusive Remote Access Clients, which uses RSA signatures (certificate-based) as the authentication method.
Here is another example that uses a pre-shared key as the authentication method.
The working CLI configuration on the SRX is as follows.
Topology
192.168.199.0/24-----(192.168.199.1/24)ge-0/0/6-[SRX]-ge-0/0/3(10.10.10.2/24)-----Internet----Remote clients
Zones: ge-0/0/6 = Trust, ge-0/0/3 = Untrust
IKE and IPsec configuration
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400
set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text "$ABC123"
set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "user1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2 <<<< Depends on the number of licenses purchased for NCP client
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/3 <<<< External interface which receives the VPN request
set security ike gateway remote-vpn1 aaa access-profile profile1
set security ike gateway remote-vpn1 version v1-only
set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800
set security ipsec policy ipsec-policy proposals ipsec-prop1
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 192.168.199.0/24 <<<< These are the local networks that you need to reach.
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
Security zones and policies
set security policies from-zone untrust to-zone trust policy test match source-address any
set security policies from-zone untrust to-zone trust policy test match destination-address any
set security policies from-zone untrust to-zone trust policy test match application any
set security policies from-zone untrust to-zone trust policy test then permit
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic protocols all
Interface configuration and system services
set system services ssh
set system services web-management https system-generated-certificate
set interfaces ge-0/0/3 unit 0 family inet address 10.10.10.2/24
set interfaces ge-0/0/6 unit 0 family inet address 192.168.199.1/24
set interfaces st0 unit 0 family inet
Access profile configuration
set access profile profile1 authentication-order password
set access profile profile1 client user1 firewall-user password "$ABC123"
set access profile profile1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 10.1.1.0/24 <<<< IP address pool assigned to remote clients
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32
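The configuration above negotiates MD5, 3DES and DH group 2, enables all host-inbound services on the untrust interface, and permits any source to any destination from untrust to trust. The following is an added example, not part of the original article, that tightens those same statements. The address-book names vpn-clients and lan-net are hypothetical, and it assumes the NCP client profile is changed to match and that the Junos release in use supports these algorithms.

```junos
# Added example (not from the original article). Apply on top of the
# configuration above; object names and prefixes are reused from it.

# IKE phase 1: replaces dh-group group2 / md5 / 3des-cbc
set security ike proposal ike-prop1 dh-group group14
set security ike proposal ike-prop1 authentication-algorithm sha-256
set security ike proposal ike-prop1 encryption-algorithm aes-256-cbc

# IPsec phase 2: replaces hmac-md5-96 / 3des-cbc and adds PFS
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop1 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group14

# Untrust zone: remove "all" and accept only IKE on the external interface
delete security zones security-zone untrust host-inbound-traffic protocols all
delete security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ike

# Policy: limit untrust-to-trust to the client pool and the protected LAN
# (vpn-clients and lan-net are hypothetical address-book names)
set security address-book global address vpn-clients 10.1.1.0/24
set security address-book global address lan-net 192.168.199.0/24
delete security policies from-zone untrust to-zone trust policy test match source-address any
delete security policies from-zone untrust to-zone trust policy test match destination-address any
set security policies from-zone untrust to-zone trust policy test match source-address vpn-clients
set security policies from-zone untrust to-zone trust policy test match destination-address lan-net
```

Aggressive mode and the shared pre-shared key are left as in the article because the gateway identifies peers by a dynamic hostname; the certificate-based example referenced above avoids the shared key.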
2019-02-26: corrected link to GUI instructions.