I like IPsec because it was designed from the beginning to bind two networks together.

Purpose-built engineering: do one thing, do it well. It's available for IPv4 and IPv6. One of the things I've found difficult to find is documentation for setting up a Juniper SRX for mobile IPsec that works with OS X. After quite a lot of Google sifting and a bit of piecing together, I've arrived at a configuration that works on Junos 12.1X45 and VPN Tracker 7. This config supports AES-128 and AES-256 with SHA-256 and Diffie-Hellman group 14 for IKE, and PFS with group 14 on the IPsec SA. Two caveats before you paste it in: the dynamic VPN gateway (shared-ike-id) needs IKEv1 aggressive mode with a group pre-shared key, which sends the group identity in the clear and lets anyone who initiates an exchange with that identity capture a hash they can brute-force offline, so make PRE_SHARED_KEY long and random and keep connections-limit tight; and the host-inbound-traffic list below opens plain http on the untrust interface, which you can drop unless you really need the cleartext web interface reachable from the Internet. Once a client connects, show security ike security-associations and show security ipsec security-associations should list the peer.

Juniper SRX config

	set security ike proposal PSK-AES128-SHA256-DH14 authentication-method pre-shared-keys
	set security ike proposal PSK-AES128-SHA256-DH14 dh-group group14
	set security ike proposal PSK-AES128-SHA256-DH14 authentication-algorithm sha-256
	set security ike proposal PSK-AES128-SHA256-DH14 encryption-algorithm aes-128-cbc
	set security ike proposal PSK-AES128-SHA256-DH14 lifetime-seconds 28800
	set security ike proposal PSK-AES256-SHA256-DH14 authentication-method pre-shared-keys
	set security ike proposal PSK-AES256-SHA256-DH14 dh-group group14
	set security ike proposal PSK-AES256-SHA256-DH14 authentication-algorithm sha-256
	set security ike proposal PSK-AES256-SHA256-DH14 encryption-algorithm aes-256-cbc
	set security ike proposal PSK-AES256-SHA256-DH14 lifetime-seconds 28800
	set security ike policy IKE-DYN-VPN-POLICY mode aggressive
	set security ike policy IKE-DYN-VPN-POLICY proposals PSK-AES128-SHA256-DH14
	set security ike policy IKE-DYN-VPN-POLICY proposals PSK-AES256-SHA256-DH14
	set security ike policy IKE-DYN-VPN-POLICY pre-shared-key ascii-text PRE_SHARED_KEY
	set security ike gateway DYN-VPN-LOCAL-GW ike-policy IKE-DYN-VPN-POLICY
	set security ike gateway DYN-VPN-LOCAL-GW dynamic hostname GROUP_NAME
	set security ike gateway DYN-VPN-LOCAL-GW dynamic connections-limit 10
	set security ike gateway DYN-VPN-LOCAL-GW dynamic ike-user-type shared-ike-id
	set security ike gateway DYN-VPN-LOCAL-GW external-interface ge-0/0/0
	set security ike gateway DYN-VPN-LOCAL-GW xauth access-profile DYN-VPN-ACCESS-PROFILE
	set security ipsec proposal ESP-AES128-SHA256 protocol esp
	set security ipsec proposal ESP-AES128-SHA256 authentication-algorithm hmac-sha256-128
	set security ipsec proposal ESP-AES128-SHA256 encryption-algorithm aes-128-cbc
	set security ipsec proposal ESP-AES128-SHA256 lifetime-seconds 28800
	set security ipsec proposal ESP-AES256-SHA256 protocol esp
	set security ipsec proposal ESP-AES256-SHA256 authentication-algorithm hmac-sha256-128
	set security ipsec proposal ESP-AES256-SHA256 encryption-algorithm aes-256-cbc
	set security ipsec proposal ESP-AES256-SHA256 lifetime-seconds 28800
	set security ipsec policy IPSEC-DYN-VPN-POLICY perfect-forward-secrecy keys group14
	set security ipsec policy IPSEC-DYN-VPN-POLICY proposals ESP-AES128-SHA256
	set security ipsec policy IPSEC-DYN-VPN-POLICY proposals ESP-AES256-SHA256
	set security ipsec vpn DYN-VPN ike gateway DYN-VPN-LOCAL-GW
	set security ipsec vpn DYN-VPN ike ipsec-policy IPSEC-DYN-VPN-POLICY
	set security policies from-zone trust to-zone untrust policy DYN-VPN-policy match source-address any
	set security policies from-zone trust to-zone untrust policy DYN-VPN-policy match destination-address any
	set security policies from-zone trust to-zone untrust policy DYN-VPN-policy match application any
	set security policies from-zone trust to-zone untrust policy DYN-VPN-policy then permit tunnel ipsec-vpn DYN-VPN
	set security policies from-zone untrust to-zone trust policy DYN-VPN-policy match source-address any
	set security policies from-zone untrust to-zone trust policy DYN-VPN-policy match destination-address any
	set security policies from-zone untrust to-zone trust policy DYN-VPN-policy match application any
	set security policies from-zone untrust to-zone trust policy DYN-VPN-policy then permit tunnel ipsec-vpn DYN-VPN
	set security policies from-zone untrust to-zone untrust policy DYN-VPN-policy match source-address any
	set security policies from-zone untrust to-zone untrust policy DYN-VPN-policy match destination-address any
	set security policies from-zone untrust to-zone untrust policy DYN-VPN-policy match application any
	set security policies from-zone untrust to-zone untrust policy DYN-VPN-policy then permit
	set security nat source rule-set untrust-to-untrust from zone untrust
	set security nat source rule-set untrust-to-untrust to zone untrust
	set security nat source rule-set untrust-to-untrust rule DYN-VPN-untrust-to-untrust match source-address 192.168.0.0/20
	set security nat source rule-set untrust-to-untrust rule DYN-VPN-untrust-to-untrust then source-nat interface
	set security dynamic-vpn access-profile DYN-VPN-ACCESS-PROFILE
	set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0
	set security dynamic-vpn clients all ipsec-vpn DYN-VPN
	set security dynamic-vpn clients all user USER
	set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ping
	set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services http
	set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services https
	set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ike
	set access profile DYN-VPN-ACCESS-PROFILE address-assignment pool DYN-VPN-ADDRESS-POOL
	set access address-assignment pool DYN-VPN-ADDRESS-POOL family inet network 192.168.0.248/29
	set access address-assignment pool DYN-VPN-ADDRESS-POOL family inet range dvpn-range low 192.168.0.249
	set access address-assignment pool DYN-VPN-ADDRESS-POOL family inet range dvpn-range high 192.168.0.254
	set access address-assignment pool DYN-VPN-ADDRESS-POOL family inet xauth-attributes primary-dns 192.168.3.10/32
	set access firewall-authentication web-authentication default-profile DYN-VPN-ACCESS-PROFILE
	set access profile DYN-VPN-ACCESS-PROFILE client USER firewall-user password PASSWORD
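The checks I apply to a listing like the one above (no DES/3DES, no MD5/SHA-1, no DH group below 14, PFS present, and a flag on aggressive mode plus PSK and on plain http facing the untrust zone) are easy to automate. The script below is an added example, not part of the original post or of Junos; it parses the "set security ..." format and the sample it runs on is constructed: the AES-128/SHA-256/DH14 pieces from above plus a deliberately weak proposal, a policy without PFS and the http service, so every check fires.

```python
"""Lint a Junos 'set security ...' IKE/IPsec listing for weak crypto and
exposed services. Added example for this post; the sample config below is
constructed, not taken from a live SRX."""
from collections import defaultdict

# Constructed sample: the AES-128/SHA-256/DH14 proposal and IKE policy from the
# post, plus a deliberately weak 3DES/SHA-1/group2 proposal, an IPsec policy
# without PFS, and plain http on the untrust interface, so each check fires.
SAMPLE_CONFIG = """\
set security ike proposal PSK-AES128-SHA256-DH14 authentication-method pre-shared-keys
set security ike proposal PSK-AES128-SHA256-DH14 dh-group group14
set security ike proposal PSK-AES128-SHA256-DH14 authentication-algorithm sha-256
set security ike proposal PSK-AES128-SHA256-DH14 encryption-algorithm aes-128-cbc
set security ike proposal LEGACY-3DES-SHA1-DH2 authentication-method pre-shared-keys
set security ike proposal LEGACY-3DES-SHA1-DH2 dh-group group2
set security ike proposal LEGACY-3DES-SHA1-DH2 authentication-algorithm sha1
set security ike proposal LEGACY-3DES-SHA1-DH2 encryption-algorithm 3des-cbc
set security ike policy IKE-DYN-VPN-POLICY mode aggressive
set security ike policy IKE-DYN-VPN-POLICY proposals PSK-AES128-SHA256-DH14
set security ike policy IKE-DYN-VPN-POLICY proposals LEGACY-3DES-SHA1-DH2
set security ike policy IKE-DYN-VPN-POLICY pre-shared-key ascii-text PRE_SHARED_KEY
set security ipsec proposal ESP-AES128-SHA256 protocol esp
set security ipsec proposal ESP-AES128-SHA256 authentication-algorithm hmac-sha256-128
set security ipsec proposal ESP-AES128-SHA256 encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-DYN-VPN-POLICY proposals ESP-AES128-SHA256
set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ike
"""

# Algorithm names as Junos spells them.
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_DH = {"group1", "group2", "group5"}


def parse_set_config(text):
    """Group 'set security <kind> <subkind> <name> <key> <value...>' lines as
    cfg[kind subkind][name][key] -> [value, ...]; repeated keys (proposals,
    interfaces) accumulate. Lines that are not 'set security' are ignored."""
    cfg = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["set", "security"]:
            continue
        kind, name, key = " ".join(parts[2:4]), parts[4], parts[5]
        cfg[kind][name][key].append(" ".join(parts[6:]))
    return cfg


def lint(text):
    """Return a list of human-readable findings, empty if nothing is flagged."""
    cfg = parse_set_config(text)
    findings = []
    for kind in ("ike proposal", "ipsec proposal"):
        for name, prop in cfg[kind].items():
            for enc in prop.get("encryption-algorithm", []):
                if enc in WEAK_ENC:
                    findings.append(f"{kind} {name}: weak encryption {enc}")
            for auth in prop.get("authentication-algorithm", []):
                if auth in WEAK_AUTH:
                    findings.append(f"{kind} {name}: weak integrity {auth}")
            for dh in prop.get("dh-group", []):
                if dh in WEAK_DH:
                    findings.append(f"{kind} {name}: weak DH {dh} (use group14 or higher)")
    for name, pol in cfg["ike policy"].items():
        # Aggressive mode sends the identity in the clear and lets anyone who
        # initiates with the group ID capture a hash usable for offline PSK
        # guessing; dynamic VPN needs it, so the PSK must be long and random.
        if "aggressive" in pol.get("mode", []) and pol.get("pre-shared-key"):
            findings.append(f"ike policy {name}: aggressive mode with PSK, "
                            "offline PSK brute force possible; use a long random key")
    for name, pol in cfg["ipsec policy"].items():
        if not pol.get("perfect-forward-secrecy"):
            findings.append(f"ipsec policy {name}: no perfect-forward-secrecy")
    for zone, z in cfg["zones security-zone"].items():
        for entry in z.get("interfaces", []):
            # entry looks like "ge-0/0/0 host-inbound-traffic system-services http"
            if entry.endswith("system-services http"):
                findings.append(f"zone {zone}: cleartext http reachable on {entry.split()[0]}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the full listing from this post (paste it into SAMPLE_CONFIG or read it from a file) it stays quiet on the proposals and PFS and reports only the two things called out above: aggressive mode with a PSK, which the dynamic VPN gateway forces on you, and http on ge-0/0/0.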

The OS X screenshots

Configuring VPN Tracker - Basic

Start with the network configuration. Using Mode Config lets the SRX push settings to the client (the tunnel address from DYN-VPN-ADDRESS-POOL and the DNS server). The topology is Host to Everywhere. Authentication is Pre-shared key; next to this you can enter the key itself (PRE_SHARED_KEY in the config above). XAUTH is set to Always, and again you enter the credentials (USER and PASSWORD above) in the next field. The Local Identifier is the same as the dynamic hostname configured on the SRX (GROUP_NAME). The Remote Identifier is just set to the remote IP address. If you need DNS, check the appropriate boxes.

Configuring VPN Tracker - Advanced

Phase 1: Exchange mode should be set to Aggressive. Lifetime 28800 (this should match the lifetime-seconds configured on the SRX). Encryption can be one or both of AES-128 and AES-256. Hash algorithm is SHA-256. Diffie-Hellman group 14 (2048 bit). Phase 2: Repeat the settings from Phase 1, but instead of Diffie-Hellman it's called Perfect Forward Secrecy (PFS); still Group 14, matching the perfect-forward-secrecy keys group14 line on the SRX. Everything below Phase 2 can be left at the defaults.