Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to configure Dynamic-VPN with the SRX Responder behind a NAT Device



Article ID: KB23191 KB Last Updated: 26 Feb 2020Version: 4.0
This article provides information on how to configure Junos Pulse to connect via Dynamic VPN to an SRX device, which is behind a Static 1-to-1 NAT device.
  •  Junos Pulse is connecting to SRX via Dynamic VPN.

  • SRX is the responder, which sits behind a device, is performing 1-to-1 Static NAT.

JUNOS Pulse ----- Internet ------ Static NAT Device ---- SRX Device
                                  1 to 1 NAT
 Dynamic VPN to an SRX device, which is behind a router/switch device and performing 1 to 1 Static NAT, will fail IPSec negotiations with Junos below 11.4R1.

Beginning with Junos 11.4R1, Dynamic-VPN to an SRX device behind a Static NAT device is supported. This requires a local-id configuration on the SRX IKE responder.

JUNOS Pulse ----- Internet ------ Static NAT Device ----------- SRX Device
                                   1 to 1 NAT                                                          

In this example, the SRX device has the external-interface as On the static NAT device, it is NAT'ing as the IP address.  The required IKE configuration is:

root@SRX220# show security ike 
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    local-identity inet;
    external-interface ge-0/0/0.0;
    xauth access-profile dyn-vpn-access-profile;
Notice that the local-identity is specified as the external public IP address, which the external-interface is advertised as out to the Pulse client. The pulse client will point its connection to the NAT'd IP address.

Note: This procedure is different than the one listed in the documentation. It refers to a site-to-site VPN configuration, in which the SRX responder is behind a 1-to-1 static NAT device.
Modification History:
2020-02-26: minor non-technical edits.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search